Filter for network intrusion and virus detection

Abstract

Methods and apparatus to perform string matching for network packet inspection are disclosed. In some embodiments there is a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits. Each slice circuit may include an input window storing some number of bytes of data from an input data steam. The input window of data may be padded if necessary, and then multiplied by a polynomial modulo an irreducible Galois-field polynomial to generate a hash index. A storage location of a memory corresponding to the hash index may be accessed to generate a slice-hit signal of a set of H slice-hit signals. The slice-hit signal may be provided to an AND-OR logic array where the set of H slice-hit signals is logically combined into a match result.

Description

FIELD OF THE DISCLOSURE[0001]This disclosure relates generally to the field of network processing. In particular, the disclosure relates to a novel filter architecture to accelerate string matching in packet inspection for network applications such as intrusion detection / prevention and virus detection.BACKGROUND OF THE DISCLOSURE[0002]In modem networks, applications such as intrusion detection / prevention and virus detection are important for protecting the networks and / or network users from attacks. In such applications network packets are often inspected to identify problematic packets by finding matches to a known set of data patterns. Matching every byte of an incoming data stream against a large database of patterns (e.g. up to hundreds of thousands) is very compute-intensive. Programs have used techniques such as finite-state machines and filters to find matches to known sets.[0003]A Bloom filter, conceived by Burton H. Bloom in 1970, is a probabilistic structure for determinin...

AI Technical Summary

Benefits of technology

The patent text describes a new filter architecture that can accelerate the process of matching strings of data in network packets for applications such as intrusion detection and virus detection. The filter apparatus is made up of multiple slice circuits that perform string matching steps in parallel with each other. Each slice circuit includes an input window, a hash function, and a storage location in memory. The input window stores some number of bytes of data from the input data stream, and the hash function generates a hash index based on the data. A slice-hit signal is generated for each slice circuit if there is a match between the data and a pre-defined pattern. The slice-hit signals are then combined using an AND-OR logic array to generate the match result. The new filter architecture provides a faster and more efficient way to match strings of data in network packets.

Problems solved by technology

Matching every byte of an incoming data stream against a large database of patterns (e.g. up to hundreds of thousands) is very compute-intensive.

Designing a filter for a specific problem may be tedious, and at high data rates it is difficult or impossible for state-of-the art processors to implement the design at rates even close to line-rate.

To date, more generalized reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection / prevention and virus detection have not been fully explored.

Images