US2017134257A1PendingUtilityA1
Application control
Est. expiryNov 25, 2034(~8.4 yrs left)· nominal 20-yr term from priority
H04L 63/1408H04L 47/2475H04L 41/12H04L 69/03H04L 67/104H04L 47/2483H04L 43/12
45
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Systems and methods for controlling applications on a network are provided. According to one embodiment, a network security device detects a suspect application protocol used in connection with network traffic exchanged between a source peer and a destination peer. The network security device sends a probing request to the destination peer based on the suspect application protocol. The suspect application protocol is confirmed when a response is received from the destination peer in accordance with the suspect application protocol.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
intercepting, by a network security device, network traffic passing through the network security device, wherein the network traffic is being exchanged between a source peer and a destination peer; detecting, by the network security device, a suspect application protocol used in the network traffic; sending, by the network security device, a probing request to the destination peer of the network traffic based on the suspect application protocol; receiving, by the network security device, a response from the destination peer; determining, by the network security device, if the response from the destination peer represents a valid response based on the suspect application protocol; when said determining is affirmative, then confirming, by the network security device, the suspect application protocol as an application protocol actually being used by the network traffic; and performing, by the network security device, an action on the network traffic based on the confirmed application protocol.
2 . The method of claim 1 , wherein said detecting a suspect application protocol comprises:
conducting, by the network security device, a heuristic detection of an application protocol used in the network traffic by a plurality of application protocol identifying engines defined in a heuristic rule; and identifying, by the network security device, the suspected application protocol by combining results of the plurality application protocol identifying engines based on the heuristic rule.
3 . The method of claim 2 , wherein the plurality of application protocol identifying engines comprises one or more port-based protocol analysis engines, signature-based protocol analysis engines and behavioral-based protocol analysis engines.
4 . The method of claim 1 , wherein said detecting a suspect application protocol further comprises:
conducting an initial detection of the suspect application protocol by one of a plurality of application protocol identifying engines; when the initial detection of the application protocol fails, then conducting a heuristic detection of the application protocol by multiple application protocol identifying engines of the plurality of application protocol identifying engines defined in a heuristic rule; and determining the suspect application protocol by combining detection results of the multiple application protocol identifying engines.
5 . The method of claim 1 , further comprising:
when said determining is affirmative, then concluding, by the network security device, that the destination peer provides a service of the suspect application protocol; and performing, by the network security device, an action on the destination peer.
6 . The method of claim 1 , wherein the probing request comprises one or more of:
a user authentication request; a handshaking message; a ping message; and a control message.
7 . The method of claim 1 , wherein the suspect application protocol comprises a protocol category or a specific application layer protocol.
8 . The method of claim 1 , wherein the suspect application protocol comprises a peer-to-peer (P2P) protocol.
9 . The method of claim 4 , wherein the network security device includes a rule that limits a total number of probing requests sent within a predetermined or configurable time period.
10 . The method of claim 9 , wherein the rule defines a total number of probing requests capable of being sent to each peer in the predetermined or configurable time period, a total number of probing requests capable of being sent in the predetermined or configurable time period and a threshold for certainty of the initial detection.
11 . A network security device comprising:
a non-transitory storage device having tangibly embodied therein instructions representing an application control sensor; and one or more processors coupled to the non-transitory storage device and operable to execute the application control sensor to perform a method comprising:
intercepting network traffic passing through the network security device, wherein the network traffic is being exchanged between a source peer and a destination peer;
detecting a suspect application protocol used in the network traffic;
sending a probing request to the destination peer of the network traffic based on the suspect application protocol;
receiving a response from the destination peer;
determining if the response from the destination peer represents a valid response based on the suspect application protocol;
when said determining is affirmative, then confirming the suspect application protocol as an actual application protocol being used by the network traffic; and
performing an action on the network traffic based on the confirmed application protocol.
12 . The network security device of claim 11 , wherein said detecting a suspect application protocol comprises:
conducting a heuristic detection of an application protocol used in the network traffic by a plurality of application protocol identifying engines defined in a heuristic rule; and identifying the suspected application protocol by combining results of the plurality application protocol identifying engines based on the heuristic rule.
13 . The network security device of claim 12 , wherein the plurality of application protocol identifying engines comprises one or more port-based protocol analysis engines, signature-based protocol analysis engines and behavioral-based protocol analysis engines.
14 . The network security device of claim 11 , wherein said detecting a suspect application protocol further comprises:
conducting an initial detection of the suspect application protocol by one of a plurality of application protocol identifying engines; when the initial detection of the application protocol fails, then conducting a heuristic detection of the application protocol by multiple application protocol identifying engines of the plurality of application protocol identifying engines defined in a heuristic rule; and determining the suspect application protocol by combining detection results of the multiple application protocol identifying engines.
15 . The network security device of claim 11 , wherein the method further comprises:
when said determining is affirmative, then concluding, by the network security device, that the destination peer provides a service of the suspect application protocol; and performing, by the network security device, an action on the destination peer.
16 . The network security device of claim 11 , wherein the probing request comprises one or more of:
a user authentication request; a handshaking message; a ping message; and a control message.
17 . The network security device of claim 11 , wherein the suspect application protocol comprises a protocol category or a specific application layer protocol.
18 . The network security device of claim 11 , wherein the suspect application protocol comprises a peer-to-peer (P2P) protocol.
19 . The network security device of claim 14 , wherein the network security device includes a rule that limits a total number of probing requests sent within a predetermined or configurable time period.
20 . The network security device of claim 19 , wherein the rule defines a total number of probing requests capable of being sent to each peer in the predetermined or configurable time period, a total number of probing requests capable of being sent in the predetermined or configurable time period and a threshold for certainty of the initial detection.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.