Detection of an application in network traffic may be instrumental in providing computer security. For example, detection of an application allows one to take prophylactic actions in the event that the application is potentially dangerous. Detection of an application may also be helpful for overall monitoring and evaluation of network traffic.
Unfortunately, certain applications are constructed to avoid detection. For example, port hopping techniques are used to avoid port analyses used to identify an application. Cryptography may be used to avoid application detection through magic byte sequence detection and/or deep packet inspection. Peer-to-peer communications may be used to avoid application detection through server IP network address range analyses.
Similar to the identification of applications on a network, it is often equally beneficial to identify users on a network. Just as many applications evade detection and classification through a variety of techniques, users, too, may intentionally employ methods that obscure their identity. Common techniques include encryption, anonymizing proxy servers, traffic tunneling and remote desktop sessions.
In view of the foregoing, it would be desirable to provide new techniques to classify patterns (e.g., applications and users) in a networked environment.