Network application classification for network traffic management

US 9,253,068 B1
Filed: 02/22/2013
Issued: 02/02/2016
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method of controlling computer network traffic, the method comprising:

receiving a Domain Name System (DNS) query request for a network name of a content server;

in response to receiving the DNS query request, monitoring for a corresponding DNS query response that is responsive to the DNS query request;

receiving the DNS query response;

retrieving from the DNS query response an Internet Protocol (IP) address associated with the network name;

classifying the IP address as belonging to a network application associated with the content server;

forwarding the DNS query response to a user computer that sent out the DNS query request;

after forwarding the DNS query response to the user computer that sent out the DNS query request, receiving network traffic with encrypted packet payloads;

in response to determining that the network traffic includes packets having a source or destination address that matches the IP address, classifying the network traffic as belonging to the network application associated with the content server; and

in response to classifying the network traffic as belonging to the network application associated with the content server, enforcing a security policy on the network traffic,wherein the security policy includes blocking the network traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic with encrypted packet payloads is classified based on monitored Domain Name System (DNS) query requests and responses. A network appliance, or some other computer, receives a DNS query request for a network name (e.g., host name) of a content server, and starts monitoring for a corresponding DNS query response. The network appliance receives the DNS query response and parses the DNS query response to retrieve an Internet Protocol (IP) address associated with the network name. The network appliance classifies the IP address as belonging to the content server or a network application associated with the content server. When the network appliance subsequently receives packets with a source or destination address that matches the IP address, the network appliance classifies the received packets as belonging to the content server or a network application associated with the content server.

33 Citations

View as Search Results

15 Claims

1. A method of controlling computer network traffic, the method comprising:
- receiving a Domain Name System (DNS) query request for a network name of a content server;
  
  in response to receiving the DNS query request, monitoring for a corresponding DNS query response that is responsive to the DNS query request;
  
  receiving the DNS query response;
  
  retrieving from the DNS query response an Internet Protocol (IP) address associated with the network name;
  
  classifying the IP address as belonging to a network application associated with the content server;
  
  forwarding the DNS query response to a user computer that sent out the DNS query request;
  
  after forwarding the DNS query response to the user computer that sent out the DNS query request, receiving network traffic with encrypted packet payloads;
  
  in response to determining that the network traffic includes packets having a source or destination address that matches the IP address, classifying the network traffic as belonging to the network application associated with the content server; and
  
  in response to classifying the network traffic as belonging to the network application associated with the content server, enforcing a security policy on the network traffic,wherein the security policy includes blocking the network traffic.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the network name comprises a host name.
  - 3. The method of claim 1 wherein the network application comprises a client software running on the user computer.
  - 4. The method of claim 1 wherein the content server serves streaming video.
  - 5. The method of claim 1 wherein the method is performed by a network appliance that provides a gateway function in a private computer network that includes the user computer.

6. A computer network comprising:
- a user computer that runs a client software for accessing a content server and sends a Domain Name System (DNS) query request initiated by the client software, the DNS query request being a request for Internet Protocol (IP) address associated with a network name of the content server; and
  
  a network appliance that detects the DNS query request, starts monitoring for a corresponding DNS query response in response to detecting the DNS query request, forwards the DNS query request to a DNS server, receives the DNS query response sent by the DNS server, retrieves the IP address from the DNS query response, classifies the IP address as belonging to a network application associated with the content server, detects and classifies received packets having a destination address that matches the IP address as belonging to the network application after forwarding the DNS query response to the user computer, and enforces a security policy on the received packets,wherein the security policy includes blocking the received packets.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer network of claim 6 wherein the network name comprises a host name.
  - 8. The computer network of claim 6 wherein the received packets have encrypted payloads.
  - 9. The computer network of claim 6 wherein the content server serves streaming video.
  - 10. The computer network of claim 6 wherein the network appliance provides a gateway function in the computer network.

11. A method of controlling computer network traffic, the method comprising:
- a first computer sending a Domain Name System (DNS) query request for a network name of a content server;
  
  a second computer receiving the DNS query request;
  
  in response to receiving the DNS query request, the second computer monitoring for a corresponding DNS query response;
  
  the second computer forwarding the DNS query request to a DNS server;
  
  the second computer receiving the DNS query response that is sent by the DNS server;
  
  the second computer retrieving an Internet Protocol (IP) address from the DNS server;
  
  the second computer classifying the IP address as belonging to a network application associated with the content server;
  
  the second computer forwarding the DNS query response to the first computer;
  
  after forwarding the DNS query response to the first computer, the second computer receiving packets with encrypted packet payloads and having a destination address that matches the IP address;
  
  the second computer classifying the received packets as belonging to the network application associated with the content server; and
  
  the second computer enforcing a security policy pertaining to the content server on the received packets,wherein the security policy includes blocking the received packets.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein the network name comprises a host name.
  - 13. The method of claim 11 wherein the content server serves streaming video.
  - 14. The method of claim 11 wherein the second computer provides a gateway function to the first computer and other computers on a private computer network.
  - 15. The method of claim 11 wherein the network application is a client software of the content server running in the first computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Wu, Tzu-Chien, Wu, Kuang-Yu
Primary Examiner(s)
DINH, KHANH Q

Application Number

US13/774,166
Time in Patent Office

1,075 Days
Field of Search

709/219, 709/224, 709/245, 709/203, 370/252
US Class Current

1/1
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/166   at the transport layer

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Network application classification for network traffic management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network application classification for network traffic management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links