1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for classifying computer network traffic.
2. Description of the Background Art
Network application control technologies allow network administrators to visualize and control computer network traffic based on the applications that generate the traffic, rather than merely on source and destination addresses and port numbers. Some computer security vendors provide network application control products that attempt to apply pattern matching to traffic on the wire in order to identify the type of the traffic, and apply logging or policy enforcement based on the type of the traffic as configured by the administrator. Examples of computer security vendors that offer network application control products are firewall vendors (e.g., Palo Alto Networks, Fortinet, and Cisco) and packet shaping vendors (e.g., Bluecoat).
One problem with pattern-matching-based traffic classification is that a signature must first be generated, by a person or by an automated process, and assigned an application identifier or type before traffic of that type can be controlled. Because new network-enabled applications are introduced continuously, there is always some amount of network traffic that cannot be classified. Conventional approaches to this problem involve applying a blanket allow or deny policy to all unclassified network traffic, or generating custom signatures based on traditional firewall characteristics pending escalation to the vendor to produce a more accurate signature. For example, a custom signature may combine the destination port and transport protocol (TCP or UDP) with a restriction to a subset of traffic (e.g., restricted by source zone, source IP address, destination zone, and destination IP address). Such a signature identifies traffic only by where it flows, not by what it carries, so any application using that port within the restricted subset is labeled the same way. Even when such custom signatures are sufficient, the network administrator still needs to perform detective work to determine whether the traffic really should be allowed or blocked.
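The following is an added illustration, not code from the patent or from any vendor product named above. It models the two kinds of signature the background describes (a vendor-style payload pattern and an administrator-built custom signature keyed on port, protocol, zone and address range) and the blanket default policy applied to whatever remains unclassified. All signatures, zone names, addresses and sample flows are constructed for the example; the application identifiers, the `Flow` fields and the precedence order (payload signatures first, custom signatures second, default last) are assumptions of this illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One network session as a classifier would see it (fields are assumed)."""
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes    # leading bytes of the session, as seen on the wire


@dataclass(frozen=True)
class PayloadSignature:
    """Vendor-style signature: a regex over the first payload bytes."""
    app_id: str
    proto: str
    pattern: bytes


@dataclass(frozen=True)
class CustomSignature:
    """Administrator-built signature: destination port + transport protocol,
    optionally restricted by source/destination zone and address range."""
    app_id: str
    proto: str
    dst_port: int
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if f.proto != self.proto or f.dst_port != self.dst_port:
            return False
        if self.src_zone is not None and f.src_zone != self.src_zone:
            return False
        if self.dst_zone is not None and f.dst_zone != self.dst_zone:
            return False
        if self.src_net is not None and ip_address(f.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(f.dst_ip) not in ip_network(self.dst_net):
            return False
        return True


UNCLASSIFIED = "unknown"

# Constructed signatures; not real vendor content.
PAYLOAD_SIGS = [
    PayloadSignature("web-browsing", "tcp", rb"^(GET|POST|HEAD) [^ ]+ HTTP/1\.[01]\r\n"),
    PayloadSignature("ssh", "tcp", rb"^SSH-2\.0-"),
]
CUSTOM_SIGS = [
    # "Whatever trust sends to the DMZ API subnet on TCP/8443 is our internal API."
    CustomSignature("internal-api", "tcp", 8443, src_zone="trust",
                    dst_zone="dmz", dst_net="10.0.5.0/24"),
]
POLICY = {"web-browsing": "allow", "ssh": "allow", "internal-api": "allow"}


def classify(f: Flow) -> str:
    """Payload patterns take precedence; custom port/zone rules fill the gap."""
    for sig in PAYLOAD_SIGS:
        if f.proto == sig.proto and re.match(sig.pattern, f.payload):
            return sig.app_id
    for sig in CUSTOM_SIGS:
        if sig.matches(f):
            return sig.app_id
    return UNCLASSIFIED


def decide(f: Flow, default_action: str = "deny") -> Tuple[str, str]:
    """Return (application id, action); unclassified traffic gets the blanket default."""
    app = classify(f)
    if app == UNCLASSIFIED:
        return app, default_action
    return app, POLICY.get(app, "deny")


# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "http":            Flow("trust", "10.0.1.7", "untrust", "203.0.113.10", "tcp", 80,
                            b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
    "ssh-odd-port":    Flow("trust", "10.0.1.7", "untrust", "203.0.113.11", "tcp", 2222,
                            b"SSH-2.0-OpenSSH_9.6\r\n"),
    "api":             Flow("trust", "10.0.1.7", "dmz", "10.0.5.20", "tcp", 8443,
                            b"\x16\x03\x01\x02\x00"),
    "api-wrong-zone":  Flow("untrust", "198.51.100.4", "dmz", "10.0.5.20", "tcp", 8443,
                            b"\x16\x03\x01\x02\x00"),
    "impostor-on-api": Flow("trust", "10.0.1.9", "dmz", "10.0.5.20", "tcp", 8443,
                            b"HELLO-NEW-APP/1\r\n"),
    "brand-new-app":   Flow("trust", "10.0.1.7", "untrust", "203.0.113.50", "udp", 51820,
                            b"\x01\x00\x00\x00"),
}


def run_samples(default_action: str = "deny") -> Dict[str, Tuple[str, str]]:
    return {name: decide(f, default_action) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (app, action) in run_samples().items():
        print(f"{name:16s} -> {app:14s} {action}")
```

The `ssh-odd-port` flow shows why payload matching is preferred: it is recognised on TCP/2222 because the pattern, not the port, identifies it. The `impostor-on-api` flow shows the weakness of the custom signature: an unrelated new application speaking to the same subnet and port from the trusted zone is labeled `internal-api` and allowed, which is the detective work the background leaves to the administrator. The `brand-new-app` flow matches nothing and receives the blanket default, so changing `default_action` flips it between allow and deny without any understanding of what it is.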