Field
Embodiments of the present invention generally relate to the field of computer networks. In particular, various embodiments relate to methods and systems for identifying network applications based on heuristic rules and active probing.
Description of the Related Art
There has been a constant increase in peer-to-peer (P2P) applications running over the Internet during the past few years. P2P file sharing applications constitute a significant share of the total traffic of the Internet. When a P2P application is running on a computer within a private network and sharing files with other peers, it may consume a significant amount of bandwidth of the private network. P2P file sharing may also cause copyright or network security problems. In order to control the P2P applications or other applications running on a private network, traffic going through the private network may be inspected by a gateway or firewall that controls the private network. A network application may be identified by port-based analysis, pattern-based analysis and/or behavioral-based analysis.
Port-based analysis is a method for identifying protocols by matching the port numbers of data packets against those assigned to known protocols. However, port-based analysis may fail to identify a protocol if a network application uses a random or dynamic port instead of its assigned one.
Pattern-based analysis is a method for identifying network protocols by inspecting the data payloads of the data packets against previously defined application signatures. The firewall may perform regular expression matching on the application-layer data in order to determine whether a particular application is being used. Some P2P software is updated regularly and changes the underlying P2P library, which may generate new traffic patterns, so pattern-based analysis may fail if the signatures for the P2P software are not up to date. Moreover, some P2P applications tunnel around P2P controls placed in their way by encrypting their traffic. Pattern-based identification of P2P then becomes much more difficult, because the payloads of the data packets would have to be decrypted before any signature could be matched.
Behavioral-based analysis is a method for identifying network protocols by tracing the traffic behavior of clients without examining the payloads of the packets. Features used in behavioral-based analysis include trends in packet size, specific traffic patterns (such as the number of distinct peers a host communicates with), and the like. As some P2P software purposely obfuscates its traffic pattern in order to evade detection, behavioral analysis may also fail to identify P2P applications.
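The three techniques above, and the failure modes the text attributes to each, can be seen side by side on a handful of flows. The following is an added example written for this page, not code from the application or from any product it describes. The port table, the regular-expression signatures (the BitTorrent handshake prefix, an HTTP request line, a TLS handshake record header), the fan-out thresholds and every flow in the sample set are assumptions constructed for illustration; the "obfuscated" payload is a made-up random-looking byte string standing in for an encrypted stream, not a real capture.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed flow with only its first payload bytes (what a gateway sees)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Port-based analysis: look the destination port up in a table of well-known
# assignments. 6881-6889 is the conventional BitTorrent range; 80 and 443 are
# HTTP and HTTPS. (Table constructed for this example.)
WELL_KNOWN_PORTS = {80: "http", 443: "tls", **{p: "bittorrent" for p in range(6881, 6890)}}


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dport, "unknown")


# Pattern-based analysis: regular expressions over the application-layer payload.
# The BitTorrent handshake begins with the length byte 0x13 followed by the
# literal "BitTorrent protocol"; the other two match a standard HTTP request line
# and a TLS record header (content type 0x16 = handshake, version 0x03xx).
SIGNATURES = [
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    ("http", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"\A\x16\x03[\x00-\x03]")),
]


def classify_by_pattern(flow: Flow) -> str:
    for name, rx in SIGNATURES:
        if rx.match(flow.payload):
            return name
    return "unknown"


# Behavioral analysis: ignore payloads and look only at who talks to whom.
# A host that opens flows to many distinct peers on many distinct ports looks
# like a P2P client; a browser fans out to few hosts, almost all on 80/443.
# The thresholds are hypothetical values chosen for this example.
def classify_by_behavior(flows, min_peers: int = 4, min_ports: int = 4) -> dict:
    peers, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
    return {
        src: "p2p-like" if len(peers[src]) >= min_peers and len(ports[src]) >= min_ports else "unknown"
        for src in peers
    }


def classify(flow: Flow) -> str:
    """Payload signature first (stronger evidence), port table as the fallback."""
    verdict = classify_by_pattern(flow)
    return verdict if verdict != "unknown" else classify_by_port(flow)


# Constructed sample flows. Reserved bytes, info_hash and peer_id are zeroed.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)
# Stand-in for an obfuscated/encrypted stream: first bytes look like random key
# material, so no plaintext signature can match.
OBFUSCATED = bytes.fromhex("9f3a7c11e2b04d58c6a0ff21734be98d0c5a2e7f")
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40001, "203.0.113.10", 6881, BT_HANDSHAKE),   # BT on its default port
    Flow("10.0.0.5", 40002, "203.0.113.11", 51413, BT_HANDSHAKE),  # BT on a random port
    Flow("10.0.0.5", 40003, "203.0.113.12", 28831, OBFUSCATED),    # obfuscated BT, random port
    Flow("10.0.0.5", 40004, "203.0.113.13", 39211, OBFUSCATED),
    Flow("10.0.0.5", 40005, "203.0.113.14", 6889, BT_HANDSHAKE),
    Flow("10.0.0.9", 40101, "198.51.100.1", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.9", 40102, "198.51.100.2", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.9", 40103, "198.51.100.1", 80, b"GET /style.css HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport:<5} port={classify_by_port(f):<10} "
              f"pattern={classify_by_pattern(f):<10} combined={classify(f)}")
    print("behavior:", classify_by_behavior(SAMPLE_FLOWS))
```

Running it shows the three gaps the text describes: the handshake on port 51413 is missed by the port table but caught by the signature, the obfuscated flows are missed by both, and only the behavioral view (five peers on five different ports from 10.0.0.5) still flags that host, which is exactly the kind of fan-out a client could spread out over time to evade.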
Therefore, there is a need for improving application identification of network traffic.