Recognizing application protocols by identifying message traffic patterns
Abstract
A communication system detects particular application protocols in response to their message traffic patterns, which might be responsive to packet size, average packet rate, burstiness of packet transmissions, or other message pattern features. Selected message pattern features include average packet rate, maximum packet burst, maximum future accumulation, minimum packet size, and maximum packet size. The system maintains a counter of packet tokens, each arriving at a constant rate, and maintains a queue of real packets. Each real packet is released from the queue when there is a corresponding packet token also available for release. Packet tokens overfilling the counter, and real packets overfilling the queue, are discarded. Users might add or alter application protocol descriptions to account for profiles thereof.
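The token-counter-plus-queue mechanism and the payload-agnostic feature measurement described in the abstract, written out as an added Python example that is not part of the patent. The protocol profiles, size bands and rates are constructed values, and "maximum future accumulation" is assumed here to mean the depth of the real-packet queue.

```python
from collections import deque

# Constructed profiles (hypothetical): packet-size band in bytes, token rate in
# packets/s, bucket depth (maximum packet burst) and queue depth (taken here as
# "maximum future accumulation").
PROFILES = {
    "voip-like": {"min_size": 60, "max_size": 200, "rate": 50.0, "burst": 5, "queue": 10},
    "bulk-like": {"min_size": 1000, "max_size": 1500, "rate": 5.0, "burst": 20, "queue": 50},
}

def measure(stream):
    """Pattern features of a stream of (timestamp_s, size_bytes); the payload is never read."""
    sizes = [size for _, size in stream]
    span = stream[-1][0] - stream[0][0]
    return {"avg_rate": len(stream) / span if span > 0 else float("inf"),
            "min_size": min(sizes), "max_size": max(sizes)}

def identify(stream, profiles=PROFILES):
    """Name of the first profile whose size band contains the whole stream, else None."""
    f = measure(stream)
    for name, p in profiles.items():
        if p["min_size"] <= f["min_size"] and f["max_size"] <= p["max_size"]:
            return name
    return None

class TokenShaper:
    """Token counter refilled at a constant rate plus a bounded queue of real packets."""
    def __init__(self, profile):
        self.p, self.tokens, self.last_ts = profile, float(profile["burst"]), None
        self.queue, self.dropped = deque(), 0

    def offer(self, ts, size):
        """Admit one packet; return the packets released at this instant."""
        if self.last_ts is not None:  # tokens arrive at a constant rate; overflow is discarded
            self.tokens = min(self.p["burst"], self.tokens + (ts - self.last_ts) * self.p["rate"])
        self.last_ts = ts
        if len(self.queue) >= self.p["queue"]:
            self.dropped += 1           # queue overfilled: real packet rejected
        else:
            self.queue.append((ts, size))
        released = []
        while self.queue and self.tokens >= 1.0:  # one token per released real packet
            released.append(self.queue.popleft())
            self.tokens -= 1.0
        return released

def shape(stream, profile):
    """Run a stream through the shaper and summarise released/queued/dropped counts."""
    shaper = TokenShaper(profile)
    released = sum(len(shaper.offer(ts, size)) for ts, size in stream)
    return {"released": released, "queued": len(shaper.queue), "dropped": shaper.dropped}

if __name__ == "__main__":
    burst = [(i / 1000, 100) for i in range(20)]   # constructed: 20 small packets, 1 ms apart
    print(identify(burst), shape(burst, PROFILES[identify(burst)]))
```

With the constructed 20-packet burst, the bucket's five initial tokens release five packets, ten more wait in the queue, and the remaining five are rejected because the queue is full.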
Claims (11)
1. A computer-implemented method in a computing device of a wireless communication network for restricting use of applications, the method comprising the steps of:
receiving a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
measuring a traffic pattern of the stream of network packets;
identifying an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
applying a treatment associated with the application protocol, comprising:
mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.
Dependent claims: 2, 3, 4, 5.

6. A non-transitory computer-readable medium storing instructions that, when executed by a processor, perform a method in a computing device of a wireless communication network for restricting use of applications, the method comprising the steps of:
receiving a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
measuring a traffic pattern of the stream of network packets;
identifying an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
applying a treatment associated with the application protocol, comprising:
mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.
Dependent claims: 7, 8, 9, 10.

11. A computing device, comprising:
a processor; and
a memory, comprising:
an interface to receive a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
a traffic measurement module to measure a traffic pattern of the stream of network packets;
an application identifying module to identify an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
a treatment application module to apply a treatment associated with the application protocol, comprising:
mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.
Specification