System and method for characterizing network traffic
First Claim
1. A system comprising one or more processors and one or more memory devices coupled to the one or more processors, the one or more memory devices storing executable and operational code effective to cause the one or more processors to:
evaluate first traffic to identify for each first session of a portion of first sessions in which the first traffic occurs and, according to the evaluation, identify a local host associated with the each first session, a remote host associated with the each first session, and an application of a plurality of applications associated with the each first session;
evaluate second traffic subsequent to the first traffic; and
for each second session of a plurality of second sessions in the second traffic—
identify a local host and a remote host associated with the each second session;
identify an inferred application of the plurality of applications that is associated with a same local host and a same remote host in one or more of the first sessions as the each second session; and
apply prioritization logic to subsequent traffic in the each second session according to the associating of the inferred application to the each second session;
wherein the executable and operational code effective to cause the one or more processors to identify the inferred application of the plurality of applications for the each second session by—
if (a) one or more first sessions of the portion of the first sessions are associated with a same domain name as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions associated with the same domain name as the each second session;
if not (a), then if (b) one or more first sessions of the portion of the first sessions are associated with the same remote host and the same local host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host and the same remote host as the each second session; and
if not (b), then if one or more first sessions of the portion of the first sessions are associated with the same remote host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host as the each second session.
Abstract
A system monitors first traffic and identifies associations between applications that generated or received the traffic and parameters such as domain names, a remote host, and a local host referenced in the traffic. Subsequent traffic is monitored and determined to be generated by or addressed to an application according to such parameters in the subsequent traffic, such as remote host, local host, domain name, or port number. The subsequent traffic is associated with an application without requiring deep packet inspection (DPI). In particular, an application may be associated with a session based on evaluation of a single packet of the session.
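The lookup order in claim 1, (a) domain name, then (b) local and remote host pair, then (c) remote host alone, can be sketched as follows. This is an added example, not code from the patent; the class and function names, the frequency-based choice when several applications share a key, and the priority values are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Hypothetical priority classes (lower = more urgent); not taken from the patent.
PRIORITY = {"voip": 0, "video": 1, "backup": 3}
DEFAULT_PRIORITY = 2


def _norm(domain):
    """Normalize a domain name so 'CDN.Example.' and 'cdn.example' match."""
    return domain.lower().rstrip(".") if domain else None


class AppInferencer:
    def __init__(self):
        self.by_domain = defaultdict(Counter)  # domain          -> app counts
        self.by_pair = defaultdict(Counter)    # (local, remote) -> app counts
        self.by_remote = defaultdict(Counter)  # remote          -> app counts

    def learn(self, local, remote, app, domain=None):
        """Record a 'first session' whose application was already identified."""
        if domain:
            self.by_domain[_norm(domain)][app] += 1
        self.by_pair[(local, remote)][app] += 1
        self.by_remote[remote][app] += 1

    def infer(self, local, remote, domain=None):
        """Return (app, tier) for a 'second session' using only its addressing."""
        tiers = (
            ("domain", self.by_domain, _norm(domain)),      # (a)
            ("host-pair", self.by_pair, (local, remote)),   # (b)
            ("remote-host", self.by_remote, remote),        # (c)
        )
        for name, table, key in tiers:
            if key is not None and key in table:
                # Assumption: when a key maps to several apps, pick the most frequent.
                return table[key].most_common(1)[0][0], name
        return None, "unknown"


def priority_for(app):
    return PRIORITY.get(app, DEFAULT_PRIORITY)


def build_demo():
    """Constructed sample sessions (documentation address ranges)."""
    inf = AppInferencer()
    inf.learn("10.0.0.5", "203.0.113.10", "video", domain="cdn.video.example")
    inf.learn("10.0.0.5", "198.51.100.7", "backup")
    inf.learn("10.0.0.9", "198.51.100.7", "backup")
    inf.learn("10.0.0.9", "198.51.100.7", "voip")
    return inf
```

The remote-host tier is the weakest signal: an address shared by several services (the constructed `198.51.100.7` above carries both `backup` and `voip`) is attributed to whichever application was seen most often, so a policy built on the result should record which tier produced the match.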
Specification