Dynamic Application-Layer Protocol Analysis

Port-based methods that rely on well-known service ports are the simplest way to identify a particular application. The problem comes from newer applications that do not use their native port numbers, or that tunnel through other protocols such as HTTP. It is well known that identification by such a port-based heuristic is no longer accurate; one example is the underestimation of popular Kazaa P2P traffic by up to 70%. This shortcoming of port-based identification makes it imperative to inspect the payload and the protocol-specific semantics more deeply in order to offer more reliable detection.

HaloNS uses the application information in the payload content to define protocol-specific signatures and then checks whether a flow carries these byte-string patterns in its payloads. In more detail, a signature is a "fingerprint" describing a unique set of features (or patterns) in the input data that packet inspection looks for. Each pattern has a type (e.g., hex value or string) and a value domain. HaloNS uses protocol analyzers to check whether a traffic stream follows the application-level semantics, and from that determines the type of traffic. Armed with specific knowledge of an application, a protocol analyzer applies a set of detection heuristics to the data it receives and dissects the data to extract information when necessary. For example, the HTTP analyzer ensures that traffic on port 80 adheres to the HTTP specification, which exposes instant messaging and P2P software tunneled over HTTP. HaloNS recognizes that behavior detection must be able to analyze every application instance continuously and to analyze parent connections in order to identify their child connections. Many protocols (e.g., H.323) establish a connection and negotiate service parameters on a well-known TCP port, then open a separate ephemeral connection to carry the subsequent data. Thus, the control connections on "well-known" ports must be tracked so that the "ephemeral" data connections they spawn on arbitrary ports can be attributed to the same application.

HaloNS's intelligent libraries identify application behaviors, classified into application classes, behavior classes, and protocols.

Solutions

Recognizing the dynamic nature of protocol changes, HaloNS switches from the traditional static data-analysis path to a dynamic one inside the detection engine. A traditional port-based detection engine decides which analyses to perform at the moment it receives the first packet of each connection. For example, given a TCP SYN packet with destination port 80, the traditional engine will usually perform IP, TCP, and HTTP analysis on all subsequent packets of that flow. HaloNS, on the other hand, keeps a per-connection data structure representing the data path, which records what the system has learned so far about which analysis to perform for the flow. If, for example, the payload of a packet on port 80/tcp, initially analyzed as HTTP, looks like an IRC session instead, the HTTP analysis is replaced with IRC analysis. HaloNS provides this flexibility by associating a tree structure (built on non-colliding hash tables) with each connection; the tree represents the data path through the various analysis components for all information transmitted on that connection.
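The switch described above, from a port-seeded analyzer to one justified by the payload bytes, as an added illustration (not HaloNS code; the signatures, port hints, and inspection limit are constructed here for the example):

```python
import re
from dataclasses import dataclass, field

# Constructed payload signatures for the first bytes a client sends.
SIGNATURES = {
    "http": re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"),
    "irc":  re.compile(rb"\A(NICK|USER|PASS|CAP) [^\r\n]+\r\n"),
    "ssh":  re.compile(rb"\ASSH-2\.0-"),
}
# The port heuristic only seeds the initial analyzer; payload evidence overrides it.
PORT_HINTS = {80: "http", 6667: "irc", 22: "ssh"}
INSPECT_BYTES = 64  # how much of the stream the signatures may examine

@dataclass
class Connection:
    dst_port: int
    analyzer: str = "unknown"   # analyzer currently on the data path
    confirmed: bool = False     # True once the payload has settled the question
    stream: bytes = b""
    history: list = field(default_factory=list)   # analyzers used, in order
    alerts: list = field(default_factory=list)    # port/payload mismatches seen

def new_connection(dst_port: int) -> Connection:
    """Seed the data path the way a port-based engine would on the SYN."""
    conn = Connection(dst_port)
    conn.analyzer = PORT_HINTS.get(dst_port, "unknown")
    conn.history.append(conn.analyzer)
    return conn

def feed(conn: Connection, payload: bytes) -> str:
    """Append payload, re-evaluate which analyzer the bytes support, return it."""
    if conn.confirmed:
        return conn.analyzer
    conn.stream += payload
    for proto, sig in SIGNATURES.items():
        if sig.match(conn.stream[:INSPECT_BYTES]):
            if proto != conn.analyzer:
                # Replace the port-chosen analyzer with the one the bytes justify.
                conn.history.append(proto)
                expected = PORT_HINTS.get(conn.dst_port)
                if expected and expected != proto:
                    conn.alerts.append(f"{proto} on port {conn.dst_port} (expected {expected})")
            conn.analyzer = proto
            conn.confirmed = True
            break
    else:
        # Nothing matched within the inspection window: keep the port-based choice.
        conn.confirmed = len(conn.stream) >= INSPECT_BYTES
    return conn.analyzer
```

Payload can arrive in fragments; `feed` accumulates the stream so a signature split across packets still matches once enough bytes are present.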

In summary, HaloNS performs application and protocol behavior analysis superior to that of any other detection engine available in the industry today!


HaloNS & HaloCS Are Registered Trademarks of SafeMedia Corp.
Copyrighted© 2009 - 2012 SafeMedia Corp. All Rights Reserved.