1. Field of the Invention
The present invention relates to computer-based networks and their components. More particularly, the present invention relates to use, operation and control of the network.
2. Description of the Prior Art
Interconnected computing systems having some sort of commonality form the basis of a network. A network permits communication or signal exchange through packet forwarding among computing systems of a common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represent a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present invention, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
The process by which the various computing systems of a network or internetwork communicate is generally regulated by agreed-upon signal exchange standards and protocols embodied in network interface cards or circuitry and software, firmware and microcoded algorithms. Such standards and protocols were borne out of the need and desire to provide interoperability among the array of computing systems available from a plurality of suppliers. Two organizations that have been responsible for signal exchange standardization are the Institute of Electrical and Electronic Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, the IEEE standards for internetwork operability have been established, or are in the process of being established, under the purview of the IEEE 802 committee on Local Area Networks (LANs) and Metropolitan Area Networks (MANs). The IEEE standards include many well defined methods of wired, fiber optic and Radio Frequency (RF or wireless) methods of network communications and are well known to those skilled in the art.
Access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted largely based on the identity of the user and/or the network attached functions. For the purpose of the description of the present invention, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication or other form of confirmation of the offered attached function identity, the attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, computer applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset.
A network administrator grants particular permissions to particular attached functions by establishing network use policies which are enforced at various points in the network. A network policy is an action (or nonaction) to be undertaken based on the existence or occurrence of a defined condition or event. An “event” for purposes of describing the present invention, is a detectable or discernible occurrence that may be considered to have an impact on network operations or performance. Events may be defined by the network administrator. Some events warrant the undertaking of an action to respond, address or otherwise account for those events. Events that warrant the undertaking of some action may be referred to herein as “triggers.” Examples of events that may be trigger events include, but are not limited to, time outs, link changes up or down, link speed changes, user changes, device changes, device additions, network service changes, access device changes, location changes, Intrusion Detection System (IDS) or Firewall events, application access requests, priority change requests, protocol changes, the addition of a wireless access user, policy changes made, bandwidth changes, routing link changes, changes of monitored conditions, local and remote policy changes and network system changes. More generally for purposes of the description of the present invention, a “trigger” is any detected or observed event, activity, occurrence, information or characteristic identified in a network system by the network administrator as being of interest for the purpose of making a modification to an assigned set of policies. The types of triggers that define usage restrictions may be of any type of interest to the network administrator. Network policies are generally directed to administration, management, and/or control of access to or usage of network services. A network policy may also be a policy abstraction that is the translation of one or more network policies to a different level of abstraction. For example, multiple network use policies may be bundled into a higher-level abstract network policy for ease of handling and naming; a network policy set is simply a policy composed of one or more policies.
The network policies are typically defined in and regulated through a network policy server device of the network infrastructure controlled by the administrator. The established policies are transmitted to network interface devices of the network infrastructure, referred to herein as packet forwarding devices, at a point of connection to an attached function. That connection point is referred to herein as a port of the packet forwarding device. As part of the authentication process, a particular set of policies are established by the administrator for that attached function. That is, the port at which that attached function is attached to the packet forwarding device is configured to effect those policies, often by installing other policies or installing or enabling a set of rules for the policy. For example, QoS, bandwidth, and priority levels may be set at certain values for one identified attached function and at different levels for another attached function.
A network session is the establishment of an association between an attached function and one or more network services through the network infrastructure. The session includes a series of electronic signal exchanges referred to as packets and one or more packets to the same destination is typically referred to as a flow. It is to be understood that a network system may be embodied in the combination or interrelation between one or more attached functions and one or more network infrastructure devices. At the outset of a network session, often in relation to the authentication of the attached function seeking to initiate the session, an association is created between the session and one or more network services, constrained by one or more network policies established by the administrator through a network control manager device such as the network policy server and carried out or enforced by one or more of the packet forwarding devices of the network infrastructure.
Access to network services may be limited by conditions other than attached function user authentication. For example, an attached function seeking usage of a discrete network system through virtual private networking may be isolated from certain network services simply because private network entry is made through a public portal such as the internet. It is also understood that in certain settings offering wireless connectivity, network usage may be limited upon detection of attached function attempts to seek unauthorized access to specified restricted network services. However, these isolated efforts at network user control based on something other than user identification authentication are insufficient for complete network control and security. What is needed is a comprehensive and integrated system for controlling network usage for all users and devices at all times and to allow users to access the network services from alternate or unknown devices or device types. Additionally, authorized users may at times use the network in unauthorized ways, so what is needed is a way to identify, limit and enforce uses of all accesses independently to allow proper uses to continue and limit unauthorized uses or simply uses that go against administrator set network policies. The limitations to use also need to be structured in ways the network administrators and authoritative personnel can structure, organize, communicate, administer and enforce the access and use of the network. Network policy or a policy driven network is one organizational approach to abstract the control of the network to users, roles and network services. Policy based networking has, however, not been able to provide limits to use based on the applications being used in the network since the method, placement, compute power and granularity of use has not been built into the network fabric before now. The identification of who, where and what applications are running in the network system can then lead to control and allocation of network resources to support the needs as allowed and administered.
Events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, denying access to the network, denying access to the service, once access to the network is allowed, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying or modifying network-related information. Intrusion Detection Systems are used to monitor the traffic associated with network sessions in an effort to detect harmful activity. However, IDS functions normally only monitor traffic and analyze the traffic flow for harm, they do not analyze other information nor do they generate or enforce policies. They are designed to observe the packets, the state of the packets, and patterns of usage of the packets entering or within the network infrastructure for harmful behavior. There is some limited capability to respond automatically to a detected intrusion including through intrusion prevention systems. However, these detection systems are configured to search for specific patterns of signals that represent harmful activity. The benefit of the IDS is dependent on the effectiveness of the library of signatures used to detect harmful transmissions.
IDSs frequently implement a signature language that includes functionality allowing a security analyst to describe harmful activity on the network. Such signature languages are fairly complex in order to deal with application layer encodings, handle evasion techniques leveraged by attackers, reduce false positives and generally provide a reliable way to describe the characteristics of current network harm efforts. Applications that may be harmful to the network or at least that can slow down network processes that are not of sufficient importance to the enterprise can be difficult to reliably characterize or “fingerprint” due to efforts to evade such characterizations. Encrypted Bittorrent and Skype are examples of such applications that are difficult to fingerprint. It would be desirable to have a network function that can fingerprint applications in an effective manner. To the extent any IDS has some form of application detection functionality, it is limited to evaluating for malicious activity. The network administrator, in order to be more effective in protecting network services and maximizing network efficiency, would prefer to have characterization of as many applications used on the network as possible, regardless of whether any of the applications are malicious.
From the security and usage efficiency perspectives, the network systems industry has had some difficulty keeping pace with the explosion in the number and types of applications used on networks. This revolution is being powered by new models for application availability embodied by Bring Your Own Device (BYOD) and Cloud Computing environments. The networking model that has been in existence along with the infrastructure that maintains availability and applies policy has not kept pace with the rapid increase in applications. It is desirable to have a network infrastructure architecture that is configured to keep pace with the expansion of application usage on the network.
For purposes of describing the present invention, an “application”, which may also be referred to herein as a “computer application” to be characterized (including, for example, by fingerprinting and such other mechanisms as described herein) is any computer code that communicates over the network interface or uses communication-enabling devices of the network as part of it operation. An application is a computer program designed to perform an action. The application can run on any type of computing device including, but not limited to, a server of a network, a desktop computer, a laptop, a tablet, PDA or a smart phone. An application, for purposes of the present invention, includes system computer programs that run computing devices, utility computer programs that perform maintenance and upkeep of computing devices and networks of computing devices, programming tools used to create computer programs, as well as high-level functional computer programs that perform tasks and carry out activities initiated by end users on computing devices. As noted, operating systems are also considered to be applications with respect to the present invention as they may be characterized based on inferences made using operating system specifics from their communications. In addition, network infrastructure device themselves use the network for routing protocols and other traffic such as network management which we will also consider to be applications or uses of the network as demonstrated by adding traffic to the network system. Further, “application fingerprinting” or “application identification” is the act of collecting network traffic and parsing it according to a packet or flow signature set or by statistics, heuristics, history, installed applications base, or other mechanisms, including custom mechanisms. It may include the use of classification techniques used in layer 2 and layer 3 switches and routers. This characterization application identification represents all applications and uses communicated on the network system directly or indirectly. The term “applications running on the network” or variants of that term are used herein to describe those applications that are used, accessed or otherwise engaged through one or more devices of the network infrastructure.
The Open System Interconnection (OSI) model defines a networking framework to implement protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, and proceeding to the bottom layer, over the channel to the next station and back up the hierarchy. The seven layers in reverse order are: Application (layer 7), Presentation (layer 6), Session (layer 5), Transport (layer 4), Network (layer 3), Data Link (layer 2) and Physical (layer 1). The present invention is directed to management of signal exchanges through these OSI layers and they may be referred to herein from time to time.
The Application layer supports computer program applications and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail and other network software services. Telnet and FTP are applications that exist entirely in the application level. Tiered application architectures are part of this layer. The Presentation layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. The Session layer establishes, manages and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues or “flows” between the applications at each end of an exchange between attached functions, between attached functions and network infrastructure devices and between network infrastructure devices. It deals with session and connection coordination. The Transport layer provides transparent transfer of data between end systems and is responsible for end-to-end error recovery and flow control. The Network layer provides switching and routing functionalities, creating logical paths, sometimes referred to as virtual circuits, for transmitting data from node to node, Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing. The Data Link layer encodes and decodes data packets into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control and frame synchronization. The Data Link layer is divided into two sub layers: The Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub layer controls how a computer on the network gains access to the data link and controls permission to transmit on it. The LLC layer controls frame synchronization, flow control and error checking. The Physical layer conveys the bit stream—electrical impulse, light or radio signal—through the network links (wires, fiber, RF) at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier, including semiconductor components, wires, cables, cards and other physical structures.