Heuristic behavior pattern matching of data flows in enhanced network traffic classification

US 7,664,048 B1
Filed: 11/24/2003
Issued: 02/16/2010
Est. Priority Date: 11/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method facilitating classification of data flows, comprising monitoring, by a network device, a data flow associated with a host relative to at least one behavioral attribute;

comparing the at least one behavioral attribute observed in the monitoring step to a knowledge base of at least one known application behavior pattern, wherein the at least one known application behavior pattern corresponds to a network application classification and comprises one or more behavioral attribute parameter values indicating a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application classification; and

classifying the data flow into the network application classification by matching packet sizes of packets of the data flow to the pattern of expected packet sizes.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems facilitating enhanced classification of network traffic that extends beyond analysis of explicitly presented packet attributes and holistically analyzes data flows, and in some implementations, related data flows against known application behavior patterns to classify the data flows. Implementations of the present invention facilitate the classification of encrypted or compressed network traffic, or where the higher layer information in the data flows are formatted according to a non-public or proprietary protocol.

Citations

31 Claims

1. A method facilitating classification of data flows, comprising monitoring, by a network device, a data flow associated with a host relative to at least one behavioral attribute;
- comparing the at least one behavioral attribute observed in the monitoring step to a knowledge base of at least one known application behavior pattern, wherein the at least one known application behavior pattern corresponds to a network application classification and comprises one or more behavioral attribute parameter values indicating a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application classification; and
  
  classifying the data flow into the network application classification by matching packet sizes of packets of the data flow to the pattern of expected packet sizes.
- View Dependent Claims (2, 3, 4, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the pattern of expected packet sizes includes a packet size of the first packet in the data flow corresponding to the network application classification.
  - 3. The method of claim 1 wherein the pattern of expected packet sizes includes a packet size of the second packet in the data flow corresponding to the network application classification.
  - 4. The method of claim 1 wherein the pattern of expected packet sizes includes packet sizes for a plurality of packets in the data flow corresponding to the network application classification.
  - 7. The method of claim 1 wherein at least one behavioral attribute parameter value of the one or more behavioral attribute parameter values indicates the timing of the data flow relative to at least one similar data flow associated with the host.
  - 8. The method of claim 1 wherein at least one behavioral attribute parameter value of the one or more behavioral attribute parameter values indicates the number of related data flows associated with the host.
  - 9. The method of claim 1 wherein at least one behavioral attribute parameter value of the one or more behavioral attribute parameter values indicates the timing between at least two packets in the data flow.
  - 10. The method of claim 1 wherein at least one behavioral attribute parameter values of the one or more behavioral attribute parameter values indicates a sequence of protocol flags contained in packets of the data flow.
  - 11. The method of claim 1 wherein at least one behavioral attribute parameter values of the one or more behavioral attribute parameter values indicates a timing of protocol flags contained in packets of the data flow.
  - 12. The method of claim 1 wherein at least one behavioral attribute parameter values of the one or more behavioral attribute parameter values indicates a timing and sequence protocol flags contained in packets of the data flow.
  - 13. The method of claim 1 wherein the application behavior pattern comprises at least one instance of any one of the following:
    - a packet size pattern, a threshold information density value, a threshold inter-flow timing value, or a threshold number of related application data flows.
  - 14. The method of claim 1 wherein the application behavior pattern characterizes the first group of packets of a data flow associated with a traffic class.
  - 15. The method of claim 13 wherein the application behavior pattern characterizes the first group of packets of a data flow associated with a traffic class, and wherein the first group of packets are characterized in relation to at least one instance of any one of the following:
    - a packet size pattern, a threshold information density value, a threshold inter-flow timing value, or a threshold number of related application data flows.

5. A method facilitating classification of data flows, comprising monitoring, by a network device, a data flow associated with a host relative to at least one behavioral attribute;
- comparing the at least one behavioral attribute observed in the monitoring step to a knowledge base of at least one known application behavior pattern, wherein the at least one known application behavior pattern corresponds to a network application classification and comprises one or more behavioral attribute parameter values indicating a pattern of expected information density associated with at least one packet in the data flow corresponding to the network application classification, wherein the information density corresponds to a level of randomness of data of the at least one packet; and
  
  classifying the data flow into the network application classification by matching information density of packets of the data flow to the pattern of expected information density.
- View Dependent Claims (6)
- - 6. The method of claim 5 wherein the pattern of expected information density comprises the information density associated with the first packet in the data flow.

16. A method facilitating classification of data flows, comprisingmodeling behavior of a network application to generate an application behavior pattern corresponding to the network application;
- andconfiguring a network traffic monitoring device to monitor data flows relative to at least one behavioral attribute and classify the data flows into a traffic class of a plurality of traffic classes by comparing one or more of the data flows against the application behavior pattern;
  
  wherein the application behavior pattern comprises at least one instance of any one of the following;
  
  a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to the network application, a threshold inter-flow timing value between data flows corresponding to a host, or a threshold number of related application data flows corresponding to a host.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 wherein the application behavior pattern further comprises at least one instance of any one of the following:
    - an inter-packet timing value between a plurality of packets of a data flow corresponding to the network application, a sequence of protocol flags in a plurality of packets of a data flow corresponding to the network application, an inter-packet protocol flag timing value corresponding to a plurality of packets of a data flow corresponding to the network application.
  - 18. The method of claim 17 wherein the protocol flags are Transport Control Protocol (TCP) protocol flags.

19. A method facilitating classification of data flows, comprisingmonitoring, by a network device, the data flows associated with a host relative to at least one application behavior model corresponding to a traffic class;
- matching, by the network device, at least one of the data flows associated with the host to a traffic class, if a threshold number of the data flows match a corresponding application behavior model;
  
  wherein the application behavior model comprises at least one instance of any one of the following;
  
  a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to the network application, a threshold inter-flow timing value between data flows corresponding to a host, a threshold number of related application data flows corresponding to a host, an inter-packet timing value between a plurality of packets of a data flow corresponding to the network application, a sequence of protocol flags in a plurality of packets of a data flow corresponding to the network application, an inter-packet protocol flag timing value corresponding to a plurality of packets of a data flow corresponding to the network application.

20. An apparatus comprisinga packet processor operative todetect data flows in network traffic traversing a communications path, the data flows each comprising at least one packet;
- parse at least one packet associated with a data flow into a flow specification, a traffic classification engine operative tomatch the data flow to a plurality of traffic classes, wherein at least one of the plurality of traffic classes is defined by one or more matching attributes, wherein said matching attributes are explicitly presented in the packets associated with the data flows, and wherein at least one other of the traffic classes is defined by one or more application behavior patterns, wherein the application behavior patterns each comprise at least one instance of any one of the following;
  
  a pattern of expected packet sizes for one or more packets of a data flow corresponding to a traffic class, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to a traffic class, a threshold inter-flow timing value between data flows corresponding to a host, a threshold number of related application data flows corresponding to a host, an inter-packet timing value between a plurality of packets of a data flow, a sequence of protocol flags in a plurality of packets of a data flow, or an inter-packet protocol flag timing value between a plurality of packets of a data flow;
  
  having found a matching traffic class in the matching step, associate the flow specification corresponding to the data flow with a traffic class from the plurality of traffic classes.
- View Dependent Claims (21, 22, 23)
- - 21. The apparatus of claim 20 wherein said flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific attribute.
  - 22. The apparatus of claim 20 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific attribute.
  - 23. The apparatus of claim 20 further comprisinga flow control module operative to apply bandwidth utilization controls to the data flows based on the traffic class associated with the data flows.

24. A method facilitating classification of data flows, comprisingdetecting, by a network device, a data flow in network traffic traversing a communications path, the data flow each comprising at least one packet;
- parsing, by the network device, explicit attributes of at least one packet associated with the data flow into a flow specification,matching, by the network device, the flow specification to a first plurality of traffic classes, wherein the first plurality of traffic classes are each defined by one or more matching attributes,having found a matching traffic class in the matching step, associating, by the network device, the flow specification corresponding to the data flow with a traffic class from the first plurality of traffic classes,not having found a matching traffic class in the first plurality of traffic classes, matching, by the network device, the data flow to at least one additional traffic class, the additional traffic class defined by an application behavior pattern, the application behavior pattern comprising comprises at least one instance of;
  
  a pattern of expected packet sizes for one or more packets of a data flow, a pattern of expected threshold information density values for one or more packets of a data flow, a threshold inter-flow timing value between data flows corresponding to a host, or a threshold number of related application data flows corresponding to a host.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24 wherein the flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific attribute.
  - 26. The method of claim 24 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific attribute.

27. A method facilitating the classification of network traffic, comprisingdetecting, by a network device, a data flow in network traffic traversing a communications path, the data flow comprising at least one packet;
- classifying, by the network device, the data flow into a network application of a plurality of network applications byapplying a mathematical function to at least one packet in the data flow to derive a computed value that characterizes entropy of information contained in the at least one packet, wherein the entropy information corresponds to a level of randomness of data of the at least one packet; and
  
  comparing the computed value to at least one traffic class corresponding to the network application, said traffic class defined, at least in part, by a required computed entropy value.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27 wherein the required computed value is determined by applying the mathematical function to data flows known to be of the traffic class.
  - 29. The method of claim 27 wherein the mathematical function computes a value indicating the information density of at least one packet.
  - 30. The method of claim 27 wherein the required computed value is a range of values.

31. A method facilitating the classification of network traffic, comprisingdetecting, by a network device, a data flow in network traffic traversing a communications path, the data flow comprising at least one packet containing a first checksum;
- applying, by the network device, a mathematical function to at least one packet in the data flow to derive a second checksum;
  
  comparing, by the network device, the computed second checksum to the first checksum contained in the at least one packet;
  
  matching, by the network device, the data flow to a traffic class, wherein the traffic class is defined at least in part by whether the computed second checksum should match the first checksum in the at least one packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Yung, Weng-Chin, Cesa Klein, Anne, Hill, Mark
Primary Examiner(s)
Mills; Donald L

Application Number

US10/720,329
Time in Patent Office

2,276 Days
Field of Search

370/223, 370/224, 370/229, 370/230, 370/231, 370/236.1, 370/238, 370/235, 370/253, 370/252, 709/224, 709/226, 709/233, 709/235, 709/246
US Class Current

370/253
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/28   Restricting access to netwo...

H04L 41/5022   by giving priorities, e.g. ...

H04L 47/10   Flow control; Congestion co...

H04L 47/2475   for supporting traffic char...

H04L 47/2483   involving identification of...

H04L 47/36   by determining packet size,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 69/22   Parsing or analysis of headers

Heuristic behavior pattern matching of data flows in enhanced network traffic classification

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Heuristic behavior pattern matching of data flows in enhanced network traffic classification

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links