1. Field of the Invention
Embodiments of the present invention generally relate to a method for mapping traffic to applications in a network environment. More specifically, the present invention discloses an efficient method for constructing application signatures.
2. Description of the Related Art
An accurate mapping of traffic to applications is important for a broad range of network management and measurement tasks, including traffic engineering, performance/failure monitoring, and security. In the Internet, applications have traditionally been identified using well-known default server network-port numbers in the TCP or UDP headers. However, this approach has become increasingly inaccurate because many applications use non-default or ephemeral port numbers, or use well-known port numbers associated with other applications.
Alternatively, a more accurate technique uses specific application-level features in the traffic content to guide the identification. More specifically, this signature-based application classification approach parses packets for application-level information and tries to match the content of a TCP/UDP connection against common signatures found in the target application. However, existing approaches to application signature identification may involve a labor-intensive process that combines information from available documentation with information gleaned from analysis of packet-level traces to develop potential signatures, and that uses multiple iterations to improve accuracy and reduce computational overhead. Such a painstaking manual approach will scale poorly if applied to the growing range of diverse Internet applications.
Therefore, there is a need in the art for a method and apparatus for automatically constructing application signatures.
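The contrast drawn in the related art above, between port-number lookup and matching connection content against signatures, can be seen on a handful of flows. The following is an added example, not part of the original document: the port table, the three hand-written signatures, and the flows are all constructed for illustration.

```python
import re

# Well-known default server ports (the traditional identification method).
PORT_MAP = {22: "ssh", 80: "http", 443: "https", 6881: "bittorrent"}

# Hand-written payload signatures, matched at the start of a connection.
# These three patterns are assumptions chosen for this example.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

def classify_by_port(server_port):
    """Identify the application from the server port alone."""
    return PORT_MAP.get(server_port, "unknown")

def classify_by_signature(payload):
    """Identify the application from the first bytes of the connection."""
    for app, pattern in SIGNATURES:
        if pattern.search(payload):
            return app
    return "unknown"

BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8)

# Constructed flows: (server port, initial payload, true application).
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "http"),
    (8080, b"GET /api/v1 HTTP/1.1\r\nHost: example.test\r\n\r\n", "http"),  # non-default port
    (80, BT_HANDSHAKE, "bittorrent"),      # port associated with another application
    (2222, b"SSH-2.0-ExampleServer\r\n", "ssh"),  # non-default port
    (51413, BT_HANDSHAKE, "bittorrent"),   # ephemeral port
]

def score(flows=FLOWS):
    """Return (correct by port, correct by signature, total flows)."""
    by_port = sum(classify_by_port(p) == truth for p, _, truth in flows)
    by_sig = sum(classify_by_signature(d) == truth for _, d, truth in flows)
    return by_port, by_sig, len(flows)

if __name__ == "__main__":
    for port, data, truth in FLOWS:
        print(f"{truth:<11} port {port:<6} by port: {classify_by_port(port):<11}"
              f" by signature: {classify_by_signature(data)}")
    print("correct (port, signature, total):", score())
```

Each signature here was written by hand from knowledge of the protocol, which is the manual step the text describes as scaling poorly.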