Probing hosts against network application profiles to facilitate classification of network traffic
Abstract
Methods, apparatuses and systems directed to a network traffic classification mechanism that probes hosts against one or more network application profiles to facilitate identification of network applications corresponding to data flows traversing a network.
23 Claims
1. An apparatus facilitating network traffic classification, comprising:
- a memory for buffering packets corresponding to data flows traversing a network path;
- a packet processor operative to
  - associate the buffered packets with corresponding data flows;
  - parse explicit attributes of at least one packet associated with the data flows into corresponding flow objects;
- a traffic classification engine operative to
  - compare the flow objects to a plurality of traffic types, and
  - if the comparison finds a matching traffic type in the plurality of traffic types, associate the data flow with the matching traffic type; and
- a host probing module operative, as to a selected data flow between a first host and a second host, to
  - generate and transmit a probe packet to the first host;
  - receive a response to the probe packet;
  - compare the response to a profile corresponding to a network application; and
  - associate the data flow with an identifier corresponding to the network application, if the response matches the profile.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for classifying network traffic, comprising:
- detecting a data flow comprising at least one packet transmitted between a first host and a second host;
- classifying, based on attributes of the at least one packet, the data flow into a traffic class selected from a plurality of traffic classes;
- if, after encountering a threshold number of packets in the data flow, the traffic class identified in the classifying step does not correspond to a network application, then
  - generating and transmitting a probe packet to the first host;
  - receiving a response to the probe packet;
  - comparing the response to a profile corresponding to a network application; and
  - associating the data flow with a traffic class corresponding to the network application, if the response matches the profile.
Dependent claims: 11, 12, 13, 14, 15.
16. A method for classifying network traffic, comprising:
- detecting a data flow comprising at least one packet transmitted between a first host and a second host;
- classifying, based on attributes of at least one packet of the data flow, the data flow into a traffic class selected from a plurality of traffic classes;
- selecting a profile from a plurality of profiles based on attributes of at least one packet of the data flow, wherein each profile in the plurality of profiles corresponds to a respective network application;
- generating and transmitting a probe packet according to the selected profile to the first host;
- receiving a response to the probe packet;
- comparing the response to the selected profile; and
- associating the data flow with an identifier corresponding to the network application associated with the selected profile, if the response matches the selected profile;
- stopping the classifying step if a network application is associated with the flow; and
- aborting the receiving, comparing and associating steps if the classifying step yields a traffic class corresponding to a network application.
17. An apparatus facilitating network traffic classification, comprising:
- a memory for buffering packets corresponding to data flows traversing a network path;
- a packet processor operative to associate the buffered packets with corresponding data flows;
- a host probing module operative, as to a selected data flow between a first host and a second host, and in connection with a plurality of profiles each corresponding to a respective network application, to
  - select a profile from the plurality of profiles based on attributes of at least one packet in the selected data flow, wherein each profile defines attributes of a probe packet and attributes of an expected response to the probe packet;
  - generate and transmit a probe packet to the first host;
  - receive a response to the probe packet;
  - compare the response to the selected profile corresponding to a network application; and
  - associate the data flow with an identifier corresponding to the network application, if the response matches the selected profile.
Dependent claims: 18, 19, 20, 21, 22, 23.
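The probe-after-threshold fallback of claim 10, combined with the profile selection of claim 17, as an added Python example (not code from the patent). The threshold value, the port-based profile selection, the two profiles, the simulated hosts and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

PROBE_THRESHOLD = 4  # assumed "threshold number of packets"; the claims give no value

@dataclass(frozen=True)
class Profile:
    app_id: str           # identifier associated with the flow on a match
    ports: range          # flow attribute used to select this profile (assumed)
    probe: bytes          # attributes of the probe packet
    expected: re.Pattern  # attributes of the expected response

# Constructed profiles for two made-up applications.
PROFILES = [
    Profile("app-alpha", range(6000, 6100), b"ALPHA-HELLO\r\n", re.compile(rb"ALPHA/\d+ READY")),
    Profile("app-beta", range(7000, 7100), b"\x01BETA?", re.compile(rb"\x02BETA!")),
]

@dataclass
class Flow:
    first_host: str
    port: int
    packets: int = 0
    traffic_class: Optional[str] = None
    probed: bool = False  # probe a flow at most once

def classify_by_attributes(payload: bytes) -> Optional[str]:
    """Stand-in for the classification engine: match explicit packet attributes."""
    return "http" if payload.startswith((b"GET ", b"POST ")) else None

def handle_packet(flow: Flow, payload: bytes,
                  send_probe: Callable[[str, int, bytes], Optional[bytes]]) -> Optional[str]:
    flow.packets += 1
    if flow.traffic_class is None:
        flow.traffic_class = classify_by_attributes(payload)
    # A passive result wins; otherwise wait for the threshold and probe only once.
    if flow.traffic_class or flow.packets < PROBE_THRESHOLD or flow.probed:
        return flow.traffic_class
    profile = next((p for p in PROFILES if flow.port in p.ports), None)
    if profile is None:
        return None
    flow.probed = True
    response = send_probe(flow.first_host, flow.port, profile.probe)
    if response is not None and profile.expected.match(response):  # None = no reply
        flow.traffic_class = profile.app_id
    return flow.traffic_class

# Constructed responders standing in for real hosts, so the example runs offline.
SIM_HOSTS = {("10.0.0.5", 6001): b"ALPHA/2 READY\r\n", ("10.0.0.6", 6002): b"220 mail ready\r\n"}

def simulated_send_probe(host: str, port: int, probe: bytes) -> Optional[bytes]:
    return SIM_HOSTS.get((host, port))
```

A response that does not match the selected profile, or no response at all, leaves the flow unclassified rather than guessing an application.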
Specification