Systems and methods for controlling applications on a network are provided. According to one embodiment, a network security device intercepts network traffic and conducts a heuristic detection of an application protocol used in the network traffic by multiple application protocol identifying engines defined in a heuristic rule. According to another embodiment, the network security device confirms a suspect application protocol as an actual application protocol used in the network traffic by sending a probing request to the destination peer of the network traffic based on the suspect application protocol. The suspect application protocol is confirmed if an appropriate response is received from the destination peer.