Netify - Legacy Application Stats Data Feed

Legacy Application Stats

The Netify Legacy Application Stats Data Feed provides network intelligence data that is typically used for:

Investigating application behavior
Analyzing protocol and port patterns
Managing geographic app performance
Extending app-based machine learning models
Enhancing cybersecurity tools

For those of you still using the legacy Application IPs dataset, you can find technical details below. Please contact us to migrate to the new version of the dataset.

Getting Started

You can find general Netify API information on Authentication, Response Codes, and other topics in the menu. You can also find JSON format information on our standard data objects: IP object, application object, etc.

Postman Documentation

Description

Understanding the behavior of applications on a network can provide the insights required to improve overall user experience. The Network Intelligence stats can be customized to meet your requirements. Data can be used for:

Optimizing application behavior
Analyzing protocol and port data
Managing geographic distribution

Browse Online

The following is a sample of applications that were detected on 13.245.40.146.

Application	Category	Byte %	Flow %	Bytes / Flow
Twilio	VoIP/Conferencing	< 1	2.3	121,000
Autodesk	Business	< 1	< 1	452,000
Peloton	Recreation	< 1	< 1	125,000
TeamSnap	Sports	< 1	< 1	1,900

API Quick Reference

Some applications use tens of thousands of server IP addresses to deliver images, videos, and metadata. Payloads can be up to 100 MB per application, so we do not provide an index for this endpoint.

Route	https://feeds.netify.ai/api/v2/stats/applications/{application_tag}
Authentication	x-api-key
Pagination	not applicable

Data Payload

The Netify Application Stats Data Feed is an API that provides the following application details:

Application Information and logos
Domains
Network CIDRs
Stats IPs
Application stats

We break down each of these items in the following sections.

JSON Overview

"data": {
    { Application Property },
    [ Domain List ],
    [ CIDR List ],
    [ Stats IP List ],
    [ Protocol Port Stats ],
}

Application Attribute

The application block in the JSON payload provides general information about the given application: label, description, logos, tag name and more. See the application attribute documentation for more information on the JSON payload details.

"application": {
    "id": 120,
    "tag": "netify.twitter",
    "label": "Twitter",
    "full_label": "Twitter",
    "description": "Twitter is a ...",
    "home_page": {
        "url": "https://twitter.com",
        "text": "Twitter"
    },
    "category": {
        "id": 24,
        "tag": "social-media",
        "label": "Social Media"
    },
    "active": true,
    "favicon": "https://static.netify.ai/...",
    "icon": "https://static.netify.ai/...",
    "logo": "https://static.netify.ai/...",
    "favicon_source": "app",
    "icon_source": "app",
    "logo_source": "app"
}

Domain List

The domain list contains all the domain definitions used to detect an application. For example, the following is a sample of domains used to match the Twitter application:

t.co
twimg.com
twitter.com
twimg.com.akahost.net
twitter.map.fastly.net
etc.

These domains are used to identify application network traffic flows via Netify DPI processing. The hostnames coming from TLS SNI, TLS certificate common names, HTTP headers, DNS requests, DNS hinting, and any hostname that pops out of deep packet inspection are compared to the domain lists.

Please note: for companies with large portfolios of applications, the subdomains can be important differentiators. For example, the googleapis.com domain is part of the Google domain list, but the youtubei.googleapis.com domain is part of Google-owned YouTube domain list.

If a domain belongs to a platform, the metadata is attached to the payload. See the Domain Object documentation for more information on the JSON payload details.

Domain List JSON Overview

"domain_list": [
    {
        "id": 2737771,
        "label": "twimg.com.akahost.net",
        "category": {
            "id": 24,
            "tag": "social-media",
            "label": "Social Media"
        },
        { Platform Object }
    }

Domain List JSON Example

"domain_list": [
    {
        "id": 2737771,
        "label": "twimg.com.akahost.net",
        "category": {
            "id": 24,
            "tag": "social-media",
            "label": "Social Media"
        },
        "platform": {
            "id": 1002,
            "tag": "akamai",
            "label": "Akamai",
            "category": {
                "id": 2,
                "tag": "cdn",
                "label": "CDN"
            },
        }
    },

CIDR List and Type

Some applications run across large network blocks. For example, Microsoft Teams connects to specific network blocks for video conferencing. In these cases, the cidr_list and cidr_type properties will appear in the dataset. The cidr_type will be one of the following three values:

dedicated
hosted
multiproduct

Dedicated: CIDRs in this category are dedicated to serving the application. For example, Telegram CIDRs are not used by any other application -- it's all Telegram.

Hosted: CIDRs in this category are hosting other applications. For example, the Amazon AWS CIDRs can be used to identify all of AWS, but many applications are hosted on his network.

Multiproduct: CIDRs in this category belong to one organization, but are shared amongst different products. For example, the Apple CIDR list will have traffic from the following applications: iCloud, Apple Mail, Apple TV, etc.

If an application does not have any defined CIDR blocks, the cidr_type and cidr_list keys will not exist.

CIDR List and Type JSON Example

"cidr_type": "dedicated",
"cidr_list": [
    {
        "network": "8.25.194.0/23",
        "version": "ipv4"
    },
    {
        "network": "8.25.196.0/23",
        "version": "ipv4"
    },
    ...

The network CIDR list is derived from data provided directly from application vendors, Netify-derived network traffic analysis, and autonomous system number (ASN) definitions. These networks are fairly static, but there are at least a few changes to network CIDR lists every week.

Stats IP List

The stats IPs associated with the application are provided in the stats_ip_list part of the payload. The data is derived from Netify DPI network traffic analysis. See adjacent sample.

If an IP belongs to a platform, the metadata is attached to the payload. However, to minimize the size of the payload, a subset of the fields in the platform are provided. See the Platform Object documentation for more information.

Though most IP addresses serving applications are fairly static, IPs do get re-used. For example, most Amazon CloudFront CDN IPs for a specific application can change every week or so. This Application Stats data feed includes historical statistics (90 days) on IPs, including those IPs that are now used by a different application. If you are looking for a list of active IPs, please visit the Application IPs Data Feed page.

Shared IPs

It is very common for applications to use shared IPs. Here are three common shared IP scenarios:

Content delivery networks
Third party platforms, e.g. a third-party mail services
Multi-app organizations, e.g. the YouTube and Gmail apps both use shared Google infrastructure

IP List JSON Overview

"stats_ip_list": [
    {
        "address": "13.33.166.245",
        "version": "ipv4",
        "shared": false,
        "shared_score": 5,
        { Platform Object (minified) }
    }
}

IP List JSON Example

"stats_ip_list": [
    {
        "address": "13.33.166.245",
        "version": "ipv4",
        "shared": false,
        "shared_score": 5,
        "platform": {
            "id": 1006,
            "tag": "amazon-cloudfront",
            "label": "Amazon CloudFront",
            "category": {
                "id": 2,
                "tag": "cdn",
                "label": "CDN"
            },
            ...
        }
    },

The shared and shared_score provide information on IP sharing. Every IP is given a score from 0 (dedicated) to 100 (shared). This score is published in the shared_score field. If the score is above 50, the shared flag is set to true. Details on the scores are provided in the table below.

Score	Description
-1	Analysis has not been completed.
0-10	Dedicated IP detected: dedicated network ASNs, IP certificate matches, reverse DNS matches.
10-20	Dedicated IP detected, high probability.
20-40	Dedicated IP detected, but possibility of sharing detected through heuristics / machine learning.
40-60	Gah. This often happens when IPs are churned (dedicated to one app, then later dedicated to a different app).
60-80	Shared IP detected, but possibility that it is dedicated.
80-90	Shared IP detected, high probability.
90-100	Shared IP detected: raw Netify intelligence data confirms sharing.

Protocol Port Stats

The protocol_port_stats field provides some basic statistics about the protocols used by the application. Most apps use standard HTTP and HTTPS to communicate with server and web sites. However, IoT devices, TVs, mobile apps, and other examples use other ports and protocols. Here's an example from Blizzard's gaming environment:

Protocol	Port	Flow Percent
HTTP	TCP 80	82
HTTPS	TCP 443	11%
HTTP	TCP 1119	6%
StarCraft	TCP 1119	< 1%
HTTP	TCP 3724	< 1%

You can customize the statistics available for applications. Please contact us for details.

"protocol_port_stats": [
    {
        "protocol_port": {
            "ip_protocol": {
                "id": 6,
                "label": "TCP"
            },
            "protocol": {
                "id": 196,
                "tag": "https",
                "label": "HTTPS"
            },
            "port": 443
        },
        "stats": {
            "flow_percent": "97.28",
            "byte_percent": "99.98",
            "average_bytes_per_flow": 175000
        }
    },
    ...
]