This Application relates generally to systems for managing and processing information, and specifically to an architecture and techniques for managing network-based applications accessed by computer systems and other devices.
With the advent of modern computers and computer networks, users have been provided with a faster electronic means of communicating with each other. Browser applications, such as Internet Explorer from Microsoft Corporation and Firefox from the Mozilla Foundation, can allow users to browse the world-wide web, obtain news information, share photos or music, or the like, through computer networks, such as the Internet. As another example, e-mail and instant messaging can allow users to interact in real-time communications.
Computer networks can often include hundreds or thousands of network hosts. A network host can be a computer or other hardware device that runs software applications and originates and/or receives network traffic. Network administrators may often be responsible for maintaining these network hosts in proper running order. The network administrators may incorporate a variety of methodologies and devices in an attempt to ensure that any computer network under their supervision operates securely and reliably. To that end, network administrators may often set rules or establish network policies for users, groups, and devices about the types of software applications and network traffic allowed on a network.
Network applications may include software applications on a network host that are responsible for originating and/or receiving network traffic, referred to as network flows. Some network applications may be well-behaved and conform with a network's rules and policies. Other network applications may be poorly-behaved, installing without a user's or network administrator's permission, hiding themselves and their operation, and violating a network's rules and policies. Examples of poorly-behaved network applications may include computer viruses, worms, spyware, and malware applications. Additionally, some more legitimate applications, such as instant messaging applications, file-sharing or other types of peer-to-peer network applications, voice-over IP (VOIP) communication applications, and multimedia applications may be responsible for network flows that can circumvent network policies and jeopardize network security and reliability.
Often, poorly-behaved network applications can attempt to conceal their network flows to avoid detection and disregard network policies. Common evasion techniques may include using non-standard network protocols, dynamic port and channel selection, which limits the effectiveness of monitoring and blocking network ports to control network traffic; HTTP/HTTPS tunneling, which hides network flows in normally-permitted web traffic; Peer-to-Peer onion routing, which selects destination addresses for peer-to-peer routing at random to circumvent destination address blocking; and encryption of network packet data, which prevents network monitors from examining the contents of network packets to identify the type of network flow.
For example, some common peer-to-peer VOIP applications can circumvent network policies in a number of ways. The peer-to-peer VOIP application may dynamically select different ports and channels for communication. If UDP is blocked, the application can fall back on TCP/IP. Additionally, the peer-to-peer VOIP application may tunnel its data over open ports 80 or 443, which are normally intended for HTTP or SSL traffic. A peer-to-peer VOIP application may dynamically select supernodes in its peer-to-peer network to circumvent destination address detection and blocking. Additionally, data may be encrypted to prevent detection using packet inspection.
Some attempts at controlling network applications generally include monitoring the content, size, and source and destination addresses of network flows as they pass through a gateway or other point in the network. However, due to the above-described evasion techniques, these attempts at controlling network applications may have too little information to reliably detect poorly-behaved network applications. Additionally, these attempts at controlling network applications may further have too little information about who initiated an unauthorized network flow.
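The limitation described above is that a gateway sees only the outside of a flow: addresses, ports, size and (possibly encrypted) payload. A tunnelled VOIP flow and a legitimate browser session to port 443 look alike from that vantage point. The following is an added illustration, not text or code from this application, of what a host-resident agent gains by joining each flow to the socket, process and user that opened it. All socket, process and flow tables below are constructed, and the application names in the policy sets (`firefox.exe`, `p2pvoip.exe`, and so on) are placeholders chosen for the example.

```python
"""Host-side attribution of network flows to their originating application.

Added example (not from the original application text). It models the point that
a gateway cannot tell a browser's TLS session from VOIP data tunnelled over port
443, while a host agent that knows which process owns each local socket, and
which user owns that process, can apply a per-application network policy.
Every table below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    src_port: int     # local (ephemeral) port the host used
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Socket:
    proto: str
    local_port: int
    pid: int          # process that owns the socket


@dataclass(frozen=True)
class Process:
    pid: int
    name: str         # executable name, as a host agent would report it
    user: str


@dataclass(frozen=True)
class Attribution:
    flow: Flow
    process: Optional[Process]
    verdict: str      # "allow" or "deny"
    reason: str


# Constructed policy: only these executables may originate flows on web ports.
WEB_ALLOWED_APPS = {"firefox.exe", "iexplore.exe"}
# Constructed policy: applications that are forbidden from the network entirely.
DENIED_APPS = {"p2pvoip.exe"}
WEB_PORTS = (80, 443)


def gateway_view(flow: Flow) -> Tuple[str, str, int]:
    """What a gateway can key on when the payload is encrypted."""
    return (flow.proto, flow.dst_ip, flow.dst_port)


def attribute_flow(flow: Flow, socket_index: Dict[Tuple[str, int], int],
                   processes: Dict[int, Process]) -> Attribution:
    """Join a flow to its owning process via the local socket, then apply policy."""
    pid = socket_index.get((flow.proto, flow.src_port))
    proc = processes.get(pid) if pid is not None else None
    if proc is None:
        # A flow with no owning socket is itself suspicious (hidden or exited process).
        return Attribution(flow, None, "deny", "no owning process for flow")
    if proc.name in DENIED_APPS:
        return Attribution(flow, proc, "deny", f"{proc.name} is denied by policy")
    if flow.dst_port in WEB_PORTS and proc.name not in WEB_ALLOWED_APPS:
        # Port 80/443 traffic from a non-browser: the tunnelling case from the text.
        return Attribution(flow, proc, "deny",
                           f"{proc.name} is not a permitted web client on port {flow.dst_port}")
    return Attribution(flow, proc, "allow", "conforms to policy")


def attribute_all(flows: List[Flow], sockets: List[Socket],
                  processes: List[Process]) -> List[Attribution]:
    socket_index = {(s.proto, s.local_port): s.pid for s in sockets}
    proc_map = {p.pid: p for p in processes}
    return [attribute_flow(f, socket_index, proc_map) for f in flows]


# Constructed sample tables standing in for a host's socket and process listing.
SAMPLE_PROCESSES = [
    Process(1200, "firefox.exe", "alice"),
    Process(1300, "p2pvoip.exe", "bob"),
    Process(1400, "updater.exe", "SYSTEM"),
]
SAMPLE_SOCKETS = [
    Socket("tcp", 50001, 1200),
    Socket("tcp", 50002, 1300),   # VOIP app tunnelling over 443
    Socket("udp", 50003, 1400),
    Socket("tcp", 50004, 1400),
]
SAMPLE_FLOWS = [
    Flow("tcp", 50001, "203.0.113.10", 443),   # browser TLS session
    Flow("tcp", 50002, "203.0.113.20", 443),   # same as above to a gateway
    Flow("udp", 50003, "198.51.100.5", 33445),
    Flow("tcp", 50004, "198.51.100.9", 80),    # non-browser on port 80
    Flow("tcp", 50005, "192.0.2.7", 8080),     # no socket owner recorded
]


def sample_report() -> List[Attribution]:
    return attribute_all(SAMPLE_FLOWS, SAMPLE_SOCKETS, SAMPLE_PROCESSES)


if __name__ == "__main__":
    for a in sample_report():
        who = f"{a.process.name} ({a.process.user})" if a.process else "unknown"
        print(f"{a.flow.proto} :{a.flow.src_port} -> {a.flow.dst_ip}:{a.flow.dst_port}"
              f"  {who:28} {a.verdict}: {a.reason}")
```

The first two flows share a `gateway_view` shape (TCP to port 443, opaque payload, differing only in a destination address that a peer-to-peer application can change at will), yet the host-side join labels one as a permitted browser session owned by one user and the other as a denied application owned by another. That per-process and per-user context is exactly what the gateway-only approaches described above lack.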
Accordingly, what is desired is to solve problems relating to managing network-based applications accessed by computer systems and other devices, some of which may be discussed herein. Additionally, what is desired is to reduce drawbacks related to detecting and identifying network-based applications that initiate network flows, some of which may be discussed herein.