Adaptive network traffic classification using historical context

US 8,125,908 B2
Filed: 12/02/2008
Issued: 02/28/2012
Est. Priority Date: 12/04/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

a first computer system receiving first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint, wherein the first computer system does not participate in communication between the first and second endpoints;

the first computer system automatically classifying at least one connection according to an application protocol, wherein said classifying is based on the first data and uses one or more classification rules to produce classified data;

after said classifying, the first computer system automatically determining if the classified data of the at least one connection conforms to an application protocol specification of the application protocol;

if the classified data does not conform to the application protocol specification, the first computer system automatically modifying the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Adaptive network traffic classification using historical context. Network traffic may be monitored and classified by considering several attributes using packet filters, regular expressions, context-free grammars, rule sets, and/or protocol dissectors, among other means and by applying a variety of techniques such as signature matching and statistical analysis. Unlike static systems, the classification decisions may be reexamined from time to time or after subsequent processing determines that the traffic does not conform to the protocol specification corresponding to the classification decision. Historical context may be used to adjust the classification strategy for similar or related traffic.

Citations

19 Claims

1. A computer-implemented method, comprising:
- a first computer system receiving first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint, wherein the first computer system does not participate in communication between the first and second endpoints;
  
  the first computer system automatically classifying at least one connection according to an application protocol, wherein said classifying is based on the first data and uses one or more classification rules to produce classified data;
  
  after said classifying, the first computer system automatically determining if the classified data of the at least one connection conforms to an application protocol specification of the application protocol;
  
  if the classified data does not conform to the application protocol specification, the first computer system automatically modifying the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner.
- View Dependent Claims (2, 3, 4, 5, 11)
- - 2. The method of claim 1, wherein said classifying the at least one connection comprises determining one or more identifying characteristics of the packets of the at least one connection.
  - 3. The method of claim 2, wherein said classifying the at least one connection comprises determining if a previous connection having the one or more identifying characteristics has been classified;
    - andif the previous connection has been classified, classifying the at least one connection according to the classification of the previous connection.
  - 4. The method of claim 1, further comprising:
    - if the classified data conforms to the application protocol specification, performing said receiving data, said classifying, and said determining a plurality of times.
  - 5. The method of claim 1, wherein said modifying the one or more classification rules comprises deprioritizing the one or more classification rules.
  - 11. The method of claim 1, wherein said classifying comprises reconstructing a stream of data of the at least one connection from the respective plurality of packets.

6. A tangible non-transitory memory medium comprising program instructions, wherein the program instructions are executable to:
- receive first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint;
  
  automatically classify at least one connection according to an application protocol, wherein the classification is based on the first data and uses one or more classification rules to produce classified data;
  
  automatically determine if the classified data conforms to an application protocol specification of the application protocol;
  
  if the classified data does not conform to the application protocol specification, automatically modify the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner;
  
  wherein the reception, classification, determination, and modification does not involve participation in the communication between the first and second endpoints.
- View Dependent Claims (7, 8, 9, 10, 12)
- - 7. The memory medium of claim 6, wherein in classifying the at least one connection the program instructions are further executable to determine one or more identifying characteristics of packets of the at least one connection.
  - 8. The memory medium of claim 7, wherein said classifying the at least one connection comprises determining if a previous connection having the one or more identifying characteristics has been classified;
    - andif the previous connection has been classified, classifying the at least one connection according to the classification of the previous data.
  - 9. The memory medium of claim 6, wherein if the classified data conforms to the application protocol specification, the program instructions are executable to perform said receiving data, said classifying, and said determining a plurality of times.
  - 10. The memory medium of claim 6, wherein said modifying the one or more classification rules comprises deprioritizing the one or more classification rules.
  - 12. The memory medium of claim 6, wherein said classifying comprises reconstructing a stream of data of the at least one connection from the respective plurality of packets.

13. A network monitoring device, comprising:
- at least one input for receiving first data over a network, wherein the first data comprises a plurality of packets from each of a plurality of connections, wherein the plurality of connections are between a corresponding first endpoint and a corresponding second endpoint; and
  
  logic coupled to the at least one input, wherein the logic is configured to;
  
  automatically classify at least one connection according to an application protocol, wherein the classification is based on the first data and uses one or more classification rules to produce classified data;
  
  automatically determine if the classified data conforms to an application protocol specification of the application protocol;
  
  if the classified data does not conform to the application protocol specification, automatically modify the one or more classification rules such that later data with identifying characteristics similar to that of the at least one connection are not classified in the same manner;
  
  wherein the network monitoring device does not participate in the communication between the first and second endpoints.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The network monitoring device of claim 13, wherein the logic comprises one or more of an application specific integrated circuit or a field programmable gate array (FPGA).
  - 15. The network monitoring device of claim 13, wherein the logic comprises a processor and memory medium.
  - 16. The network monitoring device of claim 13, wherein in classifying the at least one connection the logic is further configured to determine one or more identifying characteristics of packets of the at least one connection.
  - 17. The network monitoring device of claim 16, wherein said classifying the at least one connection comprises determining if a previous connection having the one or more identifying characteristics has been classified;
    - andif the previous connection has been classified, classifying the at least one connection according to the classification of the previous data.
  - 18. The network monitoring device of claim 13, wherein said modifying the one or more classification rules comprises deprioritizing the one or more classification rules.
  - 19. The network monitoring device of claim 13, wherein said classifying comprises reconstructing a stream of data of the at least one connection from the respective plurality of packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Rothstein, Jesse Abraham, Mukerji, Arindum
Primary Examiner(s)
Lai, Andrew
Assistant Examiner(s)
LOO, JUVENA W

Application Number

US12/326,672
Publication Number

US 20090141634A1
Time in Patent Office

1,183 Days
Field of Search

370/395.3, 370/469, 370/474, 370229-253, 370351-400
US Class Current

370/235
CPC Class Codes

H04L 47/10 Flow control; Congestion co...

H04L 47/2483 involving identification of...

Adaptive network traffic classification using historical context

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive network traffic classification using historical context

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links