Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks. To that end, a variety of network devices have been created to provide data gathering, reporting, and/or operational functions, such as firewalls, gateways, packet capture devices, bandwidth management devices, application traffic monitoring devices, and the like. For example, the TCP/IP protocol suite, which is widely implemented throughout the world-wide data communications network environment called the Internet and in many wide and local area networks, omits any explicit supervisory function over the rate of data transport across the various devices that comprise the network. While there are certain perceived advantages, this characteristic has the consequence of juxtaposing very high-speed and very low-speed packet streams in potential conflict and produces certain inefficiencies. Certain loading conditions degrade the performance of networked applications and can even cause instabilities that lead to overloads, which in turn can stop data transfer temporarily. In response, certain data flow rate control mechanisms have been developed to provide a means to control and optimize the efficiency of data transfer, as well as to allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets.
Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. In particular, bandwidth management devices allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. Network security is another concern, including the detection of computer viruses, as well as the prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions.
Enterprise network topologies can span a vast array of designs and connection schemes depending on the enterprise's resource requirements, the number of locations or offices to connect, desired service levels, costs, and the like. A given enterprise often must support multiple LAN or WAN segments that serve headquarters, branch offices, and other operational and office facilities. Indeed, enterprise network design topologies often include multiple, interconnected LAN and WAN segments in the enterprise's intranet, and multiple paths to extranets and the Internet. Enterprises that cannot afford the expense of private leased lines to build their own WANs often employ frame relay or other packet-switched networks, together with Virtual Private Networking (VPN) technologies, to connect private enterprise sites via a service provider's public network or the Internet. Some enterprises also use VPN technology to create extranets with customers, suppliers, and vendors. These network topologies often require the deployment of a variety of network devices at each remote facility. In addition, some network systems are end-to-end solutions, such as application traffic optimizers using compression tunnels, requiring network devices at each end of a communications path between, for example, a main office and a remote facility.
Given the vast array of enterprise network topologies and the reliance on open computer networks, enterprises are confronted with a number of potential problems. For example, Denial-of-Service (DoS) attacks are a common concern among network administrators. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised hosts attack a single target, such as a web server, by transmitting large numbers of packets to deny service to legitimate users of the targeted system. Specifically, the flood of incoming messages to the targeted system exhausts its resources and effectively forces it to shut down, thereby denying the services of the system to legitimate users. U.S. application Ser. No. 10/843,185, incorporated by reference above, describes various types of DDoS attacks and the problems created by them. In addition to posing a problem for the targeted end systems, these DoS attacks also create problems for network devices, such as application traffic management systems, disposed at the edge of enterprise networks and/or at a point in the communications path between a compromised end system and a targeted system. For example, and referring to FIG. 1, assume for didactic purposes that end systems 42 on network 40 have been compromised and have initiated a DoS attack against targeted system 43. As discussed above, the compromised end systems 42 transmit a large number of ICMP or SYN packets, for example, to the targeted system 43. An application traffic management device 30 encounters these packets and, pursuant to its configuration, processes them as part of its application traffic management functions. Processing the inordinate number of packets from the compromised end systems, however, quickly overwhelms the capacity of the network device 30, such as its system bus and central processing unit (CPU), requiring that a large number of packets be dropped, including packets of legitimate flows.
To address these concerns, various technologies have been developed. For example, U.S. application Ser. No. 10/676,383 discloses network traffic data collection mechanisms that can be configured to allow a network administrator to identify unusual traffic patterns from hosts that point to probable computer virus infections. In addition, U.S. application Ser. No. 10/843,185 discloses packet load shedding mechanisms that protect a network device in the presence of many infected hosts, allowing it to continue performing its intended function, such as providing QoS for network applications. U.S. application Ser. No. 10/720,329 discloses methods for heuristically analyzing the behavior of end systems against known behavior profiles to classify applications. While these mechanisms operate effectively relative to their intended objectives and facilitate identification of possibly infected hosts (or other network applications), the workflow entailed often involves many manual steps, with few tools available to automatically apply network controls to contain the traffic emanating from these infected hosts. In addition, traditional classification mechanisms, which generally operate on explicitly presented attributes of the packets themselves (e.g., protocol identifiers, header fields, etc.), are often difficult to apply to network traffic emanating from infected hosts, as the signatures (and behavior profiles) of such viruses are not known in advance and change rapidly. Other problematic network technologies are peer-to-peer file sharing systems that are beginning to employ sophisticated encryption mechanisms to evade detection. One possible solution is the use of adaptive response mechanisms that, upon detection of a given type of network traffic or network loading condition, re-configure the network traffic classification mechanisms to identify and control the traffic. U.S. application Ser. No. 10/295,391, for example, discloses mechanisms that monitor for suspicious activity and change the configuration of a network device in response to the monitored activity. These approaches, however, can be problematic in application traffic management systems, for example, as it is often computationally expensive to re-configure the network traffic classification configuration, especially in real time while the system is operating to manage network traffic.
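The following is an added illustration, not code from the patent or from any of the applications cited above, of the kind of behavior-based classification and automatic control the preceding paragraphs describe: each source host is scored on attributes that are orthogonal to packet headers (its rate of half-open TCP flows, the number of distinct destinations it touches, its ICMP packet rate), a verdict is derived, and a control action is chosen that tightens when the traffic management device itself is under load, in the spirit of load shedding. The flow records, the 10 second window, the thresholds, and the CPU utilization figure are all constructed assumptions chosen for the example; a deployed system would take these from its own flow table and tuned policy.

```python
"""Behavioral host classification with load-sensitive control actions.

Added example (not from the patent). Flow records, thresholds and the
device load figure are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str       # "tcp", "udp" or "icmp"
    syn_only: bool   # TCP flow that never completed the three-way handshake
    packets: int     # packets seen in the observation window


# Constructed sample flows observed in one 10 second window (assumed):
#   10.0.0.5  -> 250 half-open connections to one web server (SYN flood)
#   10.0.0.7  -> 12 half-open connections to 12 hosts on port 445 (scanning)
#   10.0.0.9  -> 5 completed HTTPS flows (normal client)
#   10.0.0.11 -> 6000 ICMP packets to one host (ICMP flood)
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "192.0.2.10", 80, "tcp", True, 1) for _ in range(250)]
    + [Flow("10.0.0.7", f"192.0.2.{i}", 445, "tcp", True, 1) for i in range(20, 32)]
    + [Flow("10.0.0.9", "192.0.2.10", 443, "tcp", False, 40) for _ in range(5)]
    + [Flow("10.0.0.11", "192.0.2.10", 0, "icmp", False, 2000) for _ in range(3)]
)


def host_profiles(flows):
    """Aggregate per-source-host behavioral counters from flow records."""
    stats = defaultdict(lambda: {"flows": 0, "syn_only": 0,
                                 "dsts": set(), "icmp_pkts": 0})
    for f in flows:
        s = stats[f.src]
        s["flows"] += 1
        s["dsts"].add(f.dst)
        if f.proto == "tcp" and f.syn_only:
            s["syn_only"] += 1
        if f.proto == "icmp":
            s["icmp_pkts"] += f.packets
    return stats


def classify_host(profile, window_s=10):
    """Return "flooding", "scanning" or "normal" from behavior alone.

    Thresholds are assumed for the example: >= 20 new flows/s with >= 80%
    never completing looks like a SYN flood; >= 500 ICMP packets/s looks
    like an ICMP flood; >= 10 distinct destinations with mostly half-open
    connections looks like a scan.
    """
    flow_rate = profile["flows"] / window_s
    syn_frac = profile["syn_only"] / profile["flows"] if profile["flows"] else 0.0
    icmp_rate = profile["icmp_pkts"] / window_s
    if (flow_rate >= 20 and syn_frac >= 0.8) or icmp_rate >= 500:
        return "flooding"
    if len(profile["dsts"]) >= 10 and syn_frac >= 0.5:
        return "scanning"
    return "normal"


def control_action(verdict, cpu_util):
    """Map a verdict to a control, shedding more aggressively under load.

    Flooding hosts are always dropped. Scanning hosts are rate-limited,
    but when the device's CPU utilization is at or above 0.9 (assumed
    shedding threshold) their traffic is dropped outright so the device
    keeps capacity for legitimate flows.
    """
    if verdict == "flooding":
        return "drop"
    if verdict == "scanning":
        return "drop" if cpu_util >= 0.9 else "rate-limit"
    return "allow"


def apply_policy(flows, cpu_util, window_s=10):
    """Return {host: (verdict, action)} for every source host in the flows."""
    return {
        host: (verdict, control_action(verdict, cpu_util))
        for host, profile in host_profiles(flows).items()
        for verdict in (classify_host(profile, window_s),)
    }


if __name__ == "__main__":
    for load in (0.5, 0.95):
        print(f"device CPU utilization {load:.2f}:")
        for host, (verdict, action) in sorted(apply_policy(SAMPLE_FLOWS, load).items()):
            print(f"  {host:<10} {verdict:<9} -> {action}")
```

At 50% device load the scanning host is only rate-limited; at 95% the same host is dropped while the normal client is still allowed, which is the adaptive, load-sensitive behavior the paragraph contrasts with static header-based classification. Note that none of the decisions depend on a signature or port number, so they survive a change of malware payload or a switch to encrypted transport.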
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that facilitate the classification and control of network traffic based on conditions orthogonal to explicit attributes of packets or the interface on which a packet was encountered, such as the behavior of the nodes corresponding to the network traffic, the loading conditions of a network device in the communications path of the flows, and the metrics associated with the communications path, such as round-trip time, network delay, etc. Embodiments of the present invention substantially fulfill these needs.