Application detection architecture and techniques
First Claim
1. A method for detecting network-based applications based on network traffic generated by the network-based applications, the method comprising:
receiving network traffic at a computer system;
generating first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines using a processor associated with the computer system based on whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
generating second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines using the processor associated with the computer system to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
generating third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines using the processor associated with the computer system to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
identifying, with the processor associated with the computer system, a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
determining, with the processor associated with the computer system, a policy that is applicable to the network-based application; and
performing an action defined by the policy in regard to the network-based application.
8 Assignments
0 Petitions
Abstract
An application detection architecture and related techniques are provided for detecting, identifying, and managing network-based applications. In various embodiments, a combined layered approach to application detection and various application-detection techniques provide quick assessments that move from the simplest checks to the most complex ones, for rapid detection of unauthorized or misbehaving applications in communication with one or more computer networks. In some embodiments this layering further provides scalability and speed for determining and implementing policies that may be applicable to detected network-based applications, or to users, groups, or devices associated with unauthorized network-based applications sending or receiving data via a computer network.
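The abstract and claim 1 describe the pipeline only in words: an ordered run of single-inspection-point engines, then engines that correlate several inspection points together with the phase-1 results, then operator-defined custom engines that build on both, and finally identification, policy lookup and an action. The following is an added example, not code from the patent or its assignee, that implements that three-phase shape in Python. The `Flow` record, every engine name, the `.files.example` host rule, the `POLICY` table and the sample flows are all constructed for illustration; the example goes slightly beyond the text by showing why phase 2 matters (a protocol banner seen on the "wrong" port is classified differently from the same banner on its usual port).

```python
"""Added example: a three-phase, layered application detector in the shape the
claims describe.  Engine names, host rule, policy table and sample flows are all
constructed for illustration; none of this is the patent holder's code."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Flow:
    """Constructed, minimal view of one flow: the inspection points we expose."""
    dst_port: int
    payload: bytes          # leading bytes of the client-to-server stream

Results = dict            # "results information" accumulated across phases
Engine = Callable[[Flow, Results], Optional[dict]]

# ---- Phase 1: single inspection point engines, ordered cheapest first -------
def sip_port(flow: Flow, _r: Results) -> Optional[dict]:
    """Inspects exactly one point: the destination port."""
    hints = {22: "ssh", 80: "http", 443: "tls"}
    return {"port_hint": hints[flow.dst_port]} if flow.dst_port in hints else None

def sip_ssh_banner(flow: Flow, _r: Results) -> Optional[dict]:
    """Inspects exactly one point: the leading bytes, for an SSH identification string."""
    return {"banner": "ssh"} if flow.payload.startswith(b"SSH-") else None

_HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n")
def sip_http_request_line(flow: Flow, _r: Results) -> Optional[dict]:
    """Inspects exactly one point: the first line, for an HTTP request line."""
    return {"banner": "http"} if _HTTP_REQ.match(flow.payload) else None

PHASE1: list[Engine] = [sip_port, sip_ssh_banner, sip_http_request_line]

# ---- Phase 2: multiple inspection point engines, correlating phase-1 facts --
def mip_protocol_port_match(flow: Flow, r: Results) -> Optional[dict]:
    """Combines two points: the port hint and the banner actually seen."""
    banner, hint = r.get("banner"), r.get("port_hint")
    if banner is None:
        return None
    if banner == hint:
        return {"app": banner}
    # Same protocol on an unexpected port is its own class (e.g. SSH over 443).
    return {"app": f"{banner}-on-nonstandard-port", "mismatch": True}

def mip_http_host(flow: Flow, r: Results) -> Optional[dict]:
    """Needs two points: an HTTP banner from phase 1 and a Host header in the payload."""
    if r.get("banner") != "http":
        return None
    m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", flow.payload)
    return {"host": m.group(1).decode("ascii", "replace")} if m else None

PHASE2: list[Engine] = [mip_protocol_port_match, mip_http_host]

# ---- Phase 3: custom engines, operator rules over phase-1 and phase-2 output -
def cip_filesharing_rule(flow: Flow, r: Results) -> Optional[dict]:
    """Hypothetical site rule: HTTP to a named file-sharing domain is its own app."""
    if r.get("app") == "http" and r.get("host", "").endswith(".files.example"):
        return {"app": "filesharing-saas"}
    return None

PHASE3: list[Engine] = [cip_filesharing_rule]

# ---- Policy: application -> action; unknown applications are only logged ----
POLICY = {"ssh": "allow", "http": "allow",
          "ssh-on-nonstandard-port": "block", "filesharing-saas": "block"}

def run_phase(engines: list[Engine], flow: Flow, results: Results) -> Results:
    """Runs engines in order; every hit merges its output into the shared results."""
    for engine in engines:
        hit = engine(flow, results)
        if hit:
            results.update(hit)
    return results

def detect(flow: Flow) -> dict:
    """Three-phase detection, then identification, policy lookup and action."""
    r: Results = {}
    for phase in (PHASE1, PHASE2, PHASE3):
        run_phase(phase, flow, r)
    app = r.get("app", "unknown")        # identity comes from phase 2 or phase 3
    action = POLICY.get(app, "log")
    return {"app": app, "action": action, "evidence": r}

# Constructed sample flows (not captured traffic).
SAMPLES = {
    "web": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "ssh_evasion": Flow(443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "upload": Flow(80, b"POST /upload HTTP/1.1\r\nHost: drop.files.example\r\n\r\n"),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(name, detect(flow))
```

The ordering inside each phase is the claim's "ordered sequence": the port check costs nothing and runs first, the byte-pattern engines run after it, and the later phases never re-scan what an earlier phase already established. Because phase 3 runs last and writes the same `app` key, a custom rule can refine a phase-2 verdict without the built-in engines knowing the rule exists.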
68 Citations
Claims (21)

1. A method for detecting network-based applications based on network traffic generated by the network-based applications (independent claim; the full text is given under First Claim above).
Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 are not reproduced on this page.

11. A non-transitory computer-readable storage medium storing a computer program product executable by one or more computer systems for detecting network-based applications based on network traffic generated by the network-based applications, the non-transitory computer-readable storage medium comprising:
code for receiving network traffic;
code for generating first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
code for generating second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
code for generating third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
code for identifying a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
code for determining a policy that is applicable to the network-based application; and
code for performing an action defined by the policy in regard to the network-based application.
Dependent claims 12, 13, 14, 15, 16, 17, 18, 19 and 20 are not reproduced on this page.

21. A network appliance for detecting network-based applications based on network traffic generated by the network-based applications, the network appliance comprising:
a database storing information for configuring one or more single inspection point engines, one or more multiple inspection point engines, and one or more custom inspection point engines;
a communications interface configured to be coupled to a communications network and receive network traffic;
a processor configured to:
configure the one or more single inspection point engines and generate first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
configure the one or more multiple inspection point engines and generate second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with the one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
configure the one or more custom inspection point engines and generate third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with the one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
identify a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
determine a policy that is applicable to the network-based application; and
perform an action defined by the policy in regard to the network-based application.