USRE50420EActiveUtility

System and method for identifying OTT applications and services

57
Assignee: NETSCOUT SYSTEMS INCPriority: Jun 19, 2019Filed: Aug 5, 2022Granted: May 6, 2025
Est. expiryJun 19, 2039(~12.9 yrs left)· nominal 20-yr term from priority
H04L 41/147H04L 41/149H04L 61/58H04L 61/5007H04L 61/4511H04L 67/60H04L 69/16H04L 65/60H04L 63/166H04L 63/0823H04L 43/026H04L 43/062H04L 67/02
57
PatentIndex Score
0
Cited by
13
References
24
Claims

Abstract

A computer implemented method for determining the identity of an Over-the Top (OTT) application or service being accessed over the Internet from a HTTP, HTTPS or QUIC connection request received in a network monitoring device. Determine if one or more entries are present in the received connection request have an IP address that matches a known server IP address. A determination is then made as to whether if the received connection request is one of a HTTP, HTTPS or QUIC connection request, and if this cannot be determined than determine if a subject field in the received connection request is available. And determine if a candidate domain name is available from IP cache created from one or more of the above steps if a subject field is not available in the received connection request. Identify and categorize OTT applications associated with the received connection request if it is determined: the connection is either a HTTP, HTTPS or QUIC connection type; a subject field is available; or a candidate domain name is available utilizing a lookup table that is periodically updated with new OTT applications.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer implemented method for determining the identity of identifying an Over-the Top (OTT) application or service being accessed over the Internet, comprising the steps:
 receiving a connection request in a network monitoring device; 
 inspecting IP Internet Protocol (IP) packets in the received connection request; 
 generating a  5 -tuple consisting of: a source IP source address and a destination addresses IP address; a layer  4  transport protocol (e.g. comprising TCP or UDP), and a transport protocol source and destination ports contained in the received connection request wherein the generated  5 -tuple is compared with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated  5 -tuple associated with the received connection request; 
 storing a domain name as a candidate domain name based on a domain name entry in cache memory including the domain name paired with an IP address that matches the destination IP address;  
 determining if one or more entries are present in the received connection request have an IP address that matches a known server IP address; 
 determining if the received connection request is a HTTP connection request; 
 determining if the received connection request is a HTTPS or QUIC quick user datagram protocol (UDP) Internet connections (QUIC) connection request; 
 determining if a subject field in the received connection request is available if no determination is made as to whether if the received connection request is either a HTTP, HTTPS or QUIC connection request; 
 determining if a, based on the received connection request being determined to not be an HTTP, HTTPS, or QUIC connection request, and the subject field is not available in the received connection request, that the candidate domain name is available from IP cache created from one or more of the above steps if no determination is made as to whether the received connection request is either a HTTP, HTTPS or QUIC connection request and no subject field is available in the received connection request the cache memory; and 
 identifying and categorizing OTT applications associated with the received connection request if it is determined based on at least one of: 
 the connection is either request being a HTTP, HTTPS, or QUIC connection type; 
 athe subject field isbeing available; or 
 athe candidate domain name isbeing available by utilizing a lookup table that is periodically updated with new OTT applications. 
 
     
     
       2. The computer implemented method of  claim 1 , wherein receiving a connection request includes further comprising determining if a transport layer protocol is TCP and the a destination TCP port in the connection request matches known ports to carry HTTP, HTTPS or QUIC requests. 
     
     
       3. The computer implemented method of  claim 1 , further including extracting URI uniform resource identifier (URI) and HTTP header fields from the connection request if it is determines the connection request is HTTP connection request. 
     
     
       4. The computer implemented method of  claim 1 , further including detecting an SNI a service name indication (SNI) extension in a ClientHello handshake message if it is determined the received connection request is a the HTTPS or QUIC connection request. 
     
     
       5. The computer implemented method of  claim 4 , further including extracting the SNI from the ClientHello handshake message. 
     
     
       6. The computer implemented method of  claim 1  where determining if the subject field is available includes inspecting an “End Entity” X.509 format Server Certificate in the TLS handshake ServerHello message. 
     
     
       7. The computer implemented method as recited in  claim 1  wherein if determined there is a domain name entry with a matching IP address for the received connection request, the IP address of the destination server of the received connection request is stored as a candidate domain name. 
     
     
       8. The computer implemented method as recited in of claim  7   1 wherein if determined the destination IP address associated with the received connection request cannot be directly mapped to a known domain name then, the destination IP address is compared with a list of IP address ranges registered as public IP addresses. 
     
     
       9. The computer implemented method as recited in of  claim 8  wherein the Public IP address ranges are managed and allocated by an International Regional Internet Registry (RIR) whereby each RIR publishes a database listing associated with unique IP addresses ranges on the public internet a publicly available portion of the internet. 
     
     
       10. The computer implemented method as recited in of  claim 1 , further including inspecting Domain Name System (DNS) queries between browsers and their designated DNS servers. 
     
     
       11. The computer implemented method as recited in  claim 10  wherein a Host field in the received connection request is an IP address. 
     
     
       12. The computer implemented method as recited in  claim 10  wherein a Host field in the received connection request is a domain name. 
     
     
       13. The computer implemented method as recited in of  claim 10  further including performing a DNS name-resolution query to obtain an IP address for a target HTTP/HTTPS server whereby a DNS server provides a response containing a domain name being queried and one or more IP addresses associated with the queried domain name. 
     
     
       14. The computer implemented method as recited in of  claim 13  wherein visible DNS name-resolution responses are inspected and utilized to add IP address/domain name mapping pairs to the IP cache cache memory. 
     
     
       15. The computer implemented method as recited in of  claim 14  wherein TLS transport layer security (TLS) handshake SNI entries are utilized to update the IP cache cache memory. 
     
     
       16. The computer implemented method as recited in of  claim 1  when if determined wherein if an application is being provided via an HTTP connection request, then one or more of the HTTP Host, Referrer, URI and Content-Type fields is extracted from the a HTTP packet header to identify the application. 
     
     
       17. The computer implemented method as recited in of  claim 4  wherein if determined an application is being provided via an the HTTPS or QUIC connection request, then the a Service Name Identifier (SNI) field in the a TLS handshake is utilized as a proxy for the a HTTP Host field. 
     
     
       18. The computer implemented method and system as recited in of  claim 17  wherein:
 if the SNI field is present, a corresponding IP address/domain name mapping pair is added to the IP cache memory; 
 if the SNI field is not populated in the TLS handshake then the “Subject” or “Subject Alternate Name” fields in the TLS server certificate are inspected; 
 if determined the destination IP address of a network connection cannot be directly mapped to a domain name than then the destination IP address is compared with a list of IP address ranges registered as public IP addresses; and 
 if the SNI field is not populated in a TLS handshake than then the “Subject” or “Subject Alternate Name” fields in the TLS server certificate are inspected. 
 
     
     
       19. One or more non-transitory computer-readable media storing computer readable program code that, when executed by one or more processors, effectuate operations comprising:
 receiving a connection request in a network monitoring device;   inspecting Internet Protocol (IP) packets in the received connection request;   generating a 5-tuple consisting of: IP source and destination addresses; a layer 4 transport protocol comprising TCP or UDP, and a transport protocol source and destination ports contained in the received connection request wherein the generated 5-tuple is compared with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated 5-tuple associated with the received connection request;   storing a domain name as a candidate domain name based on a domain name entry in cache memory including the domain name paired with an IP address that matches the destination IP address;   determining if the received connection request is a HTTP connection request;   determining if the received connection request is a HTTPS or quick user datagram protocol (UDP) Internet connections (QUIC) connection request;   determining if a subject field in the received connection request is available;   determining, based on the received connection request being determined to not be an HTTP, HTTPS, or QUIC connection request, and the subject field is not available in the received connection request, that the candidate domain name is available from the cache memory; and   identifying OTT applications associated with the received connection request based on at least one of:   the connection request being a HTTP, HTTPS, or QUIC connection type:   the subject field being available; or   the candidate domain name being available by utilizing a lookup table that is periodically updated with new OTT applications.   
     
     
       20. The one or more non-transitory computer readable media of  claim 19 , wherein the operations further comprise determining if a transport layer protocol is TCP and a destination TCP port in the connection request matches known ports to carry HTTP, HTTPS or QUIC requests. 
     
     
       21. The one or more non-transitory computer readable media of  claim 19 , wherein the operations further comprise extracting uniform resource identifier (URI) and HTTP header fields from the connection request if the connection request is HTTP connection request. 
     
     
       22. The one or more non-transitory computer readable media of  claim 19 , wherein the operations further comprise detecting a service name indication (SNI) extension in a handshake message if the received connection request is the HTTPS or QUIC connection request. 
     
     
       23. The one or more non-transitory computer readable media of  claim 19 , wherein the operations further comprise inspecting Domain Name System (DNS) queries between browsers and their designated DNS servers. 
     
     
       24. The one or more non-transitory computer readable media of  claim 19 , wherein the operations further comprise performing a DNS name-resolution query to obtain an IP address for a target HTTP/HTTPS server.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.