|||||||||||||||||||||||||||||||||l|||||||||l|||||||||||||||||||||||||||||||
`
`USOU2664048B1
`
`(12) United States Patent
`Yung et at.
`
`(10) Patent No.:
`
`(45} Date of Patent:
`
`US 7,664,048 Bl
`Feb. 16, 2010
`
`(54) HEURISTIC BEHAVIOR PATTERN
`MATCHING OF DATA FLOWS IN EN HAN CED
`NETWORK TRAFFIC (.II.ASSII'"I(L'A’I‘I()N
`
`(75}
`
`Inventors: Weng-Chin Ynng. Folsom. (TA (US):
`Mark Hill. Los Altos. CA (US): Anne
`Cesa Klein. C‘upertino, CA (US)
`
`(23) Assignee: Packeteer, Inc.. C upertino. CA (US)
`
`( ’1‘
`
`) Notice:
`
`Subject to any disclaimer. the term of this
`patent is extended or adjusted under 35
`U.S.C‘. 154(b) by 820 days.
`
`(21) Appl.No.: 10,020,329
`
`(22)
`
`Filed:
`
`Nov. 24, 2003
`
`(51)
`
`[52)
`
`Int. (11.
`(2006.01)
`11041. 12/26
`[1.8. (.‘l.
`....................... 3202253: 3202235: 3202252:
`2092224
`
`3202223.
`[58) Field ofClassifieation Search
`3202224. 229, 230. 231. 236.1, 238, 235.
`3202253. 252: 2092224. 226. 233. 235. 246
`See application file for complete search history.
`
`(56)
`
`References Cited
`U .S. PATENT DOCUMENTS
`
`4.914.650 A
`5.828.846 A
`6.003.022 A
`6.023.456 A
`6.038.216 A ’°‘
`6.046.980 A "‘
`6.122.620 A ’1‘
`6.144.636 A ’°
`6.219.050 B1
`6.285.660 Bl
`6.363.056 B1
`6.392.359 131
`6.584.462 Bl
`6.591.299 B2 ‘1'
`6.625.648 Bl
`6.628.938 Bl
`
`4:1990 Sriram
`10.-'l998 Kirby
`1221999 Bawdcn
`2-"2000 Chapman
`320-"231
`3-2000 Packer
`422000 Packer .................. 320-"230
`
`932000 Bennett cl a1.
`209.3236
`
`11-2000 Aimoto etal.
`320-"229
`4:"2001 Schafl'er
`922001 Ronen
`322002 Beigi
`522002 Chandra
`622003 llaught
`222003 Riddle et a].
`9-2003 Schwaller
`9-'2003 Rachabathuni
`
`................ 2092224
`
`6.681.232 Bl
`6.690.918 BZ
`6.201.359 Bl
`6.233.352 Bl
`6.298.263 Bl
`6.894.922 Bl
`
`1.52004 Sistaniaadeh
`2-"2004 Evans
`322004 Calabre‘z
`522004 Yamada
`922004 Kimltra
`5-2005 i’haal
`
`2.010.611 81*
`2.120.931 Bl
`
`332006 Wiryaman el al.
`[Or-"2006 Cheriton
`
`209.3232
`
`2.154.416 Bl
`2.155.502 Bl
`7.193.968 131
`2.215.632 131
`2.224.629 132
`
`12-2006 Savage
`12-2006 Galloway
`3-2002 Kapoor
`522002 Ferguson
`522002 Solomon
`
`(Continued)
`
`O‘i‘llliR PUBLICATIONS
`
`Pazos. CM. et a1.. “Flow Control and Bandwidth Management in
`Next Generation Internets” IFFE. Jun. 22. 1998.109 123~132.*
`
`(Continued)
`
`Primary Examiner—Donald L Mills
`(24) .Iltrorirqt’. Agent. or I'i'rm- Baker Bolts I...L.1".
`
`(52)
`
`ABSTRACT
`
`Methods. apparatuses and systems facilitating enhanced clas—
`sification of network traflic that extends beyond analysis of
`explicitly presented packet attributes and holistically ana-
`lyzes data flows. and in some implementations. related data
`flows against known application behavior patients to classify
`the data flows. Implementations ol‘ the present invention
`facilitate the classification or encrypted or compressed net-
`work tra file. or where the higher layer in formation in the data
`flows are formatted according to a non-public or proprietary
`protocol.
`
`3] Claims, 11 Drawing Sheets
`
`
`Palwm Male]:
`
`
`Blast! on Suspected
`
`Applicatiufl Type
`
`
`360
`
`
` 362
`
`
`Yes
`
`
`Packet Size
`
`Match Entry in
`Pattern?
`
`366
`Does Packet
`
`Sim matte-11 Neill
`
`Entry in Pattern?
`
`VMWARE 1007
`VMWARE 1007
`
`

`

`US 7,664,048 B1
`Page 2
`
`US. PATENT DOCUMENTS
`
`ӣ292.53 1
`1296.2 88
`7.3 24.44?
`7.385 .9 24
`7.554.983
`200230122427
`200230143901
`2003003 53 85
`ZUUSFOI 12764
`200301852 10
`
`Bl
`Bl
`Bl
`Bl
`Bl
`Al
`Al
`Al
`Al
`Al
`
`11.9007 Hill
`113200? Hill
`IQDDS Morford
`6.52008 Riddle
`6.0009 Muppala
`9:“2002 Kamentsky
`10.9002 Ltlpo
`2.2003 Walsh
`6.0003 Gaspard
`10:200.“, McCormack
`
`2004:"0125815 Al
`2006.500450l4 Al
`
`7:“2004 Shima‘zu
`332006 Charzinski
`
`OTHER PUBLICATIONS
`
`Yo. Guanhua ct al.. “Using explicit congestion notification in stream
`control lransmisson provided in networks”. IEEE. May 1982. 2003.
`pp. 704-709!
`Yung. US. App]. No. 103917.952. entitled: Examination ofconnec-
`lion handshake to enhance classification of encrypted network lraffic.
`Aug. 2004.
`
`* cited by examiner
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheetl of 11
`
`US 7,664,048 B1
`
`50
`
`El
`
`
`
`
`
`HIHHH
` Traffic: Monitoring
`
`Device
`
`40
`
` Traffic
`Classification
`
`Engine
`
`
`
`Fig._1
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 2 of 11
`
`US 7,664,048 B1
`
`Computer
`
`50
`
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 3 of 11
`
`US 7,664,048 B1
`
`Administrator
`Interface
`
`150
`
`
`
`137
`
`Traffic
`_
`_
`Classrficatlon
`.
`Engme
`
`Measurement
`
`Engme
`
`
`
`Flow
`Database
`
`Management
`Information Base
`
`
`
` 138
`
`
`
`
`
`
`
`
`134
`
`139
`
`Host
`Database
`
`Traffic Discovery
`Module
`
`Data Packet
`In
`
`Packet
`Flow Control
`Processor
`Module
`Out
`
`
`
`Data Packet
`
`131
`
`132
`
`Fig.___3
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 4 of 11
`
`US 7,664,048 B1
`
`.
`Recelve Data
`
`
`
`Packet
`
`102
`
`106
`
`Flow
`
`Construct
`
`Object?Flow Object
`
`108
`
`
`
` New Data
`Flow?
`
`
`1 10
`
`No
`
`Fetch/Update
`Flow Object
`
`
`
`
`211
`
`
`115
`
`Identify
`Traffic Class
`
`114
`
`Variables
`
`Record Flow
`
`Measurement
`
`Flag Packet Data
`for Traffic
`Discovery
`
`1 16
`
`118
`
`'
`Flg'_4
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 5 of 11
`
`US 7,664,048 B1
`
`302
`
`Yes
`
`lst Packet of
`New Flow?
`
`322
`
`Increment
`Related Flow
`
`N0
`304
`
`Continue Pattern
`
`
`
`
`
`
`
`Pattern Match
`Related Flow
`
`
`
`Exhausted fer
`Count >
`
`
`
`Flow?
`Threshold?
`
`
`
`305
`
`Matching for
`Flow?
`
`No
`
`Return Previous
`Classification
`
`
`
`Count
`
`Classify as
`Unknown
`
`312
`
`No
`
`Pattern Match
`based on SuSpected
`Application Type
`
`Classify as
`Suspected
`Application
`
`
`
`Identify
`Suspected
`Application
`
`
`Classify as Unknown;
`End Pattern Match
`
`For Flow
`
`
`
`Process Flow For
`Related Flow
`
`No
`
`Tracking
`
`
`Fig._5A
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 6 of 11
`
`US 7,664,048 B1
`
`l
`
`Identify
`
`Q n C‘fiDDffiA
`UuulJuu qu
`
`I
`
`Application
`
`Select First Application
`7
`
`330
`
`P11310001
`Advance to Next
`
`Match
`A h
`t.
`Application?
`pp ca 10m
`
`
`
`
`342
`
`344
`
`
`
`1 st Packet
`Size Matches
`
`
`Pattem‘?
`
`
`
`Compute Packet
`Data Entropy
`Value
`
`Yes
`
`Return "No
`
`Match"
`
`3 4 6
`
`Entmpy Value
`Match
`
`Pattern?
`
`Flg.__5B
`
`
`
`Yes
`
`340
`
`Return Suspected
`
`Application
`
`

`

`US. Patent
`
`Feb. 16,2010
`
`Sheet 7 of l]
`
`US 7,664,048 B1
`
`Related Flow
`
`Tracking
`
`
`
`
`
`Record Arrival Time
`
`of 1 st Packet; Host
`Address and SuSpected
`Application
`
`New Host
`
`
`
`Address!Suspected
`Application Pair?
`
`
`356
`
`
`Related Flow Count
`
`=0; Last Flow Time
`= lst Packet Time
`
`
`
`
`
`
`
`bfw lst
`
`
`Is a.
`
`Packet Time and
`
`Last Flow Time >
`
`Limit?
`
`Fig._5C
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 8 of 11
`
`US 7,664,048 B1
`
`Pattern Match
`
`
`
`
`Based on Suspected
`
`360
`
`Yes
`
`Packet Size
`
`Match Entry in
`
`Application Type
`Pattern?
`
`362
`
`Does Packet
`
`Entry in Pattern?
`
`
`
`Size match Next
`
`
`
`
`
`364
`
`Fig._5D
`
`Return N0
`
`Match
`
`366
`
`
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 9 of 11
`
`US 7,664,048 B1
`
`Client Device
`
`
`
`
`Network
`
`Resource
`
`
`
`Computer
`Network
`
`
`Fig._6
`
`
`
` Computer
`
`Tunnel Proxy
`Server
`
`Network
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 10 OH].
`
`US 7,664,048 B1
`
`Receive Data
`
`202
`
`Packet
`
`
`
`212
`
`f/
`
`Control
`
`N0
`
`Construct
`
`204 Yes
`
`
`
`
`Fetch/Update
`Control Block
`
`218
`
`Write Traffic
`
`
`
`
`Class & Policies
`
`into Control Block
`
`219
`
`Identify
`Traffic Class
`
`2-14
`
`No
`
`220
`
`222
`
`F1g 7
`
`_
`
`224
`
`Flag Packet Data
`for Traffic
`
`
`
`Discovery
`'
`
`Pass Packet to
`
`Flow Control
`
`Module (P)
`
`Record Flow
`Measurement
`
`Variables
`
`

`

`US. Patent
`
`Feb. 16, 2010
`
`Sheet 11 OH].
`
`US 7,664,048 B1
`
`Pass to
`Classification
`
`102
`
`Traffic Class
`
`Identified?
`
`
`
`Engine
`
`
`
`Flag for Traffic
`Discovery
`
`Yes
`
`
`Traffic Class
`Identified By
`Auto-Discovery?
`
`
`Matching
`
`Classification
`
`Pass to Pattern
`
`Mechanism
`
`
`
`Fig. 8
`
`

`

`US 1,664,048 B]
`
`l
`HEURISTIC BEHAVIOR PATTERN
`MA'I‘CI-IING OF DATA FLOWS IN ENHANCED
`NETWORK TRAFFIC CLASSIFICATION
`
`CROSS-REFERENCE TO RELATED
`APPI .ICATIONS AND PA'I‘liNTS
`
`This application makes reference to the following com-
`monly owned U.S. patent applications and patents. which are
`incorporated herein by reference in their entirely for all pur-
`poses:
`US. patent application Ser. No. 081762.828 now U .8. Pat.
`No. 5.802.106 in the name of Robert 1... Packer. entitled
`“Method for Rapid Data Rate Detection in a Packet Commu—
`nication Environment Without Data Rate Supervision:“
`U .S. patent application Ser. No. 081970.693 new U.S. Pat.
`No. 6.018.516. in the name of Robert L. Packer. entitled
`“Method for Minimizing Unneeded Retransmission of Pack-
`ets in a Packet Communication Environment Supporting a
`Plurality of Data link Rates:”
`U .S. patent application Ser. No. 081742.994 now U .3. Pat.
`No. 6.038.216. in the name of Robert L. Packer. entitled
`“Method for Explicit Data Rate Control in a Packet Continu-
`nication Environment without Data Rate Supervision."
`U.S. patent application Ser. No. 091977.642 now U.S. Pat.
`No. 6.046.980.
`in the name of Robert L. Packer. entitled
`“System for Managing Flow Bandwidth U tiliaation at Net-
`work. Transport and Application I .ayers in Store and Forward
`Networ
`
`US. patent application Ser. No. 091106.924 new U.S. Pat.
`No. 6.115.357. in the name ofRobert L. Packer and Brett D.
`Galloway. entitled “Method for Pacing Data Flow in a Packet-
`based Network;"
`U .S. patent application Ser. No. 091046.776 now U.S. Pat.
`No. 6.205.120. in the name of Robert I... Packer and Guy
`Riddle. entitled “Method for Transparently Determining and
`Setting an Optimal Minimum Required TCP Window Size:"
`U .S. patent application Ser. No. 091479.356 now U.S. Pat.
`No. 6.285.658.
`in the name of Robert L. Packer. entitled
`“System for Managing Flow Bandwidth Utilization at net-
`work. 'I‘ransport and Application Layers in Store and Forward
`Netwm-k:"
`
`U .S. patent application Ser. No. 091198.090 now U .8. Pat.
`No. 6.412.000. in the name of Guy Riddle and Robert L.
`Packer. entitled “Method for Automatically Classifying Traf-
`fic in a Packet Connnunications Network;"
`U.S. patent application Ser. No.091l98.051. in the name of
`Guy Riddle. entitled “Method forAutomatically Determining
`a 'I'ralIic Policy in a Packet Communications Network?”
`U.S. patent application Ser. No. 091206.772. in the name of
`Robert I.. Packer. Brett 1). ('ialloway and Ted 'l'hi. entitled
`“Method tor Data Rate Control for Heterogeneous or Peer
`Internetworking:"
`U .S. patent application Ser. No. 101039.992. in the name of
`Michael 1. Quinn and Mary L. Laier, entitled “Method and
`Apparatus for Fast hookup of Related Classification Entities
`in a Tree-Ordered Classification Ilierarchyf’
`U .S. patent application Ser. No. 101108.085. in the name of
`Wei-Lung Lai. Jon Eric Okholm. and Michael .1. Quinn.
`entitled “Output Scheduling Data Structure Facilitating Hier-
`archical Network Resource Allocation Schemez“
`
`U.S. patent application Ser. No. 101155.936 now U.S. Pat.
`No. 6,591,299. in the name of Guy Riddle, Robert L. Packer,
`and Mark Hill. entitled “Method ForAutomatically Classify—
`ing Traffic Willi Enhanced Hierarchy In A Packet Communi-
`cations Network.“
`
`10
`
`3t]
`
`4t]
`
`45
`
`50
`
`55
`
`60
`
`65
`
`2
`
`US patent application Ser. No. 10123 6. l 49. in the name of
`Brett Galloway and George Powers. entitled “Classification
`Data Structure enabling Multi-Dimensioml Network Traffle
`Classification and Control Schemes.”
`U. S. patent application Ser. No. 101295.391. in the name of
`Mark Hill, Guy Riddle and Robert Purvy. entitled “Methods.
`Apparatuses. and Systems Allowing for Bandwidth Manage—
`ment Schemes Responsive to Utilization Characteristics
`Associated with Individual Users."
`U. S. patent application Ser. No. 101334.467. in the name of
`Mark I-Iilt. entitled “Methods. Apparatuses and Systems
`Facilitating Analysis of the Performance of Network Traffic
`Classification Configurationsf'
`U. S. patent application Ser. No. 101453.345, in the name of
`Scott l-lankins. Michael R. Morford. and Michael .1. Quinn.
`entitled “Flow-Based Packet Capture;“ and
`U.S. patent application Ser. No. 10161 1.573. in the name of
`Roopesh Varier. David Jacobson. and Guy Riddle. entitled
`“Network Traffic Synchronization Mechanism.”
`
`FIELD OF THE INVENTION
`
`The present invention relates to computer networks and.
`more particularly. to enhanced network traffic classification
`mechanisms that allow for identification of encrypted data
`flows. or data flows where attributes necessary to proper
`classification are otherwise obscured or unknown.
`
`BACKGROUND OF THE INVENTION
`
`Efficient allocation of network resources. such as available
`network bandwidth. has become critical as enterprises
`increase reliance on distributed computing environments and
`wide area computer networks to accomplish critical tasks.
`The widely~used Transport Control Protocol (1'CP)11ntemet
`Protocol (1?) protocol suite. which implements the world—
`wide data communications network environment called the
`Internet and is employed in many local area networks. omits
`any explicit supervisory function over the rate of data trans-
`port over the various devices that comprise the network.
`While there are certain perceived advantages. this character-
`istic has the consequence of juxtaposing very high~speed
`packets and very low—speed packets in potential conflict and
`produces certain inefficiencies. Certain loading conditions
`degrade performance of networked applications and can even
`cause instabilities which could lead to overloads that could
`
`stop data transfer temporarily.
`In order to understand the context ol‘certain embodiments
`of the invention. the following provides an explanation of
`certain technical aspects of a packet based telecommunica—
`tions network environment. Internetr'lntranet technology is
`based largely on the TCP11P protocol suite. At the network
`level. 1P provides a “datagram” delivery service—that is. IP is
`a protocol allowing for delivery of a datagraltt or packet
`between two hosts. By contrast. TCP provides a transport
`level service on top of the datagram service allowing for
`guaranteed delivery ofa byte stream between two 11’ hosts. In
`other words. 'I‘CP is responsible for ensuring at the transmit-
`ting host that message data is divided into packets to be sent,
`and for reassembling. at the receiving host. the packets back
`ittto the complete message.
`TCP has “flow control" mechanisms operative at the end
`stations only to limit the rate at which a TC P endpoint will
`emit data. but it does not employ explicit data rate control.
`The basic flow control mechanism is a “sliding window“. a
`window which by its sliding operation essentially limits the
`amount of tuiacknowledged transmit data that a transmitter is
`
`

`

`US ?,664,048 B]
`
`3
`allowed to emit. Another flow control mechanism is a cons
`gestion window, which is a refinement of the sliding window
`scheme involving a conservative expansion to make use ol‘the
`full, allowable window.
`The sliding window flow control mechanism works in con-
`junction with the Retransmit Timeout Mechanism (RIO),
`which is a timeout to prompt a retransmission of tuiacknowl—
`edged data. The timeout length is based on a running average
`of the Round Trip Time (RT'1') for acknowledgment receipt,
`it: if an acknowledgment is not received within {typically}
`the smoothed RTT+4*mean deviation, then packet loss is
`inferred and the data pending acknowledgment is re-trans-
`mitted. Data rate flow control mechanisms which are opera-
`tive end—to—end without explicit data rate control draw a
`strong inference of congestion from packet loss (inferred,
`typically. by R'I‘O). TCI’ end systems. for example, will
`“back-off.”—i .e.. inhibit transmission in increasing multiples
`of the base RTI' average as a reaction to consecutive packet
`loss.
`
`A crude form of bandwidth management in 'l'CPfIP net-
`works (that is, policies operable to allocate available band—
`width from a single logical link to network flows) is accom—
`plished by a combination of TCP end systems and routers
`which queue packets and discard packets when some conges-
`tion threshold is exceeded. The discarded and therefore unac-
`
`knowledged packet serves as a feedback mechanism to the
`TCP transmitter. Routers support various queuing options to
`provide for some level of bandwidth management. These
`options generally provide a rough ability to partition and
`prioritize separate classes of tralfic. llowever, configuring
`these queuing options with any precision or without side
`effects is in fact very difficult, and in some cases. not possible.
`Seemingly simple things. such as the length of the queue,
`have a profound effect on traffic characteristics. Discarding
`packets as a feedback mechanism to TCP end systems may
`cause large. uneven delays perceptible to interactive users.
`Moreover. while routers can slow down inbound network
`traffic by dropping packets as a feedback mechanism to a TC1’
`transmitter. this method ofien results in retransmission ofdata
`packets. wasting network traffic and, especially.
`inbound
`capacity ofa Wide Area Network (WAN) link. In addition.
`routers can only explicitly control outbound traffic and cannot
`prevent inbound traffic from over—utilizing a WAN link. A 5%
`load or less on outbound traffic can correspond toa 100% load
`on inbound traffic. due to the typical imbalance between an
`outbound stream of acknowledgments and an inbound stream
`of data.
`
`In response, certain data flow rate control mechanisms
`have been developed to provide a means to control and opti—
`mize efficiency of data transfer as well as allocate available
`bandwidth among a variety of business enterprise function"
`alities. For example, U.S. Pat. No. 6,038,216 discloses a
`method for explicit data rate control in a packet-based net-
`work environment without data rate supervision. Data rate
`control directly moderates the rate of data transmission from
`a sending host. resulting in justwin—time data transmission to
`control inbound traffic and reduce the inefficiencies associ—
`
`ated with dropped packets. Bandwidth management devices
`allow for explicit data rate control for flows associated with a
`particular traffic classification. For example. U.S. Pat. No.
`6.412.000. above. discloses automatic classification of net-
`work tralfic for use in comicction with bandwidth allocation
`mechanisms. U.S. Pat. No. 6,046,980 discloses systems and
`methods allowing for application layer control of bandwidth
`utilization in packet-based computer networks. For example,
`bandwidth management devices allow network administra-
`tors to specify policies operative to control andi’or prioritize
`
`10
`
`3t]
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`4
`
`the bandwidth allocated to individual data lows according to
`traffic classifications. In addition, certain bandwidth manage-
`ment devices. as well as certain routers. allow network admin-
`istrators to specify aggregate bandwidth utilization controls
`to divide available bandwidth into partitions. With sotne net-
`work devices. these partitions can be configured to ensure a
`minimum bandwidth andfor cap bandwidth as to a particular
`class of traffic. An administrator specifies a traffic class (such
`as File Transfer Protocol (FTP) data, or data flows involving
`a specific user} and the size of the reserved virtual Iink-—i.c..
`minimum guaranteed bandwidth andfor maximum band-
`width. Such partitions can be applied on a per-application
`basis {protecting andfor capping bandwidth for all
`traffic
`associated with an application) or a per—user basis (control—
`ling, prioritizing. protecting andfor capping bandwidth for a
`particular user). In addition. certain bandwidth management
`devices allow administrators to define a partition hierarchy by
`configuring one or more partitions dividing the access link
`and further dividing the parent partitions into one or more
`child partitions. While the systems and methods discussed
`above that allow for traffic classification and application of
`bandwidth utilization controls on a per—traflic-classifimtion
`basis operate effectively for their intended purposes, they
`possess certain limitations. As discussed more fully below,
`identification of traffic types associated with data flows tra-
`versing an access link involves the application of matching
`criteria or rules to explicitly presented or readily discoverable
`attributes of individual packets against an application signa—
`ture which may comprise a protocol identifier {e.g.. TCP.
`I-lyper'l‘exl 'l‘ranspon Protocol (HTTP), User Datagram Pro-
`tocol (UDP), Multipurpose Internet Mail Extensions (MI ME]
`types. etc). a port number. and even an application-specific
`string of text in the payload ofa packet. After identification of
`a traffic type corresponding to a data flow, a bandwidth man-
`agement device associates and subsequently applies band—
`width utilization controls (e.g., a policy or partition} to the
`data flow corresponding to the identified traficic classification
`or type. Accordingly. simple changes to an application. such
`as a string of text appearing in the payload or the use of
`encryption text may allow the application to evade proper
`classification and corresponding bandwidth utilization con-
`trols or admission policies.
`Indeed, a common use of bandwidth management devices
`is to limit the bandwidth being consumed by unruly. band-
`width-intensive applications, such as peer-to-peer applica-
`tions (e.g.. Kazaa. Napster. etc). andfor other unauthorized
`applications. Indeed. the rich Layer 7 classification function-
`ality of Packetshaper-‘RJ bandwidth management devices
`offered by Packeteer®. Inc. cf'Cupertino. Calif. is an attrac—
`tive feature for network administrator. as it allows for accu—
`rate identification ofa variety of'application types. This traffic
`classification functionality, in many instances, uses a combi-
`nation of known protocol types, port numbers mid applica-
`tion-specific attributes to differentiate between various appli-
`cation traflic traversing the network. An increasing number of
`such peerwto-peer applications. however. employ data com~
`pression, encryption technology, andfor proprietary protocols
`that obscure or prevent identification of various application—
`specific attributes. often leaving well-known port numbers as
`the only basis for classification. In fact, as networked appli-
`cations get increasingly complicated. data encryption has
`become a touted feature. lndeed. encryption addresses the
`concern of security and privacy issues, but it also makes it
`much more difficult to identify unauthorized applications
`using encryption, such as the peer—to‘peer applications
`“l-iarthstation 5“ and “Winny.” In addition. traffic classifica-
`tion based solely on well-known port numbers can be prob-
`
`

`

`5
`
`6
`
`US ?,664,048 B]
`
`lematic. especially where the application uses dynamic port
`number assignments or an application incorrectly uses a well-
`known port number, leading to misclassification of the data
`flows. In addition. classifying such encrypted network traffic
`as “unknown" and applying a particular rate or admission
`policy to unknown tralfic classes undermines the granular
`control otherwise provided by bandwidth management
`devices and. further. may cause legitimate. encrypted traffic
`to suffer as a resttlt.
`
`In addition, network savvy users (such as students in a
`campus or tmiversity environment) have also become aware
`that bandwidth management devices have been deployed to
`limit or restrict unauthorized peer-to-poer application traffic.
`As a result, users often attempt to bypass or thwart the band—
`width management scheme effected by such bandwidth mam
`agement devices by creating communications tunnels [proxy
`tunnels) through which unauthorized or restricted network
`traffic is sent. The attributes discemible from the content of
`these tunneled data flows. however. often reveal little infor-
`
`mation about its true nature. For example. commercial I--I'l'fP
`tunnel services (such as loopholesoftwarecom, Totachnet.
`and http—tunnelcom. etc.) allow users to send all network
`traffic in the form of HTTP traffic through a I-l'I'I‘P tunnel
`between a tunnel client and an l-I'f'l'P proxy servermaintained
`by the tunnel services provider. FIG. 6 illustrates the func-
`tional ity and operation ofa typical HTTP proxy tunnel. Client
`device 42 includes a client application (such as a peer-to-peer
`application 71) and a ttlnnel client 72. The client application
`sends data to the tunnel client 72 which tttnnels the data over
`l-I’I'I‘Pto a tunnel proxy server 74. The tunnel proxy server 74
`then forwards the data to the intended destination (here. net-
`work resource ?5]. and vice versa. Such l-I'I'TP tunnels typi-
`cally feature encryption; accordingly. a bandwidth manage-
`ment device 30. encountering the tunneled traffic in this form.
`may not detect the exact nature of the traffic and.
`in fact.
`classify such data flows as legitimate or regular HTTP traffic.
`Accordingly. these tunneling mechanisms and other tecln
`niques for evading bamdwidth utilization controls imple-
`mented by bandwidth management devices present new chal-
`lenges to network administrators and bandwidth management
`device manufacturers desiring to effectively control unautho-
`rized or restricted network traffic.
`
`In light of the foregoing, a need in the art exists for meth—
`ods. apparatuses and systems that facilitate the classification
`of encrypted or compressed network traffic. A need further
`exists for methods. apparatuses and systems that facilitate the
`classification ofnetwork traffic associated with a non-public.
`proprietary protocol or application. Embodiments of the
`present invention substantially fulfill these needs.
`
`SUMMARY OF "II-II)? INVIiN’l‘ION
`
`The present invention provides methods. apparatuses and
`systems facilitating enhanced classification of network traf-
`fic. As discussed above. typical mechanisms that classify
`network traffic analyze explicitly presented or readily discov-
`erable attributes of individual packets against an application
`signature. such as a combination of protocol identifiers, port
`numbers and text strings. The present
`invention extends
`beyond analysis ofsttch explicitly presented packet attributes
`and holistically analyzes the data flows. and in some imple-
`mentations. the behavior ofhost or end systems as expressed
`in related data flows against known application behavior pat—
`terns to classify the data flows. Implementations of the
`present invention facilitate the classification of encrypted or
`compressed network traffic. or where the higher layer infor-
`mation in the data flows are fon'nattod according to a non-
`
`the
`In one embodiment.
`public or proprietary protocol.
`enhanced classification ftutctionality analyzes the behavioral
`attributes of encrypted data flows against a knowledge base of
`known application behavior patterns to classify the data
`flows.
`In one embodiment.
`the enhanced classification
`mechanisms described herein operate seamlessly with other
`Layer 7 traffic classification mechanisms that operate on
`attributes of the packets themselves. Implementations of the
`present invention can be incorporated into a variety of net-
`work devices. such as traffic monitoring devices. packet cap-
`ttlre devices. firewalls. and bandwidth management devices.
`
`10
`
`DIESCRIP'I'ION ()1: TI Il'i DRAWINGS
`
`FIG. I is a functional block diagram showing a traffic
`monitoring device according to an embodiment ofthe present
`invention.
`
`FIG. 2 is a functional block diagram illustrating a computer
`network environment including a bandwidth management
`device according to an embodiment of the present invention.
`FIG. 3 is a functional block diagram setting forth the func—
`tionality in a bandwidth management device according to an
`embodiment of the present invention.
`FIG. 4 is a flow chart diagram providing a method. accord-
`ing to an embodiment oftlie present invention. directed to the
`processing of packets in a traffic monitoring device.
`FIGS. 5A thru SD are flow chart diagrams illustrating
`methods. according to an embodiment ofthe present inven—
`tion. directed to classifying data flows based 011 one or more
`observed behavioral attributes.
`
`FIG. 6 is a functional block diagram illustrating a proxy
`tunnel which may be used in attempts to evade appropriate
`classification and circumvent the bandwidth utilization con-
`
`trols implemented by bandwidth management devices.
`FIG. 7 is a flow chart diagram providing a method directed
`to enforcing bandwidth utilization controls on data flows.
`FIG. 8 is a flow chart diagram showing how the application
`behavior pattern matching functionality can be applied in
`combination with other network traffic classification pro-
`cesses.
`
`DESCRIPTION OF PREFERRED
`EMBODIMENT(S)
`
`FIG. 1 illustrates a basic network environment in which an
`
`embodiment of the present invention operates. FIG. 1 shows
`a first network device 40 (such as a hub. switch. router. andfor
`a variety of combinations of such devices implementing a
`LAN or WAN] interconnecting two end~systems (here. client
`computer 42 and server 44). FIG. 1 also provides a second
`network device 22. such as a router. operably connected to
`network cloud 50. which in one implementation could be an
`open. wide-area network. As FIG. 1 shows, traffic monitoring
`device 30 comprises traffic monitoring module '75. and first
`and second network interfaces 7]. 72, which operably con-
`nect traffic monitoring device 30 to the communications path
`between first network device 40 and second network device
`
`22. Traffic monitoring module 75 generally refers to the func—
`tionality implemented by traffic monitoring device 30. In one
`embodiment. traffic monitoring module 75 is a combination
`of hardware and software. such as a central processing unit.
`memory. a system bus, an operating system and one or more
`software modules implementing the fiinctionality described
`herein. In one embodiment. traffic monitoring module 75
`includes a packet processor 82. and a traffic classification
`engine 86. In one embodiment. the packet processor 82 is
`operative to process data packets. such as storing packets in a
`
`3o
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`

`

`US ?,664,048 B]
`
`7
`
`buffer structure, detecting new data flows, and parsing the
`data packets for various attributes {such as source and desti-
`nation addresses, and the Like) and maintaining one or more
`measurement variables or statistics in connection with the
`
`flows. The traffic classification engine 86. as discussed more
`fully below, is operative to classify data flows based on one or
`more attributes associated with the data flows. Traffic classi—
`
`.3
`
`fication engine 86 is also operative to classify data flows
`based on a heuristic comparison of certain observed behav-
`ioral attributes of the data flows relative to a set of at least one
`
`10
`
`known application behavior pattern.
`The fiinctionality of traffic monitoring device 30 can be
`integrated into a variety ofnetwork devices that classify net-
`work traffic, such as firewalls. gateways, proxies, packet cap—
`ture devices [see US. application Ser. No. Nit-153.345), net—
`work traffic monitoring andfor bandwidth management
`devices. that are typically located at strategic points in corn-
`puter networks. in one embodiment. first and second network
`interfaces 71. 72 are implemented as a combination of hard-
`ware and software, such as network interface cards and asso-
`ciated software drivers. In addition, the first and second net—
`work interfaces 71, 72 can be wired network interfaces. such
`as Ethernet interfaces. andfor wireless network interfaces.
`such as 802.1 1. Blue'lboth, satellite-based interfaces, and the
`like. As FIG. 1 illustrates. traffic monitoring device 30. in one
`embodiment. includes persistent memory 76. such as a hard
`disk drive or other suitable memory device. such writable CD.
`DVD, or tape drives.
`As FIGS. 1 and 2 show, the traffic monitoring device 30 (or
`bandwidth management device 130), in one embodiment, is
`disposed on the link between a local area network 4t! and
`router 22. In other embodiments, multiple traffic monitoring
`devices can be disposed at strategic points in a given network
`infrastructure to achieve various objectives. In addition. traf-
`fic monitoring device 30 need not be directly connected to the
`link between two network devices, but may also be connected
`to a mirror port. In addition, the traffic monitoring function—
`ality described herein may be deployed in multiple network
`devices and used in redundant network topologies by inte-
`grating the network trafific synchronization functionality
`described in US application Ser. No.
`l()2’611.573. incorpo-
`rated by rcference above.
`
`3t]
`
`40
`
`A. Network Traffic Monitoring and Enhanced ’l‘raffic Classi-
`fication
`
`45
`
`As discussed herein. traffic monitoring device 30 is opera-
`tive to detect or recognize fiows between end systelns or
`hosts. and classify the data [iows based on one or more flow
`andr‘or behavioral attributes. Traffic monitoring device 30
`may also monitor and store one or more measurement vari—
`ables on an aggregate andl'or pcr-traffic-class basis. As dis-
`cussed below, traffic monitoring device 30 may also be opera-
`tive to identify or discover the traffic classes corresponding to
`data flows traversing an access link and add them to the
`configuration of traffic classification engine 86. As discussed
`above,
`traffi