H3C UAAE Technology White Paper


Keywords: Application recognition, application protocol models, intelligent application protocol decision, application definition language, UAAE

Abstract: The H3C UAAE technology comprises the universal protocol/application definition language, model-based application protocol recognition, and intelligent protocol/application decision. Together they allow application protocols and applications to be recognized accurately, even when they run on non-standard ports or inside tunnels.

Acronyms:

Acronym   Full spelling
BT        BitTorrent
FTP       File Transfer Protocol
HTTP      Hypertext Transfer Protocol
NAT       Network Address Translation
P2P       Peer to Peer
UAAE      Universal Application Apperceiving Engine
VoIP      Voice over IP


Overview

Concepts

Application management

Application management refers to comprehensive and transparent management of applications, such as application intrusion defense, application bandwidth management, and application auditing management, based on in-depth, intelligent application recognition.

Application recognition

Application recognition refers to the process of identifying different applications carried on the same application protocol based on the characteristics of the applications.

Application protocol recognition

Application protocol recognition refers to the process of using different recognition mechanisms to recognize application protocols based on the models to which the application protocols belong.

Background

The development of network applications brings new challenges to network security management:

• Some new and more complicated security hazards are hidden inside applications and are therefore inseparable from them. For example, vulnerabilities in Web services, and the attacks that exploit them, are growing rapidly. Recognizing these attacks has become an urgent task for network security management.

• Traffic from uncontrolled applications consumes the bandwidth meant for other applications. For example, on an enterprise network, P2P downloads and recreational applications can take a large share of the bandwidth and adversely affect the overall productivity of the enterprise. Accurately recognizing these applications is becoming more and more important.

Both application-based attack recognition and application-based bandwidth management rest on application recognition. Because applications run on top of application protocols, an application can be recognized accurately only if its application protocol is recognized accurately.

Today the great majority of application protocols use variable TCP/UDP ports, whereas in earlier days most application protocols used fixed TCP/UDP ports. Traditional application recognition systems rely merely on fixed ports or content signatures. They do not combine in-depth packet content inspection with protocol resolution and verification of the detection result, let alone stateful detection of application or attack behaviors in a specific environment. As a result, they cannot effectively recognize applications or protocols, and new application protocol recognition technologies are needed. Accurate recognition of application protocols is the foundation of in-depth, comprehensive, and accurate application management.

To more accurately recognize protocols and applications, H3C introduces the UAAE technology.

Benefits

The H3C UAAE technology comprises the universal protocol/application definition language, model-based application protocol recognition, and intelligent protocol/application decision. H3C UAAE delivers the following benefits:

• With the universal protocol/application definition language, the application recognition database can be upgraded dynamically, so H3C UAAE can recognize new applications as they appear.

• With model-based recognition, H3C UAAE recognizes protocols and applications by model, balancing the efficiency and accuracy of the recognition system. When different recognition methods report different application protocols for a packet, H3C UAAE keeps the result from the method with the highest priority.

• On the basis of accurate application protocol recognition, H3C UAAE performs in-depth, intelligent recognition of applications, detects and defends against attacks in the actual application environment, and places applications and application behaviors in explicit, manageable contexts, which enables accurate application bandwidth management and transparent application auditing.

H3C UAAE Implementation

H3C UAAE Architecture

Figure 1 H3C UAAE architecture


• The universal definition language, together with the protocol definitions, protocol signature state machine definitions, application definitions, and application signature state machine definitions written in it, forms the foundation of the H3C UAAE implementation. Because protocols, protocol signature state machines, applications, and application signature state machines are all expressed in this language, adding and upgrading protocols and applications is greatly simplified.

• H3C UAAE resolves (parses) the protocol layers of a packet and then performs signature recognition. It analyzes the signature recognition result in the context of the application environment already recognized for the flow, or traces the signature state machines over the signature recognition results of multiple packets, and thus recognizes protocols and applications accurately.

Intelligent Recognition

With model-based protocol recognition as the core mechanism, the intelligent recognition module of H3C UAAE intelligently works with protocol resolution, application environment analysis, state tracing, and signature recognition, as shown in Figure 2.

Figure 2 Protocol recognition, protocol resolution, signature recognition, application environment analysis, and state tracing


According to the protocol recognition result, H3C UAAE resolves the data before submitting it for signature recognition. The signature recognition result is then analyzed and verified in the application environment of the data, and, depending on the recognition model, some signature recognition results further trigger tracing of the signature state machines and state-based application recognition. The modules work as follows:

• Model-based protocol recognition and intelligent decision: Recognize protocols by model according to the layer each protocol belongs to, and screen the recognition results by priority. This makes protocol recognition both more efficient and more accurate.

• Protocol resolution: Resolve the protocol layer by layer and decode the protocol payload.

• Signature recognition: On the basis of protocol recognition, match protocol signatures against the protocol payload.

• Application environment analysis: Screen the signature recognition results against the actual application environment.

• State tracing: For a protocol that can be recognized only after signature recognition has been performed on several of its packets, maintain state over the signature recognition results of those packets.

H3C UAAE performs model-based recognition over various application protocols and, on the basis of that, intelligently screens the recognition results by priority, as shown in Figure 3.

Figure 3 H3C UAAE model-based protocol recognition and intelligent decision


Model-based Protocol Recognition

The model-based application protocol recognition of H3C UAAE is not performed on a single flat layer. Rather, it is layered according to the characteristics of application protocols. For example, H3C UAAE recognizes HTTP carried on TCP by fixed port or by signature state machine, and recognizes protocols carried on HTTP by signature state machine. This layered recognition further improves the accuracy of model-based application protocol recognition. The following sections describe each model-based recognition method.

Fixed port protocol recognition

Protocols with fixed port numbers below 1024 usually keep their ports stable and can be recognized quickly by port. If you know how applications are deployed on your network, you can also associate specific ports with specific application protocols. H3C UAAE provides this rapid fixed port recognition mode and at the same time uses the intelligent protocol decision function to correct protocols that the fixed port mode reports mistakenly, balancing the efficiency and accuracy of the protocol recognition system. Port-based recognition is only a first guess: any application can be run on any port, so its result must be confirmed or overridden by payload inspection.

Negotiation protocol recognition

As shown in Figure 4, more and more protocols communicate over a control channel together with one or more data channels. The protocol uses the control channel to negotiate one or multiple data channels for data exchange, and the data channels typically use random TCP/UDP ports that are negotiated through the control channel. Examples include FTP and VoIP protocols. Because a data channel's port is known only from the control channel, it cannot be recognized by port alone. H3C UAAE uses multi-channel association recognition to recognize these protocols accurately: the address and port negotiated on the control channel are associated with the data channel that follows.

Figure 4 Negotiation protocol recognition
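The association described above, as an added example that is not part of this white paper or of H3C's UAAE implementation: a small Python engine parses the FTP control channel (227 PASV and 229 EPSV replies from the server, PORT commands from the client), records the negotiated endpoint in an expectation table, and labels the next new flow that touches that endpoint as FTP-DATA even though it runs on a random port. The packets, the class names (FtpAssociation, Packet) and the labels are constructed for the illustration.

```python
"""Multi-channel association for negotiated data channels.

Constructed illustration (not H3C's code): the FTP control channel on
TCP/21 is parsed, the data channel it negotiates is stored as an expected
endpoint, and the next new flow that touches that endpoint is labelled
FTP-DATA even though it runs on a random port.
"""
import re
from dataclasses import dataclass, field

# Server replies for passive mode and the client command for active mode.
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:          # constructed packet model: one TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_host_port(groups):
    """Turn the h1,h2,h3,h4,p1,p2 form into ("h1.h2.h3.h4", p1*256 + p2)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        return None                      # malformed: do not poison the table
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


@dataclass
class FtpAssociation:
    expected: dict = field(default_factory=dict)  # (ip, port) -> label
    flows: dict = field(default_factory=dict)     # endpoint pair -> label

    def classify(self, pkt: Packet) -> str:
        key = frozenset(((pkt.src, pkt.sport), (pkt.dst, pkt.dport)))
        label = self.flows.get(key)
        if label is None:
            label = self.flows[key] = self._new_flow(pkt)
        if label == "FTP":
            self._learn_data_channel(pkt)
        return label

    def _new_flow(self, pkt: Packet) -> str:
        # Expectations take precedence over ports and are consumed on first
        # use, so a negotiated port cannot be claimed by a second, unrelated flow.
        for endpoint in ((pkt.dst, pkt.dport), (pkt.src, pkt.sport)):
            if endpoint in self.expected:
                return self.expected.pop(endpoint)
        if 21 in (pkt.sport, pkt.dport):
            return "FTP"          # fixed-port recognition of the control channel
        return "UNKNOWN"

    def _expect(self, endpoint) -> None:
        if endpoint is not None and 0 < endpoint[1] < 65536:
            self.expected[endpoint] = "FTP-DATA"

    def _learn_data_channel(self, pkt: Packet) -> None:
        """Read the negotiated data-channel endpoint off the control channel."""
        m = PASV_RE.match(pkt.payload)
        if m:                             # server: 227 (h1,h2,h3,h4,p1,p2)
            self._expect(parse_host_port(m.groups()))
            return
        m = EPSV_RE.match(pkt.payload)
        if m:                             # server: 229 (|||port|), address is the server's own
            self._expect((pkt.src, int(m.group(1))))
            return
        m = PORT_RE.match(pkt.payload)
        if m:                             # client: PORT h1,h2,h3,h4,p1,p2 (active mode)
            self._expect(parse_host_port(m.groups()))
```

The expectation is consumed on the first matching flow and a reply whose port is 0 or out of range is ignored, so a malformed or forged negotiation cannot leave a standing wildcard in the table. Behind NAT the address in a PASV reply may be the server's private address rather than the one the client actually connects to, which is why the engine matches on either end of the new flow and why an FTP ALG that rewrites the reply is needed for the association to hold across address translation.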


Tunnel protocol recognition

As shown in Figure 5, the deployment of firewalls and NAT devices has led to many application layer tunnels, which reflect the nesting of application protocol layers. For example, an HTTP tunnel appears as a connection on port 80, but it can carry data for any application. Essentially, a tunnel is just a channel, and what must be recognized is the application protocol of the payload carried on it. With its recursive tunnel recognition model, H3C UAAE recognizes application protocols running inside HTTP tunnels by passing the tunneled payload back through the same recognition process.

Figure 5 Tunnel protocol recognition


Signature and signature state machine protocol recognition

Protocols that normally use fixed ports can be assigned other ports. For example, HTTP typically uses the well-known port 80, but it also appears on port 8000 or port 8080, and it can even be assigned an arbitrary port. In addition, the port ranges of some P2P protocols such as BT, eMule, and Thunder change. In both cases, fixed port recognition alone gives incorrect or inaccurate results. H3C UAAE therefore recognizes application protocols from the protocol signature of a single packet or, where one packet is not conclusive, by tracing the signature state machine across the protocol signatures of several packets, which adequately solves the problem.

Protocol plug-in recognition

With its extensible architecture, H3C UAAE can easily add protocol plug-ins. For specific protocols, H3C UAAE relies on the results returned by the corresponding protocol plug-in to recognize them accurately.

Intelligent Decision

To recognize an application protocol accurately, H3C UAAE can use a single recognition method or several methods combined. When different recognition methods report different application protocols for a packet, H3C UAAE uses the intelligent decision mechanism to choose one of them.

On the basis of model-based protocol/application recognition, H3C UAAE ranks the recognition and verification methods by priority. The result of a higher-priority recognition method dynamically replaces that of a lower-priority method, and a lower-priority result never overrides a higher-priority one. This greatly improves the accuracy of application recognition.

For example, a traditional fixed port recognition system treats all traffic on port 80 as HTTP. For a Skype login carried over TCP port 80, H3C UAAE first recognizes the session as HTTP during the TCP handshake, based on the port. It then continues to inspect the content of the session and, once it matches the Skype login behavior signature, the priority-based intelligent decision replaces the port-based result and recognizes the session as the Skype login protocol.
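The fixed port recognition, signature and signature state machine recognition, tunnel recognition and intelligent decision described in the preceding sections, combined in one added example that is constructed for this page and is not H3C's UAAE code: a Python engine guesses from the fixed port first, corrects the guess from single-packet signatures, promotes HTTP to a state-machine result only after it has seen a request line from the client and a status line from the server, and, when that exchange was a CONNECT answered by 200, classifies the tunneled bytes recursively with the same rules. The port table, the TLS ClientHello, SSH and HTTP request signatures, the priority values, the class names (Flow, LayeredEngine) and the packets are all assumptions of the example; the TLS-on-port-80 flow stands in for the Skype-on-port-80 case in the text.

```python
"""Layered protocol recognition with priority-based decision and recursive
tunnel recognition. Constructed example, not H3C's implementation.

Per packet, three recognizers run from cheapest to most expensive:
  1. fixed port               (priority 1, first packet only)
  2. single-packet signature  (priority 2)
  3. signature state machine  (priority 3, needs both directions)
A result replaces the flow's current label only if its method has a higher
priority, so a port guess is corrected by a payload signature and never the
other way round.
"""
from dataclasses import dataclass

PRIORITY = {"none": 0, "port": 1, "signature": 2, "state": 3}   # assumed ranking
FIXED_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "TLS", 8080: "HTTP"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def sig_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03 and p[5] == 0x01


def sig_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-")            # SSH identification string


def sig_http_request(p: bytes) -> bool:
    return p.startswith(HTTP_METHODS) and b" HTTP/1." in p.split(b"\r\n", 1)[0]


SIGNATURES = [(sig_tls_client_hello, "TLS"), (sig_ssh, "SSH"), (sig_http_request, "HTTP")]


@dataclass
class Flow:
    label: str = "UNKNOWN"
    method: str = "none"
    http_state: str = "NEW"        # NEW -> REQUEST -> CONFIRMED
    connect_seen: bool = False     # the request that reached REQUEST was a CONNECT
    inner: "Flow | None" = None    # set once an HTTP tunnel is established

    def decide(self, label: str, method: str) -> None:
        """Intelligent decision: only a higher-priority method replaces the result."""
        if PRIORITY[method] > PRIORITY[self.method]:
            self.label, self.method = label, method

    def feed(self, payload: bytes, from_client: bool) -> str:
        if self.inner is not None:
            # Recursive tunnel model: the tunnelled bytes are a flow of their own.
            return "HTTP-TUNNEL/" + self.inner.feed(payload, from_client)
        if payload:
            for check, label in SIGNATURES:
                if check(payload):
                    self.decide(label, "signature")
                    break
            self._trace_http(payload, from_client)
        return self.label

    def _trace_http(self, payload: bytes, from_client: bool) -> None:
        # Signature state machine: a request line from the client followed by a
        # status line from the server. Only the completed exchange yields the
        # priority-3 result; a non-HTTP reply discards the partial match.
        if self.http_state == "NEW" and from_client and sig_http_request(payload):
            self.http_state = "REQUEST"
            self.connect_seen = payload.startswith(b"CONNECT ")
        elif self.http_state == "REQUEST" and not from_client:
            if payload.startswith(b"HTTP/1."):
                self.http_state = "CONFIRMED"
                self.decide("HTTP", "state")
                if self.connect_seen and payload[9:12] == b"200":
                    self.inner = Flow()         # tunnel established
            else:
                self.http_state = "NEW"


class LayeredEngine:
    def __init__(self) -> None:
        self.flows: dict = {}   # unordered endpoint pair -> (client endpoint, Flow)

    def classify(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> str:
        key = frozenset(((src, sport), (dst, dport)))
        if key not in self.flows:
            flow = Flow()
            if dport in FIXED_PORTS:               # cheapest method, first packet only
                flow.decide(FIXED_PORTS[dport], "port")
            self.flows[key] = ((src, sport), flow)
        client, flow = self.flows[key]
        return flow.feed(payload, (src, sport) == client)
```

The decide rule is deliberately one-way: a port-based guess can never downgrade a signature or state-machine result, and a request line on its own is only a priority-2 signature match, because a single packet can be crafted to look like HTTP while the server's reply shows that it is not. The tunnel case shows why recursion matters: the outer flow is correctly HTTP, but the policy-relevant answer is what the tunnel carries.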

Expanding and Upgrading H3C UAAE

Figure 6 Expandable and upgradeable application and behavior recognition capabilities


Recent years have seen a rapid growth in the number of network applications, and the growth is accelerating. In addition, analysis shows that applications such as VoIP and P2P keep adjusting and changing their communication protocols to evade traffic policing.

With its extensible architecture, H3C UAAE supports using the universal definition language to define new application protocols, upgrade the application recognition database, and add new application plug-ins. In this way, H3C UAAE can recognize even the latest protocols and applications and accommodate changes on the application networks.

The application recognition database of H3C UAAE can be upgraded in the following ways:

• A dedicated H3C application analysis team tracks changes in network applications and provides the latest application recognition database. You can upgrade the database manually or let the system upgrade it automatically, keeping the recognition capabilities of your device current.

• H3C UAAE provides Web interfaces where you can define specific application protocols by configuring fixed ports and signatures.


Copyright ©2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.