Classification techniques for encrypted network traffic

US 7,957,319 B2
Filed: 05/08/2009
Issued: 06/07/2011
Est. Priority Date: 05/08/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, a data flow associated with a host;

accessing a memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values correspond to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;

determining a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and

classifying the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems directed to detecting network applications whose data flows have been encrypted. The present invention extends beyond analysis of explicitly presented packet attributes of data flows and holistically analyzes the behavior of host or end systems as expressed in related data flows against a statistical behavioral model to classify the data flows.

51 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a network device, a data flow associated with a host;
  
  accessing a memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values correspond to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
  
  determining a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
  
  classifying the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising modifying the threshold flow affinity value over time based on analysis of network traffic observed at the network device.
  - 3. The method of claim 1 further comprising modifying the correlation values corresponding to the one or more count values over time based on analysis of network traffic observed at the network device.
  - 4. The method of claim 1 wherein one of the one or more count values corresponds to a number of service discovery data flows associated with the host.
  - 5. The method of claim 1 wherein one of the one or more count values corresponds to a number of unresolved transport layer connection attempts associated with the host.
  - 6. The method of claim 1 wherein one of the one or more count values corresponds to a number of control message data flows associated with the host.
  - 7. The method of claim 1 wherein one of the one or more count values corresponds to a number of data flows associated with the host that have been classified according to a separate classification framework.
  - 8. The method of claim 1 further comprising incrementing one or more of the count values for the host as events are detected;
    - andat periodic intervals;
      
      storing the current count values in a data structure as previous values for use in the accessing and determining steps; and
      
      resetting the one or more count values.

9. A method, comprising:
- receiving, at a network device, a data flow associated with a host;
  
  applying a first classification framework to classify the data flow based on attributes of individual packets of the data flow that are readily discoverable or unconcealed by encryption;
  
  if the data flow is not classified into a network application by applying the first classification framework, then applying a second classification framework, wherein the second classification framework comprisesaccessing a memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values correspond to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
  
  determining a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
  
  classifying the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 further comprising modifying the threshold flow affinity value over time based on analysis of network traffic observed at the network device.
  - 11. The method of claim 9 further comprising modifying the correlation values corresponding to the one or more count values over time based on analysis of network traffic observed at the network device.
  - 12. The method of claim 9 further comprising modifying the correlation values corresponding to the one or more count values and the threshold flow affinity value over time based on analysis of network traffic observed at the network device.

13. An apparatus, comprising:
- one or more network interfaces,a memory;
  
  one or more processors;
  
  one or more code modules comprising computer-executable instructions stored on a computer readable medium, the instructions readable by the one or more processors, the instructions, when and executed, for causing the one or more processors to;
  
  receive a data flow associated with a host;
  
  access the memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values correspond to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
  
  determine a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
  
  classify the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13 further comprising computer-executable instructions for causing the one or more processors tomodify the threshold flow affinity value over time based on analysis of network traffic observed at the network device.
  - 15. The apparatus of claim 13 further comprising computer-executable instructions for causing the one or more processors tomodify the correlation values corresponding to the one or more count values over time based on analysis of network traffic observed at the network device.
  - 16. The apparatus of claim 13 wherein one of the one or more count values corresponds to a number of service discovery data flows associated with the host.
  - 17. The apparatus of claim 13 wherein one of the one or more count values corresponds to a number of unresolved transport layer connection attempts associated with the host.
  - 18. The apparatus of claim 13 wherein one of the one or more count values corresponds to a number of control message data flows associated with the host.
  - 19. The apparatus of claim 13 wherein one of the one or more count values corresponds to a number of data flows associated with the host that have been classified according to a separate classification framework.
  - 20. The apparatus of claim 13 further comprising computer-executable instructions for causing the one or more processors toincrement one or more of the count values for the host as events are detected;
    - andat periodic intervals;
      
      store the current count values in a data structure as previous values for use in the accessing and determining steps; and
      
      reset the one or more count values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Deshpande, Shivani A., Hankins, Scott Andrew
Primary Examiner(s)
Moe; Aung S
Assistant Examiner(s)
RIYAMI, ABDULLA A

Application Number

US12/463,318
Publication Number

US 20100284300A1
Time in Patent Office

760 Days
Field of Search

370/53, 370/235, 370/230, 370/229, 370/230.1, 370/231, 370/232, 370/233, 370/234, 370/252, 370/254, 370/255, 370/389, 370/392, 370/412, 370/413, 370/401, 370/463, 370/468, 709/224, 709/223, 709/250, 709/235, 709/227, 709/238, 709/226, 709/229, 709/231, 726/23
US Class Current

370/253
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/026   using flow identification

Classification techniques for encrypted network traffic

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Classification techniques for encrypted network traffic

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links