System and method for determining network application signatures using flow payloads

US 8,964,548 B1
Filed: 03/02/2011
Issued: 02/24/2015
Est. Priority Date: 04/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method for profiling network traffic of a network, comprising:

obtaining, from the network traffic, a plurality of flows generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;

identifying, using a processor of a computer system, a training set from the plurality of flows by;

determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;

determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;

determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and

determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold,wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;

identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;

determining, using the processor and from the training set that exceeds the pre-determined training set size threshold, a first signature term of the unique network application based on a first pre-determined algorithm; and

determining, using the processor, a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow generated by the second server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for profiling network traffic of a network is presented. The method includes obtaining a cohesive flow-set based on a (port number, transport protocol) pair, identifying a statistically representative training set from the flow-set, identifying a network application associated with the (port number, transport protocol) pair, determining a packet content based signature term of the network application based on the training set, generate a nondeterministic finite automaton (NFA) using the signature terms to represent regular expressions in the training set, matching a portion of a new flow to the NFA in real time and identify a server attached to the new flow as executing the network application, and generate an alert in response to the match for blocking the new flow prior to the server completing a task performed using the new flow.

Citations

33 Claims

1. A method for profiling network traffic of a network, comprising:
- obtaining, from the network traffic, a plurality of flows generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  identifying, using a processor of a computer system, a training set from the plurality of flows by;
  
  determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;
  
  determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;
  
  determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and
  
  determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold,wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;
  
  determining, using the processor and from the training set that exceeds the pre-determined training set size threshold, a first signature term of the unique network application based on a first pre-determined algorithm; and
  
  determining, using the processor, a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow generated by the second server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1,wherein the port number of the pair corresponds to the source port of the five tuple,wherein the source IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from the first server to a client to execute the unique network application.
  - 3. The method of claim 1,wherein the port number of the pair corresponds to the destination port of the five tuple,wherein the destination IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from a client to the first server to execute the unique network application.
  - 4. The method of claim 1, wherein determining the statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than the pre-determined server contribution deviation threshold comprises determining, for said each of the plurality of servers, a number of flows associated with said each server in the plurality of flows as being less than a pre-determined maximum number.
  - 5. The method of claim 1, wherein the unique network application is identified based on the unique network application executing on more servers in the plurality of servers than any other network application in the one or more network applications.
  - 6. The method of claim 1, wherein the unique network application comprises a layer-seven application.

7. A method for profiling network traffic of a network, comprising:
- obtaining, from the network traffic, a plurality of flows associated with a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  identifying, using a processor of a computer system, a training set from the plurality of flows by;
  
  determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;
  
  determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;
  
  determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and
  
  determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold,wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;
  
  determining, using the processor and from the training set, a first signature term of the unique network application based on a first pre-determined algorithm, wherein determining the first signature term of the unique network application comprises;
  
  dividing the plurality of captured payloads into a plurality of groups;
  
  identifying a first longest common substring of two or more captured payloads in a first group of the plurality of groups using a second pre-determined algorithm; and
  
  determining the first longest common substring as the first signature term based on a first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined noise threshold; and
  
  determining, using the processor, a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow associated with the second server.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, further comprising:
    - obtaining a plurality of longest common substrings by identifying one or more longest common substring of each pair of captured payloads in each of the plurality of groups,wherein the plurality of longest common substrings comprises the first longest common substring identified from the first group and a second longest common substring identified from a second group of the plurality of groups.
  - 9. The method of claim 8, further comprising:
    - including the first signature term in a set of signature terms determined from the plurality of longest common substrings;
      
      representing each of two or more captured payloads of the plurality of captured payloads as a regular expression to obtain a plurality of regular expressions, each comprising one or more signature terms in the set of signature terms; and
      
      representing the plurality of regular expressions as a nondeterministic finite automaton (NFA),wherein determining the second server in the network as executing the unique network application is by analyzing the second flow associated with the second server based on the NFA.
  - 10. The method of claim 9,wherein the first signature term is included in the set of signature terms based on the first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined popularity threshold,wherein a second signature terms and a third signature term are included in the set of signature terms based on:
    - a second probability of occurrence of the second signature term in the plurality of captured payloads exceeding the noise threshold,a third probability of occurrence of the third signature term in the plurality of captured payloads exceeding the noise threshold,a combined probability of occurrence of the second signature term and the third signature term in the plurality of captured payloads exceeding the pre-determined popularity threshold, andthe second signature term and the third signature being mutually exclusive in any one captured payload of the plurality of captured payloads.
  - 11. The method of claim 9, further comprising:
    - generating the NFA during a training phase to represent the plurality of regular expressions, wherein the plurality of flows are obtained from the network traffic during the training phase, wherein the set of signature terms are compiled during the training phase;
      
      obtaining a portion of the second flow from the network traffic subsequent to the training phase; and
      
      analyzing the portion of the second flow based on the NFA to determine, prior to the second flow being completed by the second server, the second server as executing the unique network application,wherein the second server is not determined, prior to obtaining the portion of the second flow, as executing the unique network application.

12. A system for profiling network traffic of a network, comprising:
- a data collector configured to obtain, from the network traffic, a plurality of flows generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  a statistical analyzer configured to identify a training set from the plurality of flows by;
  
  determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;
  
  determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;
  
  determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and
  
  determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold,wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  a signature generator configured to extract, from the training set that exceeds the pre-determined training set size threshold, a first signature term based on a first pre-determined algorithm; and
  
  a processor and memory storing instructions when executed by the processor comprising functionalities to;
  
  identify, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application; and
  
  determine a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow generated by the second server.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12,wherein the port number of the pair corresponds to the source port of the five tuple,wherein the source IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from the first server to a client to execute the unique network application.
  - 14. The system of claim 12,wherein the port number of the pair corresponds to the destination port of the five tuple,wherein the destination IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from a client to the first server to execute the unique network application.
  - 15. The system of claim 12, wherein determining the statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than the pre-determined server contribution deviation threshold comprises determining, for said each of the plurality of servers, a number of flows associated with said each server in the plurality of flows as being less than a pre-determined maximum number.
  - 16. The system of claim 12, wherein the unique network application is identified based on the unique network application executing on more servers in the plurality of servers than any other network application in the one or more network applications.
  - 17. The system of claim 12, wherein the unique network application comprises a layer-seven application.

18. A system for profiling network traffic of a network, comprising:
- a data collector configured to obtain, from the network traffic, a plurality of flows associated with a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  a statistical analyzer configured to identify a training set from the plurality of flows by;
  
  determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;
  
  determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;
  
  determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and
  
  determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold,wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  a signature generator configured to determine, from the training set, a first signature term based on a first pre-determined algorithm, wherein determining the first signature term comprises;
  
  dividing the plurality of captured payloads into a plurality of groups;
  
  identifying a first longest common substring of two or more captured payloads in a first group of the plurality of groups using a pre-determined algorithm; and
  
  determining the first longest common substring as the first signature term based on a first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined noise threshold; and
  
  a processor and memory storing instructions when executed by the processor comprising functionalities to;
  
  identify, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application; and
  
  determine a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow associated with the second server.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The system of claim 18, the signature generator further configured to:
    - obtain a plurality of longest common substrings by identifying one or more longest common substring of each pair of captured payloads in each of the plurality of groups,wherein the plurality of longest common substrings comprises the first longest common substring identified from the first group and a second longest common substring identified from a second group of the plurality of groups.
  - 20. The system of claim 19, the signature generator further configured to:
    - represent each of two or more captured payloads of the plurality of captured payloads as a regular expression to obtain a plurality of regular expressions, each comprising one or more signature terms in a set of signature terms determined from the plurality of longest common substrings, wherein the set of signature terms comprises the first signature term; and
      
      represent the plurality of regular expressions as a nondeterministic finite automaton (NFA),wherein determining the second server in the network as executing the unique network application is by analyzing the second flow associated with the second server based on the NFA.
  - 21. The system of claim 20, further comprising:
    - a signature library comprising the set of signature terms; and
      
      a distiller configured to;
      
      include the first signature term in the set of signature terms based on the first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined popularity threshold; and
      
      include a second signature terms and a third signature term in the set of signature terms based on;
      
      a second probability of occurrence of the second signature term in the plurality of captured payloads exceeding the noise threshold,a third probability of occurrence of the third signature term in the plurality of captured payloads exceeding the noise threshold,a combined probability of occurrence of the second signature term and the third signature term in the plurality of captured payloads exceeding the pre-determined popularity threshold, andthe second signature term and the third signature being mutually exclusive in any one captured payload of the plurality of captured payloads.
  - 22. The system of claim 20,wherein the data collector is further configured to obtain a portion the second flow from the network traffic,wherein the signature analyzer is further configure to analyze the portion of the second flow based on the NFA to determine, prior to the second flow being completed by the second server, the second server as executing the unique network application, andwherein the second server is not determined, prior to obtaining the portion of the second flow, as executing the unique network application.

23. A non-transitory computer readable medium embodying instructions for profiling network traffic of a network, the instructions when executed by a processor comprising functionality for:
- obtaining, from the network traffic, a plurality of flows generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  identifying a training set from the plurality of flows based on a first pre-determined algorithm, wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;
  
  determining, from the training set that exceeds the pre-determined training set size threshold, a first signature term of the unique network application by;
  
  dividing the plurality of captured payloads into a plurality of groups;
  
  identifying a first longest common substring of two or more captured payloads in a first group of the plurality of groups using a second pre-determined algorithm; and
  
  determining the first longest common substring as the first signature term based on a first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined noise threshold; and
  
  determining a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow generated by the second server.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The non-transitory computer readable medium of claim 23, wherein identifying the training set from the plurality of flows comprises:
    - determining that a pair comprising a port number and the transport protocol is same for each of the plurality of flows;
      
      determining a number of servers for the plurality of servers as exceeding a pre-determined server diversity threshold;
      
      determining a number of flows for the plurality of flows as exceeding a pre-determined training set size threshold; and
      
      determining a statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than a pre-determined server contribution deviation threshold.
  - 25. The non-transitory computer readable medium of claim 24,wherein the port number of the pair corresponds to the source port of the five tuple,wherein the source IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from the first server to a client to execute the unique network application.
  - 26. The non-transitory computer readable medium of claim 24,wherein the port number of the pair corresponds to the destination port of the five tuple,wherein the destination IP-address of the five tuple is associated with the first server executing the unique network application, andwherein the plurality of packets in the first flow are sent from a client to the first server to execute the unique network application.
  - 27. The non-transitory computer readable medium of claim 24, wherein determining the statistical deviation in contributions of each of the plurality of servers to the plurality of flows as being less than the pre-determined server contribution deviation threshold comprises determining, for said each of the plurality of servers, a number of flows associated with said each server in the plurality of flows as being less than a pre-determined maximum number.
  - 28. The non-transitory computer readable medium of claim 24, wherein the unique network application is identified based on the unique network application executing on more servers in the plurality of servers than any other network application in the one or more network applications.
  - 29. The non-transitory computer readable medium of claim 24, wherein the unique network application comprises a layer-seven application.

30. A non-transitory computer readable medium embodying instructions for profiling network traffic of a network, the instructions when executed by a processor comprising functionality for:
- obtaining, from the network traffic, a plurality of flows that are generated by a plurality of servers executing one or more network applications in the network, wherein a five tuple comprising a source IP-address, a destination IP-address, a source port, a destination port, and a transport protocol is same for each of a plurality of packets in a first flow of the plurality of flows;
  
  identifying a training set from the plurality of flows based on a first pre-determined algorithm, wherein the training set comprises a plurality of captured payloads corresponding to the plurality of flows;
  
  identifying, from the one or more network applications based on a pre-determined criterion, a unique network application associated with the port number and the transport protocol, wherein a portion of the plurality of flows associated with at least a first server of the plurality of servers is generated responsive to at least the first server executing the unique network application;
  
  determining, from the training set, a first signature term of the unique network application by;
  
  dividing the plurality of captured payloads into a plurality of groups;
  
  obtaining a plurality of longest common substrings by identifying one or more longest common substring of each pair of captured payloads in each of the plurality of groups;
  
  identifying a first longest common substring of two or more captured payloads in a first group of the plurality of groups using a second pre-determined algorithm, wherein the plurality of longest common substrings comprises the first longest common substring identified from the first group and a second longest common substring identified from a second group of the plurality of groups; and
  
  determining the first longest common substring as the first signature term based on a first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined noise threshold; and
  
  determining a second server in the network as executing the unique network application by analyzing, based on at least the first signature term, a second flow associated with the second server.
- View Dependent Claims (31, 32, 33)
- - 31. The non-transitory computer readable medium of claim 30, the instructions when executed by the processor further comprising functionality for:
    - including the first signature term in a set of signature terms determined from the plurality of longest common substrings;
      
      representing each of two or more captured payloads of the plurality of captured payloads as a regular expression to obtain a plurality of regular expressions, each comprising one or more signature terms in the set of signature terms; and
      
      representing the plurality of regular expressions as a nondeterministic finite automaton (NFA),wherein determining the second server in the network as executing the unique network application is by analyzing the second flow associated with the second server based on the NFA.
  - 32. The non-transitory computer readable medium of claim 31, the instructions when executed by the processor further comprising functionality for:
    - wherein the first signature term is included in the set of signature terms based on the first probability of occurrence of the first longest common substring in the plurality of captured payloads exceeding a pre-determined popularity threshold,wherein a second signature terms and a third signature term are included in the set of signature terms based on;
      
      a second probability of occurrence of the second signature term in the plurality of captured payloads exceeding the noise threshold,a third probability of occurrence of the third signature term in the plurality of captured payloads exceeding the noise threshold,a combined probability of occurrence of the second signature term and the third signature term in the plurality of captured payloads exceeding the pre-determined popularity threshold, andthe second signature term and the third signature being mutually exclusive in any one captured payload of the plurality of captured payloads.
  - 33. The non-transitory computer readable medium of claim 31, the instructions when executed by the processor further comprising functionality for:
    - generating the NFA during a training phase to represent the plurality of regular expressions, wherein the plurality of flows are obtained from the network traffic during the training phase, wherein the set of signature terms are compiled during the training phase;
      
      obtaining a portion of the second flow from the network traffic subsequent to the training phase; and
      
      analyzing the portion of the second flow based on the NFA to determine, prior to the second flow being completed by the second server, the second server as executing the unique network application,wherein the second server is not determined, prior to obtaining the portion of the second flow, as executing the unique network application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Keralapura, Ram, Nucci, Antonio
Primary Examiner(s)
Alia, Curtis A

Application Number

US13/039,125
Time in Patent Office

1,455 Days
Field of Search

370229-235, 370/254, 370/351, 370/389, 370/392
US Class Current

370/235
CPC Class Codes

H04L 43/022   by sampling

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 47/2483   involving identification of...

System and method for determining network application signatures using flow payloads

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for determining network application signatures using flow payloads

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links