CHAPTER 7
The Art of Application Classification
Application classification refers to the real-time identification of traffic flows as being part of a specific protocol or application. Timely and accurate classification of network traffic is commonly known as network visibility. Network visibility is the fundamental first step that enables network administrators and security specialists to write and implement meaningful security and traffic engineering policies, for example, “block Netflix traffic during work hours”.
A classifier refers to a system or device that examines traffic in real-time and produces one or many matching classification results. A pure classifier performs the classification task only and produces a report. A classifier used in network security typically takes the result and performs one or more actions on the traffic flow. The action can be as simple as “allow” or “deny”, or more complex, as in “logging user action and reducing the user's bandwidth usage”. From a security standpoint, it is vital to perform the desired enforcement action as early as possible. For example, the classifier should conclude that a user is uploading files to Dropbox using as few packets as possible in order to avoid leakage of confidential information. In this case, the policy on the classification result, “Dropbox Upload”, may include the actions, “Log the user who is uploading to Dropbox”, and “Terminate the upload”.
A classifier needs information that sufficiently describes each ...
Get Security Intelligence: A Practitioner's Guide to Solving Enterprise Security Challenges now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.