Heuristic behavior pattern matching of data flows in enhanced network traffic classification
Abstract
Methods, apparatuses and systems facilitating enhanced classification of network traffic that extends beyond analysis of explicitly presented packet attributes and holistically analyzes data flows, and in some implementations related data flows, against known application behavior patterns to classify the data flows. Implementations of the present invention facilitate the classification of encrypted or compressed network traffic, or of traffic where the higher-layer information in the data flows is formatted according to a non-public or proprietary protocol.
31 Claims
1. A method facilitating classification of data flows, comprising: monitoring, by a network device, a data flow associated with a host relative to at least one behavioral attribute; comparing the at least one behavioral attribute observed in the monitoring step to a knowledge base of at least one known application behavior pattern, wherein the at least one known application behavior pattern corresponds to a network application classification and comprises one or more behavioral attribute parameter values indicating a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application classification; and classifying the data flow into the network application classification by matching packet sizes of packets of the data flow to the pattern of expected packet sizes. (Dependent claims: 2, 3, 4, 7, 8, 9, 10, 11, 12, 13, 14, 15)
5. A method facilitating classification of data flows, comprising: monitoring, by a network device, a data flow associated with a host relative to at least one behavioral attribute; comparing the at least one behavioral attribute observed in the monitoring step to a knowledge base of at least one known application behavior pattern, wherein the at least one known application behavior pattern corresponds to a network application classification and comprises one or more behavioral attribute parameter values indicating a pattern of expected information density associated with at least one packet in the data flow corresponding to the network application classification, wherein the information density corresponds to a level of randomness of data of the at least one packet; and classifying the data flow into the network application classification by matching information density of packets of the data flow to the pattern of expected information density. (Dependent claims: 6)
16. A method facilitating classification of data flows, comprising: modeling behavior of a network application to generate an application behavior pattern corresponding to the network application; and configuring a network traffic monitoring device to monitor data flows relative to at least one behavioral attribute and classify the data flows into a traffic class of a plurality of traffic classes by comparing one or more of the data flows against the application behavior pattern; wherein the application behavior pattern comprises at least one instance of any one of the following: a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to the network application, a threshold inter-flow timing value between data flows corresponding to a host, or a threshold number of related application data flows corresponding to a host. (Dependent claims: 17, 18)
19. A method facilitating classification of data flows, comprising: monitoring, by a network device, the data flows associated with a host relative to at least one application behavior model corresponding to a traffic class; matching, by the network device, at least one of the data flows associated with the host to a traffic class, if a threshold number of the data flows match a corresponding application behavior model; wherein the application behavior model comprises at least one instance of any one of the following: a pattern of expected packet sizes for one or more packets of a data flow corresponding to the network application, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to the network application, a threshold inter-flow timing value between data flows corresponding to a host, a threshold number of related application data flows corresponding to a host, an inter-packet timing value between a plurality of packets of a data flow corresponding to the network application, a sequence of protocol flags in a plurality of packets of a data flow corresponding to the network application, an inter-packet protocol flag timing value corresponding to a plurality of packets of a data flow corresponding to the network application.
20. An apparatus comprising: a packet processor operative to detect data flows in network traffic traversing a communications path, the data flows each comprising at least one packet, and to parse at least one packet associated with a data flow into a flow specification; a traffic classification engine operative to match the data flow to a plurality of traffic classes, wherein at least one of the plurality of traffic classes is defined by one or more matching attributes, wherein said matching attributes are explicitly presented in the packets associated with the data flows, and wherein at least one other of the traffic classes is defined by one or more application behavior patterns, wherein the application behavior patterns each comprise at least one instance of any one of the following: a pattern of expected packet sizes for one or more packets of a data flow corresponding to a traffic class, a pattern of expected threshold information density values for one or more packets of a data flow corresponding to a traffic class, a threshold inter-flow timing value between data flows corresponding to a host, a threshold number of related application data flows corresponding to a host, an inter-packet timing value between a plurality of packets of a data flow, a sequence of protocol flags in a plurality of packets of a data flow, or an inter-packet protocol flag timing value between a plurality of packets of a data flow; and, having found a matching traffic class in the matching step, to associate the flow specification corresponding to the data flow with a traffic class from the plurality of traffic classes. (Dependent claims: 21, 22, 23)
24. A method facilitating classification of data flows, comprising: detecting, by a network device, a data flow in network traffic traversing a communications path, the data flow comprising at least one packet; parsing, by the network device, explicit attributes of at least one packet associated with the data flow into a flow specification; matching, by the network device, the flow specification to a first plurality of traffic classes, wherein the first plurality of traffic classes are each defined by one or more matching attributes; having found a matching traffic class in the matching step, associating, by the network device, the flow specification corresponding to the data flow with a traffic class from the first plurality of traffic classes; not having found a matching traffic class in the first plurality of traffic classes, matching, by the network device, the data flow to at least one additional traffic class, the additional traffic class defined by an application behavior pattern, the application behavior pattern comprising at least one instance of: a pattern of expected packet sizes for one or more packets of a data flow, a pattern of expected threshold information density values for one or more packets of a data flow, a threshold inter-flow timing value between data flows corresponding to a host, or a threshold number of related application data flows corresponding to a host. (Dependent claims: 25, 26)
27. A method facilitating the classification of network traffic, comprising: detecting, by a network device, a data flow in network traffic traversing a communications path, the data flow comprising at least one packet; classifying, by the network device, the data flow into a network application of a plurality of network applications by applying a mathematical function to at least one packet in the data flow to derive a computed value that characterizes entropy of information contained in the at least one packet, wherein the entropy information corresponds to a level of randomness of data of the at least one packet; and comparing the computed value to at least one traffic class corresponding to the network application, said traffic class defined, at least in part, by a required computed entropy value. (Dependent claims: 28, 29, 30)
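The following is an added example, not code from the patent or its assignee, showing how the behavioral attributes of claims 1, 5 and 27 can be evaluated against a small knowledge base: a pattern of expected packet sizes for the first packets of a flow (with a per-packet byte tolerance) and an information-density value computed as the Shannon entropy of the payload. The pattern names, field names, packet sizes and payloads are all constructed sample values chosen to exercise the match and mismatch cases; they describe no real application.

```python
"""Added example, not from the patent: a toy behavioral flow classifier.

It implements two of the behavioral attributes the claims describe:
  * a pattern of expected packet sizes for the first N packets of a flow
    (claim 1), matched with a per-packet byte tolerance, and
  * an information-density value per packet (claims 5 and 27), computed here
    as the Shannon entropy of the payload in bits per byte and compared
    against a traffic class's required range.
Every pattern, packet size and payload below is a constructed sample value;
the class names and field names are hypothetical.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Packet:
    size: int        # on-wire packet length in bytes
    payload: bytes   # transport payload (may be empty, e.g. a bare ACK)


@dataclass
class BehaviorPattern:
    """One knowledge-base entry: the behavior expected of a network application."""
    name: str
    expected_sizes: list[int] = field(default_factory=list)  # first-N sizes; 0 = any
    size_tolerance: int = 0                                   # +/- bytes per packet
    min_entropy: float = 0.0                                  # required mean payload entropy
    max_entropy: float = 8.0


def shannon_entropy(payload: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def sizes_match(packets: list[Packet], pattern: BehaviorPattern) -> bool:
    """True when the first len(expected_sizes) packets fit the size pattern.

    A flow shorter than the pattern cannot be decided yet and does not match.
    """
    if len(packets) < len(pattern.expected_sizes):
        return False
    for pkt, expected in zip(packets, pattern.expected_sizes):
        if expected and abs(pkt.size - expected) > pattern.size_tolerance:
            return False
    return True


def mean_payload_entropy(packets: list[Packet]) -> float:
    """Mean entropy over packets that carry a payload (0.0 if none do)."""
    values = [shannon_entropy(p.payload) for p in packets if p.payload]
    return sum(values) / len(values) if values else 0.0


def entropy_matches(packets: list[Packet], pattern: BehaviorPattern) -> bool:
    return pattern.min_entropy <= mean_payload_entropy(packets) <= pattern.max_entropy


def classify_flow(packets: list[Packet], knowledge_base: list[BehaviorPattern]) -> str:
    """Return the name of the first pattern the flow matches, or 'unknown'."""
    for pattern in knowledge_base:
        if sizes_match(packets, pattern) and entropy_matches(packets, pattern):
            return pattern.name
    return "unknown"


# Constructed knowledge base: an encrypted-looking application whose first two
# packets are about 48 bytes, and a plaintext-looking one opening with ~120 bytes.
KNOWLEDGE_BASE = [
    BehaviorPattern("app-A-encrypted", [48, 48, 0, 0], size_tolerance=4, min_entropy=7.0),
    BehaviorPattern("app-B-plaintext", [120, 0, 0], size_tolerance=16, max_entropy=5.0),
]

# Constructed sample payloads: every byte value once (entropy exactly 8.0)
# versus repetitive text (entropy about 2.2).
HIGH_ENTROPY = bytes(range(256))
LOW_ENTROPY = b"hello hello hello hello"

SAMPLE_FLOWS = {
    "flow-1": [Packet(48, HIGH_ENTROPY), Packet(46, HIGH_ENTROPY),
               Packet(512, HIGH_ENTROPY), Packet(1024, HIGH_ENTROPY)],
    "flow-2": [Packet(110, LOW_ENTROPY), Packet(300, LOW_ENTROPY), Packet(40, b"")],
    # Right sizes for app-A but plaintext payload: must not be classified as app-A.
    "flow-3": [Packet(48, LOW_ENTROPY), Packet(48, LOW_ENTROPY),
               Packet(64, b""), Packet(64, b"")],
}

if __name__ == "__main__":
    for name, packets in SAMPLE_FLOWS.items():
        print(f"{name}: {classify_flow(packets, KNOWLEDGE_BASE)} "
              f"(mean entropy {mean_payload_entropy(packets):.2f})")
```

Two design points matter for a deployment of this idea. A flow shorter than the size pattern is reported as undecided rather than matched, so a classifier should defer policy decisions until enough packets have been seen. And entropy alone cannot separate encrypted traffic from compressed traffic (both sit near 8 bits per byte), which is why the claims combine it with other attributes such as packet sizes and timing.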
31. A method facilitating the classification of network traffic, comprising: detecting, by a network device, a data flow in network traffic traversing a communications path, the data flow comprising at least one packet containing a first checksum; applying, by the network device, a mathematical function to at least one packet in the data flow to derive a second checksum; comparing, by the network device, the computed second checksum to the first checksum contained in the at least one packet; and matching, by the network device, the data flow to a traffic class, wherein the traffic class is defined at least in part by whether the computed second checksum should match the first checksum in the at least one packet.
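As an added example for claim 31 (not the patent's own code), the block below recomputes the IPv4 header checksum of a packet, compares it with the checksum the packet carries, and matches the packet to one of two hypothetical traffic classes defined by whether the two should agree. The checksum algorithm is the standard one from RFC 791 (the ones' complement of the ones' complement sum of the header's 16-bit words); the addresses, lengths and class names are constructed sample values.

```python
"""Added example, not from the patent: classifying by IPv4 header checksum.

Claim 31 describes deriving a second checksum from a packet, comparing it to
the first checksum the packet carries, and matching the flow to a traffic
class defined by whether the two should agree. This example does that for
the IPv4 header checksum (RFC 791: the 16-bit ones' complement of the ones'
complement sum of the header words). The addresses, lengths and class
names are constructed sample values.
"""
from __future__ import annotations

import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """Fold a byte string into a 16-bit ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Recompute the header checksum with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Construct a minimal 20-byte IPv4 header with a correct checksum (sample data)."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_header_checksum(fields)) + fields[12:]


def header_checksum_valid(header: bytes) -> bool:
    """Compare the carried (first) checksum with the recomputed (second) one."""
    carried = struct.unpack("!H", header[10:12])[0]
    return carried == ipv4_header_checksum(header)


# Hypothetical traffic classes, each defined by whether the checksums should agree.
TRAFFIC_CLASSES = [
    ("ipv4-checksum-ok", True),
    ("ipv4-checksum-mismatch", False),
]


def classify_by_checksum(header: bytes) -> str:
    """Match the packet to the first class whose checksum expectation it satisfies."""
    valid = header_checksum_valid(header)
    for name, should_match in TRAFFIC_CLASSES:
        if valid == should_match:
            return name
    return "unknown"


def stale_checksum_after_ttl_change(header: bytes) -> bytes:
    """Sample failure mode: TTL rewritten by a middlebox without the checksum being updated."""
    return header[:8] + bytes([header[8] ^ 0x01]) + header[9:]


if __name__ == "__main__":
    good = build_ipv4_header("10.0.0.1", "10.0.0.2", total_length=60)
    stale = stale_checksum_after_ttl_change(good)
    print("good:", classify_by_checksum(good), "| stale:", classify_by_checksum(stale))
```

One caveat when applying this at a capture point rather than on the wire: hosts using checksum offload hand packets to the NIC with a placeholder checksum, so a packet capture taken on the sending host can show mismatches that never exist on the network. A classifier that keys on checksum validity should therefore observe traffic at a tap or span port, not on the endpoint that generates it.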