| CPC H04L 63/1441 (2013.01) [G06N 3/04 (2013.01); G06N 3/08 (2013.01); H04L 63/1416 (2013.01)] | 20 Claims |
|
1. A computer-implemented method, at least a portion of which is performed by one or more computer processors, the computer-implemented method comprising:
capturing target payload data and target time data from a target flow of network packets between a target client application and a target server application, the target payload data indicating lengths of payloads of the network packets in the target flow, the target time data indicating time periods between arrivals of the network packets in the target flow;
generating a target image from the target payload data and the target time data by
normalizing the target payload data,
normalizing the target time data,
combining the normalized target payload data with the normalized target time data into a set of combined data points,
placing the set of combined data points in a matrix beginning at a center of the matrix and moving outward from the center of the matrix, and
converting the matrix into the target image by converting each data point in the matrix into a pixel of the target image; and
determining, based on the target image, an output including an extent to which the target image matches one of a plurality of predetermined images in order to determine a likelihood that the target client application and/or the target server application matches one of a plurality of predetermined client applications and/or one of a plurality of predetermined server applications.
|