US RE50,420 E1
System and method for identifying OTT applications and services
Anil K. Singhal, Carlisle, MA (US); Narendra Byrapuram, Westford, MA (US); Rajeev Nadkarni, Chelmsford, MA (US); Mahesh Srinivasagowda, Acton, MA (US); Nilesh Tayade, Pune, IN (US); and Anthony Peter Joch, Waterloo, CA (US)
Assigned to NetScout Sytems, Inc., Westford, MA (US)
Filed by NetScout Systems, Inc., Westford, MA (US)
Filed on Aug. 5, 2022, as Appl. No. 17/882,358.
Application 17/882,358 is a reissue of application No. 16/905,628, filed on Jun. 18, 2020, granted, now 10,992,777, issued on Apr. 27, 2021.
Claims priority of provisional application 62/863,692, filed on Jun. 19, 2019.
Int. Cl. H04L 9/40 (2022.01); H04L 65/60 (2022.01); H04L 67/02 (2022.01); H04L 69/16 (2022.01)
CPC H04L 63/0823 (2013.01) [H04L 63/166 (2013.01); H04L 65/60 (2013.01); H04L 67/02 (2013.01); H04L 69/16 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer implemented method for determining the identity of [ identifying ] an Over-the Top (OTT) application or service being accessed over the Internet, comprising the steps:
receiving a connection request in a network monitoring device;
inspecting IP [ Internet Protocol (IP) ] packets in the received connection request;
generating a 5-tuple consisting of: [ a source ] IP source [ address ] and [ a ] destination addresses [ IP address] ; a layer 4 transport protocol (e.g. [ comprising ] TCP or UDP ), and a transport protocol source and destination ports contained in the received connection request wherein the generated 5-tuple is compared with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated 5-tuple associated with the received connection request;
[ storing a domain name as a candidate domain name based on a domain name entry in cache memory including the domain name paired with an IP address that matches the destination IP address; ]
determining if one or more entries are present in the received connection request have an IP address that matches a known server IP address;
determining if the received connection request is a HTTP connection request;
determining if the received connection request is a HTTPS or QUIC [ quick user datagram protocol (UDP) Internet connections (QUIC) ] connection request;
determining if a subject field in the received connection request is available if no determination is made as to whether if the received connection request is either a HTTP, HTTPS or QUIC connection request;
determining if a [ , based on the received connection request being determined to not be an HTTP, HTTPS, or QUIC connection request, and the subject field is not available in the received connection request, that the ] candidate domain name is available from IP cache created from one or more of the above steps if no determination is made as to whether the received connection request is either a HTTP, HTTPS or QUIC connection request and no subject field is available in the received connection request [ the cache memory] ; and
identifying and categorizing OTT applications associated with the received connection request if it is determined [ based on at least one of] :
the connection is either [ request being ] a HTTP, HTTPS [ , ] or QUIC connection type;
a [ the ] subject field is [ being ] available; or
a [ the ] candidate domain name is [ being ] available [ by ] utilizing a lookup table that is periodically updated with new OTT applications.