WO2023249679A1 - Application traffic flow prediction based on multi-stage network traffic flow scanning - Google Patents
Application traffic flow prediction based on multi-stage network traffic flow scanning Download PDFInfo
- Publication number
- WO2023249679A1 WO2023249679A1 PCT/US2023/016575 US2023016575W WO2023249679A1 WO 2023249679 A1 WO2023249679 A1 WO 2023249679A1 US 2023016575 W US2023016575 W US 2023016575W WO 2023249679 A1 WO2023249679 A1 WO 2023249679A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- pattern
- traffic flow
- application
- match
- protocol
- Prior art date
Links
- 230000011664 signaling Effects 0.000 claims abstract description 27
- 238000013507 mapping Methods 0.000 claims abstract description 25
- 238000000034 method Methods 0.000 claims description 15
- 239000000284 extract Substances 0.000 claims description 11
- 230000014509 gene expression Effects 0.000 claims description 5
- 238000001514 detection method Methods 0.000 claims description 3
- 230000000977 initiatory effect Effects 0.000 claims description 2
- 230000004069 differentiation Effects 0.000 abstract description 4
- 238000007689 inspection Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000012546 transfer Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 150000001768 cations Chemical class 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 229920002776 polycyclohexyl methacrylate Polymers 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000013589 supplement Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/028—Capturing of monitoring data by filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/302—Route determination based on requested QoS
- H04L45/306—Route determination based on the nature of the carried application
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2475—Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2483—Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
Definitions
- the disclosure generally relates to electronic communication (e.g., CPC Class H04 and digital transmission arrangements for network maintenance, administration, or management (e.g., subclass H04L 41/00).
- electronic communication e.g., CPC Class H04 and digital transmission arrangements for network maintenance, administration, or management (e.g., subclass H04L 41/00).
- Flow tracking inspects information in headers of packets (i.e., transport layer protocol data units) to classify packets of network traffic into different flows.
- a flow is identified with a tuple, which may be a 5- or 3- tuple.
- a 5-tuple for flow classification includes source Internet Protocol (IP) address, source Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port, destination IP address, destination TCP/UDP port, and IP protocol.
- IP Internet Protocol
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- a 3-tuple for flow classification would include source IP address, destination IP address, and IP protocol.
- a firewall can use stateful inspection to identify the application of a flow based on port and source/ destination addresses.
- a firewall may also use deep packet inspection to identify an application based on an application signature/pattem in application data.
- Figure 1 is a diagram of a network device control plane using multi-stage pattern matching on network traffic for application flow prediction.
- Figure 2 is a flowchart of example operations for building application/data protocol databases for multi-stage application flow prediction.
- Figure 3 is a flowchart of example operations for multi-stage scanning of network traffic for application flow prediction.
- Figure 4 depicts an example computer system with a data plane and a control plane that includes an application flow predictor.
- Identifying an application layer protocol e.g., session initiation protocol (SIP) or file transfer protocol (FTP)
- an application prior to application data beginning to flow across an inspection point e.g., a firewall
- an inspection point e.g., a firewall
- Some applications and application layer protocols rely on session establishment by a signaling protocol (e.g., SIP or H.323) before application trafflc/data begins to flow.
- SIP session initiation protocol
- FTP file transfer protocol
- This description refers to an application layer/level protocol that often precedes data/ application traffic as a “predictor protocol” since the subsequent flow of data or application traffic is expected or can be predicted.
- a security appliance e.g., a firewall with an application level gateway
- a pattern matching database is built and maintained for identifying an application or application level protocol (e.g., SIP, Hypertext Transfer Protocol (HTTP), etc.).
- pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained.
- a process(es) in the control plane (“application identification engine”) scans a flow in a first stage and then scans the traffic in a second stage if a predictor protocol message is detected in the first stage scan. For the second stage, the application identification engine selects one of the application/data protocol pattern databases for scanning based on the predictor protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, the application identification engine creates a mapping between the predictor protocol identifier and an identifier for a predicted application traffic flow.
- Figure 1 is a diagram of a network device control plane using multi-stage pattern matching on network traffic for application flow prediction.
- Figure 1 illustrates a control plane 101 and a data plane 103.
- the data plane 103 includes a packet forwarding engine 117.
- the control plane 101 includes an application identification engine 111 with an application flow predictor.
- the application identification engine 111 also includes a pattern matching engine 109.
- the control plane 101 also includes a traffic processor 110 that implements deep packet inspection (DPI) with flow tracking.
- DPI deep packet inspection
- FIG. 1 is annotated with a series of letters A-G. Each stage represents one or more operations. Although these stages are ordered for this example, the stages illustrate one example to aid in understanding this disclosure and should not be used to limit the claims. Subject matter falling within the scope of the claims can vary from what is illustrated.
- network traffic received at the data plane 103 is mirrored to the control plane 101.
- the mirroring can be implemented with port mirroring.
- the traffic processor 110 differentiates the mirrored network traffic into detected traffic flows. For instance, the traffic processor 110 creates (or spawns a thread to create) a data structure with the detected network information tuples for flow differentiation.
- the application identification engine 111 scans the packets of the flow to identify an application or application level protocol in order to ensure a corresponding policy is applied.
- the application identification engine 111 scans the traffic flow using the pattern matching engine 109 for a match in a stage 1 application layer pattern database 113.
- the pattern matching database 113 and the pattern matching databases 115 are built.
- Expert/domain knowledge is used to select and define patterns or regular expressions based on fields of messages that represent applications, signaling protocols, etc.
- expert/domain knowledge is used to select and define patterns based on fields of messages that represent data protocols or applications. For this illustration, assume the stage 1 scanning y ields a matching entry indicating a SIP message is detected in the transport layer packet pay load or user data payload.
- the application identification engine 111 selects the one of the pattern matching databases 115 for SIP based on the stage 1 scanning result and scans the traffic flow
- the application identification engine 111 scans the traffic flow using the pattern matching engine 109 (or another instance of the pattern matching engine 109) for a match in the selected SIP pattern matching database of the databases 115.
- the application identification engine 111 determines a data protocol indicated in the traffic flow and extracts flow identifying information of the data protocol from the matched packet payload, based on finding a pattern match in the selected stage 2 database.
- the matching entry can indicate location of flow identify ing information in the matched payload with the SIP message.
- the matching pattern may be for the Real-Time Protocol (RTP) indicated in a Session Description Protocol (SDP) message of the SIP message.
- RTP Real-Time Protocol
- SDP Session Description Protocol
- the matching entry can indicate an offset within the SIP message to locate the network address (e g., IP address) and port for the RTP connection that will be established and stream multimedia data.
- INVITE sip bob@biloxi . example SIP/2.0
- the stage 1 scanning would have matched a pattern corresponding to “INVITE sip” and determine that the traffic flow included a SIP message.
- the stage 2 scanning would match multiple patterns within the SIP message, each of which corresponds to the data or application level protocol RTP. After SIP establishes the session(s), RTP will be used to deliver audio and video data streams. These are indicated with the m-lines.
- the extracted network address forms part of the flow identifier for the RTP application that will subsequently begin traversing the data plane 103 after the SIP session is established.
- the control plane 101 communicates the mapping(s) to the data plane 103. Assuming the matching pattern was found in the one of the databases 115 that represents SIP, the control plane 101 communicates a mapping of “sip” to an Internet Protocol (IP) address and a port, for example.
- IP Internet Protocol
- the control plane 101 can communicate the mapping via an interprocess communication channel or inband interface.
- the packet forwarding engine 117 determines a policy to apply to the flow identified in the communicated mapping.
- the packet forwarding engine 117 accesses a repository (or structure) 119 that indicates policies assigned to applications and/or data protocols.
- the packet forwarding engine 117 accesses the repository 119 with the application or protocol identifier communicated from the control plane 101 to determine a configured or assigned policy. The packet forwarding engine 117 then updates a memory or structure of the data plane 103 to indicate the determined policy for enforcement on the flow identified in the communicated mapping.
- Figures 2-3 are flowcharts of example operations related to the multi-stage prediction of an appli cation/ data protocol flow that follows detection of a message of a supporting and/or preceding protocol, such as a signaling protocol setup message. While the preceding figure refers to an application identification engine, the example operations are described with reference to an application flow predictor which can be a component of an application identification engine or a separate program that interacts with or supplements the application identification engine.
- the name chosen for the program code is not to be limiting on the claims. Structure and organization of a program can vary due to platform, programmer/architect preferences, programming language, etc. In addition, names of code units (programs, modules, methods, functions, etc.) can vary for the same reasons and can be arbitrary.
- Figure 2 is a flowchart of example operations for building application/data protocol databases for multi-stage application flow prediction. While at least some of the databases will be built in advance, others for different application/data protocols can be added later. In addition, database maintenance can involve adding, removing, and/or editing entnes, each of which associates information for flow identifying information extraction with a pattern.
- the application flow predictor begins operations for building pattern matching databases for application/data protocols that expected or predicted to follow session establishment by a signaling protocol. For example, the application flow predictor may build a regex matching database for each application/data protocol.
- the application flow predictor obtains application/data protocol identifier patterns that occur in preceding session setup messages. For example, the application flow predictor can iterate over files/structures containing regular expressions for a multi-channel application layer gateway (ALG) protocol (e.g., SIP, file transfer protocol (FTP), a H.323 protocol). The application flow predictor can process each of these files/structures in parallel or sequence.
- ALG application layer gateway
- the application flow predictor obtains location(s) of flow identifying information to associate with the identifier patterns.
- the network address follows a matching c line pattern and ports follow matching m line patterns.
- the obtained location may be indicated or represented with an offset from a beginning of a payload/message or with respect to the matched pattern.
- the application flow predictor compiles the identifier pattem(s) selected to represent the application/data protocol into the database. For instance, the application flow predictor compiles regular expressions of the application/data protocol into a regex matching database. Compilation depends upon the regex matching engine implementation being used. For instance, compilation functions of the Hyperscan library can be used to compile regular expressions selected for the application/data protocol. For a SIP pattern database, c-line and inline tokens from SDP payloads can be used to predict media flows (e.g., audio/video, RTP/AVP). As another example, patterns can be based on FTP port commands. Below are example SIP patterns defined with wildcards that can be compiled into a regex database for application/data protocols expected/predicted to follow a SIP session setup.
- TOK_IP4 "/ . *IN IP4 / i" ,
- TOK_RTP_AVP “/ . *RTP ⁇ /AVP / i” ,
- TOK_RTP_SAVP "/ . *RTP ⁇ /SAVP / i" ,
- TOK_RTP_AVPF "/ . *RTP ⁇ /AVPF / i" ,
- TOK_RTP_SAVPF "/ . *RTP ⁇ /SAVPF /i”
- the application flow predictor associates the obtained flow identifying information location(s) with the compiled pattern in the corresponding database entry.
- the application flow predictor can update a pointer or field to indicate the location information. This is an optional operation since location information can be separately defined for each signaling protocol. For example, a match in the SIP pattern matching database causes the application flow predictor to lookup location information based on finding a match instead of having the location information in the database.
- the application flow predictor determines whether there are patterns for an additional application/data protocol for flow prediction. If so, operational flow returns to block 201. Otherwise, operational flow ends.
- Figure 3 is a flowchart of example operations for multi-stage scanning of network traffic for application flow prediction.
- the example operations run after flow differentiation of network traffic mirrored from a data plane.
- the scanning is of an individual flow.
- a different thread can be instantiated for each flow to be scanned, depending upon implementation.
- an application identification engine scans mirrored packets of a traffic flow against a stage 1 pattern database.
- the Hyperscan library in scan mode can be used to scan the payloads of the packets in the flow.
- the scan generates a stage 1 scan result 302.
- An FTP process will use the control connection to communicate a command(s).
- a pattern match for detecting FTP in a traffic flow as a predictor protocol will match a FTP command or response code based pattern (e.g., USER, RETR, CDUP, CWD, XRCP, XRMD, 220, 227, 332, 421, etc.). If a predictor protocol is not indicated, then operational flow proceeds to block 307. If a predictor protocol is indicated in the stage 1 scan result, then operational flow proceeds to block 309 for stage 2 scanning.
- the application flow predictor of the application identification engine selects a stage 2 database based on the stage 1 scan result. For example, predictor protocol pattern matching databases are indexed or identified by the values that would be returned from a matching entry in the stage 1 pattern matching database.
- the application flow predictor scans the mirrored packets of the traffic flow in which the predictor protocol message was detected for a match in the selected predictor protocol database.
- the application flow predictor determines whether a match(es) is found in the selected database. If not, then operational flow ends. For instance, the scanning for multiple patterns in parallel may return a match indication or set of match indications. Using FTP as an example, after stage 1 scanning detects a FTP port command message “227 Entering Passive Mode” which will communicate address and port that the FTP server will use for the data transfer the stage 2 scanning will find the patterns associated with the flow identifying information. If a match is found, then operational flow proceeds to block 315.
- the application flow predictor extracts the predicted flow information based on the matching entry .
- the match(es) in the selected predictor protocol database predicts at least one subsequent flow (e.g., an RTP flow for an audio stream after the SIP setup) will begin to traverse the inspection point.
- the matching entry can indicate location of the flow information (e.g., locations of network address and port) within the predictor protocol message.
- Embodiments may separately indicate location of flow information based on a match in a predictor protocol database. For example, a match in the predictor protocol XYZ pattern matching database causes the application flow predictor to lookup the location information of network address and port in a separate table.
- a predictor protocol may allow for multiple flows to be indicated within a conforming message.
- a SIP message body can contain a SDP description for multiple flows with multiple connections and multiple media sessions.
- the application flow predictor can extract the flow identifying information by forming network address and port with detected parts of a FTP port command message.
- the command message formatted as PORT-COMMAND-CODE II, 12, 13, 14, pl, p2
- the application flow predictor can form the network address with II.12.13.14 and the port as (pl * 256) + p2.
- the application flow predictor creates a mapping 318 of predicted flow information to an identifier of the predictor protocol.
- the application flow predictor can use the predictor protocol identifier that was indicated in the stage 1 scan result.
- the application flow predictor creates a mapping 192.168,20. 101 :30206 ⁇ -> FTP.
- the application flow predictor (or another process in the control plane of the inspection point) communicates the mapping to the data plane. This can be communicated with inter-process communication, via an interface between the control plane and data plane, etc.
- Signaling protocol was selected as a representative type of predictor protocol since it often precedes ALG application traffic, (e.g., a SIP message precedes a RTP audio stream).
- SUBSTITUTE SHEET (RULE 26) accordance with any one of platform (operating system and/or hardware), application ecosystem, interfaces, programmer preferences, programming language, administrator preferences, etc.
- the machine readable medium may be a machine readable signal medium or a machine readable storage medium.
- a machine readable storage medium may be, for example, but not limited to, a system, apparatus, or device, that employs any one of or combination of electronic, magnetic, optical, electromagnetic, infrared, or semiconductor technology to store program code.
- Figure 4 depicts an example computer system with a data plane and a control plane that includes an application flow predictor.
- the computer system includes a control plane 401
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol. In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, the network traffic flow is scanned in a first stage and then in a second stage if a signaling protocol message is detected in the first stage scan. For the second stage, one of the application/data protocol pattern databases is selected for scanning based on the signaling protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, a mapping between the signaling protocol identifier and an identifier for a predicted application traffic flow is created and communicated to the data plane for policy selection and enforcement.
Description
APPLICATION TRAFFIC FLOW PREDICTION BASED ON MULTI-STAGE NETWORK TRAFFIC FLOW SCANNING
BACKGROUND
[0001] The disclosure generally relates to electronic communication (e.g., CPC Class H04 and digital transmission arrangements for network maintenance, administration, or management (e.g., subclass H04L 41/00).
[0002] Flow tracking inspects information in headers of packets (i.e., transport layer protocol data units) to classify packets of network traffic into different flows. A flow is identified with a tuple, which may be a 5- or 3- tuple. A 5-tuple for flow classification includes source Internet Protocol (IP) address, source Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port, destination IP address, destination TCP/UDP port, and IP protocol. A 3-tuple for flow classification would include source IP address, destination IP address, and IP protocol. After flow classification, a firewall can use stateful inspection to identify the application of a flow based on port and source/ destination addresses. A firewall may also use deep packet inspection to identify an application based on an application signature/pattem in application data.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] Embodiments of the disclosure may be better understood by referencing the accompanying drawings.
[0004] Figure 1 is a diagram of a network device control plane using multi-stage pattern matching on network traffic for application flow prediction.
[0005] Figure 2 is a flowchart of example operations for building application/data protocol databases for multi-stage application flow prediction.
[0006] Figure 3 is a flowchart of example operations for multi-stage scanning of network traffic for application flow prediction.
[0007] Figure 4 depicts an example computer system with a data plane and a control plane that includes an application flow predictor.
1
SUBSTITUTE SHEET ( RULE 26)
DESCRIPTION
[0008] The description that follows includes example systems, methods, techniques, and program flows to aid in understanding the disclosure and not to limit claim scope. Well-known instruction instances, protocols, structures, and techniques have not been shown in detail for conciseness.
[0009] Overview
[0010] Identifying an application layer protocol (e.g., session initiation protocol (SIP) or file transfer protocol (FTP)) or an application prior to application data beginning to flow across an inspection point (e.g., a firewall) allows for timely enforcement of a relevant policy and reduces the opportunity for a cyberattack. Some applications and application layer protocols rely on session establishment by a signaling protocol (e.g., SIP or H.323) before application trafflc/data begins to flow. This description refers to an application layer/level protocol that often precedes data/ application traffic as a “predictor protocol” since the subsequent flow of data or application traffic is expected or can be predicted. A security appliance (e.g., a firewall with an application level gateway) can use identification of a signaling protocol message establishing a session for an application or application layer protocol to determine flow identifying information to identify the application or application protocol before data begins streaming for the application or application layer protocol. In a network control plane, a pattern matching database is built and maintained for identifying an application or application level protocol (e.g., SIP, Hypertext Transfer Protocol (HTTP), etc.). In addition, pattern matching databases for predicting a subsequent flow for application layer/level protocols or data protocols are built and maintained. After flow differentiation in network traffic mirrored from a data plane, a process(es) in the control plane (“application identification engine”) scans a flow in a first stage and then scans the traffic in a second stage if a predictor protocol message is detected in the first stage scan. For the second stage, the application identification engine selects one of the application/data protocol pattern databases for scanning based on the predictor protocol message detected in the first stage scanning. If a match is found from the stage 2 scanning, the application identification engine creates a mapping between the predictor protocol identifier and an identifier for a predicted application traffic flow.
[0011] Example Illustrations
2
SUBSTITUTE SHEET ( RULE 26)
[0012] Figure 1 is a diagram of a network device control plane using multi-stage pattern matching on network traffic for application flow prediction. Figure 1 illustrates a control plane 101 and a data plane 103. The data plane 103 includes a packet forwarding engine 117. The control plane 101 includes an application identification engine 111 with an application flow predictor. The application identification engine 111 also includes a pattern matching engine 109. The control plane 101 also includes a traffic processor 110 that implements deep packet inspection (DPI) with flow tracking.
[0013] Figure 1 is annotated with a series of letters A-G. Each stage represents one or more operations. Although these stages are ordered for this example, the stages illustrate one example to aid in understanding this disclosure and should not be used to limit the claims. Subject matter falling within the scope of the claims can vary from what is illustrated.
[0014] At stage A, network traffic received at the data plane 103 is mirrored to the control plane 101. The mirroring can be implemented with port mirroring.
[0015] At stage B, the traffic processor 110 differentiates the mirrored network traffic into detected traffic flows. For instance, the traffic processor 110 creates (or spawns a thread to create) a data structure with the detected network information tuples for flow differentiation.
[0016] For each flow, the application identification engine 111 scans the packets of the flow to identify an application or application level protocol in order to ensure a corresponding policy is applied.
[0017] At stage C, the application identification engine 111 scans the traffic flow using the pattern matching engine 109 for a match in a stage 1 application layer pattern database 113. In advance, the pattern matching database 113 and the pattern matching databases 115 are built. Expert/domain knowledge is used to select and define patterns or regular expressions based on fields of messages that represent applications, signaling protocols, etc. For the pattern matching databases 115, expert/domain knowledge is used to select and define patterns based on fields of messages that represent data protocols or applications. For this illustration, assume the stage 1 scanning y ields a matching entry indicating a SIP message is detected in the transport layer packet pay load or user data payload.
[0018] At stage D, the application identification engine 111 selects the one of the pattern matching databases 115 for SIP based on the stage 1 scanning result and scans the traffic flow
3
SUBSTITUTE SHEET ( RULE 26)
accordingly. The application identification engine 111 scans the traffic flow using the pattern matching engine 109 (or another instance of the pattern matching engine 109) for a match in the selected SIP pattern matching database of the databases 115.
[0019] At stage E, the application identification engine 111 determines a data protocol indicated in the traffic flow and extracts flow identifying information of the data protocol from the matched packet payload, based on finding a pattern match in the selected stage 2 database. The matching entry can indicate location of flow identify ing information in the matched payload with the SIP message. For example, the matching pattern may be for the Real-Time Protocol (RTP) indicated in a Session Description Protocol (SDP) message of the SIP message. The matching entry can indicate an offset within the SIP message to locate the network address (e g., IP address) and port for the RTP connection that will be established and stream multimedia data. Below is an example of a SIP message with indications of the data protocol and flow identifying information for the data protocol. Lines within the SIP message with tokens that will match a pattern are marked with bold.
INVITE sip : bob@biloxi . example SIP/2.0
Via: SIP/2.0/UDP pc33. atlanta . example ; branch=z 9hG4bK776asdhds Max-Forwards: 70
To: Bob <sip : bob@biloxi . example >
From: Alice <sip : alice@atlanta . example >; tag=1928301774 Call-ID: a84b4c76e66710@pc33. atlanta. example CSeq: 314159 INVITE Contact: <sip : alice@pc33. atlanta . example > Content-Type: application/sdp Content-Length: 142 v=0 o=Andrew 2890844526 2890844526 IN IP4 10.120.42.3 c=IN IP4 10.120.42.3 t=0 0 m=audio 49170 RTP/AVP 0 8 97 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:97 iLBC/8000 m=video 51372 RTP/AVP 31 34
4
SUBSTITUTE SHEET (RULE 26)
a=rtpmap : 31 H261/ 90000 a=rtpmap : 34 H263/ 90000
The stage 1 scanning would have matched a pattern corresponding to “INVITE sip” and determine that the traffic flow included a SIP message. The stage 2 scanning would match multiple patterns within the SIP message, each of which corresponds to the data or application level protocol RTP. After SIP establishes the session(s), RTP will be used to deliver audio and video data streams. These are indicated with the m-lines. The matching patterns of this example would be “c=IN”, “m=audio”, and “m=video.” The stage 2 scanning will find a match for “c=IN” in the SIP pattern database and the application identification engine will extract the network address 10.120.42.3 according to the match result, which could indicate location of the network address with an offset, for example. The extracted network address forms part of the flow identifier for the RTP application that will subsequently begin traversing the data plane 103 after the SIP session is established. The stage 2 scanning will find a match for “m=audio” in the SIP pattern database and the application identification engine will extract the port 49170 according to the match result. This port in combination with the extracted network address forms a flow identifier for the audio stream. The stage 2 scanning will also find a match for “m=video” in the SIP pattern database and the application identification engine will extract the port 51372 according to the match result. This port in combination with the extracted network address forms a flow identifier for the video stream. With the extracted flow identifying information for the expected/predicted data streams, the application identification engine will create a mapping between the signaling protocol and the flow identifying information. Referring again to the above example SIP message, the application identification engine will create two mappings. A first mapping will be “10.120.42.3 : 49170 SIP” for the predicted audio stream. A second mapping will be “10.120.42.3: 51372 <= SIP” for the predicted video stream.
[0020] At stage F, the control plane 101 communicates the mapping(s) to the data plane 103. Assuming the matching pattern was found in the one of the databases 115 that represents SIP, the control plane 101 communicates a mapping of “sip” to an Internet Protocol (IP) address and a port, for example. The control plane 101 can communicate the mapping via an interprocess communication channel or inband interface.
[0021] At stage G, the packet forwarding engine 117 determines a policy to apply to the flow identified in the communicated mapping. The packet forwarding engine 117 accesses a repository (or structure) 119 that indicates policies assigned to applications and/or data protocols.
5
SUBSTITUTE SHEET ( RULE 26)
The packet forwarding engine 117 accesses the repository 119 with the application or protocol identifier communicated from the control plane 101 to determine a configured or assigned policy. The packet forwarding engine 117 then updates a memory or structure of the data plane 103 to indicate the determined policy for enforcement on the flow identified in the communicated mapping.
[0022] Figures 2-3 are flowcharts of example operations related to the multi-stage prediction of an appli cation/ data protocol flow that follows detection of a message of a supporting and/or preceding protocol, such as a signaling protocol setup message. While the preceding figure refers to an application identification engine, the example operations are described with reference to an application flow predictor which can be a component of an application identification engine or a separate program that interacts with or supplements the application identification engine. The name chosen for the program code is not to be limiting on the claims. Structure and organization of a program can vary due to platform, programmer/architect preferences, programming language, etc. In addition, names of code units (programs, modules, methods, functions, etc.) can vary for the same reasons and can be arbitrary.
[0023] Figure 2 is a flowchart of example operations for building application/data protocol databases for multi-stage application flow prediction. While at least some of the databases will be built in advance, others for different application/data protocols can be added later. In addition, database maintenance can involve adding, removing, and/or editing entnes, each of which associates information for flow identifying information extraction with a pattern.
[0024] At block 201, the application flow predictor begins operations for building pattern matching databases for application/data protocols that expected or predicted to follow session establishment by a signaling protocol. For example, the application flow predictor may build a regex matching database for each application/data protocol.
[0025] At block 203, the application flow predictor obtains application/data protocol identifier patterns that occur in preceding session setup messages. For example, the application flow predictor can iterate over files/structures containing regular expressions for a multi-channel application layer gateway (ALG) protocol (e.g., SIP, file transfer protocol (FTP), a H.323 protocol). The application flow predictor can process each of these files/structures in parallel or sequence.
6
SUBSTITUTE SHEET ( RULE 26)
[0026] At block 205, the application flow predictor obtains location(s) of flow identifying information to associate with the identifier patterns. In the case of SIP, the network address follows a matching c line pattern and ports follow matching m line patterns. The obtained location may be indicated or represented with an offset from a beginning of a payload/message or with respect to the matched pattern.
[0027] At block 207, the application flow predictor compiles the identifier pattem(s) selected to represent the application/data protocol into the database. For instance, the application flow predictor compiles regular expressions of the application/data protocol into a regex matching database. Compilation depends upon the regex matching engine implementation being used. For instance, compilation functions of the Hyperscan library can be used to compile regular expressions selected for the application/data protocol. For a SIP pattern database, c-line and inline tokens from SDP payloads can be used to predict media flows (e.g., audio/video, RTP/AVP). As another example, patterns can be based on FTP port commands. Below are example SIP patterns defined with wildcards that can be compiled into a regex database for application/data protocols expected/predicted to follow a SIP session setup.
TOK_IP4 : "/ . *IN IP4 / i" ,
TOK_M_AUDIO : "/ . *\\nm=audio /im" , TOK_M_VIDEO : "/ . *\\nm=video /im" , TOK_RTP_AVP : "/ . *RTP\\/AVP / i" ,
TOK_RTP_SAVP : "/ . *RTP\\/SAVP / i" ,
TOK_RTP_AVPF: "/ . *RTP\\/AVPF / i" ,
TOK_RTP_SAVPF : "/ . *RTP\\/SAVPF /i" , TOK M APP : "/ . *\\nm= (application | image ) /im" ,
[0028] At block 209, the application flow predictor associates the obtained flow identifying information location(s) with the compiled pattern in the corresponding database entry. The application flow predictor can update a pointer or field to indicate the location information. This is an optional operation since location information can be separately defined for each signaling protocol. For example, a match in the SIP pattern matching database causes the application flow predictor to lookup location information based on finding a match instead of having the location information in the database.
7
SUBSTITUTE SHEET ( RULE 26)
[0029] At block 211, the application flow predictor determines whether there are patterns for an additional application/data protocol for flow prediction. If so, operational flow returns to block 201. Otherwise, operational flow ends.
[0030] Figure 3 is a flowchart of example operations for multi-stage scanning of network traffic for application flow prediction. The example operations run after flow differentiation of network traffic mirrored from a data plane. Thus, the scanning is of an individual flow. A different thread can be instantiated for each flow to be scanned, depending upon implementation.
[0031] At block 301, an application identification engine scans mirrored packets of a traffic flow against a stage 1 pattern database. For example, the Hyperscan library in scan mode can be used to scan the payloads of the packets in the flow. The scan generates a stage 1 scan result 302.
[0032] At block 303, the application identification engine determines whether the stage 1 scan result 302 indicates a match in the stage 1 pattern database. If the stage 1 scan result is negative for a match, then the operational flow ends. In some cases, a default policy will be indicated for the scanned flow. If the stage 1 scan result indicates a match, then operational flow proceeds to block 305.
[0033] At block 305, the application identification engine determines whether the stage 1 scan result indicates a match for a “predictor” protocol. A predictor protocol being an application level protocol (i.e., above the transport layer) for which a conforming message will indicate in advance another application level protocol, likely because the predictor protocol is establishing a session or control information for a follow-on apphcation/data protocol. The frequently used example of a predictor protocol in this description is SIP. The stage 1 scan result will include an identifier based on the match (e.g., “SIP” or “H.323”). The predictor protocol is not necessarily different than the protocol for the subsequent data flow. For instance, the FTP will establish a control connection and then a data connection. An FTP process will use the control connection to communicate a command(s). To illustrate, a pattern match for detecting FTP in a traffic flow as a predictor protocol will match a FTP command or response code based pattern (e.g., USER, RETR, CDUP, CWD, XRCP, XRMD, 220, 227, 332, 421, etc.). If a predictor protocol is not indicated, then operational flow proceeds to block 307. If a predictor protocol is indicated in the stage 1 scan result, then operational flow proceeds to block 309 for stage 2 scanning.
[0034] At block 307, the application identification engine communicates the identified application to the data plane. Although the application traffic corresponding to the identified
8
SUBSTITUTE SHEET ( RULE 26)
application has likely already begun to flow across the inspection point, the data plane can start enforcing a relevant policy. Operational flow ends after block 307.
[0035] At block 309, the application flow predictor of the application identification engine selects a stage 2 database based on the stage 1 scan result. For example, predictor protocol pattern matching databases are indexed or identified by the values that would be returned from a matching entry in the stage 1 pattern matching database.
[0036] At block 311, the application flow predictor scans the mirrored packets of the traffic flow in which the predictor protocol message was detected for a match in the selected predictor protocol database.
[0037] At block 313, the application flow predictor determines whether a match(es) is found in the selected database. If not, then operational flow ends. For instance, the scanning for multiple patterns in parallel may return a match indication or set of match indications. Using FTP as an example, after stage 1 scanning detects a FTP port command message “227 Entering Passive Mode” which will communicate address and port that the FTP server will use for the data transfer the stage 2 scanning will find the patterns associated with the flow identifying information. If a match is found, then operational flow proceeds to block 315.
[0038] At block 315, the application flow predictor extracts the predicted flow information based on the matching entry . The match(es) in the selected predictor protocol database predicts at least one subsequent flow (e.g., an RTP flow for an audio stream after the SIP setup) will begin to traverse the inspection point. The matching entry can indicate location of the flow information (e.g., locations of network address and port) within the predictor protocol message. Embodiments may separately indicate location of flow information based on a match in a predictor protocol database. For example, a match in the predictor protocol XYZ pattern matching database causes the application flow predictor to lookup the location information of network address and port in a separate table. A predictor protocol may allow for multiple flows to be indicated within a conforming message. For instance, a SIP message body can contain a SDP description for multiple flows with multiple connections and multiple media sessions. Again referring to an FTP example, the application flow predictor can extract the flow identifying information by forming network address and port with detected parts of a FTP port command message. With the command message formatted as PORT-COMMAND-CODE (II, 12, 13, 14, pl, p2), the application flow predictor can form the network address with II.12.13.14 and the port as (pl * 256) + p2. With a more specific example of detecting a port command
9
SUBSTITUTE SHEET ( RULE 26)
message “227 Entering Passive Mode (192,168,20,101,117,254),” the application flow predictor can form the network address 192. 168.20. 101 and compute the port as 30206.
[0039] At block 317, the application flow predictor creates a mapping 318 of predicted flow information to an identifier of the predictor protocol. The application flow predictor can use the predictor protocol identifier that was indicated in the stage 1 scan result. Using the FTP example above, the application flow predictor creates a mapping 192.168,20. 101 :30206 <-> FTP.
[0040] At block 321, the application flow predictor (or another process in the control plane of the inspection point) communicates the mapping to the data plane. This can be communicated with inter-process communication, via an interface between the control plane and data plane, etc.
[0041] Variations
[0042] While the description refers to detecting or identifying a signaling protocol message in a traffic flow before branching to stage 2 scanning, embodiments are not so limited. Signaling protocol was selected as a representative type of predictor protocol since it often precedes ALG application traffic, (e.g., a SIP message precedes a RTP audio stream).
[0043] The flowcharts are provided to aid in understanding the illustrations and are not to be used to limit scope of the claims. The flowcharts depict example operations that can vary within the scope of the claims. Additional operations may be performed; fewer operations may be performed; the operations may be performed in parallel; and the operations may be performed in a different order. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by program code. The program code may be provided to a processor of a general purpose computer, special purpose computer, or other programmable machine or apparatus.
[0044] As will be appreciated, aspects of the disclosure may be embodied as a system, method or program code/instructions stored in one or more machine-readable media. Accordingly, aspects may take the form of hardware, software (including firmware, resident software, micro-code, etc.), or a combination of software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” The functionality presented as individual modules/units in the example illustrations can be organized differently in
10
SUBSTITUTE SHEET ( RULE 26)
accordance with any one of platform (operating system and/or hardware), application ecosystem, interfaces, programmer preferences, programming language, administrator preferences, etc.
[0045] Any combination of one or more machine readable medium(s) may be utilized. The machine readable medium may be a machine readable signal medium or a machine readable storage medium. A machine readable storage medium may be, for example, but not limited to, a system, apparatus, or device, that employs any one of or combination of electronic, magnetic, optical, electromagnetic, infrared, or semiconductor technology to store program code. More specific examples (a non-exhaustive list) of the machine readable storage medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a machine readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. A machine readable storage medium is not a machine readable signal medium.
[0046] A machine readable signal medium may include a propagated data signal with machine readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A machine readable signal medium may be any machine readable medium that is not a machine readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
[0047] Program code embodied on a machine readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
[0048] The program code/instructions may also be stored in a machine readable medium that can direct a machine to function in a particular manner, such that the instructions stored in the machine readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
[0049] Figure 4 depicts an example computer system with a data plane and a control plane that includes an application flow predictor. The computer system includes a control plane 401
11
SUBSTITUTE SHEET ( RULE 26)
and a data plane 413. The control plane 401 includes a processor 403 (possibly including multiple processors, multiple cores, multiple nodes, and/or implementing multi-threading, etc.). The computer system includes memory 405. The memory 405 may be system memory or any one or more of the above already described possible realizations of machine-readable media. The control plane 401 also includes an application identification engine 407 which includes an application flow predictor 411. The processor 403 may implement the application identification engine 411 (e.g., execute instructions of the program code). The application identification engine 407 may be an application specific integrated circuit that is coupled with the processor 403 but distinct from the processor 403. A communication channel 410 communicatively couples the control plane 401 to the data plane 413. The data plane 413 includes line cards 416A, 416B which communicate via a switch fabric 419. The line card 416A includes packet forwarding engines (PFEs) 417A, 417B. The line card 416B includes PFEs 417C, 417D. The application identification engine 407 differentiates network traffic mirrored from at least one of the PFEs 417A-417D and scans the differentiated flows against a primary database for application identification. If a predictor protocol message is detected in a flow from the application identification, the application flow predictor 411 scans the flow for pattern matches that predict a forthcoming traffic for an application/ data protocol (e.g., a cloud-based conferencing application or protocol) and extracts predicted flow identifying information to create a mapping between the predictor protocol and the predicted flow. The control plane 401 then communicates the mapping to the appropriate PFE for policy selection and enforcement.
[0050] Embodiments are not limited to deployment in a network device with line cards as depicted in Figure 4. Embodiments may be deployed as a virtual firewall or cloud-based firewall, for example.
[0051] Terminology
[0052] Use of the phrase “at least one of’ preceding a list with the conjunction “and” should not be treated as an exclusive list and should not be construed as a list of categories with one item from each category', unless specifically stated otherwise. A clause that recites “at least one of A, B, and C” can be infringed with only one of the listed items, multiple of the listed items, and one or more of the items in the list and another item not listed.
12
SUBSTITUTE SHEET ( RULE 26)
Claims
1. A method comprising: selecting a first signaling protocol pattern database from a plurality of signaling protocol pattern databases based, at least in part, on detecting a message of the first signaling protocol in a first network traffic flow, wherein the plurality of signaling protocol pattern databases was built with patterns corresponding to a plurality of different signaling protocols; scanning, in a control plane, the first network traffic flow for a pattern match in the first signaling protocol pattern database; based on the scanning indicating a pattern match in the first signaling protocol pattern database, extracting first application traffic flow identifying information for an application or data protocol indicated in a payload of the first network traffic flow corresponding to the pattern match; associating an identifier of the first signaling protocol with a first application traffic flow identifier that is based on the first application traffic flow identifying information to generate a first mapping; communicating the first mapping to a data plane from the control plane; and selecting, in the data plane, a first of a plurality of policies based on the first mapping.
2. The method of claim 1 further comprising detecting the message of the first signaling protocol in the first network traffic flow, wherein detecting the message comprises: scanning, in the control plane, the first network traffic flow for a pattern match in a first pattern matching database which was built with patterns identifying applications and application layer protocols; and based on the scanning for a pattern match in the first pattern matching database indicating a pattern match in the first pattern matching database, determining whether the patern match in the first patern matching database indicates a signaling protocol, wherein detecting the message of the first signaling protocol in the first network traffic flow is based on determining that the patern match in the first patern matching database is for the first signaling protocol.
3. The method of any of the preceding claims, wherein extracting the first network traffic flow identifier from the first network traffic flow is based on indication of an
13
SUBSTITUTE SHEET ( RULE 26)
offset returned with the indication of the pattern match, in particular wherein the first network traffic flow identifier comprises a network address and a port.
4. The method of any of the preceding claims further comprising mirroring the first network traffic flow to the control plane from the data plane, building the first signaling protocol pattern database with patterns from session description protocol descriptions in the first signaling protocol message, and/or applying the first policy to network traffic corresponding to the first network traffic flow identifier.
5. The method of any of the preceding claims further comprising extracting second application traffic flow identifying information for the application or data protocol indicated in the pay load of the first network traffic flow based on the scanning indicating a second pattern match in the signaling protocol pattern database and forming the first application flow identifier with the first and second application traffic flow identifying information.
6. One or more non-transitory, machine-readable medium having program code stored thereon, the program code comprising instructions to: scan, in a control plane, payloads of a first transport layer traffic flow for a pattern match in a first pattern database; detect a session establishment message of a first application level protocol based on indication of a pattern match in the first pattern database; select a second pattern database based on detection of the session establishment message of the first application level protocol, wherein the second pattern database was built with patterns of the first application level protocol; scan the payloads for a pattern match in the second pattern database; based on scanning indicating a first pattern match in the second pattern database, create a first mapping between an identifier of the first application level protocol and a first application traffic flow identifier determined from at least a first of the payloads corresponding to the first pattern match; and communicate the first mapping to a data plane from the control plane.
7. The non-transitory machine-readable medium of claim 6, wherein the program code further comprises instructions to select, in the data plane, a first of a plurality of
14
SUBSTITUTE SHEET ( RULE 26)
policies based on the first mapping and to apply the first policy to network traffic corresponding to the first application traffic flow identifier that is subsequent to the first transport layer traffic flow.
8. The non-transitory machine-readable medium of claims 6 or 7, wherein the program code further comprises instructions to extract the first application traffic flow identifier from the first payload, wherein the instructions to extract the first application traffic flow identifier from the first payload comprise instructions to: extract a network address from the first payload based on the scanning indicating the first pattern match in the second pattern database; and extract a port from the first payload based on an indication of a second pattern match in the second pattern database, wherein the network address and the port form the first application traffic flow identifier.
9. The non-transitory machine-readable medium of any of claims 6 - 8, wherein the second pattern database is a regular expression database.
10. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, scan payloads of a first network traffic flow for a pattern match in a first pattern database; detect a session establishment message of a first application level protocol based on scanning indicating a pattern match in the first pattern database; select a second pattern database from a plurality of pattern databases based on detection of the session establishment message, wherein the plurality of pattern databases was built with patterns of application level protocols; scan the first network traffic flow for one or more matches in the second pattern database; based on the scan for matches in the second pattern database indicating at least a first match in the second pattern database, create a first mapping between an identifier of the first application level protocol and an identifier of a first predicted traffic flow determined based, at least in part, on the first match; and communicate the first mapping to a data plane.
15
SUBSTITUTE SHEET ( RULE 26)
11. The apparatus of claim 10, wherein the machine-readable medium further has instructions executable by the processor to cause the apparatus to extract the first application traffic flow identifier from at least a first payload in the first network traffic flow corresponding to the first match.
12. The apparatus of claim 11, wherein the instructions to extract the first application traffic flow identifier from the first payload comprise instructions to: extract a network address from the first payload based on the scan for matches int he second pattern database indicating the first match in the second pattern database; and extract a port from the first payload based on an indication of a second match in the second pattern database, in particular wherein the network address and the port form the first application traffic flow identifier, and optionally wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to determine offsets to extract the network address and the port based, at least in part, on the first match.
13. The apparatus of claim 10, wherein the first application level protocol is the session initiation protocol.
14. The apparatus of claim 10, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to create a second mapping between the identifier of the first application level protocol and an identifier of a second predicted traffic flow determined based, at least in part, on a second match in the second pattern database.
16
SUBSTITUTE SHEET ( RULE 26)
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202263367029P | 2022-06-24 | 2022-06-24 | |
| US63/367,029 | 2022-06-24 | ||
| US17/819,708 US20230421488A1 (en) | 2022-06-24 | 2022-08-15 | Application traffic flow prediction based on multi-stage network traffic flow scanning |
| US17/819,708 | 2022-08-15 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023249679A1 true WO2023249679A1 (en) | 2023-12-28 |
Family
ID=86271315
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2023/016575 WO2023249679A1 (en) | 2022-06-24 | 2023-03-28 | Application traffic flow prediction based on multi-stage network traffic flow scanning |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2023249679A1 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107872456A (en) * | 2017-11-09 | 2018-04-03 | 深圳市利谱信息技术有限公司 | Network intrusion prevention method, apparatus, system and computer-readable recording medium |
| US20200259792A1 (en) * | 2015-11-17 | 2020-08-13 | Zscaler, Inc. | Cloud-based Intrusion Prevention System |
| US20200259793A1 (en) * | 2015-11-17 | 2020-08-13 | Zscaler, Inc. | Stream scanner for identifying signature matches |
-
2023
- 2023-03-28 WO PCT/US2023/016575 patent/WO2023249679A1/en unknown
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200259792A1 (en) * | 2015-11-17 | 2020-08-13 | Zscaler, Inc. | Cloud-based Intrusion Prevention System |
| US20200259793A1 (en) * | 2015-11-17 | 2020-08-13 | Zscaler, Inc. | Stream scanner for identifying signature matches |
| CN107872456A (en) * | 2017-11-09 | 2018-04-03 | 深圳市利谱信息技术有限公司 | Network intrusion prevention method, apparatus, system and computer-readable recording medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9800491B1 (en) | Application based packet forwarding | |
| US9929920B2 (en) | System and method for efficient classification and processing of network traffic | |
| EP3195535B1 (en) | Chaining of network service functions in a communication network | |
| US9800697B2 (en) | L2/L3 multi-mode switch including policy processing | |
| CN105591973B (en) | Application identification method and device | |
| US7881291B2 (en) | Packet classification acceleration using spectral analysis | |
| US7779255B2 (en) | Multi-level security systems | |
| EP1802023B1 (en) | System and method for controling ngn service-based firewall | |
| JP4782827B2 (en) | High-speed network traffic analysis | |
| US20130294449A1 (en) | Efficient application recognition in network traffic | |
| US20090067419A1 (en) | Transmission control apparatus and method | |
| US20200351309A1 (en) | Security policy enforcement and visibility for network architectures that mask external source addresses | |
| US20140237137A1 (en) | System for distributing flow to distributed service nodes using a unified application identifier | |
| US9800567B2 (en) | Authentication of network nodes | |
| US20230421488A1 (en) | Application traffic flow prediction based on multi-stage network traffic flow scanning | |
| CN100586104C (en) | A route-based talk initialization protocol transparent transmission network address conversion method | |
| WO2023249679A1 (en) | Application traffic flow prediction based on multi-stage network traffic flow scanning | |
| RU2014114254A (en) | GATEWAY AND APPROPRIATE METHOD, COMPUTER PROGRAM AND MEDIA | |
| WO2022127625A1 (en) | Sip network element multi-address learning method and apparatus, and signaling monitoring system | |
| CN105991373B (en) | A kind of application protocol recognition methods and device | |
| CN106549969A (en) | Data filtering method and device | |
| Mohammadkhan et al. | Protocols to support autonomy and control for NFV in software defined networks | |
| Grob et al. | Combining Case-Based Reasoning with Complex Event Processing for Network Traffic Classification | |
| CN116582307A (en) | Firewall configuration method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23720198 Country of ref document: EP Kind code of ref document: A1 |