Application detection architecture and techniques

US 8,484,338 B2
Filed: 09/28/2009
Issued: 07/09/2013
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for detecting network-based applications based on network traffic generated by the network-based applications, the method comprising:

receiving network traffic at a computer system;

generating first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines using a processor associated with the computer system based on whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;

generating second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines using the processor associated with the computer system to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;

generating third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines using the processor associated with the computer system to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;

identifying, with the processor associated with the computer system, a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;

determining, with the processor associated with the computer system, a policy that is applicable to the network-based application; and

performing an action defined by the policy in regard to the network-based application.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application detection architecture and related techniques are provided for detecting, identifying, and managing network-based applications. In various embodiments, a combined layered approach to application detection and various application-detection techniques provide for quick assessments that move from simplest to complex for rapid detection of unauthorized or misbehaving applications in communication with one or more computer networks. This layering, in some embodiments, further provides scalability and speed for determining and implementing policies that may be applicable to detected network-based application, users, groups, or devices associated with unauthorized network-based applications sending or receiving data via a computer network.

68 Citations

View as Search Results

21 Claims

1. A method for detecting network-based applications based on network traffic generated by the network-based applications, the method comprising:
- receiving network traffic at a computer system;
  
  generating first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines using a processor associated with the computer system based on whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
  
  generating second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines using the processor associated with the computer system to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
  
  generating third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines using the processor associated with the computer system to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
  
  identifying, with the processor associated with the computer system, a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
  
  determining, with the processor associated with the computer system, a policy that is applicable to the network-based application; and
  
  performing an action defined by the policy in regard to the network-based application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein analyzing, in the first phase associated with the network traffic, the network traffic with the one or more single inspection point engines provided by the processor associated with the computer system comprises analyzing the network traffic for an IP address, an IP port, presence of a single value in a packet header, or presence of a single value in a packet body.
  - 3. The method of claim 1 wherein analyzing, in the second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with the one or more multiple inspection point engines provided by the processor associated with the computer system comprises analyzing the network traffic for a combination of IP address and an IP port, presence of a plurality of values in a packet header, presence of a plurality of values in a packet body, or combinations thereof.
  - 4. The method of claim 1 wherein analyzing, in the third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines provided by the processor associated with the computer system comprises analyzing the network traffic according to processing logic specified by the one or more custom inspection point engines.
  - 5. The method of claim 1 wherein analyzing, in the third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines provided by the processor associated with the computer system comprises maintaining state information with the one or more custom inspection point engines across one or more packets.
  - 6. The method of claim 1 wherein determining, with the processor associated with the computer system, the policy that is applicable to the network-based application comprises determining a set of policies based on one or more characteristics of the network-based application.
  - 7. The method of claim 1 wherein determining, with the processor associated with the computer system, the policy that is applicable to the network-based application comprises:
    - determining one or more users associated with the network-based application; and
      
      determining a set of policies based on information associated with the one or more user.
  - 8. The method of claim 1 wherein performing the action defined by the policy comprises blocking the network traffic generated by the network-based application.
  - 9. The method of claim 1 wherein performing the action defined by the policy comprises modifying the network traffic generated by the network-based application.
  - 10. The method of claim 1 further comprising:
    - receiving, at the computer system, one or more updates from a service provider that configure at least one of the single inspection point engines, the multiple inspection point engines, or the custom inspection point engines for determining whether the network traffic satisfies a particular inspection point engine.

11. A non-transitory computer-readable storage medium storing a computer program product executable by one or more computer systems for detecting network-based applications based on network traffic generated by the network-based applications, the non-transitory computer-readable storage medium comprising:
- code for receiving network traffic;
  
  code for generating first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
  
  code for generating second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
  
  code for generating third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
  
  code for identifying a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
  
  code for determining a policy that is applicable to the network-based application; and
  
  code for performing an action defined by the policy in regard to the network-based application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable storage medium of claim 11 wherein the code for analyzing, in the first phase associated with the network traffic, the network traffic with the one or more single inspection point engines comprises code for analyzing the network traffic for an IP address, an IP port, presence of a single value in a packet header, or presence of a single value in a packet body.
  - 13. The non-transitory computer-readable storage medium of claim 11 wherein the code for analyzing, in the second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with the one or more multiple inspection point engines comprises code for analyzing the network traffic for a combination of IP address and an IP port, presence of a plurality of values in a packet header, presence of a plurality of values in a packet body, or combinations thereof.
  - 14. The non-transitory computer-readable storage medium of claim 11 wherein the code for analyzing, in the third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines comprises code for analyzing the network traffic according to processing logic specified by the one or more custom inspection point engines.
  - 15. The non-transitory computer-readable storage medium of claim 11 wherein the code for analyzing, in the third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines comprises code for maintaining state information with the one or more custom inspection point engines across one or more packets.
  - 16. The non-transitory computer-readable storage medium of claim 11 wherein the code for determining the policy that is applicable to the network-based application comprises code for determining a set of policies based on one or more characteristics of the network-based application.
  - 17. The non-transitory computer-readable storage medium of claim 11 wherein the code for determining the policy that is applicable to the network-based application comprises:
    - code for determining one or more users associated with the network-based application; and
      
      code for determining a set of policies based on information associated with the one or more user.
  - 18. The non-transitory computer-readable storage medium of claim 11 wherein the code for performing the action defined by the policy comprises code for blocking the network traffic generated by the network-based application.
  - 19. The non-transitory computer-readable storage medium of claim 11 wherein the code for performing the action defined by the policy comprises code for modifying the network traffic generated by the network-based application.
  - 20. The non-transitory computer-readable storage medium of claim 11 further comprising:
    - code for receiving one or more updates from a service provider that configure at least one of the single inspection point engines, the multiple inspection point engines, or the custom inspection point engines for determining whether the network traffic satisfies a particular inspection point engine.

21. A network appliance for detecting network-based applications based on network traffic generated by the network-based applications, the network appliance comprising:
- a database storing information for configuring one or more single inspection point engines, one or more multiple inspection point engines, and one or more custom inspection point engines;
  
  a communications interface configured to be coupled to a communications network and receive network traffic;
  
  a processor configured to;
  
  configure the one or more single inspection point engines and generate first results information in response to analyzing, in a first phase associated with the network traffic, the network traffic with an ordered sequence of a plurality of single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the plurality of single inspection point engines;
  
  configure the one or more multiple inspection point engines and generate second results information in response to analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with the one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
  
  configure the one or more custom inspection point engines and generate third results information in response to analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with the one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines based on a determination using the second results information;
  
  identify a network-based application that generated the network traffic based on results information obtained from at least one of the second phase or the third phase;
  
  determine a policy that is applicable to the network-based application; and
  
  perform an action defined by the policy in regard to the network-based application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Actiance, Inc.
Original Assignee
Actiance, Inc.
Inventors
Paster, Steven B.
Primary Examiner(s)
Dailey, Thomas
Assistant Examiner(s)
Golabbakhsh, Ebrahim

Application Number

US12/568,073
Publication Number

US 20100085883A1
Time in Patent Office

1,380 Days
Field of Search

709/224, 709/203, 726/23, 726/24
US Class Current

709/224
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/5058   Service discovery by the se...

H04L 41/5096   wherein the managed service...

H04L 63/102   Entity profiles

H04L 67/125   involving control of end-de...

H04L 67/303   Terminal profiles

H04L 67/535   Tracking the activity of th...

Application detection architecture and techniques

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Application detection architecture and techniques

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others