Recognizing application protocols by identifying message traffic patterns

US 8,995,459 B1
Filed: 06/30/2010
Issued: 03/31/2015
Est. Priority Date: 09/07/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method in a computing device of a wireless communication network for restricting use of applications, the method comprising the steps of:

receiving a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;

measuring a traffic pattern of the stream of network packets;

identifying an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and

applying a treatment associated with the application protocol, comprising;

mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and

rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication system detects particular application protocols in response to their message traffic patterns, which might be responsive to packet size, average packet rate, burstiness of packet transmissions, or other message pattern features. Selected message pattern features include average packet rate, maximum packet burst, maximum future accumulation, minimum packet size, and maximum packet size. The system maintains a counter of packet tokens, each arriving at a constant rate, and maintains a queue of real packets. Each real packet is released from the queue when there is a corresponding packet token also available for release. Packet tokens overfilling the counter, and real packets overfilling the queue, are discarded. Users might add or alter application protocol descriptions to account for profiles thereof.

136 Citations

11 Claims

1. A computer-implemented method in a computing device of a wireless communication network for restricting use of applications, the method comprising the steps of:
- receiving a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
  
  measuring a traffic pattern of the stream of network packets;
  
  identifying an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
  
  applying a treatment associated with the application protocol, comprising;
  
  mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
  
  rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the traffic pattern measurement comprises one or more of:
    - minimum values for R (average packet rate), B (maximum packet burst), Q (maximum future accumulation) and specified bounds for MIN (minimum packet size), MAX (maximum packet size), MIN2 (minimum packet bound), MAX2 (maximum packet bound) and TI (time interval).
  - 3. The method of claim 1, wherein identifying the application protocol is further based on deep packet inspection of a payload of one or more packets from the stream of network packets.
  - 4. The method of claim 1, wherein the application protocol is defined at level 7 of the OSI/ISO model.
  - 5. The method of claim 1, further comprising:
    - mapping tokens to the stream of network packets by making tokens available according to an expected probabilistic distribution function that is not constant; and
      
      rejecting network packets from the stream of network packets that exceed available tokens.

6. A non-transitory computer-readable medium storing instructions that, when executed by a processor, perform a method in a computing device of a wireless communication network for restricting use of applications, the method comprising the steps of:
- receiving a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
  
  measuring a traffic pattern of the stream of network packets;
  
  identifying an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
  
  applying a treatment associated with the application protocol, comprising;
  
  mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
  
  rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable medium of claim 6, wherein the traffic pattern measurement comprises one or more of:
    - minimum values for R (average packet rate), B (maximum packet burst), Q (maximum future accumulation) and specified bounds for MIN (minimum packet size), MAX (maximum packet size), MIN2 (minimum packet bound), MAX2 (maximum packet bound) and TI (time interval).
  - 8. The computer-readable medium of claim 6, wherein identifying the application protocol is further based on deep packet inspection of a payload of one or more packets from the stream of network packets.
  - 9. The computer-readable medium of claim 6, wherein the application protocol is defined at level 7 of the OSI/ISO model.
  - 10. The computer-readable medium of claim 6, wherein the treatment restricts use of the application protocol during preconfigured business hours.

11. A computing device, comprising:
- a processor; and
  
  a memory, comprising;
  
  an interface to receive a stream of network packets associated with a network source, the stream of packets having frames with data payloads that are encrypted;
  
  a traffic measurement module to measure a traffic pattern of the stream of network packets;
  
  an application identifying module to identify an application protocol of the stream of network packets based on parameters of the traffic patterns apart from the encrypted data payloads, the application protocol corresponding to an application in use by an end user; and
  
  a treatment application module to apply a treatment associated with the application protocol, comprising;
  
  mapping tokens to the stream of network packets by making tokens available based on an expected probabilistic distribution function of the application protocol being restricted, wherein the expected probabilistic distribution function is nonlinear; and
  
  rejecting network packets from the stream of network packets that exceed available tokens and the allowed application use.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Meru Networks, Inc. (Fortinet Inc.)
Inventors
Bharghavan, Vaduvur, Han, Sung-Wook, Varma, Shishir
Primary Examiner(s)
Elliott, IV, Benjamin H

Application Number

US12/827,295
Time in Patent Office

1,735 Days
Field of Search

370/230, 370/232, 370/235, 370/450, 370/909, 370/412, 370/413, 370/414, 370/429, 726 2- 13, 726 18- 20, 380277-286, 380 44- 47
US Class Current

370/429
CPC Class Codes

H04L 43/0894   Packet rate

H04L 47/10   Flow control; Congestion co...

H04L 47/215   using token-bucket

H04L 47/2475   for supporting traffic char...

H04L 47/2483   involving identification of...

H04L 47/39   Credit based

H04L 49/90   Buffering arrangements

Recognizing application protocols by identifying message traffic patterns

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Recognizing application protocols by identifying message traffic patterns

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others