Adaptive network traffic classification using historical context
First Claim
1. A computer-implemented method, comprising:
- a first computer system receiving first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint, wherein the first computer system does not participate in communication between the first and second endpoints;
- the first computer system automatically classifying at least one connection according to an application protocol, wherein said classifying is based on the first data and uses one or more classification rules to produce classified data;
- after said classifying, the first computer system automatically determining if the classified data of the at least one connection conforms to an application protocol specification of the application protocol;
- if the classified data does not conform to the application protocol specification, the first computer system automatically modifying the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner.
Abstract
Adaptive network traffic classification using historical context. Network traffic may be monitored and classified by considering several attributes using packet filters, regular expressions, context-free grammars, rule sets, and/or protocol dissectors, among other means and by applying a variety of techniques such as signature matching and statistical analysis. Unlike static systems, the classification decisions may be reexamined from time to time or after subsequent processing determines that the traffic does not conform to the protocol specification corresponding to the classification decision. Historical context may be used to adjust the classification strategy for similar or related traffic.
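The classify-verify-adapt loop from the abstract, as an added illustration that is not code from the patent: a passive monitor classifies connections by a static port rule, checks the result against a minimal HTTP/1.x request-line grammar standing in for the protocol dissector, and on non-conformance records the connection's identifying characteristics (destination and port, an assumed choice) so later look-alike traffic is no longer classified as HTTP. All traffic samples are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One observed connection; payload is the first bytes the passive monitor saw."""
    dst: str
    dport: int
    payload: bytes


# Protocol dissector stand-in: does the payload start with a valid HTTP/1.x request line?
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def http_conforms(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None


SPEC_CHECKS = {"http": http_conforms}   # label -> conformance check


class AdaptiveClassifier:
    """Classify by a static rule, verify against the protocol spec, and on mismatch
    remember the identifying characteristics so similar traffic is not re-labelled."""

    def __init__(self, port_rules: dict):
        self.port_rules = dict(port_rules)   # static rule: destination port -> label
        self.demoted = set()                 # historical context: (dst, dport) pairs

    def classify(self, conn: Connection) -> str:
        if (conn.dst, conn.dport) in self.demoted:
            return "unknown"                 # rule already modified for this pattern
        return self.port_rules.get(conn.dport, "unknown")

    def process(self, conn: Connection) -> str:
        label = self.classify(conn)
        check = SPEC_CHECKS.get(label)
        if check is not None and not check(conn.payload):
            self.demoted.add((conn.dst, conn.dport))   # modify the classification rules
            label = "unknown"
        return label


def run_demo() -> list:
    """Constructed sample: real HTTP on port 80, then TLS-looking bytes on port 80."""
    clf = AdaptiveClassifier({80: "http", 443: "tls"})
    tls_like = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"
    flows = [
        Connection("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
        Connection("10.0.0.9", 80, tls_like),   # mislabelled http, fails the spec check
        Connection("10.0.0.9", 80, tls_like),   # same characteristics, skipped by history
        Connection("10.0.0.5", 80, b"POST /api HTTP/1.0\r\n\r\n"),
    ]
    return [clf.process(f) for f in flows]
```

Running `run_demo()` yields `["http", "unknown", "unknown", "http"]`: the demotion applies only to the destination that failed the check, so genuine HTTP to the other host keeps its label.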
19 Claims
1. A computer-implemented method, comprising the elements set out under First Claim above. Dependent claims: 2, 3, 4, 5, 11.
6. A tangible non-transitory memory medium comprising program instructions, wherein the program instructions are executable to:
- receive first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint;
- automatically classify at least one connection according to an application protocol, wherein the classification is based on the first data and uses one or more classification rules to produce classified data;
- automatically determine if the classified data conforms to an application protocol specification of the application protocol;
- if the classified data does not conform to the application protocol specification, automatically modify the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner;
- wherein the reception, classification, determination, and modification does not involve participation in the communication between the first and second endpoints.
Dependent claims: 7, 8, 9, 10, 12.
13. A network monitoring device, comprising:
- at least one input for receiving first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint; and
- logic coupled to the at least one input, wherein the logic is configured to:
  - automatically classify at least one connection according to an application protocol, wherein the classification is based on the first data and uses one or more classification rules to produce classified data;
  - automatically determine if the classified data conforms to an application protocol specification of the application protocol;
  - if the classified data does not conform to the application protocol specification, automatically modify the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner;
- wherein the network monitoring device does not participate in the communication between the first and second endpoints.
Dependent claims: 14, 15, 16, 17, 18, 19.