CHAPTER 7

The Art of Application Classification

Application classification refers to the real-time identification of traffic flows as being part of a specific protocol or application. Timely and accurate classification of network traffic is commonly known as network visibility. Network visibility is the fundamental first step that enables network administrators and security specialists to write and implement meaningful security and traffic engineering policies, for example, “block Netflix traffic during work hours”.

A classifier refers to a system or device that examines traffic in real time and produces one or more matching classification results. A pure classifier performs the classification task only and produces a report. A classifier used in network security typically takes the result and performs one or more actions on the traffic flow. The action can be as simple as “allow” or “deny”, or more complex, as in “log the user's action and reduce the user's bandwidth usage”. From a security standpoint, it is vital to perform the desired enforcement action as early as possible. For example, the classifier should conclude that a user is uploading files to Dropbox using as few packets as possible in order to avoid leakage of confidential information. In this case, the policy on the classification result, “Dropbox Upload”, may include the actions “Log the user who is uploading to Dropbox” and “Terminate the upload”.
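As an added illustration (not code from the book), the following toy engine shows the two halves described above: a per-packet classifier that refines a flow's label from its first packets, and a policy table that maps the result “Dropbox Upload” to the actions “log the user” and “terminate”. The packet fields, the `dropbox.com` server-name rule and the upload byte threshold are assumptions made for the example.

```python
# Added example: early flow classification plus policy enforcement.
# Packet dicts, the SNI rule and UPLOAD_BYTES are constructed assumptions.
from dataclasses import dataclass

UPLOAD_BYTES = 4000  # assumed: client->server surplus that marks an upload

# Policy table: classification result -> enforcement actions.
POLICY = {
    "Dropbox Upload": ["log_user", "terminate"],
    "Dropbox": ["log_user"],
    "unknown": ["allow"],
}

@dataclass
class Flow:
    app: str = "unknown"
    c2s_bytes: int = 0      # bytes seen client -> server
    s2c_bytes: int = 0      # bytes seen server -> client
    packets_seen: int = 0

def classify_packet(flow, pkt):
    """Update flow state with one packet and return the current verdict."""
    flow.packets_seen += 1
    if pkt["dir"] == "c2s":
        flow.c2s_bytes += pkt["len"]
    else:
        flow.s2c_bytes += pkt["len"]
    # Application identification from the TLS server name (assumed "sni" field).
    if pkt.get("sni", "").endswith("dropbox.com"):
        flow.app = "Dropbox"
    # Refine to "Upload" once the client has pushed far more than it received.
    if flow.app == "Dropbox" and flow.c2s_bytes - flow.s2c_bytes >= UPLOAD_BYTES:
        return "Dropbox Upload"
    return flow.app

def enforce(packets):
    """Feed packets until a terminating action fires.
    Returns (verdict, actions, number of packets needed to decide)."""
    flow = Flow()
    verdict = "unknown"
    for pkt in packets:
        verdict = classify_packet(flow, pkt)
        if "terminate" in POLICY[verdict]:
            break                      # act as early as possible
    return verdict, POLICY[verdict], flow.packets_seen

# Constructed packets: TLS handshake to dropbox.com, then bulk client->server data.
SAMPLE_UPLOAD = [{"dir": "c2s", "len": 300, "sni": "www.dropbox.com"},
                 {"dir": "s2c", "len": 1500}] + [{"dir": "c2s", "len": 1460}] * 6
# Constructed browsing flow: same site, but the server sends most of the bytes.
SAMPLE_BROWSE = [{"dir": "c2s", "len": 300, "sni": "www.dropbox.com"},
                 {"dir": "s2c", "len": 1500}, {"dir": "s2c", "len": 1500}]
```

The upload flow is terminated after the sixth packet, before the remaining data is sent, while the browsing flow only gets logged.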

A classifier needs information that sufficiently describes each ...
