Classification of network applications typically involves inspection of packet payloads. Indeed, a common use of bandwidth management devices is to identify, and limit the bandwidth being consumed by, unruly, bandwidth-intensive applications, such as peer-to-peer applications (e.g., Bitorrent, eMule, etc.), and/or other unauthorized applications. Indeed, the rich Layer 7 classification functionality of Packetshaper® bandwidth management devices offered by Blue Coat Systems®, Inc. of Sunnyvale, Calif. is an attractive feature for network administrator, as it allows for accurate identification of a variety of application types. This traffic classification functionality, in many instances, uses a combination of known protocol types, port numbers and application-specific attributes contained in packet payloads to differentiate application traffic traversing the network.
An increasing number of peer-to-peer applications, however, employ data compression, encryption technology, and/or proprietary protocols that obscure or prevent identification of various application-specific attributes, often leaving well-known port numbers as the only basis for classification. In fact, as networked applications get increasingly complicated, data encryption has become a touted feature. Indeed, encryption addresses the concern of security and privacy issues, but it also makes it much more difficult to identify unauthorized applications using encryption, such as the peer-to-peer applications Azureus, BitComet and Limewire. In addition, traffic classification based solely on well-known port numbers can be problematic, especially where the application uses dynamic port number assignments or an application incorrectly uses a well-known port number, leading to misclassification of the data flows. Furthermore, relying only on well-known port numbers often does not allow for classifying traffic on more granular levels when two or more network applications tend to use the same port numbers. In addition, classifying encrypted network traffic as “unknown” and applying a particular rate or admission policy to unknown traffic classes undermines the granular control otherwise provided by bandwidth management devices and, further, may cause legitimate, encrypted traffic to suffer as a result.