Method and apparatus for identifying application protocol

US 9,031,959 B2
Filed: 05/19/2010
Issued: 05/12/2015
Est. Priority Date: 05/19/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method of identifying an application protocol, the method comprising:

A. classifying a data packet to be detected into an individual traffic flow;

B. searching for keywords in a valid payload of the traffic flow based upon a keyword database of identifiable application protocols, and determining a keyword weight vector of the traffic flow, wherein a weight of a keyword is related to a location of the keyword in a valid payload of a traffic flow;

C. determining similarities between the keyword weight vector of the traffic flow and feature keyword weight vectors of the identifiable application protocols; and

D. determining an application protocol corresponding to a feature keyword weight vector with the highest similarity to the keyword weight vector of the traffic flow as the application protocol of the traffic flow if a predetermined condition is satisfied.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, the method of identifying an application protocol includes classifying a data packet to be detected into an individual traffic flow, searching for keywords in a valid payload of the traffic flow based upon a keyword database of identifiable application protocols, and determining a keyword weight vector of the traffic flow. The weight of a keyword is related to a location of the keyword in a valid payload of a traffic flow. Similarities between the keyword weight vector of the traffic flow and feature keyword weight vectors of the identifiable application protocols are determined; and an application protocol corresponding to a feature keyword weight vector with the highest similarity to the keyword weight vector of the traffic flow as the application protocol of the traffic flow is deteremined if a condition is satisfied.

15 Citations

View as Search Results

14 Claims

1. A method of identifying an application protocol, the method comprising:
- A. classifying a data packet to be detected into an individual traffic flow;
  
  B. searching for keywords in a valid payload of the traffic flow based upon a keyword database of identifiable application protocols, and determining a keyword weight vector of the traffic flow, wherein a weight of a keyword is related to a location of the keyword in a valid payload of a traffic flow;
  
  C. determining similarities between the keyword weight vector of the traffic flow and feature keyword weight vectors of the identifiable application protocols; and
  
  D. determining an application protocol corresponding to a feature keyword weight vector with the highest similarity to the keyword weight vector of the traffic flow as the application protocol of the traffic flow if a predetermined condition is satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein a keyword, which appears earlier in a valid payload of a traffic flow for a first time, has a larger weight in the step B.
  - 3. The method according to claim 2, wherein a weight of an i^thkeyword in a key weight vector of a traffic flow f_dis represented as ω
    - _id=itp_id×
      
      idf_i;
      
      wherein itp_id=1/o_id, o_idrepresents a location where the i^thkeyword appears in the traffic flow f_dfor a first time; and
      
      wherein
  - 4. The method according to claim 1, wherein before the step A, the method further comprises:
    - a. searching for keywords in valid payloads of a plurality of training traffic flows based upon the keyword database of the identifiable application protocols, and determining keyword weight vectors of the plurality of training traffic flows; and
      
      b. determining a feature keyword weight vector corresponding to each of the identifiable application protocols according to the keyword weight vectors of the plurality of training traffic flows.
  - 5. The method according to claim 4, wherein the keyword weight vectors of the plurality of training traffic flows are determined in the step a using the same algorithm as in the step B;
    - andwherein a weight of an ith keyword in a key weight vector of a j^thtraffic flow is represented as ω
      
      _ij=itp_ij×
      
      idf_i;
      
      wherein itp_ij=1/o_ij, o_ij, represents a location where the i^thkeyword appears in the J^thtraffic flow for a first time; and
      
      wherein
  - 6. The method according to claim 1, wherein the data packet to be detected is classified according to a 5-tuple of the data packet in the step A, and the 5-tuple includes a source address, a destination address, a source port number, a destination port number and a transport protocol type;
    - and the similarity in the step C includes a cosine similarity.
  - 7. The method according to claim 1, wherein the predetermined condition includes the highest similarity being above a predetermined value.

8. An apparatus for identifying an application protocol, the apparatus comprising:
- a first device, in network equipment controlled by a processor, configured to classify a data packet to be detected into an individual traffic flow;
  
  a second device, in the network equipment controlled by the processor, configured to search for keywords in a valid payload of the traffic flow based upon a keyword database of identifiable application protocols, and to determine a keyword weight vector of the traffic flow, wherein a weight of a keyword is related to a location of the keyword in a valid payload of a traffic flow;
  
  a third device, in the network equipment controlled by the processor, configured to determine similarities between the keyword weight vector of the traffic flow and feature keyword weight vectors of the identifiable application protocols; and
  
  a fourth device, in the network equipment controlled by the processor, configured to determine an application protocol corresponding to a feature keywordweight vector with highest similarity to the keyword weight vector of the traffic flow as the application protocol of the traffic flow if a predetermined condition is satisfied.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The protocol identifying apparatus according to claim 8, wherein a keyword, which appears earlier in a valid payload of a traffic flow for a first time, has a larger weight in the second device.
  - 10. The protocol identifying apparatus according to claim 9, wherein a weight of an i^thkeyword in a key weight vector of a traffic flow f_dis represented as ω
    - _id=itp_id×
      
      idf_i;
      
      wherein itp_id=1/o_id, o_idrepresents a location where the i^thkeyword appears in the traffic flow f_dfor a first time; and
      
      wherein
  - 11. The protocol identifying apparatus according to claim 8, wherein before the step A, wherein the second device is further configured:
    - to search for keywords in valid payloads of a plurality of training traffic flows based upon the keyword database of the identifiable application protocols, and to determine keyword weight vectors of the plurality of training traffic flows; and
      
      to determine a feature keyword weight vector corresponding to each of the identifiable application protocols according to the keyword weight vectors of the plurality of training traffic flows.
  - 12. The protocol identifying apparatus according to claim 11, wherein the second device determines the keyword weight vectors of the plurality of training traffic flows and the traffic flow of the data packet to be detected using the same algorithm;
    - andwherein a weight of an i^thkeyword in a key weight vector of a j^thtraffic flow is represented as ω
      
      _ij=itp_ij×
      
      idf_i;
      
      wherein itp_ij=1/o_ij, o_ijrepresents a location where the i^thkeyword appears in the j^thtraffic flow for a first time; and
      
      wherein
  - 13. The protocol identifying apparatus according to claim 8, wherein the first device classifies the data packet to be detected according to a 5-tuple of the data packet, and the 5-tuple includes a source address, a. destination address, a source port number, a destination port number and a transport protocol type;
    - and the similarity in the third device includes a cosine similarity.
  - 14. The protocol identifying apparatus according to claim 8, wherein the predetermined condition includes the highest similarity being above a predetermined value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Liu, Fang
Primary Examiner(s)
Bullock, Joshua

Application Number

US13/696,431
Publication Number

US 20130054619A1
Time in Patent Office

1,819 Days
Field of Search

707/748, 709/230
US Class Current

707/748
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/18   Protocol analysers

H04L 63/0245   Filtering by information in...

H04L 9/40   Network security protocols

Method and apparatus for identifying application protocol

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for identifying application protocol

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links