Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks.
To facilitate monitoring, management and control of network environments, a variety of network devices, applications, technologies and services have been developed. For example, certain data flow rate control mechanisms have been developed to provide a means to control and optimize efficiency of data transfer as well as allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. For example, bandwidth management devices allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, certain bandwidth management devices, as well as certain routers, allow network administrators to specify aggregate bandwidth utilization controls to divide available bandwidth into partitions. With some network devices, these partitions can be configured to provide a minimum bandwidth guarantee, and/or cap bandwidth, as to a particular class of traffic. An administrator specifies a traffic class (such as FTP data, or data flows involving a specific user or network application) and the size of the reserved virtual link—i.e., minimum guaranteed bandwidth and/or maximum bandwidth. Such partitions can be applied on a per-application basis (protecting and/or capping bandwidth for all traffic associated with a network application) or a per-user basis (controlling, prioritizing, protecting and/or capping bandwidth for a particular user). In addition, certain bandwidth management devices allow administrators to define a partition hierarchy by configuring one or more partitions dividing the access link and further dividing the parent partitions into one or more child partitions.
Furthermore, network security is another concern, such as the detection of computer viruses, as well as prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions, to evaluate network performance, and to diagnose problems.
Many of the systems and technologies discussed above incorporate or utilize traffic classification mechanisms to perform their respective functions. Identification of traffic types associated with data flows traversing a network generally involves the application of matching criteria or rules to explicitly presented or readily discoverable attributes of individual packets, or groups of packets, against an application signature which may comprise a protocol identifier (e.g., TCP, HTTP, UDP, MIME types, etc.), a port number, and even an application-specific string of text in the payload of a packet. Indeed, the rich Layer 7 classification functionality of Packetshaper® bandwidth management devices offered by Packeteer®, Inc. of Cupertino, Calif. is an attractive feature for network administrators, as it allows for accurate identification of a variety of application types and, thus, granular monitoring and control of network traffic.
An increasing number of network applications, however, employ data compression, encryption technology, and/or proprietary protocols that obscure or prevent identification of various application-specific attributes, often leaving well-known port numbers as the only basis for classification. In fact, as networked applications become increasingly complex, data encryption and/or compression has become a touted security or optimization feature. Indeed, data encryption addresses the concern of security and privacy issues, but it also makes it much more difficult for intermediate network devices, such as network monitors and bandwidth managers, to identify the applications that employ them. In addition, traffic classification based solely on well-known port numbers can be problematic, especially where a network application uses dynamic port number assignments or incorrectly uses a well-known port number, leading to misclassification of the data flows. In addition, classifying such encrypted network traffic as unknown (or encrypted) and applying a particular rate or admission policy to unknown traffic classes undermines the granular control otherwise provided by bandwidth management devices and, further, may cause legitimate, encrypted traffic to suffer as a result.
Furthermore, the increasing adoption of standardized communications protocols also presents challenges to network traffic classification mechanisms. The increasing use of Web services networking protocols, for instance, makes granular classification of network traffic more difficult, since the data flows corresponding to a variety of different web services applications all use the same standard web services and other network protocols, such as HTTP, SMTP, NNTP, SOAP, XML and the like. For example, a Web service typically allows a consuming application to access the service using one to a plurality of different bindings based on standard network protocols, such as HTTP and SMTP. Accordingly, the packet headers in the messages transmitted to the web service, as well as the packet headers associated with any response, across a wide variety of web services will typically include less meaningful information in the lower layers of the headers associated with the network communication protocol stack. For example, as discussed above, a well-formed SOAP message using an HTTP binding will typically identify port number 80, the well-known port number for HTTP traffic. As a result of this standardization, it will become increasingly difficult to ensure that critical network services are protected and rogue services, which also employ Web service networking protocols, are restricted as the differentiation between services and applications moves up the network communications protocol stack. Moreover, as the information that distinguishes one Web service from another moves up the protocol stack, it becomes more difficult to configure the matching attributes required to classify each Web service.
Traffic classification mechanisms have to adapt to address these circumstances. For example, U.S. application Ser. No. 10/938,435 discloses network traffic classification mechanisms that classify network traffic based on the behavioral attributes of the data flows. U.S. application Ser. No. 10/720,329 discloses the classification of data flows based on heuristic behavior pattern matching. These classification mechanisms differ from traditional classification mechanisms which classify traffic based on explicitly presented attributes of individual data packets.
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that facilitate the classification of network traffic. Embodiments of the present invention substantially fulfill this need.