System and method for characterizing network traffic

US 9,832,140 B2
Filed: 02/20/2015
Issued: 11/28/2017
Est. Priority Date: 02/20/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising one or more processors and one or more memory devices coupled to the one or more processors, the one or more memory devices storing executable and operational code effective to cause the one or more processors to:

evaluate first traffic to identify for each first session of a portion of first sessions in which the first traffic occurs and, according to the evaluation, identify a local host associated with the each first session, a remote host associated with the each first session, and an application of a plurality of applications associated with the each first session;

evaluate second traffic subsequent to the first traffic; and

for each second session of a plurality of second sessions in the second traffic—

identify a local host and a remote host associated with the each second session;

identify an inferred application of the plurality of applications that is associated with a same local host and a same remote host in one or more of the first sessions as the each second session; and

apply prioritization logic to subsequent traffic in the each second session according to the associating of the inferred application to the each second session;

wherein the executable and operational code effective to cause the one or more processors to identify the inferred application of the plurality of applications for the each second session by—

if (a) one or more first sessions of the portion of the first sessions are associated with a same domain name as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions associated with the same domain name as the each second session;

if not (a), then if (b) one or more first sessions of the portion of the first sessions are associated with the same remote host and the same local host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host and the same remote host as the each second session; and

if not (b), then if one or more first sessions of the portion of the first sessions are associated with the same remote host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host as the each second session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system monitors first traffic and identifies associations between applications that generated or received the traffic and parameters such as domain names, a remote host, and a local host referenced in the traffic. Subsequent traffic is monitored and determined to be generated by or addressed to an application according to such parameters in the subsequent traffic, such as remote host, local host, domain name, or port number. The subsequent traffic is associated with an application without requiring deep packet inspection (DPI). In particular, an application may be associated with a session based on evaluation of a single packet of the session.

9 Citations

3 Claims

1. A system comprising one or more processors and one or more memory devices coupled to the one or more processors, the one or more memory devices storing executable and operational code effective to cause the one or more processors to:
- evaluate first traffic to identify for each first session of a portion of first sessions in which the first traffic occurs and, according to the evaluation, identify a local host associated with the each first session, a remote host associated with the each first session, and an application of a plurality of applications associated with the each first session;
  
  evaluate second traffic subsequent to the first traffic; and
  
  for each second session of a plurality of second sessions in the second traffic—
  
  identify a local host and a remote host associated with the each second session;
  
  identify an inferred application of the plurality of applications that is associated with a same local host and a same remote host in one or more of the first sessions as the each second session; and
  
  apply prioritization logic to subsequent traffic in the each second session according to the associating of the inferred application to the each second session;
  
  wherein the executable and operational code effective to cause the one or more processors to identify the inferred application of the plurality of applications for the each second session by—
  
  if (a) one or more first sessions of the portion of the first sessions are associated with a same domain name as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions associated with the same domain name as the each second session;
  
  if not (a), then if (b) one or more first sessions of the portion of the first sessions are associated with the same remote host and the same local host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host and the same remote host as the each second session; and
  
  if not (b), then if one or more first sessions of the portion of the first sessions are associated with the same remote host as the each second session, identifying as the inferred application, the application associated with the one or more first sessions of the portion of the first sessions including the same remote host as the each second session.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the executable and operational code effective to cause the one or more processors to identify the inferred application of the plurality of applications for the each second session by:
    - if not (c), selecting the inferred application as an application that is mapped to a port associated with the each second session in a mapping database.
  - 3. The system of claim 2, wherein the executable and operational code effective to cause the one or more processors to identify the inferred application of the plurality of applications for the each second session by:
    - attempting to perform deep packet inspection (DPI) for the each second session; and
      
      if DPI for the each second session is successful, selecting as the inferred application an application determined according to DPI.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Saisei Networks, Inc.
Original Assignee
Saisei Networks Pte Ltd.
Inventors
Harper, John Anthony
Primary Examiner(s)
Chacko, Joe

Application Number

US14/627,996
Publication Number

US 20160248700A1
Time in Patent Office

1,012 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/14   Network analysis or design

H04L 43/028   by filtering

H04L 43/062   related to network traffic

H04L 47/801   Real time traffic

H04L 47/805   QOS or priority aware

System and method for characterizing network traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

3 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for characterizing network traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

3 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links