Application-layer monitoring and profiling network traffic

US 7,769,851 B1
Filed: 01/27/2005
Issued: 08/03/2010
Est. Priority Date: 01/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing packet flows with an intermediate network device positioned between a node and a public network to identify network elements associated with the packet flows;

forming, with the intermediate device, application-layer communications from the packet flows, wherein forming application-layer communications comprises buffering and reassembling packets of the same packet flows into the corresponding application-layer communications;

processing the application-layer communications with protocol-specific decoders to identify application-layer elements within the application-layer communications; and

generating profiling data that associates the application-layer elements of the application-layer communications with the network elements of the packet flows, wherein generating profiling data comprises storing the network elements and the application-layer elements in a correlation database and defining relationships within the correlation database to associate the network elements of the packet flows with the application-layer elements of the application-layer communications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection and prevention (IDP) device includes a flow analysis module, an analysis engine, a plurality of protocol-specific decoders and a profiler. The flow analysis module processes packet flows in a network to identify network elements associated with the packet flows. The analysis engine forms application-layer communications from the packet flows. The plurality of protocol-specific decoders processes the application-layer communications to generate application-layer elements. The profiler correlates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.

81 Citations

View as Search Results

22 Claims

1. A method comprising:
- processing packet flows with an intermediate network device positioned between a node and a public network to identify network elements associated with the packet flows;
  
  forming, with the intermediate device, application-layer communications from the packet flows, wherein forming application-layer communications comprises buffering and reassembling packets of the same packet flows into the corresponding application-layer communications;
  
  processing the application-layer communications with protocol-specific decoders to identify application-layer elements within the application-layer communications; and
  
  generating profiling data that associates the application-layer elements of the application-layer communications with the network elements of the packet flows, wherein generating profiling data comprises storing the network elements and the application-layer elements in a correlation database and defining relationships within the correlation database to associate the network elements of the packet flows with the application-layer elements of the application-layer communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21)
- - 2. The method of claim 1,wherein the network elements comprise data defining hosts associated with the packet flows, data defining peers for each of the packet flows, and data defining ports associated with the packet flows, andwherein defining relationships within the database comprises mapping each of the application-layer elements to a respective one of the peers.
  - 3. The method of claim 1, wherein processing the application-layer communications comprises processing the application-layer communications with protocol-specific decoders for at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder, a Telnet decoder, a Domain Name System (DNS) decoder, a Gopher decoder, a Finger decoder, a Post Office Protocol (POP) decoder, a Secure Socket Layer (SSL) protocol decoder, a Lightweight Directory Access Protocol (LDAP) decoder, a Secure Shell (SSH) decoder, a Server Message Block (SMB) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 4. The method of claim 1, wherein processing the packet flows with the network device to identify network elements comprises processing the packet flows with the network device to identify at least one of a network host, network peers, and a network port associated with the network traffic.
  - 5. The method of claim 1, wherein processing the application-layer communications comprises processing the application-layer communications with protocol-specific decoders to identify named elements that uniquely identify types of the application-layer elements and values for the named elements.
  - 6. The method of claim 5, wherein the named elements for the application-layer communications include at least one of a file name, a user name, a software application name or a name of an attached document.
  - 7. The method of claim 1, further comprising analyzing the application-layer elements and the network elements to determine whether each of the packet flows presents a security risk.
  - 8. The method of claim 7, further comprising:
    - discarding the network packets associated with a security risk, andforwarding the network packets that are not associated with a security risk.
  - 9. The method of claim 1, further comprising:
    - updating a flow table within a forwarding plane of the network device to store date describing the packet flows that are currently active within the computing network;
      
      outputting commands from the forwarding plane to a profiling module upon updating the flow table, wherein the commands include the network elements associated with one or more of the packet flows; and
      
      outputting the application-layer elements from the protocol decoders to the profiling module.
  - 21. The method of claim 1,wherein the correlation database of the intermediate device comprises a hosts table, a peers table, a ports table, a contexts table, a values table, and a profiles table,wherein storing the network elements in the correlation database comprises:
    - storing, with the intermediate device, data defining either a source address or a destination address to an entry to the hosts table;
      
      storing data defining a pair of hosts identified in the hosts table that have established a communication session to an entry of the peers table; and
      
      storing data defining a port used by the pair of hosts identified in the peers table when communicating via the established communication session,wherein storing the application-layer elements in the correlation database comprises;
      
      storing data defining named elements to an entry in the contexts table, wherein the named-elements provide a context for one or more types of protocols;
      
      storing data to an entry of the values table that defines application-specific values for the named elements, andwherein defining relationships within the database comprises storing data, with the intermediate device, to an entry of the profiles table that associates the pair of hosts specified within the entry of the peers table with the application-specific values specified within the entry of the values table.

10. An intermediate network device positioned between a node and a network comprising:
- a forwarding plane that includes;
  
  a flow analysis module to process packet flows with a network to identify network elements associated with the packet flows;
  
  an analysis engine to form application-layer communications from the packet flows, wherein the analysis engine forms the application-layer communications by buffering and reassembling packets of the same packet flows into the corresponding application-layer communications; and
  
  a plurality of protocol-specific decoders to process the application-layer communications to generate application-layer elements;
  
  a processor that executes a profiler to correlate the application-layer elements of the application-layer communications with the network elements of the packet flows; and
  
  a correlation database, wherein the profiler updates the correlation database to store profiling data that maps the application-layer elements to the network elements.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 22)
- - 11. The intermediate network device of claim 10, wherein the correlation database comprises:
    - a plurality of tables to store the network elements;
      
      a plurality of tables to store the application-layer elements; and
      
      data relating the application-layer elements to the network elements.
  - 12. The intermediate network device of claim 10, wherein the plurality of protocol-specific decoders include at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 13. The intermediate network device of claim 10, wherein the network elements comprise at least one of a network host, network peers, and a network port associated with the network traffic.
  - 14. The intermediate network device of claim 10, wherein the application-layer elements comprise:
    - protocol-specific named elements that identify types of the application-layer elements, andvalues for the named elements for the application-layer communications.
  - 15. The intermediate network device of claim 14, wherein the named elements for the application-layer communications include at least one of a file name, a user name, a software application name or a name of an attached document.
  - 16. The intermediate network device of claim 10, wherein the protocol decoders apply protocol-specific algorithms to analyze the application-layer elements to determine whether any of the packet flows present a security risk.
  - 17. The intermediate network device of claim 16, wherein the forwarding plane comprises a forwarding component that discards the network packets for the packet flows determined to present security risks, and forwards the network packets for packet flows that do not present security risks.
  - 18. The intermediate network device of claim 17, wherein the forwarding component includes a routing table storing routes for the network.
  - 19. The intermediate network device of claim 10, further comprising:
    - a flow table that stores data describing the packet flows that are currently active within the computing network,wherein the flow analysis module outputs commands to the profiler upon updating the flow table, the commands including the network elements associated with one or more of the packet flows,wherein the protocol-specific decoders output the application-layer elements to the profiler; and
      
      wherein in response to the commands the profiler associates the network elements with the application-layer elements.
  - 22. The intermediate network device of claim 10,wherein the correlation database comprises a hosts table, a peers table, a ports table, a contexts table, a values table, and a profiles table,wherein the profiler further stores data defining either a source address or a destination address to an entry to the hosts table, stores data defining a pair of hosts identified in the hosts table that have established a communication session to an entry of the peers table, and stores data defining a port used by the pair of hosts identified in the peers table when communicating via the established communication session,wherein the profiler also stores data defining named elements to an entry in the contexts table, wherein the named-elements provide a context for one or more types of protocols and stores data to an entry of the values table that defines application-specific values for the named elements, andwherein the profiler stores data to an entry of the profiles table that associates the pair of hosts specified within the entry of the peers table with the application-specific values specified within the entry of the values table.

20. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
- receive network elements associated with packet flows within a computer network;
  
  receive application-layer elements associated with application-layer communications from the packet flows wherein the application-layer communications are formed by buffering and reassembling packets of the same packet flows into the corresponding application-layer communications; and
  
  maintain a correlation database that associates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Guruswamy, Kowsik, Leung, Siu-Wang
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
Conaway; James E

Application Number

US11/044,619
Time in Patent Office

2,014 Days
Field of Search

709/203, 709/224, 726/13, 726/23
US Class Current

709/224
CPC Class Codes

G06F 15/173   using an interconnection ne...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Application-layer monitoring and profiling network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Application-layer monitoring and profiling network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links