Techniques for dynamic updating and loading of custom application detectors

US 8,413,111 B2
Filed: 09/28/2009
Issued: 04/02/2013
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing code executable by one or more processors of one or more of a plurality of computer systems for detecting network-based applications, the non-transitory computer-readable storage medium comprising:

code for receiving at a first set of one or more computer systems in the plurality of computer systems information describing one or more data points, the one or more data points identified in response to an analysis of network traffic sent to or received from a network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application;

code for associating with the first set of one or more computer systems in the plurality of computer systems the information describing the identified one or more data points with the network-based application;

code for storing with the first set of one or more computer systems in the plurality of computer systems information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;

code for generating with a second set of one or more computer systems in the plurality of computer systems a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and

code for communicating from one or more computer systems in the plurality of computer systems the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, a data-driven model is provided for an application detection engine for the detection and identification of network-based applications. In one embodiment, information can be input into an application detection database. The information may include a hostname, ports, transport protocol (TCP/UDP), higher layer protocol (SOCKS, HTTP, SMTP, FTP, etc), or the like. The information may be associated with a given application. The information may be used to create rule sets or custom program logic used by one or more various application detection engines for determining whether network traffic has been initiated by a given application. The information may be dynamically loaded and updated at the application detection engine.

25 Citations

View as Search Results

24 Claims

1. A non-transitory computer-readable storage medium storing code executable by one or more processors of one or more of a plurality of computer systems for detecting network-based applications, the non-transitory computer-readable storage medium comprising:
- code for receiving at a first set of one or more computer systems in the plurality of computer systems information describing one or more data points, the one or more data points identified in response to an analysis of network traffic sent to or received from a network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application;
  
  code for associating with the first set of one or more computer systems in the plurality of computer systems the information describing the identified one or more data points with the network-based application;
  
  code for storing with the first set of one or more computer systems in the plurality of computer systems information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
  
  code for generating with a second set of one or more computer systems in the plurality of computer systems a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
  
  code for communicating from one or more computer systems in the plurality of computer systems the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer-readable storage medium of claim 1 wherein the code for receiving the one or more data points comprises code for receiving one or more of a source address, a destination address, a source port, a destination port, one or more header fields, payload data, or combinations thereof.
  - 3. The non-transitory computer-readable storage medium of claim 1 further comprising:
    - code for receiving one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application; and
      
      code for storing information associating the one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application with the network-based application in the database.
  - 4. The non-transitory computer-readable storage medium of claim 1 further comprising:
    - code for packaging the set of rules into a format appropriate for the application detection device.
  - 5. The non-transitory computer-readable storage medium of claim 1 further comprising:
    - code for receiving information describing logic for determining information using one or more of the identified one or more data points;
      
      code for associating the logic with the network-based application; and
      
      code for storing the logic and information associating the logic and the network-based application in the database.
  - 6. The non-transitory computer-readable storage medium of claim 5 further comprising:
    - code for generating program code based on the logic; and
      
      code for compiling the program code for execution at the application detection device.
  - 7. The non-transitory computer-readable storage medium of claim 6 wherein the code for compiling the program code for execution at the application detection device comprises code for compiling the program code for dynamic loading at the application detection device.
  - 8. The non-transitory computer-readable storage medium of claim 6 wherein the code for communicating the set of rules to the application detection device further comprise code for communicating the compiled program code, wherein at least the application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules and the compiled program code.
  - 9. The non-transitory computer-readable storage medium of claim 5 wherein the code for receiving the information describing the logic comprises code for receiving logic for maintaining stating information across the network traffic.
  - 10. The non-transitory computer-readable storage medium of claim 5 wherein the code for receiving the information describing the logic comprises code for receiving logic for determining one or more hash values or checksum from the network traffic.
  - 11. The method of claim 1 wherein the dynamic updated of at least the application detection functionality of the application detection device to support detection of the network-based application based on the communicated set of rules comprises updated during run-time.
  - 12. The method of claim 1 wherein at least one or more user interfaces of the application detection device are dynamically updated to support displaying of information associated with the network-based application based on the communicated set of rules.
  - 13. The method of claim 1 wherein at least reporting functionality of the application detection device is dynamically updated to support reporting of information associated with the network-based application based on the communicated set of rules.

14. A non-transitory computer-readable storage medium storing code executable by one or more processors of one or more of a plurality of computer systems for detecting network-based applications, the non-transitory computer-readable storage medium comprising:
- code for receiving at a first set it one or more computer systems in the plurality of computer systems information describing one or more data points, the one or more data points identified in response to an analysis of network traffic sent to or received from a network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application;
  
  code for associating with the first set of one or more computer systems in the plurality of computer systems the information describing the identified one or more data points with the network-based application;
  
  code for storing with the first set of one or more computer systems in the plurality of computer systems information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
  
  code for generating with a second set of one or more computer systems in the plurality of computer systems a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
  
  code for communicating from one or more computer systems in the plurality of computer systems the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The non-transitory computer-readable storage medium of claim 14 wherein the code for receiving the one or more data points comprises code for receiving one or more of a source address, a destination address, a source port, a destination port, one or more header fields, payload data, or combinations thereof.
  - 16. The non-transitory computer-readable storage medium of claim 14 further comprising:
    - code for receiving one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application; and
      
      code for storing information associating the one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application with the network-based application in the database.
  - 17. The non-transitory computer-readable storage medium of claim 14 further comprising:
    - code for packaging the set of rules into a format appropriate for the application detection device.
  - 18. The non-transitory computer-readable storage medium of claim 14 further comprising:
    - code for receiving information describing logic for determining information using one or more of the identified one or more data points;
      
      code for associating the logic with the network-based application; and
      
      code for storing the logic and information associating the logic and the network-based application in the database.
  - 19. The non-transitory computer-readable storage medium of claim 18 further comprising:
    - code for generating program code based on the logic; and
      
      code for compiling the program code for execution at the application detection device.
  - 20. The non-transitory computer-readable storage medium of claim 19 wherein the code for compiling the program code for execution at the application detection device comprises code for compiling the program code for dynamic loading at the application detection device.
  - 21. The non-transitory computer-readable storage medium of claim 19 wherein the code for communicating the set of rules to the application detection device further comprise code for communicating the compiled program code, wherein at least the application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules and the compiled program code.
  - 22. The non-transitory computer-readable storage medium of claim 18 wherein the code for receiving the information describing the logic comprises code for receiving logic for maintaining stating information across the network traffic.
  - 23. The non-transitory computer-readable storage medium of claim 18 wherein the code for receiving the information describing the logic comprises code for receiving logic for determining one or more hash values or checksum from the network traffic.

24. A system for detecting network-based applications, the system comprising:
- a database configured to store information about a network-based application;
  
  a first set of one or more computer systems configured to;
  
  receive information describing the one or more data points, the one or more data points determined in response to an analysis of network traffic sent to or received from the network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application,associate the information describing the identified one or more data points with the network-based application, andstore the information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in the database; and
  
  a second set of one or more computer systems configured to;
  
  generate a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule, andcommunicate the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Actiance, Inc.
Original Assignee
Actiance, Inc.
Inventors
Paster, Steven B.
Primary Examiner(s)
Das, Chameli

Application Number

US12/568,080
Publication Number

US 20100088670A1
Time in Patent Office

1,282 Days
Field of Search

None
US Class Current

717/106
CPC Class Codes

H04L 43/022   by sampling

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 45/745   Address table lookup; Addre...

Techniques for dynamic updating and loading of custom application detectors

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for dynamic updating and loading of custom application detectors

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links