EP-4738777-A1 - DETERMINING NETWORK USAGE CATEGORIES FOR NETWORK TRAFFIC FLOWS
Abstract
An encrypted data transmission between a connected device and an access point is monitored (102) during a time window to obtain network data. One or more network traffic flows are detected (108) based on the network data. One or more application-agnostic network usage categories for the one or more network traffic flows are determined (110) based on the network data, wherein one or more unknown applications executing on the connected device cause the encrypted data transmission to be categorized as the one or more network usage categories.
Inventors
- CHEN, SHIMON
Assignees
- Cujo LLC
Dates
- Publication Date
- 20260506
- Application Date
- 20241105
Claims (14)
- A computer-implemented method comprising: monitoring (102) an encrypted data transmission between a connected device and an access point during a time window to obtain network data; detecting (108) one or more network traffic flows based on the network data; and determining (110) one or more application-agnostic network usage categories for the one or more network traffic flows based on the network data, wherein one or more unknown applications executing on the connected device cause the encrypted data transmission to be categorized as the one or more application-agnostic network usage categories.
- The method of claim 1, wherein the network data comprises raw data packets (104) of the encrypted data transmission over the time window, and determining (110) the one or more application-agnostic network usage categories for the one or more network traffic flows based on the network data further comprises: performing (118) an individual packet analysis of the raw data packets.
- The method of any preceding claim, wherein the network data comprises aggregated data (106) of the encrypted data transmission per network traffic flow over the time window, and determining (110) the one or more application-agnostic network usage categories for the one or more network traffic flows based on the network data further comprises: performing (120) a flow analysis of the aggregated data.
- The method of any preceding claim, wherein each of the one or more application-agnostic network usage categories is defined by one or more of a type of data (112) of the single unknown application transferred via the encrypted data transmission, a nature of a communication (114) of the single unknown application transferred via the encrypted data transmission, a single network usage category for the single unknown application causing the encrypted data transmission, and a set of behaviors (116) of the single unknown application detected in the encrypted data transmission.
- The method of any preceding claim, wherein the one or more application-agnostic network usage categories comprise one or more of the following: a real time video streaming network usage category, an on-demand video streaming network usage category, a remote desktop network usage category, an online gaming network usage category, a cloud gaming network usage category, a voice over Internet Protocol network usage category, a video conference network usage category, a file download network usage category, a file upload network usage category, and a web browsing network usage category.
- The method of any preceding claim, further comprising: determining (122) that two or more network traffic flows having a same application-agnostic network usage category are caused by one unknown application.
- The method of any preceding claim, further comprising: determining (124) that two or more network traffic flows having at least two different application-agnostic network usage categories are caused by two or more unknown applications; and determining (126) that the at least two different application-agnostic network usage categories are inter-related regarding a use case of the connected device.
- The method of any preceding claim, further comprising: determining (128) an application-agnostic main active network usage category for the connected device based on the network data.
- The method of any preceding claim, further comprising: determining (130) priorities for the one or more application-agnostic network usage categories within the encrypted data transmission between the connected device and the access point.
- The method of any preceding claim, further comprising: collecting (132) network usage analytics based on the one or more application-agnostic network usage categories within the encrypted data transmission between the connected device and the access point.
- The method of any preceding claim, further comprising: determining (134) a network infrastructure optimization based on the one or more application-agnostic network usage categories within the encrypted data transmission between the connected device and the access point.
- An apparatus (300) comprising means for carrying out the method of any preceding claim 1-11.
- A computer program product (310) comprising instructions which, when executed by an apparatus, cause the apparatus to carry out the method of any preceding claim 1-11.
- A computer-readable medium (312) comprising a computer program (310) with instructions which, when executed by an apparatus, cause the apparatus to carry out the method of any preceding claim 1-11.
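The claims above describe the pipeline at the level of steps: aggregate the encrypted transmission per network traffic flow over a time window (claim 3, step 120), assign each flow an application-agnostic category drawn from the list in claim 5 (step 110), and derive a main active category for the device (claim 8, step 128). The following Python sketch is an added worked example, not code from the patent or from Cujo LLC, of what such a flow record and categorisation can look like when the payload, the TLS client hello (ECH) and the DNS lookups (DoH) are all opaque and only packet sizes, timing and direction remain. The `Packet` and `Flow` structures, the `synth_flow` sample generator, the device and peer addresses and every threshold in `categorize` are assumptions introduced for the illustration; the patent itself does not state how the categories are decided. The sample traffic is constructed, not captured, and the example covers six of the ten categories named in claim 5.

```python
"""Flow aggregation and application-agnostic categorisation of encrypted
traffic. Added illustration, not code from the patent or from Cujo LLC; it
assumes only packet metadata (time, endpoints, size, direction) is visible,
and the category thresholds below are invented rather than the patent's."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Packet metadata only: ts in seconds, endpoints, ports, size on the wire.
Packet = namedtuple("Packet", "ts src dst sport dport size")

@dataclass
class Flow:
    key: tuple
    first_ts: float
    last_ts: float
    up_bytes: int = 0
    down_bytes: int = 0
    sizes: list = field(default_factory=list)
    gaps: list = field(default_factory=list)   # inter-arrival times

def flow_key(p, device_ip):
    """Direction-normalised tuple: (device, device port, peer, peer port)."""
    if p.src == device_ip:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

def aggregate_flows(packets, device_ip, window=(0.0, 60.0)):
    """Flow analysis: per-flow statistics over packets inside the time window."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if not window[0] <= p.ts <= window[1]:
            continue
        k = flow_key(p, device_ip)
        f = flows.get(k)
        if f is None:
            f = flows[k] = Flow(k, p.ts, p.ts)
        else:
            f.gaps.append(p.ts - f.last_ts)
            f.last_ts = p.ts
        f.sizes.append(p.size)
        if p.src == device_ip:
            f.up_bytes += p.size
        else:
            f.down_bytes += p.size
    return list(flows.values())

def categorize(f):
    """Usage category from flow shape alone; thresholds are assumed values."""
    total = f.up_bytes + f.down_bytes
    down_share = f.down_bytes / total if total else 0.0
    # Coefficient of variation of inter-arrival gaps: ~0 means clocked or
    # continuous traffic, large means burst-then-idle chunk delivery.
    cv = pstdev(f.gaps) / mean(f.gaps) if len(f.gaps) > 1 and mean(f.gaps) > 0 else 1.0
    if len(f.sizes) <= 40 and total < 100_000:
        return "web_browsing"                    # short-lived, small exchange
    if down_share > 0.9:
        return "on_demand_video_streaming" if cv > 1.0 else "file_download"
    if down_share < 0.1:
        return "file_upload"
    if 0.3 <= down_share <= 0.7 and cv < 0.5:    # symmetric, steadily paced
        return "voice_over_ip" if mean(f.sizes) < 300 else "video_conference"
    return "unclassified"

def main_active_category(flows):
    """Bytes-weighted dominant category for the device within the window."""
    weight = defaultdict(int)
    for f in flows:
        weight[categorize(f)] += f.up_bytes + f.down_bytes
    return max(weight, key=weight.get) if weight else None

def synth_flow(device_ip, peer, dport, n, up_size, down_size, gap,
               pattern="alternate", burst=0, pause=0.0, sport=50000):
    """Constructed sample traffic for one flow (not captured data)."""
    pkts, t = [], 0.0
    for i in range(n):
        if pattern == "down" or (pattern == "alternate" and i % 2):
            pkts.append(Packet(t, peer, device_ip, dport, sport, down_size))
        else:
            pkts.append(Packet(t, device_ip, peer, sport, dport, up_size))
        t += gap
        if burst and (i + 1) % burst == 0:
            t += pause                           # chunk delivered, then idle
    return pkts

DEVICE = "192.0.2.10"                            # constructed device address
SAMPLE = (
    synth_flow(DEVICE, "198.51.100.1", 3478, 300, 200, 200, 0.02)               # call
    + synth_flow(DEVICE, "198.51.100.2", 443, 400, 900, 1100, 0.01)             # meeting
    + synth_flow(DEVICE, "198.51.100.3", 443, 15, 500, 1200, 0.05)              # page load
    + synth_flow(DEVICE, "198.51.100.4", 443, 2000, 0, 1400, 0.001, "down")     # download
    + synth_flow(DEVICE, "198.51.100.5", 443, 500, 0, 1400, 0.001, "down", 100, 2.0)  # chunked video
    + synth_flow(DEVICE, "198.51.100.6", 443, 1500, 1400, 0, 0.001, "up")       # upload
)

def analyse(packets=SAMPLE, device_ip=DEVICE):
    """Return ({peer: category}, main active category) for the device."""
    flows = aggregate_flows(packets, device_ip)
    return {f.key[2]: categorize(f) for f in flows}, main_active_category(flows)
```

Calling `analyse()` on the constructed sample yields one category per peer and `file_download` as the bytes-weighted main active category. The design point worth noting is that none of the decisions read a hostname or a port semantically: direction ratio, packet size and the regularity of inter-arrival gaps are enough to separate a steadily clocked call from chunked video delivery, which is exactly the information that survives ECH and DoH. Real deployments would replace the hand-set thresholds with calibrated ones and would have to handle flows that straddle the window boundary.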
Description
FIELD
The invention relates to a method, apparatus, computer program product, and computer-readable medium.
BACKGROUND
Internet service providers (ISP) are constantly striving to optimize their infrastructure and configurations to achieve an optimal quality of experience (QoE) for their customers with given cost constraints. Hence, the nature of network traffic needs to be understood as different types of traffic (for example real-time video streaming, online gaming, and buffered video streaming) have different infrastructure needs. As network data encryption becomes more widespread, it is becoming harder for ISPs to understand the type of traffic being transmitted. Clearly, more sophistication is desirable in regard to determining network usage categories for network traffic flows.
SUMMARY
According to an aspect of the disclosure, there is provided subject matter of independent claims. One or more examples of implementations are set forth in more detail in the accompanying drawings and the detailed description.
BRIEF DESCRIPTION OF DRAWINGS
Some examples will now be described with reference to the accompanying drawings, in which:
- FIG. 1 is a flowchart illustrating examples of a method;
- FIG. 2A and FIG. 2B are block diagrams illustrating example implementation environments for the method;
- FIG. 3A and FIG. 3B are block diagrams illustrating examples of a cybersecurity apparatus;
- FIG. 4 is a block diagram illustrating an example of a connected device;
- FIG. 5 is a block diagram illustrating an example of a computing resource;
- FIG. 6A and FIG. 6B are block diagrams illustrating examples of a customer-premises equipment as an access point; and
- FIG. 7 illustrates further examples of the method.
DETAILED DESCRIPTION
The following description discloses examples. Although the specification may refer to "an" example in several locations, this does not necessarily mean that each such reference is to the same example(s), or that the feature only applies to a single example. Single features of different examples may also be combined to provide other examples. Words "comprising" and "including" should be understood as not limiting the described examples to consist of only those features that have been mentioned as such examples may contain also features and structures that have not been specifically mentioned.
The examples and features, if any, disclosed in the following description that do not fall under the scope of the independent claims should be interpreted as examples useful for understanding various examples and implementations of the invention. Any flowcharts discussed herein are necessarily discussed in some sequence for purposes of illustration, but unless otherwise explicitly indicated, the examples are not limited to any particular sequence of steps. The use herein of ordinals in conjunction with an element is solely for distinguishing what might otherwise be similar or identical labels, such as "first message" and "second message," and does not imply an initial occurrence, a quantity, a priority, a type, an importance, or other attribute, unless otherwise stated herein. The term "about" used herein in conjunction with a numeric value means any value that is within a range of ten percent greater than or ten percent less than the numeric value. As used herein and in the claims, the articles "a" and "an" in reference to an element refers to "one or more" of the element unless otherwise explicitly specified. The word "or" as used herein and in the claims is inclusive unless contextually impossible. As an example, the recitation of A or B means A, or B, or both A and B. The word "data" may be used herein in the singular or plural depending on the context. The use of "and/or" between a phrase A and a phrase B, such as "A and/or B" means A alone, B alone, or A and B together.
Encrypted data transmission between a connected device and an access point may be caused by one or more applications executing on the connected device. The encrypted data transmission of a single connected device may contain a plurality of network traffic flows. It would be beneficial for a network operator or a cybersecurity operator to determine a network usage category for the network traffic flow. An application executing on the connected device causes the network usage categories for the encrypted data transmission. The determination is made more difficult by the encrypted data, and the encrypted metadata such as Encrypted Client Hello, or ECH, and Domain Name System (DNS) over Hypertext Transfer Protocol Secure (HTTPS), or DoH. The determination between many potential network usage categories in the dirty real-world conditions is harder than in a binary classification research project. Furthermore, several applications may be running in parallel, each with a different network usage category.
FIG. 1 is a flowchart illustrating examples of a method. The method performs operations related to determining network usage categories for network traffi