Application Behavior Analysis by Stateful Automata Mechanism

Abstract

A sufficient visibility into the behaviors of network applications from the Internet traffic is essential to the content security, traffic management, and measurement. This paper presents a methodology to perform a reliable traffic classification and distinguish activities of specific applications. Our approach uses the flow-based state machine to model a given network application and its behaviors (even with the encryption) and combines the signature matching, protocol analysis, and statistical test in order to make use of the strength of the three approaches. We further discuss the system design and the implementation of our framework,including the detection heuristics and system details. These systems are already deployed at the borders of network environments of several enterprises and organizations. At last, we demonstrate the effectiveness of the approach by applying it to identify various applications and malicious traffic. This study on application behaviors shows that it is possible to allow the expected activities of programs but disallow others between the endpoint users.