US2017134257A1PendingUtilityA1

Application control

45
Assignee: FORTINET INCPriority: Nov 25, 2014Filed: Jan 19, 2017Published: May 11, 2017
Est. expiryNov 25, 2034(~8.4 yrs left)· nominal 20-yr term from priority
H04L 63/1408H04L 47/2475H04L 41/12H04L 69/03H04L 67/104H04L 47/2483H04L 43/12
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods for controlling applications on a network are provided. According to one embodiment, a network security device detects a suspect application protocol used in connection with network traffic exchanged between a source peer and a destination peer. The network security device sends a probing request to the destination peer based on the suspect application protocol. The suspect application protocol is confirmed when a response is received from the destination peer in accordance with the suspect application protocol.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 intercepting, by a network security device, network traffic passing through the network security device, wherein the network traffic is being exchanged between a source peer and a destination peer;   detecting, by the network security device, a suspect application protocol used in the network traffic;   sending, by the network security device, a probing request to the destination peer of the network traffic based on the suspect application protocol;   receiving, by the network security device, a response from the destination peer;   determining, by the network security device, if the response from the destination peer represents a valid response based on the suspect application protocol;   when said determining is affirmative, then confirming, by the network security device, the suspect application protocol as an application protocol actually being used by the network traffic; and   performing, by the network security device, an action on the network traffic based on the confirmed application protocol.   
     
     
         2 . The method of  claim 1 , wherein said detecting a suspect application protocol comprises:
 conducting, by the network security device, a heuristic detection of an application protocol used in the network traffic by a plurality of application protocol identifying engines defined in a heuristic rule; and   identifying, by the network security device, the suspected application protocol by combining results of the plurality application protocol identifying engines based on the heuristic rule.   
     
     
         3 . The method of  claim 2 , wherein the plurality of application protocol identifying engines comprises one or more port-based protocol analysis engines, signature-based protocol analysis engines and behavioral-based protocol analysis engines. 
     
     
         4 . The method of  claim 1 , wherein said detecting a suspect application protocol further comprises:
 conducting an initial detection of the suspect application protocol by one of a plurality of application protocol identifying engines;   when the initial detection of the application protocol fails, then conducting a heuristic detection of the application protocol by multiple application protocol identifying engines of the plurality of application protocol identifying engines defined in a heuristic rule; and   determining the suspect application protocol by combining detection results of the multiple application protocol identifying engines.   
     
     
         5 . The method of  claim 1 , further comprising:
 when said determining is affirmative, then concluding, by the network security device, that the destination peer provides a service of the suspect application protocol; and   performing, by the network security device, an action on the destination peer.   
     
     
         6 . The method of  claim 1 , wherein the probing request comprises one or more of:
 a user authentication request;   a handshaking message;   a ping message; and   a control message.   
     
     
         7 . The method of  claim 1 , wherein the suspect application protocol comprises a protocol category or a specific application layer protocol. 
     
     
         8 . The method of  claim 1 , wherein the suspect application protocol comprises a peer-to-peer (P2P) protocol. 
     
     
         9 . The method of  claim 4 , wherein the network security device includes a rule that limits a total number of probing requests sent within a predetermined or configurable time period. 
     
     
         10 . The method of  claim 9 , wherein the rule defines a total number of probing requests capable of being sent to each peer in the predetermined or configurable time period, a total number of probing requests capable of being sent in the predetermined or configurable time period and a threshold for certainty of the initial detection. 
     
     
         11 . A network security device comprising:
 a non-transitory storage device having tangibly embodied therein instructions representing an application control sensor; and   one or more processors coupled to the non-transitory storage device and operable to execute the application control sensor to perform a method comprising:
 intercepting network traffic passing through the network security device, wherein the network traffic is being exchanged between a source peer and a destination peer; 
 detecting a suspect application protocol used in the network traffic; 
 sending a probing request to the destination peer of the network traffic based on the suspect application protocol; 
 receiving a response from the destination peer; 
 determining if the response from the destination peer represents a valid response based on the suspect application protocol; 
 when said determining is affirmative, then confirming the suspect application protocol as an actual application protocol being used by the network traffic; and 
 performing an action on the network traffic based on the confirmed application protocol. 
   
     
     
         12 . The network security device of  claim 11 , wherein said detecting a suspect application protocol comprises:
 conducting a heuristic detection of an application protocol used in the network traffic by a plurality of application protocol identifying engines defined in a heuristic rule; and   identifying the suspected application protocol by combining results of the plurality application protocol identifying engines based on the heuristic rule.   
     
     
         13 . The network security device of  claim 12 , wherein the plurality of application protocol identifying engines comprises one or more port-based protocol analysis engines, signature-based protocol analysis engines and behavioral-based protocol analysis engines. 
     
     
         14 . The network security device of  claim 11 , wherein said detecting a suspect application protocol further comprises:
 conducting an initial detection of the suspect application protocol by one of a plurality of application protocol identifying engines;   when the initial detection of the application protocol fails, then conducting a heuristic detection of the application protocol by multiple application protocol identifying engines of the plurality of application protocol identifying engines defined in a heuristic rule; and   determining the suspect application protocol by combining detection results of the multiple application protocol identifying engines.   
     
     
         15 . The network security device of  claim 11 , wherein the method further comprises:
 when said determining is affirmative, then concluding, by the network security device, that the destination peer provides a service of the suspect application protocol; and   performing, by the network security device, an action on the destination peer.   
     
     
         16 . The network security device of  claim 11 , wherein the probing request comprises one or more of:
 a user authentication request;   a handshaking message;   a ping message; and   a control message.   
     
     
         17 . The network security device of  claim 11 , wherein the suspect application protocol comprises a protocol category or a specific application layer protocol. 
     
     
         18 . The network security device of  claim 11 , wherein the suspect application protocol comprises a peer-to-peer (P2P) protocol. 
     
     
         19 . The network security device of  claim 14 , wherein the network security device includes a rule that limits a total number of probing requests sent within a predetermined or configurable time period. 
     
     
         20 . The network security device of  claim 19 , wherein the rule defines a total number of probing requests capable of being sent to each peer in the predetermined or configurable time period, a total number of probing requests capable of being sent in the predetermined or configurable time period and a threshold for certainty of the initial detection.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.