Network communications often include network packet flows associated with applications running on a wide variety of network-connected devices. For example, within network communication systems, applications running on personal computers, mobile devices, and/or other processing platforms may form one or more communication connections with a variety of network-connected systems, and each of these connections can include multiple packet flows. Network management systems are often used to control various parameters associated with packet flows for applications running within a monitored network communication system, such as, for example, priority of related packets, bandwidth usage, and/or other flow parameters for the network communication system. The ability to identify applications operating within the network communication system can facilitate this management of packet flows within network communication systems.
FIG. 1 (Prior Art) is a block diagram of an embodiment 100 for an application signature generator for previously known applications. A new application execution module 102 runs a known application for which a signature is desired, and network transmissions 104 are generated by this known application during its operation. A packet monitor 108 collects network packets 106 associated with the operation of the known application. A parameter extractor 112 receives the collected packets 110 and processes them to extract parameters associated with lower network layers within the OSI (Open Systems Interconnect) model including: Layer 1 (L1: physical layer), Layer 2 (L2: data link layer), Layer 3 (L3: network layer), and Layer 4 (L4: transport layer). The resulting lower level data 114 from these lower level network layers (L1-L4) is then provided to an application signature generator 116, which operates to generate an application signature for the known application. This new signature 118 is then stored in an application signature database 120. While such signature generation can be useful in detecting future application activity, the application must already be known for the execution module 102 to run the application and create the network transmissions used to generate a new signature for the application. As such, this technique is not particularly useful for new or unknown applications entering a network.
FIG. 2 (Prior Art) is a block diagram of an embodiment 200 for application signature generation based upon pre-classified training data. A network traffic monitor 206 monitors packets 204 from network traffic 202 and provides packet data 208 to an application signature generator 210 without regard to the state of the communications represented by the data extracted from the packets. The application signature generator 210 utilizes the stateless packet data 208 and pre-classified training data 212, which has been previously generated, to generate an application signature. While such application signature generation based upon pre-classified training data can be useful in detecting future network activity by applications, the complexity and diversity of new network applications, as well as the need for pre-generated and pre-classified training data, make it difficult to detect and identify new or unknown applications entering a network.