
System and method for determining network application signatures using flow payloads

  • US 8,964,548 B1
  • Filed: 03/02/2011
  • Issued: 02/24/2015
  • Est. Priority Date: 04/17/2008
  • Status: Active Grant
First Claim

1. A method for profiling network traffic of a network, comprising:

  • obtaining, from the network traffic, a plurality of flows generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;

    identifying, using a processor of a computer system, a training set from the plurality of flows by:

    determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;

    determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;

    determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and

    determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold, wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;

    identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;

    determining, using the processor and from the training set that exceeds the pre-determined training set size threshold, a first signature term of the unique network application based on a first pre-determined algorithm; and

    determining, using the processor, a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow generated by the second server.
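
The training-set checks and signature matching recited in claim 1, sketched as an added example that is not code from the patent or its assignee. The claim only says the thresholds and the signature algorithm are "pre-determined", so the threshold values, the use of the standard deviation of per-server flow share, the longest-shared-prefix signature term, and all sample flows below are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import pstdev

# Hypothetical thresholds (the claim does not give values).
MIN_SERVERS, MIN_FLOWS, MAX_SHARE_DEVIATION = 2, 5, 0.15

# Constructed sample flows: (src_ip, dst_ip, src_port, dst_port, proto, payload).
SMTP = [("10.0.0.%d" % i, b"220 %s.example ESMTP" % name)
        for i, name in enumerate([b"mx", b"smtp", b"relay"], 1) for _ in range(2)]
SKEWED = [("10.0.1.1", b"HTTP/1.1 200 OK")] * 4 + [
    ("10.0.1.2", b"HTTP/1.1 200 OK"), ("10.0.1.3", b"HTTP/1.1 404")]
FLOWS = ([(s, "192.0.2.9", 25, 40000, "tcp", p) for s, p in SMTP] +
         [(s, "192.0.2.9", 8080, 40001, "tcp", p) for s, p in SKEWED])

def select_training_sets(flows):
    """Group by (server port, protocol); keep groups passing all three checks."""
    groups = defaultdict(list)
    for src, _dst, sport, _dport, proto, payload in flows:
        groups[(sport, proto)].append((src, payload))  # assumption: server is the source
    selected = {}
    for key, members in groups.items():
        per_server = Counter(server for server, _ in members)
        shares = [n / len(members) for n in per_server.values()]
        if (len(per_server) > MIN_SERVERS            # server diversity
                and len(members) > MIN_FLOWS         # training set size
                and pstdev(shares) < MAX_SHARE_DEVIATION):  # no dominant server
            selected[key] = [payload for _, payload in members]
    return selected

def signature_term(payloads, min_support=0.9):
    """Longest payload prefix shared by at least min_support of the training set."""
    term = b""
    for length in range(1, min(map(len, payloads)) + 1):
        prefix, count = Counter(p[:length] for p in payloads).most_common(1)[0]
        if count / len(payloads) < min_support:
            break
        term = prefix
    return term

def build_signatures(flows):
    return {k: signature_term(v) for k, v in select_training_sets(flows).items()}

def classify(payload, signatures):
    """Label a flow from another server by matching its payload against the terms."""
    for key, term in signatures.items():
        if term and payload.startswith(term):
            return key
    return None
```

The port 8080 group is rejected because one server contributes four of its six flows, which is the case the contribution-deviation check exists to filter out: a signature learned there would describe that server rather than the application.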
