Network monitoring tools monitor communications that occur in a network. For example, network monitoring tools may monitor network information, such as an Internet Protocol (IP) source address, IP destination address, transport protocol (like TCP or UDP) source port, destination port and number of bytes sent/received. As computing devices create network communication data that travels through the network, the network monitoring tools collect and store this network information at predefined time intervals. However, while network monitoring tools monitor network communications between computing devices, they do not monitor the applications within a computing device that cause the computing device to generate the network communication data. As a result, when an anomaly in the network occurs, conventional network monitoring tools may identify the computing device that causes the anomaly but not the applications that generate the network communication data.
This lack of transparency may create issues ranging from computing device security to computing device performance. For instance, when conventional network monitoring tools identify an anomaly in the network due to a cyber-attack or an application that can be traced to a particular computing device in the network, there is no way to identify which application on the computing device is the cause of the anomaly. Instead, a system administrator or a forensic analyst is forced to manually search through a plethora of applications executing on the computing device and try to guess and identify the application of interest. The issue is further exacerbated when the application that causes the anomaly in the network stops executing on the computing device and can no longer be identified at the time the system administrator or the network analyst searches through the computing device, or when the application that causes the anomaly in the network executes for brief periods of time and uses different ports during multiple brief executions.
Embodiments of the disclosure and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures, wherein showings therein are for purposes of illustrating embodiments of the disclosure and not for purposes of limiting the same.