Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer implemented method for identifying an Over-the Top (OTT) application or service being accessed over the Internet, comprising the steps: receiving a connection request in a network monitoring device; inspecting Internet Protocol (IP) packets in the received connection request; generating a 5-tuple consisting of: a source IP address and a destination IP address; a layer 4 transport protocol comprising TCP or UDP, and a transport protocol source and destination ports contained in the received connection request wherein the generated 5-tuple is compared with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated 5-tuple associated with the received connection request; storing a domain name as a candidate domain name based on a domain name entry in cache memory including the domain name paired with an IP address that matches the destination IP address; determining if the received connection request is a HTTP connection request; determining if the received connection request is a HTTPS or quick user datagram protocol (UDP) Internet connections (QUIC) connection request; determining if a subject field in the received connection request is available; determining, based on the received connection request being determined to not be an HTTP, HTTPS, or QUIC connection request, and the subject field is not available in the received connection request, that the candidate domain name is available from the cache memory; and identifying OTT applications associated with the received connection request based on at least one of: the connection request being a HTTP, HTTPS, or QUIC connection type; the subject field being available; or the candidate domain name being available by utilizing a lookup table that is periodically updated with new OTT applications.
2. The computer implemented method of claim 1, further comprising determining if a transport layer protocol is TCP and a destination TCP port in the connection request matches known ports to carry HTTP, HTTPS or QUIC requests.
3. The computer implemented method of claim 1, further including extracting uniform resource identifier (URI) and HTTP header fields from the connection request if it is determined the connection request is HTTP connection request.
4. The computer implemented method of claim 1, further including detecting a service name indication (SNI) extension in a ClientHello handshake message if it is determined the received connection request is the HTTPS or QUIC connection request.
5. The computer implemented method of claim 4, further including extracting the SNI from the ClientHello handshake message.
6. The computer implemented method of claim 1 where determining if the subject field is available includes inspecting an “End Entity” X.509 format Server Certificate in the TLS handshake ServerHello message.
7. The computer implemented method as recited in claim 1 wherein if determined there is a domain name entry with a matching IP address for the received connection request, the IP address of the destination server of the received connection request is stored as a candidate domain name.
8. The computer implemented method of claim 1 wherein if determined the destination IP address associated with the received connection request cannot be directly mapped to a known domain name then, the destination IP address is compared with a list of IP address ranges registered as public IP addresses.
9. The computer implemented method of claim 8 wherein the Public IP address ranges are managed and allocated by an International Regional Internet Registry (RIR) whereby each RIR publishes a database listing associated with unique IP addresses ranges on a publicly available portion of the internet.
10. The computer implemented method of claim 1, further including inspecting Domain Name System (DNS) queries between browsers and their designated DNS servers.
11. The computer implemented method as recited in claim 10 wherein a Host field in the received connection request is an IP address.
12. The computer implemented method as recited in claim 10 wherein a Host field in the received connection request is a domain name.
13. The computer implemented method of claim 10 further including performing a DNS name-resolution query to obtain an IP address for a target HTTP/HTTPS server whereby a DNS server provides a response containing a domain name being queried and one or more IP addresses associated with the queried domain name.
14. The computer implemented method of claim 13 wherein visible DNS name-resolution responses are inspected and utilized to add IP address/domain name mapping pairs to the cache memory.
15. The computer implemented method of claim 14 wherein transport layer security (TLS) handshake SNI entries are utilized to update the cache memory.
16. The computer implemented method of claim 1 wherein if an application is being provided via an HTTP connection request, then one or more of the HTTP Host, Referrer, URI and Content-Type fields is extracted from a HTTP packet header to identify the application.
17. The computer implemented method of claim 4 wherein if determined an application is being provided via the HTTPS or QUIC connection request, then a Service Name Identifier (SNI) field in a TLS handshake is utilized as a proxy for a HTTP Host field.
18. The computer implemented method of claim 17 wherein: if the SNI field is present, a corresponding IP address/domain name mapping pair is added to the cache memory; if the SNI field is not populated in the TLS handshake then the “Subject” or “Subject Alternate Name” fields in the TLS server certificate are inspected; if determined the destination IP address of a network connection cannot be directly mapped to a domain name then the destination IP address is compared with a list of IP address ranges registered as public IP addresses; and if the SNI field is not populated in a TLS handshake then the “Subject” or “Subject Alternate Name” fields in the TLS server certificate are inspected.
19. One or more non-transitory computer-readable media storing computer readable program code that, when executed by one or more processors, effectuate operations comprising: receiving a connection request in a network monitoring device; inspecting Internet Protocol (IP) packets in the received connection request; generating a 5-tuple consisting of: IP source and destination addresses; a layer 4 transport protocol comprising TCP or UDP, and a transport protocol source and destination ports contained in the received connection request wherein the generated 5-tuple is compared with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated 5-tuple associated with the received connection request; storing a domain name as a candidate domain name based on a domain name entry in cache memory including the domain name paired with an IP address that matches the destination IP address; determining if the received connection request is a HTTP connection request; determining if the received connection request is a HTTPS or quick user datagram protocol (UDP) Internet connections (QUIC) connection request; determining if a subject field in the received connection request is available; determining, based on the received connection request being determined to not be an HTTP, HTTPS, or QUIC connection request, and the subject field is not available in the received connection request, that the candidate domain name is available from the cache memory; and identifying OTT applications associated with the received connection request based on at least one of: the connection request being a HTTP, HTTPS, or QUIC connection type; the subject field being available; or the candidate domain name being available by utilizing a lookup table that is periodically updated with new OTT applications.
20. The one or more non-transitory computer readable media of claim 19, wherein the operations further comprise determining if a transport layer protocol is TCP and a destination TCP port in the connection request matches known ports to carry HTTP, HTTPS or QUIC requests.
21. The one or more non-transitory computer readable media of claim 19, wherein the operations further comprise extracting uniform resource identifier (URI) and HTTP header fields from the connection request if the connection request is HTTP connection request.
22. The one or more non-transitory computer readable media of claim 19, wherein the operations further comprise detecting a service name indication (SNI) extension in a handshake message if the received connection request is the HTTPS or QUIC connection request.
23. The one or more non-transitory computer readable media of claim 19, wherein the operations further comprise inspecting Domain Name System (DNS) queries between browsers and their designated DNS servers.
24. The one or more non-transitory computer readable media of claim 19, wherein the operations further comprise performing a DNS name-resolution query to obtain an IP address for a target HTTP/HTTPS server.
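The identification procedure claimed above (5-tuple connection table, IP-to-domain cache fed by DNS answers and SNI, HTTP Host / SNI / certificate subject as the name source, cached candidate domain as the fallback, and the claim 8 comparison against registered public IP ranges) as an added illustrative example; this is not the patent's own code. The lookup table, RIR prefix list, and the parsed-packet dictionary format are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed lookup table and RIR prefix list (placeholder values, not real data)
OTT_TABLE = {"video.example": "ExampleVideo", "chat.example": "ExampleChat"}
RIR_RANGES = {ipaddress.ip_network("203.0.113.0/24"): "EXAMPLE-RIR-BLOCK"}
FiveTuple = Tuple[str, str, str, int, int]  # src, dst, proto, sport, dport

def lookup(name: str) -> Optional[str]:
    """Match a domain name against the OTT table by suffix."""
    for suffix, app in OTT_TABLE.items():
        if name == suffix or name.endswith("." + suffix):
            return app
    return None

def rir_block(ip: str) -> Optional[str]:
    """Claim 8 fallback: which registered public range covers the address."""
    addr = ipaddress.ip_address(ip)
    return next((b for net, b in RIR_RANGES.items() if addr in net), None)

@dataclass
class Monitor:
    conn_table: Dict[FiveTuple, Optional[str]] = field(default_factory=dict)
    ip_cache: Dict[str, str] = field(default_factory=dict)  # IP -> domain

    def on_dns_response(self, name: str, addrs: List[str]) -> None:
        for a in addrs:            # visible DNS answers populate the cache
            self.ip_cache[a] = name

    def classify(self, pkt: dict) -> str:
        """pkt carries the 5-tuple plus optional host/sni/cert_subject fields,
        assumed parsed by an upstream decoder (hypothetical input format)."""
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if self.conn_table.get(key):            # existing, already identified flow
            return self.conn_table[key]
        self.conn_table.setdefault(key, None)   # new connection-table entry
        candidate = self.ip_cache.get(pkt["dst"])   # cached candidate domain
        name = None
        if pkt["proto"] == "tcp" and pkt["dport"] == 80:      # plain HTTP
            name = pkt.get("host")
        elif pkt["dport"] == 443:               # HTTPS (tcp) or QUIC (udp)
            name = pkt.get("sni") or pkt.get("cert_subject")  # SNI, else cert
            if name:
                self.ip_cache[pkt["dst"]] = name  # SNI/cert updates the cache
        name = name or candidate
        app = lookup(name) if name else None
        if app is None:             # no usable domain: fall back to RIR range
            app = "unknown:" + (rir_block(pkt["dst"]) or "unregistered")
        self.conn_table[key] = app
        return app
```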
May 6, 2025