Network application classification for network traffic management
First Claim
1. A method of controlling computer network traffic, the method comprising:
receiving a Domain Name System (DNS) query request for a network name of a content server;
in response to receiving the DNS query request, monitoring for a corresponding DNS query response that is responsive to the DNS query request;
receiving the DNS query response;
retrieving from the DNS query response an Internet Protocol (IP) address associated with the network name;
classifying the IP address as belonging to a network application associated with the content server;
forwarding the DNS query response to a user computer that sent out the DNS query request;
after forwarding the DNS query response to the user computer that sent out the DNS query request, receiving network traffic with encrypted packet payloads;
in response to determining that the network traffic includes packets having a source or destination address that matches the IP address, classifying the network traffic as belonging to the network application associated with the content server; and
in response to classifying the network traffic as belonging to the network application associated with the content server, enforcing a security policy on the network traffic, wherein the security policy includes blocking the network traffic.
1 Assignment
0 Petitions
Abstract
Network traffic with encrypted packet payloads is classified based on monitored Domain Name System (DNS) query requests and responses. A network appliance, or some other computer, receives a DNS query request for a network name (e.g., host name) of a content server, and starts monitoring for a corresponding DNS query response. The network appliance receives the DNS query response and parses the DNS query response to retrieve an Internet Protocol (IP) address associated with the network name. The network appliance classifies the IP address as belonging to the content server or a network application associated with the content server. When the network appliance subsequently receives packets with a source or destination address that matches the IP address, the network appliance classifies the received packets as belonging to the content server or a network application associated with the content server.
33 Citations
15 Claims
1. A method of controlling computer network traffic (independent claim, set out in full above under First Claim).
Dependent claims: 2, 3, 4, 5
6. A computer network comprising:
a user computer that runs a client software for accessing a content server and sends a Domain Name System (DNS) query request initiated by the client software, the DNS query request being a request for Internet Protocol (IP) address associated with a network name of the content server; and
a network appliance that detects the DNS query request, starts monitoring for a corresponding DNS query response in response to detecting the DNS query request, forwards the DNS query request to a DNS server, receives the DNS query response sent by the DNS server, retrieves the IP address from the DNS query response, classifies the IP address as belonging to a network application associated with the content server, detects and classifies received packets having a destination address that matches the IP address as belonging to the network application after forwarding the DNS query response to the user computer, and enforces a security policy on the received packets, wherein the security policy includes blocking the received packets.
Dependent claims: 7, 8, 9, 10
11. A method of controlling computer network traffic, the method comprising:
a first computer sending a Domain Name System (DNS) query request for a network name of a content server;
a second computer receiving the DNS query request;
in response to receiving the DNS query request, the second computer monitoring for a corresponding DNS query response;
the second computer forwarding the DNS query request to a DNS server;
the second computer receiving the DNS query response that is sent by the DNS server;
the second computer retrieving an Internet Protocol (IP) address from the DNS server;
the second computer classifying the IP address as belonging to a network application associated with the content server;
the second computer forwarding the DNS query response to the first computer;
after forwarding the DNS query response to the first computer, the second computer receiving packets with encrypted packet payloads and having a destination address that matches the IP address;
the second computer classifying the received packets as belonging to the network application associated with the content server; and
the second computer enforcing a security policy pertaining to the content server on the received packets, wherein the security policy includes blocking the received packets.
Dependent claims: 12, 13, 14, 15
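The DNS-snooping classification described in the abstract and claims, as an added Python example that is not code from the patent or its assignee: the appliance records each DNS query it sees, parses only the matching response for A records, maps the returned IPs to the application configured for that network name, and then classifies encrypted packets by address alone and blocks them under the policy. The policy table, application labels, addresses and DNS messages are constructed for this example; it also goes slightly beyond the text by decoding RFC 1035 compression pointers, which real responses use.

```python
import struct

# Constructed policy (assumption): content-server network name -> application label to block.
APP_BY_NAME = {"video.example.net": "video-streaming"}
BLOCKED_APPS = {"video-streaming"}

def read_name(msg, off):  # decode a DNS name at msg[off:], following RFC 1035 compression pointers
    labels = []
    while (length := msg[off]) != 0:
        if length & 0xC0:  # two-byte pointer into an earlier name
            tail, _ = read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1

def parse_dns(msg):  # -> (txid, is_response, qname, A-record IPs); assumes one question entry
    txid, flags, _qdcount, ancount = struct.unpack("!4H", msg[:8])
    qname, off = read_name(msg, 12)
    off, ips = off + 4, []  # skip QTYPE and QCLASS of the question
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record: IPv4 address
            ips.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, bool(flags & 0x8000), qname.lower(), ips

class DnsSnoopClassifier:
    """Learns IP -> application from DNS responses, then labels packets by address alone."""
    def __init__(self):
        self.pending = {}    # txid -> qname of queries awaiting a response
        self.ip_to_app = {}  # resolved IP -> application label
    def on_dns_message(self, msg):
        txid, is_response, qname, ips = parse_dns(msg)
        if not is_response:
            self.pending[txid] = qname  # start monitoring for the matching response
            return None
        if self.pending.pop(txid, None) != qname:  # unsolicited or mismatched reply: ignore
            return None
        app = APP_BY_NAME.get(qname)
        self.ip_to_app.update({ip: app for ip in ips} if app else {})
        return app
    def classify_packet(self, src_ip, dst_ip):  # payload is encrypted, so address is all we have
        app = self.ip_to_app.get(dst_ip) or self.ip_to_app.get(src_ip)
        return (app or "unknown", "block" if app in BLOCKED_APPS else "allow")

# Constructed sample: query for video.example.net (txid 0x1234) and a response with two A records
RR_PREFIX = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71"  # ptr, A, IN, TTL 300, 203.0.113.x
SAMPLE_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x05video\x07example\x03net\x00\x00\x01\x00\x01"
SAMPLE_RESPONSE = SAMPLE_QUERY[:2] + b"\x81\x80\x00\x01\x00\x02" + SAMPLE_QUERY[8:] + RR_PREFIX + b"\x0a" + RR_PREFIX + b"\x0b"
```

The block keeps learned addresses forever; an appliance should age each entry out with the record's TTL, because CDN addresses are reused across services and a stale mapping misclassifies unrelated traffic.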