CN101116052A - Network interface and firewall device - Google Patents

Network interface and firewall device

Info

Publication number
CN101116052A
CN101116052A
Authority
CN
China
Prior art keywords
bag
semantic
address
entry
network
Legal status
Pending
Application number
CNA2005800442190A
Other languages
Chinese (zh)
Inventor
索姆索布理·司柯达尔
凯文·杰罗米·罗怀特
凯维赫·杰拉里
史蒂芬·克莱·埃利斯
Current Assignee
MISTLETOE TECHNOLOGIES Inc
Original Assignee
MISTLETOE TECHNOLOGIES Inc
Application filed by MISTLETOE TECHNOLOGIES Inc
Publication of CN101116052A

Abstract

A network processing device provides a novel architecture for conducting firewall and other network interface management operations. In another aspect of the invention, a Unified Policy Management (UPM) architecture uses a same memory and processing structure to integrate firewall policy management with routing and switching decisions. In another embodiment, a Reconfigurable Semantic Processor (RSP) uses a parser to identify different syntactic elements that are then used by one or more Semantic Processing Units (SPUs) to carry out different firewall, network interface, routing, switching, and other packet processing operations.

Description

Network interface and firewall device
This application claims priority to U.S. Patent Application No. 11/187,049, entitled "Network Interface and Firewall Device" (NETWORK INTERFACE AND FIREWALL DEVICE), filed July 21, 2005; U.S. Provisional Application No. 60/701,748, entitled "Method and Apparatus for Detecting Semantic Elements Using a Push Down Automaton" (METHOD AND APPARATUS FOR DETECTING SEMANTIC ELEMENTS USING A PUSH DOWN AUTOMATON), filed July 22, 2005; and U.S. Patent Application No. 11/125,956, entitled "Intrusion Detecting System" (INTRUSION DETECTING SYSTEM), filed May 9, 2005. U.S. Patent Application No. 11/125,956 claims priority to U.S. Provisional Patent Application No. 60/639,002, filed December 21, 2004, and is a continuation-in-part of co-pending U.S. Patent Application No. 10/351,030, filed January 24, 2003. All of the above applications are incorporated herein by reference.
Background technology
The openness of the Internet has led to a wide variety of attacks against machines connected to it. These attacks work by sending sequences of packets that cause the target machine to stop operating normally. Attacks can be broadly classified as follows: crashing the target machine, denial of service (DoS), distributed denial of service (DDoS), and tampering with files or software on the target machine so that the machine becomes unavailable, is damaged, or is used as a clone attack source for DoS.
Most attacks are initiated from machines connected to the public Internet and enter an enterprise through that enterprise's connection to the Internet. Some enterprises have more than one point of connection to the Internet. A network device positioned at the interface between two networks, sometimes called a firewall, is therefore used to defend against these attacks. For example, a firewall may sit between the public Internet and a private network, between two Internet Service Provider (ISP) networks, between two LANs, or between any other two networks. If firewall devices are placed at every connection point to the Internet, a perimeter firewall is formed around the internal network and its machines.
A firewall is responsible for preventing unauthorized attacks from entering the private network, and may also remove unauthorized transmissions that originate inside the private network. Other uses of a firewall may include modifying the information in packets. For example, a firewall may act as a Network Address Translator (NAT), translating between public and private Internet Protocol (IP) addresses.
To date, firewall operations have mainly been implemented as a collection of software modules running on some embedded processor, such as a PowerPC or an Intel x86-class processor. The problem is that these hardware architectures lack the processing power to carry out firewall operations efficiently. It is therefore difficult, if not impossible, to protect against or filter out all the various attacks by inspecting every packet from source to destination as it is received and applying the various rules to each packet to determine its validity.
The present invention addresses this problem and other problems associated with the prior art.
Summary of the invention
A network processing device provides a novel architecture for carrying out firewall and other network interface management operations. In another aspect of the invention, a Unified Policy Management (UPM) architecture uses the same memory and processing structure to integrate firewall policy management with routing and switching decisions. In another embodiment, a Reconfigurable Semantic Processor (RSP) uses a parser to identify different syntactic elements, which are then used by one or more Semantic Processing Units (SPUs) to carry out different firewall, network interface, routing, switching, and other packet processing operations.
The foregoing and other objects, features and advantages of the invention will become more readily apparent from the following detailed description of preferred embodiments of the invention, which proceeds with reference to the accompanying drawings.
Description of drawings
Fig. 1 is a block diagram of a network processing device that uses a reconfigurable semantic processor (RSP);
Fig. 2A is a block diagram showing the RSP in more detail;
Figs. 2B and 2C are more detailed diagrams of the parser table and the production rule table used in the RSP;
Fig. 3 is a diagram showing how a denial of service attack can disable a network processing device;
Fig. 4 is a diagram showing how a firewall associates DoS attacks with different zones;
Fig. 5 is a more detailed diagram of the firewall shown in Fig. 4;
Fig. 6 shows how memory in the firewall is divided into different generations;
Fig. 7 is a flow diagram showing how the firewall moves between the different generations shown in Fig. 6;
Fig. 8 is a flow diagram showing how the firewall in Fig. 5 handles DoS attacks;
Fig. 9 is a block diagram showing one embodiment of how the RSP shown in Fig. 2A is configured to handle DoS attacks;
Figs. 10 and 11 are flow diagrams showing how the RSP in Fig. 9 handles DoS candidate packets;
Fig. 12 is a block diagram showing a firewall and a routing device operating independently;
Fig. 13 is a diagram of a packet processing structure that provides unified routing and firewall policy management (UPM);
Fig. 14 is a diagram showing sample entries in an Access Control List (ACL) table;
Fig. 15 is a flow diagram showing how the packet processor in Fig. 13 provides UPM;
Fig. 16 is another embodiment of a UPM table that provides forwarding behavior based on upper-layer packet characteristics;
Fig. 17 is a block diagram of one embodiment showing how UPM is used to forward packets according to different Uniform Resource Locator (URL) values;
Fig. 18 is an embodiment of how unified policy management is implemented in the RSP;
Fig. 19 is a flow diagram showing how the RSP in Fig. 18 operates;
Fig. 20 is a flow diagram showing how the RSP is used for Network Address Translation (NAT) and Port Address Translation (PAT);
Fig. 21 is a more detailed diagram showing how the RSP is configured for NAT/PAT translation and IP packet conversion;
Figs. 22 and 23 are flow diagrams showing how the RSP performs NAT/PAT translation;
Fig. 24 is a flow diagram showing how the RSP converts packets between IPv4 and IPv6;
Fig. 25 is a more detailed flow diagram showing how the RSP performs the conversion between IPv4 and IPv6;
Figs. 26 and 27 show how the RSP is used for Virtual Private Network (VPN) integration;
Figs. 28 and 29 show how a firewall can be used to assign anti-virus licenses to different sub-networks;
Figs. 30 and 31 show how multiple RSPs can be linked together to perform distributed firewall processing;
Fig. 32A is a block diagram showing an Intrusion Detection System (IDS) implemented in a private network;
Fig. 32B shows the limitations of a conventional intrusion detection system;
Fig. 32C shows an embodiment of the IDS in Fig. 32 that identifies syntactic elements in a data stream and uses those syntactic elements to identify threats;
Fig. 33 is a block diagram showing how a reconfigurable semantic processor (RSP) is used to implement the IDS;
Fig. 34 is a flow diagram showing how the IDS in Fig. 33 operates;
Fig. 35 is a more detailed logic diagram of the IDS shown in Fig. 33;
Fig. 36 is a block diagram of the RSP shown in Fig. 33;
Figs. 37 and 38 show how a Direct Execution Parser (DXP) in the RSP identifies packets that contain email messages;
Fig. 39 is a flow diagram showing how the RSP applies threat filters to a data stream;
Fig. 40 is a flow diagram showing how the RSP performs a session lookup;
Fig. 41 is a flow diagram showing how the RSP generates tokens from an input stream;
Fig. 42A is a flow diagram showing how the RSP reassembles fragmented packets before performing intrusion detection operations;
Fig. 42B is a flow diagram showing how the RSP records TCP packets before performing intrusion detection;
Figs. 43 and 44 show how a central intrusion detection device correlates tokens generated by different network processing devices;
Fig. 45 shows how the IDS is used to modify information in, or remove information from, a data stream;
Fig. 46 shows a Push Down Automaton (PDA) engine;
Fig. 47 is a semantic state diagram showing how the PDA engine in Fig. 46 performs a URL search;
Fig. 48 is a semantic state diagram showing how the PDA engine uses a similar number of semantic states to search for a longer character string;
Fig. 49 shows how the PDA engine uses only one additional semantic state to search for an additional semantic element;
Figs. 50-54 are detailed diagrams showing how the PDA engine performs an example URL search; and
Fig. 55 shows how the PDA engine is implemented in a reconfigurable semantic processor (RSP).
Detailed description of embodiments
Fig. 1 shows a private Internet Protocol (IP) network 24 connected to a public IP network 12 through a network interface device 25A. The public IP network 12 may be any Wide Area Network (WAN) that provides packet switching. The private network 24 may be an enterprise network, an Internet Service Provider (ISP) network, a home network, or the like, all of which need to communicate with the public IP network 12.
The network processing devices 25A-25D in the private network 24 may be any type of computing device that communicates over a packet network. For example, the network processing devices 25A and 25B may be routers, switches, gateways, firewalls, and so on. Endpoint 25C is a personal computer (PC), and endpoint 25D is a server, for example an Internet web server. The PC 25C may be connected to the private network 24 through a wired connection, such as a wired Ethernet connection, or through a wireless connection using, for example, the IEEE 802.11 protocol.
Within the private network 24, reconfigurable semantic processors (RSPs) 100 operate in any combination of the network devices 25A-25D. The different RSPs 100 collect and analyze the network traffic 22 entering and passing through the private network 24. In this embodiment, the RSP 100A in the network processing device 25A is configured to operate as a firewall and general network interface for the private network 24. Although the network interface and other conventional firewall operations described below are shown implemented in the RSP 100, it should be understood that some of these operations could also be implemented in other conventional computer architectures.
In one embodiment, the RSP 100A is configured to detect and prevent denial of service (DoS) attacks 16. An external PC 14 connected to the public IP network 12 may generate a DoS attack 16 intended to disable one or more of the network processing devices 25A-25D in the private network 24. The RSP 100A monitors all incoming packets received from the public IP network 12 and discards any packets in the packet stream 20 that are associated with the DoS attack 16. Besides detecting and discarding the packets 16, the RSP 100A may also perform other network interface operations 26 on the packets 22 that were not deleted on account of the DoS attack 16. For example, the RSP 100A may provide virus and malware detection and filtering, network address translation (NAT), routing, statistical analysis, logging, and/or other packet conversion operations required for transmitting packets between the public IP network 12 and the private IP network 24. All of these operations are described in more detail below.
In another embodiment, an RSP 100 may be installed in other network processing devices located inside the private network 24, or at any other main access point into the private network 24. For example, an RSP 100B may be located in the server 25D to provide similar checking, routing, statistical analysis, and so on. The operations 26 are described in more detail below. Alternatively, some of the packet operations 26 may be activated in the RSP 100B but not in the RSP 100A. For example, the RSP 100B may perform statistical analysis or DoS filtering in addition to any other packet analysis, filtering and packet conversion performed by the RSP 100A.
Any of the other network processing devices 25B and 25C in the private network 24 may also include one or more RSPs 100 that can be configured to perform any of the operations described below. The platform using the RSP 100 may also be any wireless device, for example a wireless Personal Digital Assistant (PDA), wireless phone, wireless router, wireless access point, wireless client, etc., that receives packets or other data streams over a wireless interface such as cellular Code Division Multiple Access (CDMA) or Time Division Multiple Access (TDMA), 802.11, Bluetooth, and the like.
Reconfigurable semantic processor (RSP)
Fig. 2A shows a block diagram of a reconfigurable semantic processor (RSP) 100 used in one embodiment to perform the firewall and other network interface operations described below. The RSP 100 contains an input buffer 140 for buffering a packet data stream received through an input port 120, and an output buffer 150 for buffering the packet data stream transmitted through an output port 152.
A Direct Execution Parser (DXP) 180 controls the processing of packets or frames received at the input buffer 140 (e.g., the input "stream"), output to the output buffer 150 (e.g., the output "stream"), and recirculated through a recirculation buffer 160 (e.g., the recirculation "stream"). Preferably, the input buffer 140, output buffer 150 and recirculation buffer 160 are first-in first-out (FIFO) buffers.
The DXP 180 also controls the processing of packets by a Semantic Processing Unit (SPU) 200, which handles the transfer of data between the buffers 140, 150 and 160 and a memory subsystem 215. The memory subsystem 215 stores the packets received from the input port 120, and a CAM 220 stores Access Control Lists (ACLs) that are used for the Unified Policy Management (UPM) operations and other firewall operations described below.
The RSP 100 uses at least three tables to perform the firewall operations described herein. Codes 178 for retrieving production rules 176 are stored in a parser table (PT) 170. Grammatical production rules 176 are stored in a production rule table (PRT) 190. Code segments 212 executed by the SPU 200 are stored in a semantic code table (SCT) 210. The codes 178 in the parser table 170 are stored, for example, in a row-column format or in a content-addressable format. In the row-column format, the rows of the parser table 170 are indexed by non-terminal codes (NT) 172 supplied by an internal parser stack 185, and the columns of the parser table 170 are indexed by input data values DI[N] 174 extracted from the head of the data in the input buffer 140. In the content-addressable format, the concatenation of the non-terminal code 172 from the parser stack 185 and the input data value 174 from the input buffer 140 provides the input to the parser table 170.
The production rule table 190 is indexed by the codes 178 from the parser table 170. Tables 170 and 190 are linked as shown in Fig. 2A, so that a query sent to the parser table 170 directly returns the production rule 176 applicable to the non-terminal code 172 and input data value 174. The DXP 180 replaces the non-terminal code at the top of the parser stack 185 with the production rule (PR) 176 returned from the PRT 190, and continues parsing the data from the input buffer 140.
The semantic code table 210 is also indexed according to the codes 178 generated by the parser table 170 and/or according to the production rules 176 generated by the production rule table 190. Generally, the parsing result allows the DXP 180 to detect, for a given production rule 176, whether a Semantic Entry Point (SEP) routine 212 from the semantic code table 210 should be loaded and executed by the SPU 200.
The SPU 200 has several access paths to the memory subsystem 215, which provides a structured memory interface that can be addressed by contextual symbols. The memory subsystem 215, parser table 170, production rule table 190 and semantic code table 210 may use on-chip memory, external memory devices such as synchronous dynamic random access memory (DRAM) and Content Addressable Memory (CAM), or a combination of such resources. Each table or context may merely provide, for one or more other tables or contexts, a contextual interface to a shared physical memory space.
A Maintenance Central Processing Unit (MCPU) 56 is coupled between the SPU 200 and the memory subsystem 215. The MCPU 56 performs any desired functions of the RSP 100 that can reasonably be implemented with conventional software and hardware. These functions are usually infrequent, non-time-critical functions whose complexity does not warrant inclusion in the SCT 210. Preferably, the MCPU 56 also has the ability to request that the SPU 200 perform tasks on behalf of the MCPU.
The memory subsystem 215 contains an Array Machine-Context Data Memory (AMCD) 230 for accessing data in a DRAM 280 by hash function or Content Addressable Memory (CAM) lookup. A cryptographic function block 240 encrypts, decrypts or authenticates data, and a context control block cache 250 caches context control blocks to and from the DRAM 280. A general cache 260 caches data used for basic operations, and a streaming cache 270 caches data streams as they are written to and read from the DRAM 280. Preferably, the context control block cache 250 is a software-controlled cache, i.e., the SPU 200 decides when a cache line is used and released. Each of the circuits 240, 250, 260 and 270 is coupled between the DRAM 280 and the SPU 200. The TCAM 220 is coupled between the AMCD 230 and the MCPU 56, and contains the Access Control Lists (ACLs) and other parameters that substantially improve firewall performance.
Detailed design optimizations of the functional blocks of the RSP 100 are described in co-pending application 10/351,030, entitled "Reconfigurable Semantic Processor", filed January 24, 2003, which is incorporated herein by reference.
Using the RSP for firewall and network interface operations
The firewall and other network interface operations 26 described above with reference to Fig. 1 are implemented with the RSP 100 using grammar rules and Semantic Entry Point (SEP) routines 212. Packets arrive at the input port 120 of the RSP device 100, are parsed using the grammar table entries in the parser table 170, and are semantically processed by the SEP routines 212. The SEP routines 212 determine whether to:
1. accept the packet as is and pass it to the output port 152;
2. delete the packet without further processing, and not forward it;
3. modify the packet and then send it to the output port 152;
4. hold the packet, wait for the arrival of other packets of the session, and then decide on the final handling of the packet; or
5. direct the packet to a specific target, or direct the packet back through the RSP for further processing.
The grammar rules in the parser table 170 are written to allow acceptable packets through and to flag known or suspected anomalies to the SPU 200. One example of a grammar that decides pass or fail involves the TCP flag settings. The TCP flags field has 8 bits, of which only certain combinations are valid. The grammar rules are encoded in the parser table 170 to allow every acceptable TCP flag setting and to reject the unacceptable ones. For example, TCP SYN and FIN set in the same packet is not a valid combination, so such a packet is dropped directly by the DXP 180.
Some unacceptable packets or operations can only be judged by supporting SEP routines 212. These mainly involve session and protocol state. One example is a TCP data payload segment sent before the corresponding TCP SYN message. In this example, the SEP routine 212 should delete from the memory 280 a packet that was not preceded by a TCP SYN message for its TCP session.
Because the direct execution parser 180 can directly reject packets, or redirect non-attack packets, according to the DoS handling without consuming additional cycles in the SPU 200, using the parser grammar in combination with the SEP code 212 provides better performance. A conventional firewall must check every packet against a large number of "bad packet" rules, a set that keeps growing as new attacks are discovered. In contrast, the parser grammar can be written to describe only the trusted packets that are allowed to flow through the RSP 100. Bad packets are therefore filtered out automatically, or handled directly by the SPU 200. This provides finer control over packet policing operations.
RSP parser and production rule tables
The operation of the RSP 100 as a firewall or for unified policy management (UPM) will be better understood through specific embodiments. In the following embodiments, the RSP 100 provides denial of service (DoS) filtering of TCP packets. Those skilled in the art will appreciate, however, that the following concepts can readily be applied to any type of firewall operation on any data stream transmitted with any communication protocol. Similar concepts can also readily be applied to the unified policy management (UPM) operations described below.
The firewall and UPM operations include parsing and detecting the grammar of the input data stream, which is explained with reference to Figs. 2B and 2C. Referring first to Fig. 2B, codes associated with many different grammars may be present at the same time in the parser table 170 and the production rule table 190. For example, codes 300 are associated with parsing the header format of Media Access Control (MAC) packets, codes 302 are associated with processing IP packets, another group of codes 304 is associated with processing Transmission Control Protocol (TCP) packets, and so on. Other codes 306 in the parser table 170 are associated with the other firewall or denial of service (DoS) operations described in more detail below.
The PR codes 178 are used to access the corresponding production rules 176 stored in the production rule table 190. Unless a particular lookup implementation requires it, the input values 308 (for example, non-terminal (NT) symbols 172 combined with the current input values DI[n] 174, where n is the selected match width in bytes) need not be assigned in the parser table 170 in any particular order.
In one embodiment, the parser table 170 also includes an addressor 310 that receives the NT symbol 172 and the data value DI[n] 174 from the DXP 180. The addressor 310 concatenates the NT symbol 172 and the data value DI[n] 174 and applies the concatenated value 308 to the parser table 170. Although it is conceptually useful to regard the structure of table 170 as a matrix with one PR code 178 for each unique combination of NT code 172 and data value 174, the invention is not so limited. Different types of memory and memory organization may be used for different applications.
In one embodiment, the parser table 170 is implemented as a Content Addressable Memory (CAM), where the addressor 310 uses the NT code 172 and the input data value DI[n] 174 as the key for looking up the PR code 178 in the CAM. Preferably, the CAM is a Ternary CAM (TCAM) holding TCAM entries. Each TCAM entry contains an NT code 312 and a DI[n] match value 314. Each code 312 may have multiple TCAM entries.
Each of the DI[n] match values 314 can be set to "0", "1" or "X" (meaning "don't care"). This capability allows a PR code 178 to require that only some bits or bytes of DI[n] 174 match the encoded pattern in order for the parser table 170 to find a match.
For example, a TCAM row may contain the NT code NT_TCP_SYN 312A for a TCP SYN packet, followed by extra bytes 314A representing content that may be present in a TCP SYN packet, for example a destination IP address and a TCP message identifier. The remaining bytes of the TCAM row may be set to "don't care". Therefore, when NT_TCP_SYN 312A and some number of bytes DI[N] are submitted to the parser table 170, and the first group of bytes in DI[N] contains the TCP SYN message identifier, a match occurs regardless of what the remaining bytes of DI[N] contain.
As explained above, the TCAM in the parser table 170 produces the PR code 178A corresponding to the TCAM entry that matched the NT 172 and DI[N] 174. In this embodiment, PR code 178A is associated with a TCP SYN packet. The PR code 178A can be sent back to the DXP 180, or directly to the PR table 190, or both. In one embodiment, the PR code 178A is the row index of the TCAM entry that produced the match.
Fig. 2C shows one possible embodiment of the production rule table 190. In this embodiment, an addressor 320 receives the PR code 178 from the DXP 180 or the parser table 170, and receives the NT symbol 172 from the DXP 180. Preferably, the received NT symbol 172 is the same NT symbol 172 that was sent to the parser table 170 and used to locate the received PR code 178 in the parser table 170.
The addressor 320 uses the received PR code 178 and NT symbol 172 to access the corresponding production rule 176. The addressor 320 may or may not be needed in a given embodiment; when it is used, it may be part of the DXP 180, part of the PRT 190, or an intermediate functional block. For example, where the parser table 170 or the DXP 180 constructs the address directly, no addressor is needed.
The production rules 176 stored in the production rule table 190 contain three data segments: a symbol segment 177A, an SPU entry point (SEP) segment 177B and a skip byte segment 177C. These segments may be fixed-length or variable-length segments, and are preferably null-terminated. The symbol segment 177A contains the terminal and/or non-terminal symbols to be pushed onto the top of the parser stack 185 (Fig. 2A) of the DXP. The SEP segment 177B contains the SPU entry points (SEPs) that the SPU 200 uses to process segments of data. In an embodiment described below, the SEP segment 177B may correspond to ACL assertions and other syntactic elements identified in the packet currently being parsed.
The skip byte segment 177C contains a skip byte value that the input buffer 140 uses to increment its buffer pointer and advance the processing of the input stream. Other information useful for processing production rules may also be stored as part of the production rule 176.
In this embodiment, the one or more production rules 176A indexed by the production rule code 178A correspond to the TCP SYN packet identified in the input buffer 140. The SEP segment 177B points to SPU code 212 in the semantic code table 210 of Fig. 2A which, when executed by the SPU 200, performs the DoS operations on the identified TCP SYN packet as shown in Figs. 4-11.
In one embodiment, the SPU 200 comprises a series of semantic processing elements that can run in parallel. The SEP segment 177B in the production rule 176A may start one or more SPUs 200 to perform the same firewall operation on different packets in parallel, or different firewall operations on the same packet. Obviously, similar operations can be used to detect any other type of packet or data identification that may be required for any of the firewall, network interface or UPM operations described below.
As mentioned above, the parser table 170 may also contain other grammars, related or unrelated to TCP SYN packets. For example, the IP grammar 302 in the parser table 170 may contain a production rule code 178 associated with an NT_IP destination address identified in the input buffer 140, which is used in combination with the identified TCP SYN message to perform DoS processing (see Figs. 4-11 below).
The match data values 314 in the production rule codes 302 may contain the destination IP addresses of network processing devices located in the private network 24 of Fig. 1. If the input data DI[I] 174 associated with the NT_IP code 172 does not contain a destination address matching the match values 314 in the PR codes 302, a default production rule code 178 may be supplied to the production rule table 190. The default production rule code 178 may point to a production rule 176 in the production rule table 190 that directs the DXP 180 and/or the SPU 200 to drop the packet from the input buffer 140.
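The following Python model is an added illustration, not code from the patent or from Mistletoe Technologies. It walks through the flow described in this section and in the preceding "Using the RSP for firewall and network interface operations" section: a TCAM-style parser table keyed on (NT code, DI[n]) with "don't care" bytes, production rules carrying the symbol, SEP and skip-byte segments, a default rule that drops packets whose destination address has no entry, and SEP routines that return the dispositions listed earlier (accept, drop, hold, and so on). The numeric NT and PR codes, the four-byte match width, the accepted destination address 10.0.0.5, the packet layout (four address bytes followed by one TCP flag byte) and the choice of which flag bytes map to which rule are all assumptions made for the example; the patent names NT_TCP_SYN and an NT_IP nonterminal but assigns them no values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Non-terminal (NT) and production-rule (PR) codes. The patent names an
# NT_TCP_SYN and an NT_IP destination-address nonterminal but assigns no
# numeric values; these numbers are constructed for the example.
NT_IP_DST, NT_TCP_FLAGS = 1, 2
PR_DEFAULT_DROP, PR_IP_OK, PR_TCP_SYN, PR_TCP_NORMAL = 0, 1, 2, 3
MATCH_WIDTH = 4   # n: bytes of DI[n] presented to the parser table per lookup
X = None          # "don't care" in a TCAM match byte


@dataclass(frozen=True)
class ParserEntry:
    """One TCAM row of the parser table: NT code plus DI[n] match bytes."""
    nt: int
    match: Tuple[Optional[int], ...]   # per-byte value, or X for don't care
    pr_code: int


@dataclass(frozen=True)
class ProductionRule:
    """One PRT entry: symbol segment, SEP segment and skip-byte segment."""
    symbols: Tuple[int, ...]   # pushed so that symbols[0] ends on top of the stack
    sep: Optional[str]         # name of the SEP routine in the SCT, if any
    skip: int                  # bytes the input buffer pointer advances


# Parser table (Fig. 2B style). Only the listed destination is acceptable;
# anything else under NT_IP_DST misses and falls to the default (drop) rule.
PARSER_TABLE: Tuple[ParserEntry, ...] = (
    ParserEntry(NT_IP_DST, (10, 0, 0, 5), PR_IP_OK),
    # TCP flag byte: SYN alone (0x02) is a DoS candidate and gets its own SEP.
    ParserEntry(NT_TCP_FLAGS, (0x02, X, X, X), PR_TCP_SYN),
    # ACK-bearing flag bytes are acceptable; the bytes after the flags are "don't care".
    ParserEntry(NT_TCP_FLAGS, (0x10, X, X, X), PR_TCP_NORMAL),
    ParserEntry(NT_TCP_FLAGS, (0x12, X, X, X), PR_TCP_NORMAL),
    ParserEntry(NT_TCP_FLAGS, (0x18, X, X, X), PR_TCP_NORMAL),
    # There is deliberately no entry for SYN+FIN (0x03): the grammar describes
    # only acceptable packets, so that combination misses and is dropped.
)

# Production rule table: PR code -> (symbols to push, SEP, skip bytes).
PRT: Dict[int, ProductionRule] = {
    PR_DEFAULT_DROP: ProductionRule((), "sep_drop", 0),
    PR_IP_OK:        ProductionRule((NT_TCP_FLAGS,), None, 4),
    PR_TCP_SYN:      ProductionRule((), "sep_tcp_syn", 1),
    PR_TCP_NORMAL:   ProductionRule((), "sep_accept", 1),
}

# Semantic code table: each SEP routine returns one of the dispositions
# listed earlier on the page (accept / drop / modify / hold / redirect).
SCT: Dict[str, Callable[[bytes, int], str]] = {
    "sep_drop":    lambda pkt, pos: "drop",
    "sep_accept":  lambda pkt, pos: "accept",
    "sep_tcp_syn": lambda pkt, pos: "hold",   # keep the SYN until the session progresses
}


def tcam_lookup(nt: int, di: bytes) -> int:
    """Ternary match of (NT, DI[n]) against the parser table; first hit wins."""
    for entry in PARSER_TABLE:
        if entry.nt != nt:
            continue
        if all(m is X or m == b for m, b in zip(entry.match, di)):
            return entry.pr_code
    return PR_DEFAULT_DROP


def run_dxp(packet: bytes) -> List[str]:
    """Drive the parser stack over one packet and collect the SEP dispositions."""
    stack = [NT_IP_DST]          # parser stack starts with the IP nonterminal
    pos = 0                      # input buffer pointer
    dispositions: List[str] = []
    while stack:
        nt = stack.pop()
        di = packet[pos:pos + MATCH_WIDTH].ljust(MATCH_WIDTH, b"\x00")
        rule = PRT[tcam_lookup(nt, di)]
        stack.extend(reversed(rule.symbols))      # replace NT with the rule's symbols
        if rule.sep is not None:
            dispositions.append(SCT[rule.sep](packet, pos))
        if rule.sep == "sep_drop":
            stack.clear()                         # nothing further to parse
        pos += rule.skip
    return dispositions


# Constructed packets: 4 destination-address bytes followed by the TCP flag byte.
SYN_TO_SERVER = bytes([10, 0, 0, 5, 0x02])
ACK_TO_SERVER = bytes([10, 0, 0, 5, 0x10])
SYN_FIN_TO_SERVER = bytes([10, 0, 0, 5, 0x03])
SYN_TO_UNKNOWN = bytes([10, 0, 0, 9, 0x02])

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN_TO_SERVER), ("ACK", ACK_TO_SERVER),
                      ("SYN+FIN", SYN_FIN_TO_SERVER), ("unknown dst", SYN_TO_UNKNOWN)]:
        print(f"{name:12s} -> {run_dxp(pkt)}")
```

The point the model makes is the one the text makes: the table lists only acceptable patterns, so the SYN+FIN packet and the packet for an unlisted destination are rejected by a table miss rather than by a dedicated "bad packet" rule, while the lone SYN reaches an SEP routine that holds it as a DoS candidate.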
Denial of service (DoS)
Fig. 3 shows how a DoS attack 16 can compromise a network processing device 406. In general, the purpose of DoS defense is to prevent malicious packets from reaching the network processing devices in private network 24. The embodiment described below is discussed in terms of a DoS attack that injects a large number of packets into a network device. However, there are other types of malicious attack that involve only one or a few malicious packets. For example, other malicious attacks can consist of one or a small number of related packets that disrupt the normal operation of a network processing device's protocol stack. Any of these malicious attacks on a network processing device or network is referred to below as a DoS attack, and all of them fall within the scope of the present system.
Referring to Fig. 3, an attacking device 14, usually but not necessarily operating outside private network 24, floods private network 24 with a large number of packets 16. In one embodiment, a large number of Transmission Control Protocol (TCP) synchronize (SYN) packets 400 are sent by attacking computer 14 to destination addresses in private network 24. In another embodiment, attacker 14 can send a large number of packet fragments 402 to destination addresses in private network 24. In either case, packets 16 cause one or more network devices 406 in private network 24 to maintain state 408 for each distinct received TCP SYN packet 400, and to maintain state 410 for each group of received packet fragments 402.
TCP SYN attack 400 and packet fragment attack 402 are only examples of the many different types of possible DoS attack. For example, an attacker can also disrupt a network device by sending TCP finish packets (FIN) or overlapping packet fragments. In another port-based DoS attack, a worm virus can be planted on an internal machine of private network 24 and then directed by attacker 14 to send spoofed packets from inside private network 24. DoS attacks can also be launched with Internet Control Message Protocol (ICMP) messages.
Whenever a new TCP SYN packet 400 is received, network processing device 406 keeps new TCP session state 408 and sends a corresponding TCP ACK message 404 back to the sending device (attacker 14). Attacker 14, however, can ignore TCP ACK reply 404 and instead keep sending new TCP SYN messages 400 to private network 24. Attacker 14 can also insert a forged source address into TCP SYN message 400, so that network device 406 sends TCP SYN ACK message 404 to another victim computer, which is then burdened with processing a large number of TCP SYN ACK messages 404.
Network processing device 406 must keep the TCP state 408 corresponding to each TCP SYN message 400 for some predetermined period of time. Keeping a huge number of false TCP states 408 exhausts the resources of network device 406 to the point that processing of legitimate IP traffic is seriously slowed or legitimate IP traffic is dropped.
Under a similar assumption, attacker 14 can send packet fragments 402 with related sequence numbers. Network processing device 406 must hold state 410 until every packet fragment 402 in the sequence is received or a timeout period ends. Attacker 14 can intentionally omit a packet fragment 402 from the sequence. This forces network device 406 to keep state 410 for each group of packet fragments for the duration of the timeout period, thereby exhausting processing resources.
A conventional technique for defending against these types of DoS attack is to rate-limit incoming packets 16. For example, network processing device 406 can identify the destination address of every TCP SYN packet. When the number of packets received exceeds a set rate, TCP SYN packets for that particular destination address are dropped.
However, continuously monitoring and tracking each DoS attack consumes a large amount of device resources. Network processing device 406 must monitor every incoming packet for every possible DoS threat. For example, network processing device 406 must identify every TCP SYN packet and every packet fragment. This alone can be processing-intensive. But network processing device 406 must also track the number and rate of similar packets received, and if necessary drop packets of the similar type that reach the DoS rate limit. One problem is that, at current wire speeds, current computer architectures do not have the capacity to carry out these DoS operations.
Referring to Fig. 4, firewall 420 identifies and defends against DoS attacks more effectively by rate-limiting packets in a unique way. In the following description, any packet that may become part of a DoS attack is called a DoS candidate packet. Thus, TCP SYN packets are identified by firewall 420 as DoS candidate packets. Fragmented packets can also be used in a possible DoS attack, and are therefore also identified by firewall 420 as DoS candidate packets.
Firewall 420 rate-limits DoS candidate packets according to their associated destination address. Identifying and managing the destination address of every possible DoS attack may require substantial processing resources. However, the architecture used for firewall 420 is more efficient and scalable than previous firewall architectures, and can therefore monitor and remove a large number of different DoS attacks at high line speed.
Zones
Policy management can assign different zones to a network processing device or network. For example, these different zones can be associated with different external and internal network interfaces on the network processing device. These zones can be considered a network policy management arrangement independent of the DoS operations. However, one aspect of firewall 420 is that it takes the interface zones previously designated by the policy manager into account when analyzing DoS threats.
For example, a first zone 1 can be associated with public IP traffic received from public network 12 through interface 426. A second zone 2 can be associated with partially trusted virtual private network (VPN) traffic received over public network 12 through a VPN tunnel 424. For example, VPN tunnel 424 can be established between private network 24 and a home computer 422. Home computer 422 may be operated by an employee of the entity that operates private network 24. A third zone 3 can be associated with highly trusted IP traffic originating inside private network 24 and received through interface 428.
Each zone can be associated with a different level of trust and accordingly assigned a different DoS rate limit. The DoS rate limit refers to the number of DoS candidate packets of a particular type (for example, packets containing a TCP SYN message) with the same destination address that are allowed through firewall 420 in a particular time period. After the rate limit is reached, any additional packets of the same DoS type and destination address are dropped. For example, packets received from zone 1 through interface 426 are associated with a first level of trust, because these packets are received from untrusted sources on public network 12. Packets received from zone 1 are therefore assigned a lower DoS rate limit than packets from other zones.
Zone 2 has an intermediate level of trust, because its packets are presumed to be received from a known source 422. Zone 2 can therefore be assigned a higher DoS rate limit than zone 1. For example, in a limited time period, a relatively larger number of TCP SYN packets with the same destination address can be allowed through zone 2 than through zone 1. In this embodiment, zone 3 has the highest level of trust because all packets received on interface 428 come from machines located inside private network 24. Packets received from zone 3 can therefore be assigned an even higher DoS rate limit.
The zone associated with a received packet can be identified from source address or port information. For example, based on an associated source address, VLAN ID, and/or the interface on which the packet is received, RSP 100 or some other processing device in firewall 420 can determine the zone associated with an incoming packet. Firewall 420 then manages DoS attacks partly on the basis of the zone identified as associated with the packet. For example, packets associated with a potential DoS threat can be counted, managed, and rate-limited according to their associated zone. This lets firewall 420 allocate DoS resources to different interfaces more effectively according to their associated level of trust.
Referring to Fig. 5, one embodiment of firewall 420 shown in Fig. 4 comprises a processor 442 that receives an incoming packet stream 440 which can contain DoS candidate and non-DoS candidate packets. Processor 442 first identifies packets in packet stream 440 that may be associated with a DoS attack (DoS candidate packets). For example, processor 442 can identify any incoming packet fragment, or any packet containing a TCP SYN message, as a DoS candidate packet.
Processor 442 accesses a table 464 to identify the zone 468 associated with the identified DoS candidate packet. For example, processor 442 can match a port value in the identified DoS packet against port number entries 466 in table 464. The processor then identifies the zone 468 associated with the matching port entry 466 in table 464.
Processor 442 uses the combination of the destination address 472 of the identified DoS packet and the associated zone value 468 as the address into a Content Addressable Memory (CAM) 444. CAM 444 contains DoS entries 445, each a combination of a destination address value and a zone value. The address location in CAM 444 serves as a pointer into a static random access memory (SRAM) 450.
Memory locations in SRAM 450 are divided into fields containing a DoS attack flag 452, a timestamp 454, a generation value 456, and an offset 458. DoS attack flag 452 is set whenever the number of packets for a particular destination address exceeds a predetermined DoS rate limit. As mentioned above, the DoS rate limit can be customized according to the different zones 448.
Timestamp 454 is set whenever a new entry is added to TCAM 444, and is reset whenever the accumulated time of the timestamp exceeds the predetermined DoS time period. Generation value 456 is used by processor 442 to allocate and manage DoS entries in TCAM 444, SRAM 450, and dynamic random access memory (DRAM) 462. Offset value 458 serves as a pointer into DRAM 462. DRAM 462 contains a set of counters 460 that track the number of packets for a particular destination address received by firewall 420 during the DoS time period.
Processor 442 identifies a new DoS candidate packet 474 that could potentially become part of a DoS attack. The destination address 472 and zone value 468 of newly identified packet 474 are used as the address into CAM 444. Because new DoS candidate packet 474 will not match any existing entry, processor 442 adds a new DoS entry 445 for packet 474 to CAM 444.
The DoS attack flag 452 corresponding to the new DoS entry in CAM 444 is cleared, and timestamp 454 is set to the current time value. As described in more detail in Fig. 6 below, generation value 456 is set to whatever generation processor 442 is currently operating in. Processor 442 uses address offset value 458 to increment the corresponding counter 460 in DRAM 462 to 1. Processor 442 then processes the next packet in packet stream 440.
A packet 441 in packet stream 440 that does not meet the criteria for a possible DoS attack is not identified as a DoS candidate. For example, packet 441 can be a regular IP packet that is not a packet fragment and does not contain a TCP SYN message. In this case, processor 442 allows packet 441 through firewall 420 without performing further DoS processing.
The next packet in packet stream 440 can be identified as a possible DoS attack (DoS candidate packet). In this embodiment, the next identified packet already has a corresponding DoS entry in CAM 444. For example, one or more TCP SYN packets or packet fragments with the same destination address were previously received by firewall 420 during the same DoS time period. The destination address 472 and zone 468 of the packet will therefore match one of the entries in CAM 444. The address 449 corresponding to the matching CAM entry 445 is then used as the address into SRAM 450.
Processor 442 first checks DoS attack flag 452 in SRAM 450. If DoS attack flag 452 is set, processor 442 drops the corresponding packet from packet stream 440. If necessary, processor 442 can then update timestamp 454 and generation value 456.
If DoS attack flag 452 is not set, processor 442 allows the associated packet in packet stream 440 through firewall 420. Processor 442 then updates the DoS state information in SRAM 450 and DRAM 462. For example, processor 442 increments the corresponding counter 460 in DRAM 462 and then compares timestamp 454 with the current time value. If timestamp 454 is not too stale, the corresponding value of counter 460 in DRAM 462 is valid and is compared with the DoS rate limit. If counter value 460 is below the DoS rate limit, processor 442 continues by processing the next packet in packet stream 440.
If timestamp 454 is too stale when compared with the current time value, the corresponding count value 460 in DRAM 462 is invalidated and reset to 0. Timestamp 454 can also be reset to the current time value. Counter 460 is thus effectively reset every predetermined period of time. If timestamp 454 is valid (not too stale) and the incremented count 460 in DRAM 462 exceeds the DoS rate limit, processor 442 sets the corresponding DoS attack flag 452. This causes processor 442 to drop similar packets with the same destination address.
Generations
Generation value 456 is used to manage the DoS entries in CAM 444, SRAM 450, and DRAM 462. Referring to the embodiment of Fig. 6, CAM 444 is logically divided into up to 4 different generation portions 480. This is only one embodiment, however; the system can be configured with any number of generation portions, and these generation portions can have any configurable size.
By inserting and removing DoS entries according to generation 480, processor 442 in Fig. 5 identifies and manages DoS attacks more effectively. Referring to Figs. 5-7, processor 442 in operation 490 begins entering DoS entries into the current generation 480. This is shown in Fig. 6, where DoS entries 482 are entered into current generation 0. In operation 492, for each entry 482 added to current generation 0, processor 442 removes one entry 484 from the next generation 1. This ensures that CAM 444 always has free space when processor 442 moves to the next generation.
A DoS entry 482 may already exist in CAM 444. In this case, in operation 494, processor 442 changes the currently assigned generation value 456 of the existing DoS entry to the current generation. For example, DoS entry 482 is received while the processor is operating in generation 0. DoS entry 482 can match an existing DoS entry 489 currently assigned to generation 2. In operation 494, processor 442 changes existing DoS entry 489 from generation 2 to generation 0. It should be understood that DoS entry 489 is not physically moved to another location in CAM 444, but is logically moved from generation 2 to generation 0 when processor 442 reassigns generation value 456 in SRAM 450 from 2 to 0.
Moving existing DoS entries to the current generation ensures that long-lived active DoS entries in CAM 444 are not discarded by processor 442. For example, a DoS attack can last for a long period of time. Each newly received packet of the same DoS attack causes the existing DoS entry in CAM 444 to be updated to the current generation value. This ensures that DoS entries representing active DoS attacks remain in CAM 444, while DoS entries representing other, older DoS attacks that did not grow into active attacks, or that are no longer active, are removed from CAM 444.
In operation 496, processor 442 decides when to switch to the next generation 480. Different events can cause processor 442 to move to the next generation. When all entries in the current generation have been filled, processor 442 can move to the next generation in operation 498. This can occur, for example, when an attacker sends many TCP SYN messages with different destination addresses.
Processor 442 also moves to the next generation in operation 498 when a predetermined period of time expires. This ensures that all timestamps 454 (Fig. 5) are consistent with the current time period tracked by processor 442. For example, timestamp 454 in SRAM 450, combined with the associated count value in DRAM 462, determines the rate at which packets are received for a given destination address. After the timestamp period expires, processor 442 needs to reset timestamp value 454 and the associated count value 460.
However, after the current time value used by processor 442 rolls over or is reset to 0, old DoS entries could potentially remain in CAM 444. In this case, processor 442 could mistakenly add a count value to a counter 460 in DRAM 462 that corresponds to a previous timestamp period. This would cause counter 460 to count packets across multiple timestamp periods erroneously, producing false DoS attack detections. In other words, counting packets across multiple timestamp periods gives a false indication of the true packet rate.
To solve this potential rollover problem, in operation 496 processor 442 automatically moves to the next generation after some predetermined period of time, regardless of the number of entries in the current generation. This predetermined period of time, multiplied by the total number of generations (in this embodiment, 4), is less than the timestamp rollover period used by processor 442.
For example, processor 442 can maintain a current timer that rolls over every 4 seconds. The predetermined period of time for moving to the next generation can be set to 0.5 second. This ensures that all stale DoS entries in CAM 444 are removed every 2 seconds. Processor 442 therefore ensures that all timestamps 454 in SRAM 450 are associated with the same timestamp period. This also has the non-trivial advantage of allowing a small number of bits in SRAM 450 to be used for timestamp 454. In other words, timestamp value 454 needs only enough bits to track a time period of roughly 2 seconds or more.
If the size limit or timestamp period is not reached in operation 496, processor 442 continues in operations 490-494 to fill the current generation with new DoS entries and to reassign existing DoS entries to the current generation. If the size or timestamp limit is reached in operation 496, processor 442 moves to the next generation in operation 498 and begins adding entries to the new generation. For example, processor 442 begins moving new DoS entries 486 into generation 1, and accordingly begins removing existing DoS entries 488 from the next generation 2.
Streamlined DoS attack identification
Referring back to Fig. 5, when an incoming packet 440 is identified in CAM 444, the associated counter 460 in DRAM 462 needs to be incremented to determine whether a large number of similar packets have reached the DoS attack limit within the time period tracked by timestamp 454. However, the time required to access DRAM 462 can delay the DoS attack decision and the subsequent dropping of the packet. It can also delay processing of other packets through firewall 420. Processor 442 uses DoS attack flag 452 to quickly identify DoS packets that are part of a current DoS attack.
Referring to Figs. 5 and 8, DoS attack flag 452 is used together with other processing to reduce the delay needed to identify and handle DoS attacks. In operation 540, processor 442 receives a packet. In operation 542, processor 442 determines whether the received packet contains a new destination address and zone that are not currently contained as a DoS entry in CAM 444.
If there is no pre-existing entry in CAM 444, the packet is immediately allowed through firewall 420. Since this packet is not currently identified in CAM 444, it cannot be part of a current DoS attack and therefore is not dropped. After the packet has been allowed through, processor 442 performs the DoS maintenance operations. This ensures that the identification of other packets following this packet is essentially not delayed.
As in Figs. 6 and 7 above, in the subsequent maintenance, processor 442 in operation 546 adds the new DoS entry to the current generation, and in operation 548 removes a DoS entry from the next generation. In operation 550, processor 442 clears DoS attack flag 452 (if not already cleared), sets a new timestamp value 454, sets the current generation value 456, and increments the corresponding counter 460 in DRAM 462.
If necessary, in operation 552, processor 442 changes the current generation. For example, as described above, processor 442 changes the current generation when all entries in the current generation are full or after the predetermined timestamp period expires. Because the timestamp 454 of the new DoS entry was just set, the timestamp period will not be exhausted; the new DoS entry may, however, have reached the current DoS entry limit for the current generation.
Returning to operation 542, processor 442 can receive a packet with a destination address and zone that correspond to an existing DoS entry in CAM 444. In operation 560, processor 442 immediately reads DoS attack flag 452 in the SRAM 450 location corresponding to the matching CAM entry. If the corresponding DoS attack flag 452 is set, the packet is dropped immediately in operation 560. The packet can be dropped by not outputting it and eventually overwriting it in memory.
If necessary, processor 442 updates the information in SRAM 450 in operations 582-586. However, because DoS attack flag 452 is set, processor 442 does not need to increment the associated counter in DRAM 462. For example, in operation 582, processor 442 can update the generation value 456 of the DoS entry to the current generation. In operation 584, processor 442 then determines whether timestamp 454 has expired. For example, when the difference between the current timestamp value tracked by processor 442 and timestamp 454 is greater than some predetermined period of time, for example 1 second, timestamp 454 is reset to the current timestamp value. Accordingly, in operation 586, the associated counter value 460 and DoS attack flag 452 can be cleared.
Because timestamp 454 only occasionally needs to be reset (for example, once every 2 seconds), the count value in DRAM 462 only needs to be accessed occasionally in operation 586. This is particularly important because DRAM 462 requires a longer access time than SRAM 450. The time processor 442 needs for DoS maintenance is therefore reduced. In any case, because the DoS maintenance operations are carried out after the packet is dropped in operation 580, other incoming packets 440 (Fig. 5) are not unnecessarily delayed by processor 442. This allows firewall 420 to filter packets at gigabit or faster line speeds during a DoS attack without substantially slowing the processing of other legitimate packets.
In operation 560, the packet can have an existing DoS entry in CAM 444 while its associated DoS attack flag 452 is not set. In operation 562, the packet is allowed through firewall 420. If necessary, in operation 564, processor 442 updates the generation information 456 of the matching DoS entry in CAM 444. For example, the existing generation 456 identified in SRAM 450 is set to the current generation. If necessary, processor 442 can also change the current generation in operation 564 when the generation time period has expired or the number of generation entries in the current generation has reached the predetermined maximum described earlier in Figs. 6 and 7.
In operation 566, counter 460 is incremented, and in operation 568, processor 442 checks count value 460 and the accumulated time of the associated timestamp 454 for the existing DoS entry. In operation 570, if the timestamp value is older than the timestamp period (the timestamp has expired), count 460 and timestamp 454 are reset in operation 572.
If the timestamp in operation 570 is valid, processor 442 determines in operation 574 whether counter 460 has exceeded the DoS attack limit. If not, processor 442 returns to operation 540 and processes the next identified DoS candidate packet of a possible DoS attack. If counter 460 has exceeded the DoS attack limit, DoS attack flag 452 is set in operation 576.
It should be noted that in one embodiment, DoS attack flag 452 is set after the associated packet has passed through firewall 420. This one additional packet is usually not enough to disrupt the operation of the target machine in private network 24 (Fig. 3). Not having to wait for the DoS bookkeeping operations to complete before forwarding packets through firewall 420 substantially improves firewall performance. Further, because the operations described above may be performed only on packets associated with a possible DoS attack (DoS candidate packets), the amount of processing required for DoS management and monitoring is greatly reduced compared with other firewall architectures that process every received packet for a possible DoS attack.
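As an added example (not code from the patent), the Fig. 5 and Fig. 8 decision logic modelled in C: a (destination address, zone) lookup standing in for CAM 444, a record with the attack flag, timestamp, generation and offset fields of SRAM 450, and a counter array standing in for DRAM 462. The three zones, their rate limits of 3, 6 and 12 packets per 2-second period, the 64-entry CAM and the packet trace are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ZONES      3
#define CAM_SIZE   64          /* assumed CAM depth */
#define DOS_PERIOD 2           /* assumed timestamp period in seconds */

/* Assumed per-zone DoS rate limits (packets per DOS_PERIOD):
   zone 0 = public (lowest trust), zone 1 = VPN, zone 2 = internal. */
static const uint32_t zone_rate_limit[ZONES] = { 3, 6, 12 };

typedef struct {               /* the SRAM 450 record of Fig. 5 */
    bool     attack_flag;      /* 452: set once the rate limit is exceeded */
    uint32_t timestamp;        /* 454: start of the current count period */
    uint8_t  generation;       /* 456: generation the entry belongs to */
    uint32_t offset;           /* 458: index of the DRAM counter */
} dos_state_t;

typedef struct {               /* a CAM 444 entry 445: address + zone */
    bool     valid;
    uint32_t dst_addr;
    uint8_t  zone;
} cam_entry_t;

typedef struct {
    cam_entry_t cam[CAM_SIZE];
    dos_state_t sram[CAM_SIZE];
    uint32_t    counters[CAM_SIZE];   /* DRAM counters 460 */
    uint8_t     current_gen;
} firewall_t;

typedef enum { DOS_PASS, DOS_DROP } verdict_t;

static int cam_lookup(const firewall_t *fw, uint32_t dst, uint8_t zone) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (fw->cam[i].valid && fw->cam[i].dst_addr == dst && fw->cam[i].zone == zone)
            return i;
    return -1;
}

static int cam_insert(firewall_t *fw, uint32_t dst, uint8_t zone, uint32_t now) {
    for (int i = 0; i < CAM_SIZE; i++) {
        if (fw->cam[i].valid) continue;
        fw->cam[i]  = (cam_entry_t){ true, dst, zone };
        fw->sram[i] = (dos_state_t){ false, now, fw->current_gen, (uint32_t)i };
        fw->counters[i] = 1;           /* this packet opens the count period */
        return i;
    }
    return -1;                         /* full: generation eviction should prevent this */
}

/* Counter for an entry, or -1 if no entry exists (for inspection/tests). */
int dos_counter(const firewall_t *fw, uint32_t dst, uint8_t zone) {
    int idx = cam_lookup(fw, dst, zone);
    return idx < 0 ? -1 : (int)fw->counters[fw->sram[idx].offset];
}

/* Decide the fate of one DoS candidate packet (TCP SYN or fragment); 'now' is
   the firewall's own timer in seconds. Non-candidate packets never get here. */
verdict_t dos_process(firewall_t *fw, uint32_t dst, uint8_t zone, uint32_t now) {
    int idx = cam_lookup(fw, dst, zone);
    if (idx < 0) {                     /* new address/zone: pass, then bookkeeping */
        cam_insert(fw, dst, zone, now);
        return DOS_PASS;
    }
    dos_state_t *st = &fw->sram[idx];
    st->generation = fw->current_gen;  /* keep an active entry in the current generation */
    if (st->attack_flag) {
        /* Fast path: one SRAM read decides; the DRAM counter is only touched
           when the period has expired and the entry must be re-armed. */
        if (now - st->timestamp >= DOS_PERIOD) {
            st->timestamp = now;
            fw->counters[st->offset] = 0;
            st->attack_flag = false;
        }
        return DOS_DROP;
    }
    if (now - st->timestamp >= DOS_PERIOD) {   /* stale timestamp: count is invalid */
        st->timestamp = now;
        fw->counters[st->offset] = 0;
    }
    fw->counters[st->offset]++;
    if (fw->counters[st->offset] > zone_rate_limit[zone])
        st->attack_flag = true;        /* this packet passes; later matches are dropped */
    return DOS_PASS;
}

int main(void) {
    firewall_t fw;
    memset(&fw, 0, sizeof fw);
    static const char *name[] = { "PASS", "DROP" };
    /* Constructed trace: six SYNs to one host from the public zone at t=10 s,
       then one more at t=12 s, after the 2-second period has expired. */
    for (int i = 0; i < 6; i++)
        printf("SYN %d at t=10: %s\n", i + 1, name[dos_process(&fw, 0xC0A80001u, 0, 10)]);
    printf("SYN at t=12: %s\n", name[dos_process(&fw, 0xC0A80001u, 0, 12)]);
    return 0;
}
```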
Implementing DoS protection in the RSP
Referring briefly back to Fig. 5, any processor 442 can be used to implement the firewall system described above. To further improve performance, however, in one embodiment processor 442 is implemented with the reconfigurable semantic processor (RSP) 100 previously described in Figs. 2A-2C. Fig. 9 shows in more detail how RSP 100 is used for DoS protection. For simplicity of explanation, some of the processing elements of RSP 100 previously described in Figs. 2A-2C are not shown in Fig. 9.
An incoming packet 600 is received in input buffer 140. DXP 180 contains, or is associated with, grammar in parser table 170 (Fig. 2A) that identifies packets 600 associated with a possible DoS attack (DoS candidate packets). For example, the parser grammar can identify any incoming packet 600 containing a TCP SYN message, a TCP FIN message, a packet fragment, etc. On identifying a DoS candidate packet, DXP 180 sends a DoS identification message 602 to SPU 200. Message 602 launches DoS SEP code 620 from SCT 210 for execution by SPU 200. DoS SEP code 620 causes SPU 200 to perform the different DoS operations described above in Figs. 3-8.
Memory system 215 contains the DRAM 462, CAM 444, and SRAM 450 shown previously in Fig. 5. In one embodiment, array machine-context data memory (AMCD) 230 is used to access data in DRAM 462 or SRAM 450 through a hash function or content addressable memory (CAM) 444.
AMCD 230 contains a free table 604 with a bit 605 associated with each entry in CAM 444. In free table 604, any unused entry in CAM 444 is represented by a zero bit 605, and any valid DoS entry in CAM 444 is represented by an associated one bit 605. AMCD 320 supports a Find First Zero (FFZ) instruction from SPU 200, with which SPU 200 identifies the first zero bit in free table 604.
When SPU 200 needs to identify a location in CAM 444 to load a new DoS entry, it executes the FFZ instruction on free table 604. The FFZ instruction returns the position of the first zero bit in free table 604, which is then used as a pointer to the corresponding entry in CAM 444. SPU 200 loads the destination address and zone of the new packet into the identified address location in CAM 444.
As described in Fig. 6, DoS entries are added to the current generation in CAM 444 while other DoS entries are removed from the next generation. SPU 200 uses generation tables 608 to quickly identify which entries in CAM 444 should be removed from the next generation. Each generation in CAM 444 has an associated generation table 608A-D. Each valid DoS entry in CAM 444 associated with a particular generation has a corresponding zero bit set in the associated generation table 608. For example, the third entry in CAM 444 contains a DoS entry associated with generation 0. SPU 200 therefore sets the third bit in generation table 608A to zero.
If a DoS entry needs to be removed from generation 0, SPU 200 executes the FFZ operation on generation table 608A. This identifies the third bit in generation table 608A, which SPU 200 then uses to invalidate the corresponding third DoS entry in CAM 444. For example, SPU 200 sets the third bit in generation table 608A to 1 and sets the third bit in free table 604 to 0. Of course, this is only one embodiment of how tables 604 and 608 operate. Other table structures can also be used.
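As an added example (not from the patent), the free table, generation tables and Find First Zero bookkeeping of Fig. 9 modelled in C on 32-bit words, which also carries out the Figs. 6 and 7 rule of evicting one entry from the next generation for each entry added to the current one. The 32-slot CAM, four generations and the 0.5 s generation period are assumptions taken from the text's example numbers; the bit encoding follows the text (one bit = valid slot in the free table, zero bit = member of a generation in its generation table).

```c
#include <stdint.h>
#include <stdbool.h>

#define CAM_SLOTS   32             /* assumed CAM depth: one bit per slot in a uint32_t */
#define GENERATIONS 4
#define GEN_PERIOD_MS 500          /* 0.5 s x 4 generations = 2 s, below the 4 s timer rollover */

typedef struct {
    uint32_t free_table;               /* free table 604: bit i = 1 means slot i is valid */
    uint32_t gen_table[GENERATIONS];   /* tables 608A-D: bit i = 0 means slot i is in that generation */
    uint8_t  current_gen;              /* table 614: the generation being filled */
} cam_tables_t;

void tables_init(cam_tables_t *t) {
    t->free_table = 0;
    for (int g = 0; g < GENERATIONS; g++)
        t->gen_table[g] = UINT32_MAX;  /* all ones: no members yet */
    t->current_gen = 0;
}

/* Find First Zero: index of the lowest clear bit, or -1 if every bit is set. */
int find_first_zero(uint32_t word) {
    if (word == UINT32_MAX) return -1;
    int i = 0;
    while (word & (1u << i)) i++;
    return i;
}

/* Invalidate a CAM slot: leave its generation, then mark it free. */
static void cam_free_slot(cam_tables_t *t, int gen, int slot) {
    t->gen_table[gen] |= 1u << slot;
    t->free_table &= ~(1u << slot);
}

/* Allocate a slot for a new DoS entry in the current generation and, as in
   operation 492, remove one entry from the next generation so that the CAM
   still has room when the generation advances. Returns the slot or -1 if full. */
int cam_alloc(cam_tables_t *t) {
    int slot = find_first_zero(t->free_table);
    if (slot < 0) return -1;
    t->free_table |= 1u << slot;
    t->gen_table[t->current_gen] &= ~(1u << slot);
    int next = (t->current_gen + 1) % GENERATIONS;
    int victim = find_first_zero(t->gen_table[next]);
    if (victim >= 0) cam_free_slot(t, next, victim);
    return slot;
}

/* Operation 494: an entry hit again is moved (logically) into the current generation. */
void cam_touch(cam_tables_t *t, int slot, int old_gen) {
    t->gen_table[old_gen] |= 1u << slot;
    t->gen_table[t->current_gen] &= ~(1u << slot);
}

void cam_advance_generation(cam_tables_t *t) {
    t->current_gen = (t->current_gen + 1) % GENERATIONS;
}

/* Number of valid entries currently assigned to a generation. */
int cam_gen_count(const cam_tables_t *t, int gen) {
    int n = 0;
    for (int i = 0; i < CAM_SLOTS; i++)
        if (!(t->gen_table[gen] & (1u << i))) n++;
    return n;
}

/* Operation 496: advance when the current generation is full or its period has elapsed. */
bool cam_should_advance(const cam_tables_t *t, int max_per_gen, uint32_t elapsed_ms) {
    return cam_gen_count(t, t->current_gen) >= max_per_gen || elapsed_ms >= GEN_PERIOD_MS;
}
```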
As mentioned above, these DoS maintenance operations, which identify which entries in CAM 444 are valid and which DoS entries to remove from CAM 444, can be performed after SPU 200 has dropped the associated packet or allowed it through RSP 100.
Memory system 215 also contains a table 606 that SPU 200 uses to identify the zones previously designated by the policy manager. For example, a packet can contain a port number identified by DXP 180. SPU 200 can compare the port number with packet identifiers 610A in table 606 to identify the zone 610B in which this packet was received. Table 606 can also contain the packet rate 610C associated with each zone, for identifying DoS attacks. A timer 612 is used by SPU 200 to generate the timestamp for each DoS entry in SRAM 450 and to determine when the timestamp period of each timestamp has expired. A generation table 614 identifies the current generation.
RSP 100 can also identify and discard any packet with a spoofed IP address. For example, a set of IP addresses is maintained as multicast destination addresses. A received packet can be detected by DXP 180 as having a source address corresponding to a stored multicast address, and the packet is dropped immediately.
Figs. 10 and 11 describe at a higher level how RSP 100 implements the DoS operations described above. Referring specifically to Figs. 10 and 11, and generally to Fig. 9, in operation 650 DXP 180 parses incoming packet 600. In operation 652, the grammar in parser table 170 is used by DXP 180 to identify any DoS candidate packet. At the same time, DXP 180 can direct SPU 200 to store incoming packet 600 in DRAM 462, or the packet can be held temporarily in input buffer 140. In operation 654, DXP 180 also identifies the destination address of the packet and the zone in which the packet was received.
When a DoS candidate packet is identified, in operation 656 DXP 180 sends signaling 602 to SPU 200 to load the DoS SEP code 620 associated with the required DoS operation. For example, SEP code 620 can be associated with a particular type of DoS operation, where the DoS operation is associated with an identified TCP SYN packet or an identified packet fragment.
In operation 658, the SPU compares the identified destination address and associated zone information with the entries in CAM 444. In operation 660, if a corresponding DoS entry exists in CAM 444, SPU 200 performs the DoS operations described below in Fig. 11. If no DoS entry currently exists in CAM 444, SPU 200 allows the packet through the firewall in operation 662. This means that SPU 200 can proceed to perform any other required firewall processing on the corresponding packet in DRAM 462 before sending the packet directly to output buffer 150. Or, if the packet has not yet been stored in DRAM 462, SPU 200 can have the packet in input buffer 140 stored in DRAM 462 for further processing.
SPU 200 then performs any required DoS maintenance. For example, in operation 664, SPU 200 reads table 614 in AMCD 320 to determine which generation is currently active for the relevant DoS operation. SPU 200 also reads tables 604 and 608 to determine where in CAM 444 the new DoS entry is to be added and which DoS entry is to be deleted from the next generation. In operation 666, SPU 200 updates CAM 444 with the new DoS entry and reads the contents of the corresponding memory location in SRAM 450. Finally, in operation 668, SPU 200 updates the timestamp and generation information in SRAM 450 and the count information in DRAM 462.
With reference to Figure 11, when the destination address of bag and zone when being DoS entry among the CAM444, operating in 700, SPU200 reads corresponding memory position among the SRAM450.In operation 702, SPU200 checks whether be provided with the DoS attack sign.If be provided with the DoS attack mark, SPU deletes bag or deletion bag from input buffer 140 immediately from DRAM462 in operation 704 so.For example, SPU200 can be provided with the deleted marker that shows that bag is invalid in DRAM462.
Then, from DRAM462, read invalid bag never again, and finally rewrite with other data.When also not being stored among the DRAM462, just deletion in input buffer 140 of bag.If the DoS attack mark is not set, in operation 706, SPU discharges bag immediately to be further processed so.For example, bag can be sent to certain location among the DRAM462 immediately from input buffer 140.If stored this bag in DRAM462, bag can send to another SPU200 to carry out further fire wall processing so, if perhaps portion needs further fire wall to handle, can send to output buffer 150 so.Alternatively, SPU200 can be be sent to recycle impact damper (recirculationbuffer) 160 from the bag among the DRAM 462, so that analyzed once more by DXP180.For example, DXP180 then can discern other the content in the bag relevant with the operation of other fire walls.
In operation 708, SPU200 upgrades the information among the SRAM450, and if desired, increases progressively counting 460 relevant among the DRAM462.In operation 710, SPU200 follows the information of any needs in updating form 604,606 and 614.Then, SPU200 waits for the new SEP instruction 602 from DXP180.
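The generation-aged DoS table and the Figure 10/11 decision described above, modelled in software as an added example (this is not the patent's code). The CAM size, aging period, per-zone rate limits and the packet dictionary are constructed assumptions, and the exact test that sets the attack flag from packet rate 610C is an assumption, since the text leaves it to the implementation.

```python
"""Added example, not code from the patent: a software model of the
generation-aged DoS entry table kept in CAM444 / SRAM450 (tables 604, 608A-D
and 614) and the packet decision of Figures 10 and 11.  The table size,
aging period, per-zone rate limits and the packet dict are constructed
assumptions; the patent leaves the exact rate test to the implementation."""
from dataclasses import dataclass
import time

N_ENTRIES = 8            # assumed CAM444 size (small so the bitmaps are visible)
N_GENERATIONS = 4        # one generation table 608A-D per generation
TIMESTAMP_PERIOD = 1.0   # assumed window (seconds) after which a count restarts

@dataclass
class DosEntry:
    """The SRAM450 record behind one CAM444 entry."""
    timestamp: float
    generation: int
    count: int = 1           # count 460 (kept in DRAM462 in the patent)
    attack: bool = False     # the DoS attack flag tested in operation 702

class DosTable:
    def __init__(self, zone_rate_limit, clock=time.monotonic):
        self.zone_rate_limit = zone_rate_limit   # table 606, packet rate 610C per zone
        self.clock = clock                       # timer 612 (injectable for tests)
        self.cam = [None] * N_ENTRIES            # CAM444 keys: (dst, zone) or None
        self.sram = [None] * N_ENTRIES           # SRAM450 records
        self.free = [0] * N_ENTRIES              # table 604: 0 = slot free, 1 = in use
        # tables 608A-D: bit 0 = the slot holds an entry of that generation
        self.gen = [[1] * N_ENTRIES for _ in range(N_GENERATIONS)]
        self.current_gen = 0                     # table 614

    @staticmethod
    def ffz(bits):
        """Find-first-zero, the primitive the SPU uses on tables 604 and 608."""
        for i, b in enumerate(bits):
            if b == 0:
                return i
        return None

    def lookup(self, dst, zone):
        """Operation 658: CAM match on destination address plus zone."""
        key = (dst, zone)
        return next((i for i, k in enumerate(self.cam) if k == key), None)

    def insert(self, dst, zone):
        """Operations 664-668: place a new entry in the current generation."""
        slot = self.ffz(self.free)
        if slot is None:
            return None                          # CAM full; caller still passes the packet
        self.cam[slot] = (dst, zone)
        self.sram[slot] = DosEntry(self.clock(), self.current_gen)
        self.free[slot] = 1
        self.gen[self.current_gen][slot] = 0
        return slot

    def advance_generation(self):
        """Retire every entry of the next generation (FFZ over its table,
        set the bit to 1, free the slot), then make that generation current."""
        nxt = (self.current_gen + 1) % N_GENERATIONS
        while (slot := self.ffz(self.gen[nxt])) is not None:
            self.gen[nxt][slot] = 1
            self.free[slot] = 0
            self.cam[slot] = self.sram[slot] = None
        self.current_gen = nxt

    def process(self, pkt):
        """Figures 10/11 for one parsed packet; returns 'pass' or 'drop'."""
        if not pkt.get("syn"):                   # operation 652: not a DoS candidate
            return "pass"
        slot = self.lookup(pkt["dst"], pkt["zone"])
        if slot is None:                         # operation 662: no entry yet
            self.insert(pkt["dst"], pkt["zone"])
            return "pass"
        e = self.sram[slot]                      # operation 700
        if e.attack:                             # operations 702/704: flagged, drop
            return "drop"                        # stays flagged until its generation retires
        now = self.clock()
        if now - e.timestamp > TIMESTAMP_PERIOD: # timestamp period exhausted: restart
            e.timestamp, e.count = now, 0
        e.count += 1                             # operation 708
        if e.count > self.zone_rate_limit[pkt["zone"]]:
            e.attack = True                      # assumed: rate over 610C sets the flag
        return "pass"                            # operation 706: released
```

Note that a flagged entry keeps dropping until `advance_generation` retires its generation, which is the aging behaviour the tables 604/608 implement in hardware.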
Unified firewall/forwarding management (unified policy management)
Referring to Figure 12, firewall 804 operates between first network 800 and second network 812. Firewall 804 provides multiple network interface operations. For example, in addition to identifying and filtering DoS attacks as described above, the firewall may also need to convert packets between different network formats, for example between IP version 4 (IPv4) and IP version 6 (IPv6), or between public and private IP addresses (network address translation, NAT). Firewall 804 may also be required to perform other virus detection and security operations.
A separate network processing device 806, such as a router or switch, is then required to route or switch the packets that pass through firewall 804. For example, packets received from router/switch 806 can be forwarded to other routers or switches 808, which can in turn forward the packets to other network processing devices in network 812. Router or switch 806 can also send packets to end points, such as server 810 or personal computer (PC) 814.
The problem with this traditional architecture is that firewall device 804 and routing device 806 operate independently. Separate processing and memory resources are therefore required for each device 802 and 806. This not only increases the hardware cost of the edge devices but also limits scalability, and it can prevent these edge devices from processing packets at the required line speed.
For example, firewall 804 may be required to monitor every input packet for possible TCP SYN packets. As described above, this may require firewall 804 to identify the destination address of every input packet. TCP SYN packets that are not part of a DoS attack are then forwarded to router 806. Router 806 then has to determine the destination address of the packets 805 received from firewall 804 a second time in order to send the packets to the appropriate destination. Each network processing device 804 and 806 thus performs some of the same packet processing operations on the same packets. As a result, each device 804 and 806 must maintain separate packet state, packet buffers, and so on. As described above, this limits the overall scalability and processing capacity of the network processing devices.
Referring to Figure 13, another aspect of the invention uses unified policy management (UPM) in network processing device 820 to process packets more efficiently. In one embodiment, UPM integrates traditional firewall and edge device operations with packet forwarding operations, which until now have been performed by separate, independently operating processors. In one embodiment, a unique access control list (ACL) table is used by processor 822 to provide multiple different UPM operations.
Processor 822 receives input packet stream 802 and identifies a predicate set 854 associated with an individual packet 821. Predicate set 854 is described in more detail in Figure 14 below, but in general it can be any information in the received packet that is relevant to a firewall or forwarding operation. For example, predicate set 854 can include, but is not limited to, IP addresses, TCP port numbers, IP protocol identifiers, and so on. In another unique aspect of the invention, predicate set 854 also includes higher open systems interconnection (OSI) layer information, for example session initiation protocol (SIP), uniform resource locator (URL), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP) and file transfer protocol (FTP) information, and other application layer information such as attachment flags and other text.
Access control list (ACL) table 840 is organized according to the various combinations of predicate entries 850 that may be associated with different UPM or other firewall operations. For example, a first group of firewall policy ACLs 848 can be associated with denial of service (DoS) operations that determine whether different input packets 821 are allowed to pass through network processing device 820. Firewall policy ACLs 848 can also be associated with other packet conversion, authorization and filtering operations that network processing device 820 needs to perform, for example network address translation (NAT), virus detection and filtering, IP version conversion, and so on.
In another particularly unique embodiment, ACL table 840 can also include a forwarding information base (FIB) 842 that associates different destination addresses 844 with different destination port numbers 846. FIB 842 can reside in a separate section of ACL table 840 and/or, as described in more detail below, can be integrated with some of the firewall policy ACLs 848.
The ACL entries in table 840 also include actions 852 that direct processor 822 to allow or deny the associated packet through network processing device 820. Other ACL actions 852 can direct the associated packet to a specific destination or return it to processor 822 for other processing. In other cases, a firewall policy action 852 can direct processor 822 to send the associated packet 821 to a specific output port 846.
The combination of firewall policy ACLs 848 and FIB 842 in table 840 provides multiple different UPM operations that are not normally performed in the same network processing device 820. For example, a smaller subset of UPM operations includes dropping packets 838 because of DoS or intrusion detection, as described above. Network processing device 820 can also modify or mark packets 824 before forwarding them to the destination address. For example, packets 824 can be encapsulated in a specific tunnel, or marked with a specific QoS class, and so on.
In another UPM action, an entry in ACL table 840 can direct processor 822 to record statistics for any passed or dropped packets 830 to server 828. In another UPM operation, mentioned briefly above, entries in ACL table 840 can cause processor 822 to forward packets 834 to different subnets 832 or devices 836 according to different firewall policy metrics. For example, packets 834 belonging to a particular HTTP session can be sent to server 836, while all other packets are sent to subnet 832.
In the description of Figure 13 above and in the further description below, forwarding and switching are used interchangeably. Those skilled in the art will understand that, as described in further detail below, UPM system 820 performs unified layer 2 switching and/or layer 3 forwarding operations in combination with other firewall policy metrics.
Access control list
Figure 14 shows exemplary entries of ACL table 840 described above in Figure 13. Any combination of predicates and actions can be combined in ACL table 840, and Figure 14 shows only some embodiments. In one embodiment, processor 822 (Figure 13) assembles one or more ACL predicates and submits the combined predicate set 854 as the address entry to the CAM that contains ACL table 840. The CAM outputs an action, namely the action associated with the first entry in ACL table 840 that matches the predicate set 854 submitted by processor 822.
First entry 860 in ACL table 840 includes destination IP address predicate 860A, source IP address predicate 860B, TCP port number predicate 860C, established TCP session predicate 860D and permit action 860E. In this embodiment ACL 860 is the first entry in ACL table 840. Of course, ACL entries can be loaded into ACL table 840 in any order and combination.
When predicate set 854 provided by processor 822 matches predicates 860A-860D, the associated action 860E is output from ACL table 840. In this embodiment, when the destination IP address and source IP address of input packet 821 (Figure 13) match the values in predicates 860A and 860B respectively, ACL table 840 outputs permit action 860E. The IP addresses identified in predicates 860A and 860B can be complete IP source and destination addresses or only the associated subnet addresses. In a manner similar to the subnet masks currently used in forwarding tables, the additional bits of the IP address can be masked as "don't care" values.
To match ACL entry 860, packet 821 (Figure 13) must also carry the TCP port number corresponding to predicate 860C. Note that no source or destination qualifier is associated with TCP port number predicate 860C. This means that either a source TCP port number C or a destination TCP port number C in packet 821 will match predicate 860C. Finally, to match ACL entry 860, input packet 821 must be part of an established TCP session, as required by established TCP predicate 860D. Predicate 860D is a flag in predicate set 854 that processor 822 sets when it determines that input packet 821 is part of an established TCP session. ACL entry 860 therefore does not match packets containing a TCP SYN message that attempts to establish a new TCP session.
The next two ACL entries 862 and 864 are associated with firewall policies relating to denial of service (DoS) attacks. To match ACL entry 862, the addresses in input packet 821 must match destination and source IP address predicates 862A and 862B respectively. In addition, input packet 821 must be a TCP packet, as required by type TCP predicate 862C. ACL entry 862 associates TCP packets with the specific destination and source IP addresses with TCP DoS action 862D, which corresponds to a specific zone described in Fig. 4 above. Action 862D can therefore direct processor 822 to perform the DoS operations described above in Figs. 4-11 using the specific packet rate limit corresponding to zone 1.
ACL entry 864 is associated with TCP DoS action 864D and includes destination IP address predicate 864A, which is identical to destination IP address predicate 862A. However, predicate 864B contains source IP address C, which differs from source IP address predicate 862B. This corresponds to packets received from a different network interface. ACL action 864D is therefore used to perform the TCP DoS operation using a different corresponding zone 3. Once the processor receives action 864D, it can detect DoS attacks using a different packet rate limit.
ACL entry 866 is associated with conversion between Internet protocol version 4 (IPv4) and Internet protocol version 6 (IPv6). For example, input packet 821 may be received over a network that operates with IPv6. However, the network on the other side of network processing device 820 may use IPv4. Network processing device 820 may therefore need to convert all IPv6 packets into IPv4 packets.
The IP type field in the IP header of input packet 821 identifies the packet as IPv4 or IPv6. Processor 822 extracts the destination IP address and the IP version identifier in the IP type field from packet 821 and formats them into predicate set 854, which is applied to ACL table 840. When predicate set 854 matches predicates 866A and 866B of ACL entry 866, processor 822 receives XLATE IPv6 action 866C in return. XLATE IPv6 action 866C directs processor 822 to convert input IPv6 packet 821 to IPv4 using specific rule 5. For example, IPv6 rule 5 can instruct processor 822 to encapsulate the IPv6 packet in an IPv4 header, or to encapsulate separate portions of the IPv6 address into different company and local codes contained in the IPv4 header. Conversion between IPv4 and IPv6 is described in further detail below in Figure 24.
ACL entries 868 and 870 are associated with policy-based forwarding and conversion operations. ACL entry 868 includes forwarding information base (FIB) forwarding criteria 868A and 868C in combination with firewall policy metric 868B. Similarly, ACL entry 870 includes FIB forwarding criteria 870A and 870C in combination with firewall policy metric 870B. These ACL entries 868 and 870 allow network processing device 820 to forward or switch packets to different ports based on both the IP destination address and firewall policy metrics.
For example, ACL entry 868 includes forwarding action 868C, which directs processor 822 to output input packets 821 of TCP packet type 868B with destination IP address G to port 3. ACL entry 870, however, directs processor 822 to forward packets of UDP packet type 870B with the same destination IP address G to a different output port 4. These policy-based forwarding ACLs can be used, for example, to send TCP packets that pose DoS threats to a particular processing device for further DoS processing, while UDP packets are sent to the destination address corresponding to predicate 870A. Of course, the entries in ACL table 840 are only a small sample of the different ACLs that can be used to carry out unified policy management.
Figure 15 describes in more detail how network processing device 820 in Figure 13 performs UPM. In operation 880 processor 822 receives input packet 821, and in operation 882 it generates predicate set 854 from the input packet. For example, processor 822 can be programmed to identify and extract a predetermined set of IP packet fields and to arrange them into predicates in a predefined order. If one of the IP packet fields is not present in input packet 821, the next packet field in the table is extracted and combined with the predicates already extracted and arranged.
In operation 884 processor 822 applies predicate set 854 to ACL table 840, and in operation 886 it receives and performs the action from the matching predicate entry in ACL table 840. For simplicity, only three kinds of action returned from the ACL table are described in Figure 15. However, any number of different actions can be configured in the ACL entries. If in operation 892 a drop action 852 is received from ACL table 840, the processor discards the packet in operation 900. Before starting to process the next input packet 821, in operation 902 processor 822 can record any statistical information associated with the dropped packet.
If in operation 890 a pass action 853 is received from the ACL table, in operation 898 the processor can forward or switch the packet according to FIB 842 (Figure 13). The pass action received in operation 890 can include the forwarding port number, or it can direct processor 822 to access ACL table 840 again to obtain the forwarding port information.
If in operation 888 a steer ACL action 853 is received from the ACL table, in operation 894 the processor performs the firewall operation associated with the ACL action. If applicable, processor 822 can also forward the packet in operation 894 according to the associated firewall policy metrics. For example, as described above in Figure 14, steer action 852 can direct the processor to forward TCP packets through a particular port to a network processing device that checks for DoS attacks.
Alternatively, the steer action 852 identified in operation 888 can direct processor 822 to perform other firewall processing on the packet. For example, steer action 852 can also direct processor 822 to perform network address translation (NAT). In that case, in operation 882, if required, processor 822 can extract another predicate set 854 from packet 821 and, in operation 884, apply the new predicate set 854 to ACL table 840 again. Depending on the next ACL action 852 received from ACL table 840, processor 822 can then drop, pass or steer the packet on which the NAT operation was previously performed.
Forwarding packets according to upper OSI layers
Figure 16 describes another embodiment of how forwarding and switching operations are integrated with firewall policy management. ACL table 910 is similar to ACL table 840 in Figure 13. However, ACL table 910 combines the forwarding information base (FIB) with layer 4 and layer 7 policy metrics 910D and 910E respectively.
An important point to note is that any combination of policy management metrics can be added to traditional forwarding and switching simply by adding new predicates to table 910. Another point to note is that forwarding or switching decisions are conventionally restricted to the Internet layers of the open systems interconnection (OSI) model. For example, switches and routers usually make packet forwarding decisions based on packet port numbers and IP addresses.
With ACL table 910 in combination with the network processing device architecture of Figure 13, forwarding decisions can be based on information contained in higher OSI layers. For example, some of the packet forwarding decisions in ACL table 910 are based on information in the data link layer (layer 2), network layer (layer 3), transport layer (layer 4) and application layer (layer 7). Of course, forwarding decisions can also be based on any other OSI layer.
To explain further, ACL table 910 includes destination IP address predicate 910A, which is used in part to forward packets to the different output ports identified in action 910C. A traditional subnet mask in predicate 910B is used to mask bits in destination IP address predicate 910A. For example, in first ACL entry 912 only the first three subnet fields of the address, "10.0.0", are compared with the destination IP address of input packet 821. In ACL entry 916 only the first subnet field, "10", is compared with the destination IP address of input packet 821.
In this embodiment, forwarding decisions are based not only on the destination IP address but also on layer 4 or layer 7 predicates 910D and 910E respectively. For example, an input TCP packet with destination IP address "10.0.0.x" (where "x" denotes "don't care") is sent to output port 15. An input UDP packet with destination IP address "10.0.0.x", on the other hand, is sent to output port 5.
At the start of packet processing, while processor 822 identifies the destination IP address, it also identifies the TCP or UDP identifier of input packet 821. The destination IP address and the TCP or UDP identifier are then compared with the entries in ACL table 910 to determine the correct output port for forwarding the packet. This shows one embodiment of how packets are forwarded based on layer 4 metrics.
ACL entry 914 is a traditional forwarding entry: when the destination IP address of the input packet contains subnet field "12.0.x.x", the packet is forwarded to specific output port 2.
ACL entry 916 uses the destination IP address and a layer 7 session initiation protocol (SIP) metric as the basis of the forwarding decision. For example, non-SIP packets with IP destination address "10.0.0.x" are sent to output port 7 of network processing device 820, whereas SIP packets with IP destination address "10.x.x.x" are sent to output port 4. This is useful for Voice over IP (VoIP) packets containing SIP signaling, which needs to be sent to a particular network processing device, for example a SIP proxy server. Other non-SIP IP traffic is forwarded in the conventional manner according to the destination address. When a packet contains a SIP message, the SIP identifier compared with SIP predicate 910E of ACL entry 916 is a flag generated by processor 822.
ACL entry 918 shows another embodiment, in which forwarding is based on a layer 7 URL metric. One application of this type of forwarding is accessing a web service and then sending subsequent URL packets to different locations. Referring to Figures 16 and 17, an enterprise can operate web server 934, which different users 930 can access over the Internet 932. Web server 934 can present users 930 with web page 936, which provides multiple different links to different business services. For example, first URL link 938 can lead the user to customer support, second URL link 940 can lead the user to automobile sales, and third link 942 can lead user 930 to furniture sales.
The web page servers supporting these different links 938, 940 and 942 can be located at different Internet locations and possibly, but not necessarily, in different geographic locations. For example, customer support server 944 can be located at the corporate headquarters in Atlanta, automobile sales server 946 in Detroit, and furniture sales server 948 in Paris, France. ACL table 910 (Figure 16) is used to connect users 930 more efficiently to URL links 938, 940 and 942.
For example, when a user clicks customer support link 938, web page server 934 generates packets with destination IP address "10.10.x.x" that contain the URL "Http://DEST1". Router 935 in Figure 17 compares the IP destination address together with the URL against the entries in ACL table 910. Router 935 accordingly sends the packets through output port 1 to customer support server 944. Router 935 can also receive packets with the same destination IP address "10.10.x.x" but with the URL "fttp:/DEST2". Router 935 therefore sends these packets through port 2 to automobile server 946. Packets with destination IP address "10.10.x.x" and the associated URL /DEST3 are sent through port 3 to furniture server 948. This provides more direct forwarding to the intended IP destination.
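The unified ACL table of Figures 14 and 16 and the Figure 15 processing loop (drop, pass or steer, re-applying the table after a steer), modelled in software as an added example that is not the patent's own code. The addresses standing in for the placeholders A, B, C and G of Figure 14, the NAT address pair, the `dos_checked` processor flag (analogous to established flag 860D) and the two steer handlers are constructed assumptions.

```python
"""Added example, not code from the patent: a software model of the unified
ACL table of Figures 14 and 16 and the Figure 15 loop (drop / pass / steer,
re-applying the table after a steer).  Predicate values for the placeholders
A, B, C and G of Figure 14, the NAT address pair, the 'dos_checked' flag and
the steer handlers are constructed assumptions."""
import ipaddress

ANY = None  # 'don't care', like a masked-out subnet bit

def ip_matches(addr, prefix):
    """Subnet-mask style compare: '10.0.0.0/24' covers 10.0.0.x."""
    return prefix is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def extract_predicates(pkt):
    """Operation 882: arrange the packet fields into predicate set 854."""
    return {
        "dst": pkt["dst"], "src": pkt["src"], "proto": pkt["proto"],
        "ports": {pkt.get("sport"), pkt.get("dport")},  # 860C has no src/dst qualifier
        "established": pkt.get("established", False),   # flag 860D, set by the processor
        "sip": pkt.get("sip", False),                    # layer-7 SIP flag (910E)
        "url": pkt.get("url"),                           # layer-7 URL (entry 918)
        "dos_checked": pkt.get("dos_checked", False),    # assumed flag: DoS code already ran
    }

def entry_matches(pred, p):
    """Every predicate the entry specifies must match; omitted ones are ANY."""
    if not (ip_matches(p["dst"], pred.get("dst")) and ip_matches(p["src"], pred.get("src"))):
        return False
    if pred.get("port", ANY) is not ANY and pred["port"] not in p["ports"]:
        return False
    return all(pred.get(k, ANY) in (ANY, p[k])
               for k in ("proto", "established", "sip", "url", "dos_checked"))

def lookup(table, p):
    """CAM behaviour: the action of the first matching entry wins."""
    for pred, action in table:
        if entry_matches(pred, p):
            return action
    return ("drop",)  # assumed default when nothing matches

# Firewall policy ACLs 848 (Figure 14) followed by forwarding entries that
# add layer 4 / layer 7 metrics to the FIB (Figure 16).  Order matters.
ACL_TABLE = [
    # 860: an established TCP session between A and B on port C is permitted
    ({"dst": "10.0.0.10/32", "src": "192.0.2.5/32", "port": 443,
      "established": True}, ("permit",)),
    # 862 / 864: same destination, different source network -> different DoS zone
    ({"dst": "10.0.0.10/32", "src": "192.0.2.0/24", "proto": "tcp",
      "dos_checked": False}, ("tcp_dos", 1)),
    ({"dst": "10.0.0.10/32", "src": "198.51.100.0/24", "proto": "tcp",
      "dos_checked": False}, ("tcp_dos", 3)),
    # the firewall's public address: steer into NAT, then re-apply the table
    ({"dst": "203.0.113.10/32"}, ("nat",)),
    # 916: SIP signaling anywhere in 10.x.x.x goes to the SIP proxy port
    ({"dst": "10.0.0.0/8", "sip": True}, ("forward", 4)),
    # 912: 10.0.0.x split by layer-4 protocol
    ({"dst": "10.0.0.0/24", "proto": "tcp"}, ("forward", 15)),
    ({"dst": "10.0.0.0/24", "proto": "udp"}, ("forward", 5)),
    # 914: a traditional FIB entry
    ({"dst": "12.0.0.0/16"}, ("forward", 2)),
    # 918: the layer-7 URL decides the port within 10.10.x.x
    ({"dst": "10.10.0.0/16", "url": "Http://DEST1"}, ("forward", 1)),
    ({"dst": "10.0.0.0/8"}, ("forward", 7)),
]

def tcp_dos_check(pkt, zone):
    """Stand-in for the TCP DoS code of Figs. 4-11: a packet whose table entry
    carries the attack flag is dropped; otherwise it is released and marked."""
    if pkt.get("attack_flag"):            # assumed: result of the DoS table lookup
        return None
    return {**pkt, "dos_checked": True, "zone": zone}

def nat_inbound(pkt):
    """Assumed static NAT for the example: public 203.0.113.10 -> private 10.0.0.10."""
    return {**pkt, "dst": "10.0.0.10"}

STEER = {"tcp_dos": tcp_dos_check, "nat": nat_inbound}

def process_packet(pkt, table=ACL_TABLE, steer=STEER, max_passes=4):
    """Figure 15: return the terminal action and the trail of actions taken.
    A steer runs its firewall operation, then a new predicate set is extracted
    and applied to the table again (operations 882/884 repeated)."""
    trail = []
    for _ in range(max_passes):
        action = lookup(table, extract_predicates(pkt))
        trail.append(action)
        if action[0] in ("drop", "permit", "forward"):
            return action, trail
        pkt = steer[action[0]](pkt, *action[1:])
        if pkt is None:                        # operation 900: the steered code dropped it
            trail.append(("drop",))
            return ("drop",), trail
    return ("drop",), trail                    # assumed: too many re-steers
```

A TCP packet to the public address is steered through NAT, then through the zone-1 DoS check, and only then reaches the layer-4 forwarding entry; the trail returned by `process_packet` shows each hop through the table.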
Unified policy management using the RSP
As described above, unified policy management (UPM) can be implemented in a traditional processor and computer system architecture as shown in Figure 13. However, for higher performance, UPM can be implemented in a reconfigurable semantic processor (RSP) similar to RSP100 shown previously in Figs. 2A-2C.
Referring to Figures 18 and 19, in operation 1000 DXP 180 in RSP100 executes a grammar that parses the packet in input buffer 140 and identifies any ACL predicates 954 needed to perform UPM operations. In operation 1002 DXP 180 sends instructions to SPU 200 that launch SEP code 212. SEP code 212 causes SPU 200 to arrange ACL predicates 954 into predicate set 956, which is then applied to ACL table 979. In this embodiment some or all of ACL table 979 is contained in one or more CAMs 220.
Depending on the grammar executed in DXP 180 and the associated SEP code 212 launched by DXP 180, any number of ACL predicates 954 can be combined by SPU 200 into ACL predicate set 956. For example, the grammar in DXP 180 can identify ACL predicates 954 for the packet destination and source addresses. Other predicates 954 can be identified for IPv6-IPv4 conversion or TCP DoS operations. When DXP identifies an IPv6 packet, the SEP code 212 launched by DXP180 can cause SPU200 to combine the destination IP address predicate with an IPv6 packet type predicate. Similarly, when a TCP packet is identified, DXP180 can launch SEP code 212 that causes SPU 200 to combine destination IP address predicate 954 and TCP packet type predicate 954 into predicate set 956.
In operation 1004 SPU200 applies ACL predicate set 956 to ACL table 979 in CAM220. In operation 1006 SPU then processes the packet according to the ACL action 952 returned from CAM220. In operation 1010 ACL action 952 can be a simple drop instruction that causes SPU200 to discard the packet currently stored in DRAM280 (Fig. 2A). In operation 1012 ACL action 952 can be an instruction that causes SPU200 to send the packet in DRAM280 to output buffer 150.
In a third case, ACL action 952 can cause SPU200 to launch additional SEP code 212 associated with a specific firewall operation. For example, a group of ACL entries 980 can be associated with different firewall operations. ACL entry 980A can be associated with an intrusion detection system (IDS) permit operation, described in more detail below. Another ACL entry 980B can be associated with a corresponding IDS operation described in the co-pending application entitled "Method and apparatus for intrusion detection in a network processing device", filed May 9, 2005, patent application serial No. 11/125,956, which is incorporated herein by reference.
Other ACL entries 980C-F can be associated with other firewall operations, for example network address translation (NAT), IPv4-IPv6 conversion, TCP session denial of service (DoS) and packet fragment DoS, as described above or in more detail below.
For example, SPU 200 can apply ACL predicate set 956 to CAM 220, which matches ACL entry 980E corresponding to DoS TCP packets. The action contained in ACL entry 980E can be a pointer 982 into semantic code table 210. In operation 1008 of Figure 19, SPU 200 launches and executes the SEP code at pointer location 982. In this example, SEP code 212 at location 982 causes SPU200 to perform some or all of the TCP DoS operations described above in Figs. 4-11.
After completing the TCP DoS operation launched by the action in ACL entry 980E, SEP code 212 can cause SPU 200 to perform any of various other firewall operations. For example, as represented by path 1014, SPU200 is directed to assemble another ACL predicate set 956 from the ACL predicates 954 identified by DXP180. The new predicate set 956 is then applied to ACL table 979 again to perform other firewall operations. As represented by path 1016 in Figure 19, SEP code 212 can direct SPU200 to drop the packet, or, as represented by path 1018, to send the packet to the output port.
As previously described in Figures 13-17 above, RSP100 can also perform unified policy management, which unifies forwarding/switching operations with other firewall policy management operations. CAM220 can therefore also contain forwarding information base 984, which holds entries with destination IP addresses and associated destination port numbers. As shown in Figure 16 above, FIB table 984 can have traditional FIB table entries 987 and other entries 986 that forward packets according to the destination address and other firewall policy metrics 988.
RSP100 can move easily between operating as a firewall, as a traditional router or switch, or as a combination of these. For example, path 990 in semantic code table 210 (Figure 18) represents RSP100 transitioning from a DoS TCP operation to a forwarding operation. A first predicate set 956 submitted by SPU200 to CAM220 can match DoS TCP entry 980E. After completing execution of the SEP code 982 associated with the DoS TCP operation, SPU200 can be directed to submit another predicate set 956 to CAM220. The new predicate set 956 can match entry 986 or 987 in FIB984. The entry in FIB984 can direct SPU200 to SEP code 992 in SCT210, which performs a traditional or UPM forwarding operation.
Alternatively, the initial predicate set 956 provided to CAM220 can match FIB table entry 986 rather than first matching DoS TCP entry 980E. The resulting action contained in entry 986 can direct SPU200 to send the associated packet through an output port to another device that provides the DoS TCP operation.
Network Address Translation (NAT)/Port Address Translation (PAT)
Referring to Figure 20, RSP 100 can be programmed to perform NAT/PAT operations, which translate the IP addresses and/or port numbers of packets passing through firewall 1062 between public IP addresses, used to transmit packets over public network 12, and private IP addresses, used to transmit packets over private network 24.
Typically there are many unique private IP addresses associated with the different network processing devices operating in private network 24, but only one or a few public IP addresses are available to represent those private addresses. This hides the identities of the internal machines in private network 24 and reduces the number of public addresses required to map to the many private addresses in private network 24.
In an alternative embodiment, one or more private IP addresses each has its own associated public IP address. This does not reduce the number of public IP addresses needed, but it still allows firewall 1062 to hide the corresponding private IP address from public network 12. This one-to-one mapping also allows firewall 1062 to reassign a public IP address to a different network device in private network 24.
RSP 100 is configured to translate the public IP address 1058 of an incoming packet 1061 into a private IP address 1074. Private IP address 1074 is then used to forward the internal packet 1076 to the associated network processing device 1078 in private network 24. RSP 100 also receives packets 1072 from local devices 1078 in private network 24, which carry a private IP address 1070. If packet 1072 is addressed to an endpoint 1056 in public network 12, RSP 100 translates private IP address 1070 into a public IP address 1052 that is used to send packet 1050 to endpoint 1056 over public network 12.
To explain in more detail, a device 1078 operating in private network 24 may first send a packet 1072 through firewall 1062 to a destination in public network 12. RSP 100 receives packet 1072 and translates its private source IP address 1070 into the public IP address 1052 associated with firewall 1062. RSP 100 also assigns a specific port number 1054 to the outgoing packet 1050. RSP 100 then updates lookup table 1064 by adding a private IP address entry 1068 and a corresponding port entry 1066.
The device 1056 that receives outgoing packet 1050 may send a packet 1061 back to local device 1078. Device 1056 uses the public IP source address 1052 and port number 1054 from packet 1050 as the destination address 1058 and port number 1060 of the packet 1061 it sends back to local device 1078. RSP 100 maps the destination address 1058 and port number 1060 in packet 1061 to port number entry 1066 in lookup table 1064. In the lookup table 1079 location corresponding to port entry 1060, RSP 100 identifies private IP address entry 1070.
RSP 100 replaces the public destination IP address 1058 in packet 1061 with the private IP address 1070 identified from lookup table 1064. During the translation between private and public IP addresses, RSP 100 may split the packet apart, regenerate the checksum values, and then reassemble the packet.
Figures 21-23 show in more detail an embodiment of how RSP 100 performs the NAT/PAT translation described above. In operation 1100 (Figure 22), DXP 180 (Figure 21) parses an incoming packet received from private network 24 and identifies the private IP source address 1070. In operation 1102, DXP 180 signals SPU 200 to load microinstructions from SCT 210 for translating private IP source address 1070 into a public IP source address.
In operation 1104, SPU 200 generates a public IP address and port number for the packet. The public IP address is normally the IP address assigned to firewall 1062 (Figure 20). In operation 1106, SPU 200 loads the port number for packet 1072 and the corresponding private IP address into lookup table 1079. Figure 21 shows one example of how lookup table 1079 can be implemented with CAM 220 and SRAM 221. SPU 200 stores the port number associated with outgoing packet 1050 in CAM location 220A via AMCD 230, and stores the corresponding private IP address 1070 in SRAM 221 as entry 221A.
In operation 1108, SPU 200 replaces the private IP source address 1070 of packet 1072 with the public source IP address 1052, including the associated port number 1054 (Figure 20). In operation 1110, SPU 200 can also generate a new checksum for outgoing packet 1050. Finally, in operation 1112, SPU 200 sends packet 1050, now carrying public IP address 1052 and port number 1054, from DRAM 280 to output port 152.
Figure 23 describes how RSP 100 translates the public destination IP address of an incoming packet back into a private IP address. In operation 1120, DXP 180 parses the incoming packet 1061 received from public network 12 and identifies the relevant 5-tuple addresses. In operation 1122, DXP 180 signals SPU 200 to load microinstructions from SCT 210 (Figure 2A) for translating public IP destination address 1058 and port number 1060 into the corresponding private IP destination address 1074.
In operation 1124, SPU 200 compares the public destination IP address 1058 and port number 1060 from incoming packet 1061 with the IP address and port number entries 220A in lookup table 1079. For example, SPU 200 uses the destination port number as the address into CAM 220. The address of the matching port number in portion 220A serves as a pointer into address portion 221A of SRAM 221. In operation 1126, SPU 200 reads the private destination IP address identified in SRAM 221 and replaces the packet's public IP destination address 1058 with the identified private IP address 1074. In operation 1128, SPU 200 can also generate a new checksum for the translated packet. Finally, in operation 1130, SPU 200 outputs packet 1076 from DRAM 280 through output port 152 to private network 24.
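The following is an added example, not code from the patent or from the assignee, that models operations 1100-1130 in software: lookup table 1079 is a dictionary keyed by the public port number (the CAM 220 key) whose value is the private address and port (the SRAM 221 entry). The firewall address, the port range and the sample packets are made up for the example; only the IPv4 header checksum is regenerated, and the transport-layer pseudo-header checksum that a real device would also have to update is noted but not recomputed.

```python
"""Software model of the NAT/PAT translation in Figures 21-23 (added example).
Packets are raw IPv4 byte strings whose transport header starts with the
source and destination ports (TCP or UDP).  All addresses are constructed
documentation-range values."""
import ipaddress
import struct

PUBLIC_IP = "203.0.113.1"   # assumed: the public address assigned to firewall 1062


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header.  Over a header whose
    checksum field is already correct the result is 0, which is how a receiver
    validates it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def udp_stub(sport: int, dport: int) -> bytes:
    """Constructed UDP header with empty body (length 8, checksum 0)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def parse(packet: bytes):
    """Return (src, sport, dst, dport) of a packet produced by build_ipv4."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, sport, dst, dport


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


class PatTable:
    """Stand-in for lookup table 1079: CAM 220 key (public port) -> SRAM 221 entry."""

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port            # assumed port pool; no wraparound handling
        self.by_public_port = {}               # public port -> (private ip, private port)
        self.by_private = {}                   # (private ip, private port) -> public port

    def outbound(self, packet: bytes) -> bytes:
        """Operations 1100-1112: private source -> PUBLIC_IP plus an assigned port."""
        src, sport, _, _ = parse(packet)
        key = (src, sport)
        if key not in self.by_private:         # operation 1106: add entries 1066/1068
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return self._rewrite(packet, src=PUBLIC_IP, sport=self.by_private[key])

    def inbound(self, packet: bytes):
        """Operations 1120-1130: destination port is the CAM key; a miss returns None
        (the packet has no translation and should be dropped)."""
        _, _, _, dport = parse(packet)
        entry = self.by_public_port.get(dport)
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return self._rewrite(packet, dst=priv_ip, dport=priv_port)

    @staticmethod
    def _rewrite(packet, src=None, dst=None, sport=None, dport=None) -> bytes:
        """Split header from payload, patch the fields, regenerate the IPv4
        checksum (operations 1110/1128) and reassemble.  A real translator must
        also fix the TCP/UDP checksum because its pseudo-header changed."""
        ihl = (packet[0] & 0x0F) * 4
        hdr, l4 = bytearray(packet[:ihl]), bytearray(packet[ihl:])
        if src:
            hdr[12:16] = ipaddress.IPv4Address(src).packed
        if dst:
            hdr[16:20] = ipaddress.IPv4Address(dst).packed
        if sport is not None:
            l4[0:2] = struct.pack("!H", sport)
        if dport is not None:
            l4[2:4] = struct.pack("!H", dport)
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + bytes(l4)


if __name__ == "__main__":
    table = PatTable()
    out = table.outbound(build_ipv4("10.0.0.7", "198.51.100.9", 17, udp_stub(5555, 53)))
    print("outbound:", parse(out))
    reply = build_ipv4("198.51.100.9", PUBLIC_IP, 17, udp_stub(53, 40000))
    print("inbound: ", parse(table.inbound(reply)))
```

The same private (address, port) pair maps to the same public port for the life of the entry, which is what lets the reply in operation 1124 be matched on the destination port alone.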
RSP 100 can be configured to perform other modification and policy operations on the same packet before or after the NAT/PAT operation. In this case, SPU 200 can send the packet, now carrying the new private IP address 1074, from DRAM 280 back to recirculation buffer 160 (Figure 2A) for further firewall processing. Other firewall operations are then performed on the packet in recirculation buffer 160.
IPv6/IPv4 Translation
Referring to Figure 24, firewall 1062 may translate between Internet Protocol version 4 (IPv4) and IP version 6 (IPv6), or between other IP protocol versions. For example, a first network 1150 may use IPv6 and a second network 1160 may use IPv4. Firewall 1062 therefore needs to translate the 128-bit address space 1158 of IPv6 packet 1156 into the 32-bit address space 1170 of IPv4 packet 1172. Other information in the header and payload may also be translated between IPv4 and IPv6.
In one example, firewall 1062 converts IPv6 packet 1156 into IPv4 packet 1172. In another example, firewall 1062 encapsulates IPv6 packet 1156 in an IPv4 tunnel 1164. For the reverse translation, firewall 1062 can convert IPv4 packet 1172 into an IPv6 packet or encapsulate IPv4 packet 1172 in an IPv6 tunnel. Which of these translations is used depends on the types of IP networks connected to firewall 1062.
Incoming packet 1158 may contain a Media Access Control (MAC) header 1180, an IP header 1182 and a TCP header 1184. A type field 1186 identifies the IP version number of IP header 1182. Referring now to Figures 21, 24 and 25, in operation 1200 (Figure 25) DXP 180 (Figure 21) parses incoming packet 1158 to identify the particular IP version in field 1186. If type field 1186 indicates IPv4 and the network connected to the other side of RSP 100 also uses IPv4, DXP 180 need not initiate any SEP code for IP version translation in SPU 200.
If, however, type field 1186 indicates an IP version different from the one in use on the other side of RSP 100, then in operation 1202 DXP 180 signals SPU 200 to load microinstructions from SCT 210 (Figure 2A) for converting the incoming IP packet into the IP version of the other network. In this embodiment (the text of the international publication is unclear here), SPU 200 converts the IPv6 packet into an IPv4 packet.
In operation 1204, the SPU applies the IPv6 address identified by DXP 180 to the portion 220B of CAM 220 (Figure 21) associated with 128-bit IPv6 addresses. CAM 220 returns an address into the portion 221B of SRAM 221 that contains the corresponding 32-bit IPv4 addresses. In operation 1206, SPU 200 reads the IPv4 address output from SRAM 221, and in operation 1208 replaces the IPv6 address in the packet with the identified IPv4 address. Alternatively, SPU 200 can encapsulate the IPv6 packet in an IPv4 tunnel that uses the IPv4 address identified in SRAM 221. In operation 1210, SPU 200 generates a new checksum, and in operation 1212 sends the translated IPv4 packet, or the IPv4 tunnel packet containing the IPv6 packet, from DRAM 280 to output port 152.
A process similar to that described in Figure 25 can also be used to convert incoming IPv4 packets into IPv6 packets. The same process can also be used to translate between any other IP packet versions that may appear in the future. RSP 100 simply recognizes the new IP version number and then initiates a set of SEP code that SPU 200 uses to translate between the first and second IP versions.
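The following is an added example, not code from the patent or from the assignee, that models operations 1200-1212: the version check on the first nibble of the header (field 1186), the CAM 220B to SRAM 221B mapping as a dictionary from IPv6 address to IPv4 address, and both alternatives the text gives, a header rewrite and IPv6-in-IPv4 encapsulation (IP protocol 41). The mapping entries, the assumption that the far side of the RSP is IPv4, and the sample packet are made up; a real translator would also rewrite the transport checksum and ICMP, which is out of scope here.

```python
"""Software model of the IP version check and IPv6->IPv4 lookup in Figure 25
(added example).  Addresses are constructed documentation-range values."""
import ipaddress
import struct

# Assumed contents of CAM portion 220B (128-bit key) -> SRAM portion 221B (32-bit value).
IPV6_TO_IPV4 = {
    "2001:db8::10": "192.0.2.10",
    "2001:db8::20": "192.0.2.20",
}
OTHER_SIDE_VERSION = 4   # assumed: the network on the far side of RSP 100 runs IPv4
IPPROTO_IPV6 = 41        # IANA protocol number for IPv6 carried inside IPv4


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def ip_version(packet: bytes) -> int:
    """Operation 1200: the version is the high nibble of the first header byte."""
    return packet[0] >> 4


def ipv4_addrs(packet: bytes):
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def convert(packet: bytes, mode: str = "translate") -> bytes:
    """Operations 1202-1212.  Returns the packet unchanged when its version already
    matches the far side, a rewritten IPv4 packet in 'translate' mode, or an IPv4
    packet of protocol 41 carrying the whole IPv6 packet in 'tunnel' mode.
    Raises KeyError on a CAM miss (an address with no mapping entry)."""
    version = ip_version(packet)
    if version == OTHER_SIDE_VERSION:
        return packet                                  # DXP 180 starts no SEP code
    if version != 6:
        raise ValueError("unsupported IP version %d" % version)
    plen, nxt = struct.unpack("!HB", packet[4:7])      # payload length, next header
    src6 = str(ipaddress.IPv6Address(packet[8:24]))
    dst6 = str(ipaddress.IPv6Address(packet[24:40]))
    src4, dst4 = IPV6_TO_IPV4[src6], IPV6_TO_IPV4[dst6]   # operations 1204-1206
    if mode == "translate":
        # Operations 1208-1210: new IPv4 header, same next-header/protocol and payload.
        return build_ipv4(src4, dst4, nxt, packet[40:40 + plen])
    if mode == "tunnel":
        # Alternative from the text: encapsulate the IPv6 packet in an IPv4 tunnel.
        return build_ipv4(src4, dst4, IPPROTO_IPV6, packet)
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    p6 = build_ipv6("2001:db8::10", "2001:db8::20", 6, b"payload")
    print("translated:", ipv4_addrs(convert(p6)), "proto", convert(p6)[9])
    print("tunnelled: ", ipv4_addrs(convert(p6, "tunnel")), "proto", convert(p6, "tunnel")[9])
```

A CAM miss is surfaced as an exception rather than silently forwarding, since an IPv6 source with no mapping entry has no legitimate IPv4 identity on the far side.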
IP version translation can also be combined with the unified policy management operations described above in Figures 13-19. For example, RSP 100 can identify packets carrying different IP versions and forward them to different associated IP subnets that support the IP version identified in the packet.
One of the many unique features of RSP 100 is that additional packet processing operations can be carried out without requiring additional hardware and without substantially increasing software or processing state. For example, the same RSP configuration shown in Figure 21 for NAT/PAT translation can also be used to translate between IPv4 and IPv6. Each IPv6-to-IPv4 address mapping 220B and 221B, and each reverse IPv4-to-IPv6 address mapping 220C and 221C, can be stored in CAM 220 next to the public and private IP addresses 220A used for NAT/PAT translation. Further, because only a small number of additional clock cycles are needed to parse the larger IPv6 header, processing the longer 128-bit IPv6 header adds only a few cycles to the overall packet processing rate of RSP 100.
Multiple different firewall operations can be performed more efficiently in the same RSP 100 by leveraging common DXP parsing. For example, DXP 180 in Figure 21 can perform part of the same parsing operation for both the NAT/PAT and the IPv6/IPv4 operations. The IP address, for instance, is identified by DXP 180 for both NAT and IP version translation, so the same DXP address parsing result can be used for both. Beyond the NAT grammar, therefore, DXP 180 needs only a very small amount of additional grammar.
RSP 100 is also not constrained to handling any particular data size. Therefore any IPv4 or IPv6 operation, or any other IP version or address size that may be developed in the future, can easily be implemented with the same RSP structure 100. RSP 100 can be configured to handle these different IP versions and address sizes simply by adding a minimal amount of new grammar to DXP 180, additional SEP code executed by SPU 200, and some additional entries in CAM 220 and SRAM 221.
This is in contrast to conventional hardware architectures, which require a complete redesign to process IPv6 packets efficiently instead of IPv4 packets. For example, the data path widths, register sizes and logic elements in a conventional processor would have to be redesigned for the larger 128-bit IPv6 addresses.
Virtual Private Network (VPN) Integration
Figure 26 shows one embodiment of how a virtual private network (VPN) tunnel 1207 is established over the Internet 1212. Computer 1216 may request a file 1200 from corporate server 1202. Server 1202 accesses file 1200 and sends it back to remote user 1216 as IP packets 1204 through VPN/firewall 1206.
Firewall 1206 wraps packet 1204 with an IP Security Protocol Encapsulating Security Payload (IPsec ESP) trailer 1210 and an IP Security Protocol Authentication Header (IPsec AH) 1208, for example IP Source Guard (IPSG). These IPsec headers 1208 and 1210 belong to protocol layer 3: in transport mode they follow the IP header and precede the upper-layer protocol header, and in tunnel mode they precede the encapsulated IP header. IPsec ESP header 1210 and AH header 1208 can be used individually or together.
IPsec ESP header 1210 contains the information necessary to decrypt the received packet and, optionally, the authentication digest needed to authenticate received packet 1204. IPsec AH header 1208 contains the authentication digest needed to authenticate received packet 1204. When IPsec packet 1218 contains an IPsec AH header 1208, the authentication digest is located at protocol layer 3; in ESP-only mode, the authentication digest is located after the payload, in ESP trailer 1210.
IPsec packet 1218 is transmitted through the Internet 1212 as VPN tunnel 1207 to computer 1216. VPN/firewall 1214 decrypts IPsec ESP packet 1218 according to the information in AH header 1208 and ESP header 1210. The decrypted IP packet 1204 is then forwarded to computer 1216. As described above, VPN/firewall 1214 can also perform any other firewall operation on decrypted packet 1204.
Figure 27 shows in more detail the operations performed by RSP 100 in VPN/firewalls 1206 and 1214. RSP 100 first performs a preliminary DoS filtering 1220 to filter out IPsec packets 1218 received above the DoS attack rate limit. DoS filtering 1220 can also filter any non-IPsec packets using methods similar to those described above in Figures 4-11.
A Security Association (SA) lookup operation 1222 extracts the IP addresses, packet session identifiers and Security Parameter Indexes (SPIs) 1226 from IPsec packet 1218; these identify the decryption, signature and other techniques RSP 100 is expected to use for the packet. SPIs 1226 and other IP information are submitted to a lookup table 1224 that is similar or identical to the ACL table lookups described above for DoS, UPM, NAT and IP version translation. Lookup table 1224 returns a decryption key 1228, a decryption algorithm identifier 1230 and an authentication algorithm identifier 1232.
The associated decryption algorithm transforms the bits in IPsec packet 1218 from an encrypted state to an unencrypted state. Examples of decryption algorithms include the Data Encryption Standard (DES), Triple DES (T-DES), the Advanced Encryption Standard (AES) and T-DES in CBC mode. The authentication algorithm hashes the data to confirm that the bits in IP packet 1204 are the same as those originally sent from server 1202. Examples of authentication algorithms include MD5 and SHA-1.
The results from SA lookup 1222 are provided to decryption operation 1234, which decrypts IPsec packet 1218 back into the original IP packet 1204. Details of how SA lookup 1222 and decryption operation 1234 are performed are described in the following co-pending applications, which are incorporated herein by reference: U.S. Patent Application Serial No. 11/127,445, filed May 11, 2005, "Multiprocessor Architecture with Floating Decryption/Encryption/Authentication Functional Blocks"; U.S. Patent Application Serial No. 11/127,443, filed May 11, 2005, "IP Security Decryption/Encryption/Authentication"; U.S. Patent Application Serial No. 11/127,468, filed May 11, 2005, "Pipelined IP Security Decryption/Encryption/Authentication"; and U.S. Patent Application Serial No. 11/127,467, filed May 11, 2005, "DEA Engine with DMA Interface".
DXP 180 parses the incoming packet and recognizes IPsec packet 1218 from the identified IP type field. The grammar in DXP 180 then identifies the SPIs 1226, which DXP 180 uses to initiate SEP code 212 (Figure 2A). SEP code 212 directs SPU 200 to apply SPIs 1226 to the ACL in CAM 220 and then to perform decryption 1234 according to the result of the CAM lookup. For example, decryption key 1228, decryption algorithm identifier 1230 and authentication algorithm identifier 1232 can be stored in the same CAM/SRAM structure described earlier in Figure 21. The result of the CAM lookup is an ACL action that points to additional SEP code, which uses decryption key 1228 to perform the decryption algorithm associated with identifier 1230 and the authentication algorithm associated with identifier 1232.
If an unencrypted packet is received for the same IPsec session, for example a packet with the same 5-tuple, the corresponding ACL table destination entry in CAM 220 can direct SPU 200 to drop that packet. This prevents an unauthorized attacker from hijacking VPN session 1207.
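The following is an added example, not code from the patent or from the assignee, that models SA lookup 1222 and the authentication half of decryption 1234 together with the rule just stated, that a cleartext packet arriving on a flow that already carries IPsec is dropped. Lookup table 1224 is a dictionary keyed by SPI holding the key and the two algorithm identifiers; the authentication algorithm shown is HMAC-SHA1-96 as used by ESP, verified with the standard library. The cipher step itself is not performed (it would need AES or 3DES from a crypto library), so a verified packet is returned as ciphertext for a decryption engine. The session is tracked by source and destination address here rather than the full 5-tuple, and a strictly increasing sequence number stands in for the ESP anti-replay window; keys, SPIs and addresses are made up.

```python
"""Software model of SA lookup 1222 and ICV verification (added example)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50
ICV_LEN = 12   # HMAC-SHA1-96 and HMAC-MD5-96 truncate the MAC to 96 bits

# Assumed contents of lookup table 1224: SPI -> key 1228, cipher id 1230, auth id 1232.
SA_TABLE = {
    0x1001: {"key": b"\x11" * 20, "cipher": "AES-CBC", "auth": "HMAC-SHA1-96"},
}
AUTH_ALGS = {"HMAC-SHA1-96": hashlib.sha1, "HMAC-MD5-96": hashlib.md5}


class IPsecSessions:
    """Per-firewall state: last accepted sequence number per SPI and the set of
    (src, dst) flows known to carry ESP."""

    def __init__(self):
        self.last_seq = {}
        self.flows = set()

    def process(self, src: str, dst: str, proto: int, l4: bytes):
        """Returns ('decrypt', spi, ciphertext), ('forward', None, l4) or
        ('drop', reason, None)."""
        if proto != ESP_PROTO:
            if (src, dst) in self.flows:
                # Cleartext on a flow that is supposed to be inside the VPN tunnel.
                return ("drop", "cleartext on established IPsec session", None)
            return ("forward", None, l4)
        if len(l4) < 8 + ICV_LEN:
            return ("drop", "short ESP packet", None)
        spi, seq = struct.unpack("!II", l4[:8])           # ESP header: SPI, sequence
        sa = SA_TABLE.get(spi)                            # the CAM lookup on SPI 1226
        if sa is None:
            return ("drop", "unknown SPI", None)
        body, icv = l4[:-ICV_LEN], l4[-ICV_LEN:]
        expected = hmac.new(sa["key"], body, AUTH_ALGS[sa["auth"]]).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):        # constant-time compare
            return ("drop", "ICV mismatch", None)
        if seq <= self.last_seq.get(spi, 0):              # simplified anti-replay
            return ("drop", "replayed sequence number", None)
        self.last_seq[spi] = seq
        self.flows.add((src, dst))
        # body[8:] is IV + ciphertext; a real engine now runs sa["cipher"] with sa["key"].
        return ("decrypt", spi, body[8:])


def build_esp(spi: int, seq: int, ciphertext: bytes, key: bytes,
              auth: str = "HMAC-SHA1-96") -> bytes:
    """Sender side: ESP header, payload and a 96-bit ICV over header plus payload."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(key, body, AUTH_ALGS[auth]).digest()[:ICV_LEN]


if __name__ == "__main__":
    sessions = IPsecSessions()
    esp = build_esp(0x1001, 1, b"\xaa" * 16, SA_TABLE[0x1001]["key"])
    print(sessions.process("198.51.100.5", "203.0.113.1", ESP_PROTO, esp)[0])
    print(sessions.process("198.51.100.5", "203.0.113.1", 6, b"GET / HTTP/1.0")[0])
```

The ICV is checked before the sequence number is recorded, so a forged packet cannot advance the replay counter and lock out the legitimate peer.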
The decrypted IP packet is then sent to one or more different post-decryption operations, which can include a forwarding operation 1236 similar to that described above for UPM applications. For example, in forwarding operation 1236 RSP 100 can simply forward decrypted packet 1204 to its destination address without using the FIB described in Figures 13-19 to perform any other firewall operation.
Alternatively, the output of decryption 1234 can pass through a second DoS filter 1238. Second DoS filter 1238 can perform DoS detection and filtering on the IP addresses and other identifiers in the now-decrypted IP packet 1204. For example, some of the predicates used for DoS and other UPM operations are only available once the packet is decrypted. The decrypted predicates are identified and then used to perform the second DoS operation 1238, UPM, or any other required firewall operation.
Other firewall operations can also include a TCP proxy operation 1240 as described in co-pending U.S. Patent Application Serial No. 11/181,528, filed July 14, 2005, entitled "TCP Isolation with Semantic Processor TCP State Machine", which is incorporated herein by reference. In another possible post-decryption operation 1240, RSP 100 can translate the decrypted IP addresses into public or private addresses as described above for the NAT/PAT application.
Depending on the type of firewall operation being implemented and on the decrypted IP packet 1204, RSP 100 can perform any combination of post-decryption operations 1236, 1238 and 1240. Of course, any of the other firewall operations described above can also be performed.
License Management Using Firewall Policy Management
Referring to Figure 28, ACL table 1506 in RSP 100 can be used to allocate anti-virus (AV) licenses more efficiently. Currently, AV licenses are assigned to individual machines 1514, and system operators find these licenses difficult to manage. For example, for each new machine 1514 added to the network, another license must be purchased and the AV software then installed. When a license agreement expires, the network administrator has to reinstall or reactivate the AV software on the individual machines. Further, any update to the AV software has to be loaded onto each computer 1514 individually.
RSP 100 provides centralized license management. For example, AV software 1504 can be run by RSP 100 in firewall 1502 in a manner similar to that described in co-pending U.S. Patent Application Serial No. 11/125,956, filed May 9, 2005, entitled "Intrusion Detection Method and Apparatus in a Network Processing Device". Alternatively, AV software 1504 can be executed by a conventional network processing device.
In either case, RSP 100 determines which of subnets 1520, 1522 and 1524 hold AV licenses and accordingly applies AV software 1504 only to packets directed to those licensed subnets. Referring to Figures 28 and 29, RSP 100 receives a packet 1525 from public Internet 1500 with a particular destination address 1527. DXP 180 in RSP 100 identifies IP destination address 1527 to SPU 200 and causes SPU 200 to execute SEP code that checks whether the subnet associated with destination address 1527 holds an AV license.
For example, SPU 200 submits the packet's destination address 1527 to CAM 220. Destination address 1527 may match predicate 1528 in ACL entry 1526. The action 1530 associated with ACL entry 1526 indicates that a license exists for the subnet 1522 (Figure 28) associated with packet destination address 1527, which matched ACL predicate 1528. Action 1530 can be a pointer to additional SEP code that directs SPU 200 to determine whether the number of connections currently established with subnet 1522 is less than the number of licenses allocated. If the number of licenses purchased for subnet 1522 is greater than the number of active connections, AV software 1504 is applied to packet 1525.
SPU 200 or other processing elements in firewall 1502 can continuously maintain a count 1529 of the number of active connections between Internet 1500 and each of subnets 1520, 1522 and 1524. Memory 221 stores the active connection count 1529 and the number 1531 of licenses purchased for each subnet connected to firewall 1502.
SPU 200 can quickly determine whether AV software 1504 should be applied to packet 1525 by applying the identified packet destination address 1527 to CAM 220. CAM 220 identifies a location in SRAM 221 containing the current connection count 1529 and the number 1531 of available licenses for subnet 1522. If one or more AV licenses are available, SPU 200 applies AV software 1504 to packet 1525 before, between or after the other firewall operations.
If a subnet is located across a public network, a tunnel can be established for any packet passed through AV software 1504. For example, subnet 1524 may be located remotely from firewall 1502. If subnet 1524 has been assigned AV licenses, the action 1530 in the ACL entry 1526 matching the address of subnet 1524 also directs SPU 200 to encapsulate the packet in a secure tunnel 1518 before sending it to subnet 1524.
AV software 1504 is not applied to subnets without AV licenses. For example, the ACL entry associated with subnet 1520 is configured with a no-license action 1530, so RSP 100 does not apply AV 1504 to packets directed to subnet 1520.
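The following is an added example, not code from the patent or from the assignee, that models the license check of Figures 28 and 29: ACL table 1506 becomes a list of prefixes searched longest-prefix-first, standing in for the CAM 220 match on destination address 1527, and the SRAM 221 side (license count 1531 and active-connection count 1529) lives in the matched entry. A zero license count models the no-license action configured for subnet 1520, and a remote flag models the secure-tunnel action for subnet 1524. Subnet prefixes and license counts are made up.

```python
"""Software model of AV license allocation by destination subnet (added example)."""
import ipaddress


class AvLicenseTable:
    """ACL table 1506 keyed by destination prefix, with per-subnet license state."""

    def __init__(self):
        self.entries = []   # (ip_network, state) kept sorted longest prefix first

    def add(self, subnet: str, licenses: int, remote: bool = False):
        """licenses=0 models the 'no license' action 1530; remote=True models a
        subnet reached through secure tunnel 1518."""
        self.entries.append((ipaddress.ip_network(subnet), {
            "licenses": licenses,   # quantity 1531
            "active": 0,            # count 1529
            "remote": remote,
        }))
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, dst: str):
        """CAM-style match: the most specific entry whose predicate 1528 covers dst."""
        addr = ipaddress.ip_address(dst)
        for net, state in self.entries:
            if addr in net:
                return net, state
        return None, None

    def classify(self, dst: str):
        """Action for a packet to dst, as (operation, tunnel):
        operation is 'av_scan' when the subnet holds a spare license, else 'forward';
        tunnel is True when the subnet is remote and must be reached over 1518."""
        _, state = self.lookup(dst)
        if state is None or state["licenses"] == 0:
            return ("forward", False)
        if state["active"] >= state["licenses"]:     # all purchased licenses in use
            return ("forward", state["remote"])
        return ("av_scan", state["remote"])

    def connection_opened(self, dst: str):
        """Maintain count 1529 as connections to the subnet come and go."""
        _, state = self.lookup(dst)
        if state is not None:
            state["active"] += 1

    def connection_closed(self, dst: str):
        _, state = self.lookup(dst)
        if state is not None and state["active"] > 0:
            state["active"] -= 1


if __name__ == "__main__":
    table = AvLicenseTable()
    table.add("10.1.0.0/16", licenses=0)               # subnet 1520: no license
    table.add("10.2.0.0/16", licenses=2)               # subnet 1522
    table.add("10.3.0.0/16", licenses=1, remote=True)  # subnet 1524, behind tunnel 1518
    for dst in ("10.1.5.5", "10.2.5.5", "10.3.5.5", "192.0.2.1"):
        print(dst, table.classify(dst))
```

Packets to an unlicensed or unknown subnet are still forwarded; only the AV scan is withheld, which is the behaviour the text describes for subnet 1520.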
RSP Arrays
Referring to Figures 30 and 31, multiple RSPs 100 can be connected together to provide sequential or parallel firewall operations. For example, in Figure 30 multiple RSPs 100A-100D are connected in series, each performing a different firewall, forwarding or intrusion detection system (IDS) operation. A first RSP 100A can identify and extract IP information by extracting the 5-tuple of source and destination IP addresses and port numbers from incoming packet 1598.
A second RSP 100B can then perform TCP-related operations, for example managing TCP sessions and filtering any TCP packets associated with a DoS attack, as described above in Figures 4-11. RSP 100C can perform packet processing operations that search for any HTTP sessions that may be carried in the packets. Finally, RSP 100D can search the HTTP sessions for any text and executable files that may contain viruses or other particular types of information, for example as described in co-pending U.S. Patent Application Serial No. 11/125,956, filed May 9, 2005, entitled "Intrusion Detection Method and Apparatus in a Network Processing Device".
Of course, any combination of RSPs 100 can perform any combination of different firewall and non-firewall operations; Figure 30 shows only one embodiment. It should be emphasized that each additional RSP provides a substantially linear increase in performance. For example, RSP 100A can forward any parsed firewall predicates, IDS signaling, non-terminals (NT) 312, production codes 178, SEP code 177B (Figures 2B and 2C) and so on as state 1602 to the next RSP 100B. After finishing its packet processing, RSP 100B can send similar state information 1602 to RSP 100C.
This prevents each subsequent RSP 100 from repeating parsing that a previous RSP has already completed. Further, the simple structure of DXP 180 (Figure 2A) allows each RSP 100 to switch immediately to the same state as the previous RSP by loading NT 132 into parser stack 185 (Figure 2A). For example, RSP 100A can identify an ACL predicate that contains the IP destination address. RSP 100A sends the ACL predicate, together with the associated NT 132, in message 1602 along with the associated packet 1600 to RSP 100B. Starting from the state where RSP 100A stopped, RSP 100B can then use the already-identified IP address information and begin performing TCP operations on packet 1600. RSP 100B therefore does not need to parse packet 1600 again, for example to find the destination IP address a second time.
This is in contrast to conventional processor architectures, in which packet processor state is not easily transferred. As a result, adding each additional conventional processor to a packet processing system does not necessarily increase the overall performance of the network processing device linearly. In other words, doubling the number of packet processing devices with a conventional computer architecture does not necessarily double the overall processing performance. By contrast, doubling the number of RSPs 100 can almost double the overall performance of the larger network processing system.
Figure 31 shows another arrangement of RSPs 100. In this configuration, one or more RSPs 100 operate in parallel. A first RSP 100A can perform an initial UPM operation that determines, based on the IP address and other predicates extracted from the packet, which other firewall operations, if any, need to be performed on incoming packet 1598. RSP 100A sends the packet to RSPs 100B-G according to the identified firewall policy metrics.
For example, based on the identified firewall predicates, packet 1598 may require DoS processing by RSP 100B, so RSP 100A sends the packet to RSP 100B. If RSP 100B determines that the packet's destination subnet address has an associated IDS license, as described above in Figures 28 and 29, the packet can be sent to RSP 100C for anti-virus processing. Otherwise RSP 100B can forward the packet to an endpoint in local area network (LAN) 1604.
If the UPM in RSP 100A determines that the packet needs to be converted to IPv4 format, the packet is sent to RSP 100D. Packet 1598 can then be sent to RSP 100E, which processes the packet according to data at higher OSI layers. For example, RSP 100E can forward the packet according to the HTTP information in the packet, as described above in Figure 17. Other packets can be sent to RSPs 100F and 100G to perform NAT and other DoS operations, respectively.
Command line interface (CLI)/record/statistics
Command line interface
Return with reference to Fig. 2 A, command line interface (CLI) 282 is connected to MCPU56, and allows the operator on the computing machine 284 CLI order and data 286 can be input to RSP100.Then, MCPU56 explains the CLI order 286 that receives from computing machine 284, and according to these CLI order 286 actions.For example, CLI order 286 can guide among the TCAM220 of MCPU 56 with new ACL entry loaded into memory system 215.CLI order 286 can also guide MCPU56 that data load is advanced in any other memory component of accumulator system 215.
CLI order 286 can also be used for disposing other memory element and table of RSP100.For example, CLI order 286 can guide MCPU56 that new analyzer grammer is loaded in the analytical table 170, and generation rule 176 is loaded in the generation rule table 190, perhaps new SEP code 212 is loaded in the semantic code table 210.CLI order 286 also guides in other the processing element of MCPU56 from any memory device of memory sub-system 215 or table or from RSP 100 and reads information.
Record (logging)
SEP code 212 can indicate SPU200 that some is detected logout to the MCPU56 that is used to write down.For example, SPU200 can be sent to MCPU56 with any bag that is identified as a DoS attack part.When detecting DoS attack, SEP code 212 indication SPU200 are sent to MCPU56 with an exemplary deletion bag.SEP code 212 can also be indicated SPU200 notice MCPU56 when the similar bag of each deletion.
Concrete information and recognition category that MCPU56 will be included in the deletion bag advance in the daily record (log) like the statistical editing of deleting the quantity of wrapping.Daily record can layout advances to have in the IP bag of IP address of system journal machine (syslogmachine), and then this system journal machine receives and be recorded in the incident that RSP100 detects.The bag that comprises daily record can be sent to the system journal machine by output port 152 by SPU200.
The incident of any detection can be by the RSP100 record, and includes but not limited to, any incident of above-mentioned identification in the fire wall operation.For example, SEP code 212 can also indicate SPU200 bag to be sent to the MCPU56 of specific ACL entry among the coupling CAM220.
Statistics
The statistics of any requirement can be recorded among the RSP100, and can locally store or be sent to register system.For example, can programme, so that bag each reception, deletion or output is counted to SPU200.Different SEP codes 212 can comprise the record order in company with other relevant fire wall operations.RSP100 identification and any statistical information that is surrounded by the pass that receives or send.For example, receive the quantity of bag, the size that receives bag, the size that sends bag and quantity, deletion bag quantity, have invalid verification and the quantity, failed registration attempt etc. of quantity, copy package of bag.Statistics can order 286 to be downloaded to computing machine 284 by CLI, is perhaps periodically sent in bag by output port 152 by SPU200.
Certification
Any of the firewall operations described above can be certified and can meet validation criteria accepted by various industry bodies, including: the International Computer Security Association (ICSA), the National Institute of Standards and Technology (NIST), the University of New Hampshire (UNH), Plugfest, etc.
Summary
The novel use of the RSP architecture combined with access control tables makes more effective use of the same hardware, with a minimum of software reconfiguration, to carry out many different firewall, UPM or other packet processing operations. These various firewall operations can use syntactic elements, for example assertions, that are identified by the DXP or by other firewall parsing operations. The RSP therefore provides a more scalable firewall architecture.
As mentioned above, any of the operations described can be implemented on any network processing device, and is not restricted to edge devices or to devices that run what is traditionally called a firewall. For example, DoS, UPM and other operations can be carried out on gateways, routers, servers, switches and any other endpoint device. Further, many of the operations described above need not be implemented with RSP 100, and can alternatively be implemented on a conventional computer architecture.
Intrusion detection
In the following description, the term "virus" refers to any kind of intrusion, unauthorized data, spam, denial of service (DoS) attack, or any other type of data, signal or message transmission considered an intrusion to a network processing device. The term "virus" is alternatively called "malware", and is not limited to any particular type of unauthorized data or message.
Figure 32A shows a private IP network 2024 connected to a public Internet Protocol (IP) network 2012 through edge device 2025A. Public IP network 2012 can be any wide area network (WAN) that provides packet switching. Private network 2024 can be an enterprise network, an Internet service provider (ISP) network, a home network, etc., which needs to be protected from viruses or other malware attacks coming from public network 2012.
Network processing devices 2025A-2025D in private network 2024 can be any type of computing device that communicates over a packet network. For example, network processing devices 2025A and 2025B can be routers, switches, gateways, etc. In this embodiment, network processing device 2025A operates as a firewall, device 2025B operates as a router or switch, endpoint 2025C is a personal computer (PC), and endpoint 2025D is a server, such as an Internet web server. PC 2025C can be connected to private network 2024 through a wired connection such as a wired Ethernet connection, or through a wireless connection such as one using the IEEE 802.11 protocol.
Intrusion detection system (IDS) 2018 is implemented in combination with the network devices 2025A-2025D operating in network 2024. Each IDS 2018 collects and analyzes the network traffic 2022 passing through its host network processing device 2025, and identifies and discards any packets 2016 in packet stream 2022 that contain a virus. In one embodiment, IDS 2018 is implemented using a reconfigurable semantic processor (RSP), described in more detail below. However, it should be understood that IDS 2018 is not limited to embodiments using an RSP, and other processing devices can be used.
In one embodiment, IDS 2018 is installed in edge router 2025A, which connects private network 2024 to external public network 2012. In other embodiments, IDS 2018 can also be implemented in network processing devices that do not traditionally perform IDS operations. For example, IDS 2018 can also be implemented in router or switch 2025B. In yet another embodiment, IDS 2018 can be implemented in one or more endpoint devices, for example in PC 2025C or in web server 2025D. Implementing intrusion detection system 2018 in a plurality of different network processing devices 2025A-2025D provides more complete intrusion detection, and can remove viruses 2016 that enter private network 2024 through a plurality of different access points other than edge router 2025A. For example, a virus introduced by an employee accessing private/internal network 2024 through personal computer 2025C can be detected and removed by the IDS 2018 running in PC 2025C, router 2025B or server 2025D.
In another embodiment, the IDS 2018 in network processing devices 2025 is used to detect and remove viruses 2016A originating from private network 2024. For example, the operator of PC 2025C can produce a virus 2106A directed to network devices operating in public IP network 2012. Any combination of the IDS 2018 operating in internal network 2024 can be used to identify virus 2016A before it is output to public IP network 2012, and then remove it.
The semantic processor allows anti-virus operations to be embedded or distributed throughout network 2024. For example, semantic processors can perform intrusion detection operations at a plurality of ports of network router or switch 2025B. The embedded intrusion detection system IDS 2018 is more robust, and provides more effective intrusion detection than current perimeter anti-virus detection schemes. This intrusion detection scheme operates on data streams at network transmission speed, and does not have to process certain untrusted data types, for example e-mail attachments, off-line.
Intrusion detection using syntactic elements
Figure 32B shows how a conventional intrusion detection system produces filters. Input data stream 2071 contains a plurality of packets 2072. Packets 2072 contain one or more headers 2072A and a payload 2072B. A conventional intrusion detection system compares every byte 2074 of every packet 2072 in data stream 2071 against threat signatures 2058, without distinguishing between them. Any filter 2075 produced by the threat signature comparison is then applied to the entire data stream 2071.
This intrusion detection scheme wastes computational resources unnecessarily. For example, some information in data stream 2071, such as some header data 2072A, may never contain a threat. Regardless, the intrusion detection system in Figure 32B blindly compares every byte in data stream 2071 with threat signatures 2058. This places an unnecessarily heavy burden on the computational resources performing intrusion detection.
The intrusion detection system in Figure 32B also cannot distinguish the context of the packets on which virus scanning is performed. For example, threat signatures 2058 associated with e-mail viruses are applied to every packet 2072, without regard to whether packet 2072 actually contains an e-mail message. Therefore, threat signatures 2058 associated with e-mail viruses may be compared against packets 2072 containing HTTP messages. This further limits the scalability of the intrusion detection system.
Figure 32C is a diagram showing an embodiment of IDS 2018 that identifies syntactic elements to detect viruses in a data stream more effectively. IDS 2018 uses a parser to identify a session context 2082 associated with packet 2072. For example, an initial parsing operation can identify one or more of a Media Access Control (MAC) address 2076A, an Internet Protocol (IP) address 2076B and a Transmission Control Protocol (TCP) address 2076C. In this embodiment, the parser can also identify packet 2072 as containing a Simple Mail Transfer Protocol (SMTP) e-mail message. These identifiers 2076A-2076D of session context 2082 are alternatively called syntactic elements.
Identifying syntactic elements 2076 allows IDS 2018 to detect and remove viruses or other malware threats more effectively. For example, IDS 2018 can tailor further intrusion detection operations based on the session context 2082 found at the beginning of packet 2072. For instance, session context 2082 identifies packet 2072 as containing an e-mail message. IDS 2018 can then look specifically for, and identify, additional syntactic elements 2076E-2076H particularly relevant to e-mail messages, and more specifically identify the e-mail syntactic elements that may contain a virus.
For example, IDS 2018 identifies syntactic elements 2076E-2076G, which contain the information in the "To:", "From:" and "Subject:" fields of the e-mail message. IDS 2018 can also identify an e-mail attachment 2076H that may also be included in the e-mail message. In this embodiment, a virus or malware can only be contained in syntactic element 2076H, which holds the e-mail attachment. The other syntactic elements 2076A-2076G cannot cause an intrusion threat. Therefore, only syntactic element 2076H containing the e-mail attachment is compared with threat signatures 2058.
The information in the other syntactic elements 2076A-2076G can then be used to help produce filter 2070 for filtering packets 2072. For example, filter 2070 can be produced to filter any packet having the same "From:" field identified in syntactic element 2076F, or the same source IP address identified in syntactic element 2076B.
IDS 2018 can therefore detect intrusion attempts based on the IP session context 2082, the traffic characteristics and the syntax 2076 of the data stream. Intrusions are then detected by comparing the syntactic elements 2076 identified in the network traffic with signature rules 2058 describing events considered troublesome. These rules 2058 can describe any behavior (for example, certain hosts connecting to certain services), what activity is worth an alert (for example, a given number of different hosts being tried constitutes a "scan"), or a signature describing a known attack or an access to a known vulnerability.
Fixed packet postpones
Figure 33 shows a delay buffer used in conjunction with IDS 2018. Monitoring operation 2040 can be carried out in a reconfigurable semantic processor (RSP) 2100, or can alternatively be carried out locally by other monitoring circuitry operating inside RSP 2100 or outside RSP 2100.
Referring to Figures 33 and 34, in functional block 2048A, RSP 2100 receives packets 2022 from input port 2120. In functional block 2048B, RSP 2100 can perform an initial threat filtering operation that discards a first type of packets 2032A containing viruses or other types of threats. This initial filtering 2048 can be performed, for example, by accessing a table of predetermined known threat signatures. This initial filtering prevents IDS 2018 from having to process some data 2032A any further. For example, denial-of-service attacks, well-known virus attacks or unauthorized IP sessions can be detected, and the associated packets deleted without further processing by IDS 2018.
In functional block 2048C, RSP 2100 stores the remaining packets 2022 in packet delay buffer 2030. In one embodiment, packet delay buffer 2030 is dynamic random access memory (DRAM), or some other type of memory sized to temporarily buffer input data stream 2022. In functional block 2048D, RSP 2100 further identifies the syntax of the input data stream. For example, RSP 2100 can identify packets containing e-mail messages.
A large variety of intrusion attacks on Windows-based PCs originate from e-mail messages that arrive as files or scripts in the message. The form of the data in the attack is simple binary machine code or ASCII text. The message must touch the syntax and semantics of the transport mechanism before it is activated. For example, executable files are transmitted in e-mail messages using the Simple Mail Transfer Protocol/Point of Presence (SMTP/POP) protocols, both of which use the Multipurpose Internet Mail Extension (MIME) file attachments described in Request for Comment (RFC) 2822. Therefore, RSP 2100 in functional block 2048D can identify packets corresponding to the SMTP and/or MIME protocols.
In functional block 2048E, RSP 2100 produces tokens 2068 corresponding to the identified syntax of data stream 2022. For example, tokens 2068 can contain specific sub-elements identified in the e-mail message, such as the sender of the e-mail message ("From: __"), the recipient of the e-mail message ("To: __"), the subject of the e-mail message ("Subject: __"), the time the e-mail was sent ("Sent: __"), attachments contained in the e-mail message, etc. Because RSP 2100 examines this session information, threat filtering in network processing devices such as routers and switches is not limited to elements found within a single packet, for example attempts to hijack a TCP session, redirect an FTP flow, or forge an HTTPS certificate.
In functional block 2048F, tokens 2068 are used to dynamically produce a second, deeper group of filters 2070 tailored to the syntax of the data contained in packet delay buffer 2030. For example, tokens 2068 can be used to produce filters 2070 associated with viruses contained in e-mail messages. The scalability of IDS 2018 is important. By producing filters associated with the syntax of the data, the IDS can scan for threats more effectively. For example, IDS 2018 does not have to spend time applying filters that are unsuitable for the type of data currently being processed.
In functional block 2048G, RSP 2100 applies the tailored filter set 2070 to the data stored in packet delay buffer 2030. Any packets 2032B containing a threat identified by filters 2070 are discarded. After the data has been held in packet delay buffer 2030 for a predetermined fixed period of time, RSP 2100 in functional block 2048H outputs the data to output port 2152.
The fixed delay provided by packet delay buffer 2030 gives monitoring operation 2040 time to assess threats, determine whether new threats are present in the traffic currently being processed, form a set of syntax-related filters 2070 and apply those filters, before data stream 2034 is output from output port 2152. Typically, the delay in delay buffer 2030 for a 1 gigabit per second (Gbps) Ethernet LAN system is approximately 20 to 50 milliseconds (ms). Of course, other fixed delay periods can also be used.
RSP 2100 uses a novel parsing technique to parse data stream 2022. This allows RSP 2100 to implement IDS 2018 at network line speed, without having to perform monitoring operation 2040 off-line from the other inbound network transfer operations performed by the same network processing device. RSP 2100 can therefore process input packets 2022 with a fixed packet delay, making it difficult for an intruder to identify and avoid the network processing device 2025 running the intrusion detection system (Figure 32A).
For example, an intruder attempting to infect private network 2024 (Figure 32A) with virus 2016 may monitor network delays. If a longer response to repeated virus attacks is observed over a particular network path, the intruder can conclude that the path contains an intrusion detection system. If another network path does not take longer to respond to the attempted attack, the intruder can conclude that the path does not contain an intrusion detection system, and may send the virus through the ports or devices in the identified network path.
By producing a uniform packet delay between input port 2120 and output port 2152, regardless of the type of data 2022 or the type of filters 2070 produced and applied to data stream 2022, IDS 2018 prevents an intruder from identifying the network processing device 2025 running IDS 2018. Of course, this is only one embodiment, and other IDS embodiments 2018 can be implemented without a constant packet delay.
In an alternative embodiment, RSP 2100 applies the fixed delay only to identified data of particular types, and processes other data without the fixed delay. By identifying the syntax of the data stream, IDS 2018 can distinguish data streams that need virus scanning from those that do not. IDS 2018 then judiciously applies the fixed delay only to the data streams being scanned. For example, RSP 2100 can apply the fixed delay to packets identified as containing TCP SYN messages. If no irregularity is detected in the SYN packet, RSP 2100 can then receive and process the subsequently received TCP data packets without applying the fixed delay described above in Figure 34. Thus, unestablished TCP sessions can be delayed while other traffic is not delayed.
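The uniform-delay behaviour described above, together with the SYN-only variant, as an added simulation that is not code from the patent: a priori filters, a filter produced mid-stream from a later packet, and a fixed 30 ms release time that an outside observer sees on every forwarded packet. The packet stream, the marker strings and the keying of filters on source IP are constructed assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIXED_DELAY_MS = 30                      # within the 20-50 ms quoted for a 1 Gbps LAN
KNOWN_BAD = b"KNOWN-BAD-MARKER"          # stands in for the a priori ACL filters (block 2048B)
NEW_BAD = b"NEW-BAD-ATTACHMENT-MARKER"   # stands in for a threat found by the deeper filters 2070


@dataclass
class Packet:
    seq: int
    src_ip: str
    kind: str          # "syn", "data" or "mail": the syntax the parser identified
    arrival_ms: int
    payload: bytes


def _release(buffer: deque, now: float, filters: set, established: set) -> List[Tuple]:
    """Pop every buffered packet whose fixed delay has expired (blocks 2048G/2048H)."""
    out = []
    while buffer and buffer[0].arrival_ms + FIXED_DELAY_MS <= now:
        pkt = buffer.popleft()
        due = pkt.arrival_ms + FIXED_DELAY_MS
        if pkt.src_ip in filters:                     # filter set 2070 applied in-buffer
            out.append((pkt.seq, "drop:filter", due))
        else:
            if pkt.kind == "syn":
                established.add(pkt.src_ip)           # SYN cleared the buffer: session trusted
            out.append((pkt.seq, "forward", due))
    return out


def run(stream: List[Packet], delay_only_unestablished: bool = False) -> List[Tuple]:
    """Simulate the Figure 34 pipeline; returns (seq, verdict, time_ms) tuples."""
    buffer: deque = deque()    # packet delay buffer 2030
    filters: set = set()       # dynamic filters 2070, keyed on source IP (assumption)
    established: set = set()   # sources whose SYN showed no irregularity
    out: List[Tuple] = []
    for pkt in sorted(stream, key=lambda p: p.arrival_ms):
        now = pkt.arrival_ms
        out.extend(_release(buffer, now, filters, established))
        if KNOWN_BAD in pkt.payload:                  # block 2048B: a priori filter
            out.append((pkt.seq, "drop:initial", now))
            continue
        if pkt.kind == "mail" and NEW_BAD in pkt.payload:   # blocks 2048D-2048F
            filters.add(pkt.src_ip)                   # also covers packets already buffered
        if delay_only_unestablished and pkt.kind == "data" and pkt.src_ip in established:
            out.append((pkt.seq, "forward", now))     # alternative embodiment: no delay
            continue
        buffer.append(pkt)                            # block 2048C
    out.extend(_release(buffer, float("inf"), filters, established))
    return out


def observed_delays(stream: List[Packet], result: List[Tuple]) -> Dict[int, int]:
    """Delay an outside observer would measure on each forwarded packet."""
    arrival = {p.seq: p.arrival_ms for p in stream}
    return {seq: t - arrival[seq] for seq, verdict, t in result if verdict == "forward"}


STREAM = [   # constructed sample stream 2022; times in ms
    Packet(1, "10.0.0.7", "mail", 0, b"Subject: hello"),
    Packet(2, "10.0.0.5", "data", 5, b"GET /"),
    Packet(3, "10.0.0.7", "mail", 10, b"Subject: invoice\r\n" + NEW_BAD),
    Packet(4, "10.0.0.6", "data", 12, KNOWN_BAD),
    Packet(5, "10.0.0.9", "syn", 50, b""),
    Packet(6, "10.0.0.9", "data", 100, b"payload"),
]
```

Packet 1 is already buffered when packet 3 from the same source triggers a filter, and both are dropped; the forwarded packets all leave exactly 30 ms after arrival, so the drops are not visible in the timing.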
Figure 35 is a more detailed description of the operations performed by IDS 2018 shown in Figure 34. Packets from data stream 2022 are received through input port 2120 by packet input buffer (PIB) 2140. Bytes from packets 2022 are processed by direct execution parser (DXP) 2180 and semantic processing units (SPUs) 2200. In this embodiment, one or more SPUs 2200 can concurrently perform an access control list (ACL) check operation 2050, a session lookup operation 2052 and a token generation operation 2054.
ACL check operation 2050 checks the input packets in data stream 2022 against an initial ACL table of a priori (known) filters 2064. ACL check operation 2050 removes packets matching ACL filters 2064, then loads the remaining packets 2022 into delay FIFO 2030.
Session lookup operation 2052 checks packets 2022 against known, valid IP sessions. For example, DXP 2180 can send information to session lookup 2052 identifying the TCP session, the port numbers and the arrival rate of TCP SYN messages. Session lookup 2052 determines whether the TCP session and port numbers have been seen before, and how long ago. If packet 2022 is verified to belong to a valid TCP/IP session, packet 2022 can be sent directly to packet output buffer (POB) 2150.
Token generation operation 2054 produces tokens 2068 according to the syntax of data stream 2022 identified by DXP 2180. In one embodiment, token generator 2054 produces tokens 2068 containing a 5-tuple data set comprising the source IP address, destination IP address, source port number, destination port number and protocol number associated with the packet being processed in input buffer 2140. Tokens 2068 can also include any anomalies in the TCP packet, such as unknown IP or TCP options.
In the embodiment described below, some tokens 2068 also include syntactic elements associated with e-mail messages. For example, DXP 2180 can identify packets associated with a Simple Mail Transfer Protocol (SMTP) session, as described above in Figure 32C. Token generation operation 2054 then extracts specific information from the mail session, such as the SMTP/MIME attachment. One embodiment of a token 2068 associated with an e-mail message, produced in type, length, value (TLV) format, is as follows:
Token #1
Type: SMTP/MIME attachment (the method of transmitting a file in an e-mail message)
Length: number of bytes in the file
Value: the actual file
In another embodiment, DXP 2180 identifies packets 2022 in input buffer 2140 associated with a Hypertext Markup Language (HTML) session. Token generation operation 2054 accordingly produces a specifically related token identifying the HTML session, as follows:
Token #2
Type: HTML bin service (the method of transmitting a file in a web page)
Length: number of bytes in the file
Value: the actual file
Tokens 2068 formed by token generation operation 2054 as described above make it easy for a threat/virus analysis and ACL counter-measure agent 2056 to compare the syntactic information contained in tokens 2068 with threat signatures 2058. In one embodiment, counter-measure agent 2056 is a general-purpose central processing unit (CPU) that compares tokens 2068 with predefined threat signatures 2058 stored in memory. For example, counter-measure agent 2056 can implement various pre-existing algorithms, such as "BRO" (http://ee.lbl.gov/bro.html) or "SNORT" (http://www.snort.org), which are incorporated herein by reference, to decide whether a new intrusion filter is needed. Threat signatures 2058 can be provided by commercially available intrusion detection databases, for example databases available from SNORT or McAfee.
Counter-measure agent 2056 dynamically produces output ACL filters 2070 according to matches between tokens 2068 and threat signatures 2058. For example, a threat signature 2058 may identify a virus contained in an e-mail attachment carried in one of tokens 2068. Counter-measure agent 2056 then dynamically produces a filter 2070 containing the source IP address of the packet that carried the infected e-mail attachment. Filter 2070 is output to ACL operation 2062, which then discards any packets 2016 in delay FIFO 2030 that carry the source IP address identified by filter 2070. The remaining packets are then output to output buffer 2150.
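The flow just described, from syntactic elements through a signature comparison to an output ACL entry, as an added Python sketch that is not code from the patent; it serves both the Figure 32C discussion of syntactic elements above and the Figure 35 counter-measure flow. Only the attachment element is compared with signatures, and the dynamically produced filter keys on the sender's source IP or From: field. The SMTP message, the IP addresses, the SHA-256 form of the signatures and the marker string are all constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threat signatures 2058, modelled as SHA-256 digests of known-bad attachment
# bodies. BAD_BODY is an invented marker string constructed for this example.
BAD_BODY = b"CONSTRUCTED-MALICIOUS-ATTACHMENT-BODY"
THREAT_SIGNATURES = {hashlib.sha256(BAD_BODY).hexdigest()}


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Elements:
    """Session context 2082 plus the e-mail elements 2076E-2076H, if any."""
    src_ip: str
    protocol: str
    mail_from: Optional[str] = None
    mail_to: Optional[str] = None
    subject: Optional[str] = None
    attachment: Optional[bytes] = None


@dataclass
class Filter:
    """Dynamically produced filter 2070 / output ACL entry: same source IP or From:."""
    src_ip: str
    mail_from: Optional[str]

    def matches(self, e: Elements) -> bool:
        return e.src_ip == self.src_ip or (
            self.mail_from is not None and e.mail_from == self.mail_from)


def parse(pkt: Packet) -> Elements:
    """Initial parse: classify the session by port, then extract the mail elements."""
    proto = {25: "SMTP", 80: "HTTP"}.get(pkt.dst_port, "other")
    e = Elements(pkt.src_ip, proto)
    if proto != "SMTP":
        return e
    head, _, body = pkt.payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    e.mail_from = headers.get(b"from", b"").decode() or None
    e.mail_to = headers.get(b"to", b"").decode() or None
    e.subject = headers.get(b"subject", b"").decode() or None
    boundary = re.search(rb'boundary="([^"]+)"', headers.get(b"content-type", b""))
    if boundary is None:
        return e
    for part in body.split(b"--" + boundary.group(1)):
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        if b"content-disposition: attachment" in part_head.lower():
            e.attachment = part_body.strip(b"\r\n")
    return e


def inspect(pkt: Packet, filters: List[Filter]) -> Tuple[str, int]:
    """Returns (verdict, bytes compared against signatures). Only the attachment
    element is ever compared; headers and non-mail payloads are never scanned."""
    e = parse(pkt)
    if any(f.matches(e) for f in filters):
        return "drop:filter", 0
    if e.attachment is None:
        return "forward", 0
    if hashlib.sha256(e.attachment).hexdigest() in THREAT_SIGNATURES:
        filters.append(Filter(e.src_ip, e.mail_from))   # counter-measure: new ACL entry
        return "drop:signature", len(e.attachment)
    return "forward", len(e.attachment)


def smtp_message(sender: bytes, recipient: bytes, attachment: bytes) -> bytes:
    """Constructed MIME message with one attachment part (sample input only)."""
    return (b"From: " + sender + b"\r\nTo: " + recipient + b"\r\nSubject: invoice\r\n"
            b'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
            b"--B1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
            b"--B1\r\nContent-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\n'
            + attachment + b"\r\n--B1--\r\n")


STREAM = [   # constructed sample stream 2022
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.7", 25, smtp_message(b"mallory@example.test", b"alice@example.test", BAD_BODY)),
    Packet("10.0.0.7", 25, smtp_message(b"mallory@example.test", b"bob@example.test", b"harmless")),
    Packet("10.0.0.9", 25, smtp_message(b"carol@example.test", b"alice@example.test", b"harmless")),
]


def run(stream: List[Packet]) -> List[Tuple[str, int]]:
    filters: List[Filter] = []
    return [inspect(p, filters) for p in stream]
```

The second packet's attachment matches a signature and produces the filter; the third packet from the same source is dropped by that filter without any signature work, and the HTTP packet is never compared at all.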
Reconfigurable semantic processor (RSP)
Figure 36 shows a block diagram of a reconfigurable semantic processor (RSP) 2100 used in one embodiment that implements the IDS 2018 described above. RSP 2100 includes: input buffer 2140, which buffers the packet data stream received through input port 2120; and output buffer 2150, which buffers the packet data stream output through output port 2152.
Direct execution parser (DXP) 2180 controls the processing of packets or frames received at input buffer 2140 (for example, the input "stream"), output to output buffer 2150 (for example, the output "stream"), and recirculated in recirculation buffer 2160 (for example, the recirculation "stream"). Input buffer 2140, output buffer 2150 and recirculation buffer 2160 are preferably first-in first-out (FIFO) buffers. DXP 2180 also controls the processing of packets by semantic processing unit (SPU) 2200, which handles data transfers between buffers 2140, 2150 and 2160 and memory subsystem 2215. Memory subsystem 2215 stores the packets received from input port 2120, and stores the threat signatures 2058 (Figure 35) used to identify threats in the input data stream.
RSP 2100 uses at least three tables to perform a given IDS operation. Codes 2178 for retrieving production rules 2176 are stored in parser table (PT) 2170. Grammatical production rules 2176 are stored in production rule table (PRT) 2190. The code segments executed by SPU 2200 are stored in semantic code table (SCT) 2210. Codes 2178 in parser table 2170 are stored, for example, in row-column format or in content-addressable format. In the row-column format, the rows of parser table 2170 are indexed by non-terminal codes NT 2172 provided by internal parser stack 2185. The columns of parser table 2170 are indexed by input data values DI[N] 2174 extracted from the head of input buffer 2140. In the content-addressable format, the concatenation of non-terminal code 2172 from parser stack 2185 and input data value 2174 from input buffer 2140 provides the input to parser table 2170.
Production rule table 2190 is indexed by codes 2178 from parser table 2170. Tables 2170 and 2190 can be linked as shown in Figure 36, so that a query to parser table 2170 directly returns the production rule 2176 applicable to non-terminal code 2172 and input data value 2174. DXP 2180 replaces the non-terminal code at the top of parser stack 2185 with the production rule (PR) 2176 returned from PRT 2190, and continues parsing the data from input buffer 2140.
Semantic code table 2210 is also indexed according to codes 2178 produced by parser table 2170 and/or according to production rules 2176 produced by production rule table 2190. Generally, the parsing result allows DXP 2180 to determine, for a given production rule 2176, whether a code segment 2212 from semantic code table 2210 should be loaded and executed by SPU 2200.
SPU 2200 has several access paths to memory subsystem 2215, which provides a structured memory interface addressable by contextual symbols. Memory subsystem 2215, parser table 2170, production rule table 2190 and semantic code table 2210 can use on-chip memory, external memory devices such as synchronous dynamic random access memory (DRAM) and content-addressable memory (CAM), or a combination of these resources. Each table or context may merely provide a contextual interface to a shared physical memory space together with one or more of the other tables or contexts.
Maintenance central processing unit (MCPU) 2056 is connected between SPU 2200 and memory subsystem 2215. MCPU 2056 performs any desired function of RSP 2100 that can reasonably be accomplished with conventional software. These functions are usually infrequent, non-time-critical functions that do not warrant inclusion in SCT 2210 owing to their complexity. Alternatively, MCPU 2056 also has the ability to request SPU 2200 to perform tasks on behalf of the MCPU. In one embodiment, MCPU 2056 assists in producing an access control list (ACL) table that SPU 2200 uses to filter viruses from the input packet stream.
Memory subsystem 2215 includes array machine-context data memory (AMCD) 2230, which is used to access data in DRAM 2280 through hash function or content-addressable memory (CAM) lookups. Cryptographic function block 2240 encrypts, decrypts or authenticates data, and context control block cache 2250 caches context control blocks to and from DRAM 2280. General-purpose cache 2260 caches data used for basic operations, and streaming cache 2270 caches data streams as they are written to or read from DRAM 2280. Context control block cache 2250 is preferably a software-controlled cache, that is, SPU 2200 determines when to use and release cache lines. Each of circuits 2240, 2250, 2260 and 2270 is connected between DRAM 2280 and SPU 2200. TCAM 2220 is connected between AMCD 2230 and MCPU 2056.
Detailed design optimizations of the functional blocks of RSP 2100 are not within the scope of the invention. For embodiments of the detailed structure of the semantic processor functional blocks, the reader can refer to co-pending application 10/351,030, entitled "Reconfigurable Semantic Processor", filed January 24, 2003, which is incorporated herein by reference.
Utilize the intrusion detection of RSP
Can understand the function of RSP2100 in the intrusion detection context better in conjunction with specific embodiments.In embodiment described below, RSP2100 removes virus or other rogue softwares in the email message.The notion that those skilled in the art will appreciate that description is applied to detect the rogue software of the virus or the other types of any kind easily, and the intrusion detection of carrying out any kind for any data stream of utilizing any communication protocol transmission.
Initial intrusion detection operation comprises the grammer of analyzing and detecting input traffic, and this operation makes an explanation with reference to Figure 37 and 38.Then with reference to Figure 37, the code relevant with a lot of different grammers can be present in analytical table 2170 and the generation rule table 2190 simultaneously.For example, code 2300 is relevant with MAC packet header format analysis, and code 2302 is with relevant in the processing of IP bag, and another group code 2304 is relevant with the processing of TCP bag, or the like.Other codes 2306 in the analytical table 2170 are relevant with the above intrusion detection of describing in Figure 32 A-35 2018, and in this embodiment, especially discerned Simple Mail Transfer protocol (AMTP) bag in the data stream 2022 (Figure 35).
PR code 2178 is used for visiting the corresponding generation rule 2176 that is stored in generation rule table 2190.Remove the nonspecific embodiment needs of searching, otherwise (for example do not need input value 2308, in conjunction with current input value DI[n] 2170 non-termination (NT) symbol 2172, wherein n is to be the selection match width of unit with the byte) with any specific order assignment in PR table 2170.
In one embodiment, analytical table 2170 also comprises addressing device 2310, and it receives NT symbol 2172 and data value DI[n from DXP2180] 2174.Addressing device 2310 is NT symbol 2172 and data value DI[n] 2174 and put, and will and value of putting (concatenated value) 2308 be applied to analytical table 2170.Although regard the structure of generation rule table 2170 as for each unique combination of NT code 2172 and data value 2174 the matrix with a PR code 2178, conceptive normally useful, the present invention is not limited to this.Dissimilar storeies goes for different application with memory construction.
In one embodiment, analytical table 2170 realizes that as Content Addressable Memory (CAM) wherein addressing device 2310 uses NT code 2172 and input data values DI[n] 2174 keys as CAM, search PR code 2178.Preferably, CAM be the ternary CAM that constitutes by the TCAM entry (Ternary CAM, TCAM).Each TCAM entry comprises NT code 2312 and DI[n] matching value 2314.Each NT code 2312 can have a plurality of TCAM entries.
Can be with every DI[n] matching value 2314 is set to " 0 ", " 1 " or " X " (expression " haveing nothing to do ").This ability allows PR code 2178 to require only DI[n] some position/bytes match coding mode of 2174, so that analytical table 2179 finds coupling.
For example, the TCAM of delegation can comprise the NT code NT_SMTP 2312A of SMTP bag, then is extra byte 2314A, and its representative is present in the particular type of content in the SMTP bag, for example label of e-mail attachment.The remainder bytes that TCAM is capable is set to " haveing nothing to do ".Therefore, as the byte DI[n of NT_SMTP 2312A and some quantity] when being submitted to analytical table 2170, DI[n wherein] first group of byte comprise accessory identifier, no matter DI[n] remainder bytes in what comprises, coupling all will take place.
As explained above like that, the TCAM in the analytical table 2170 produces and coupling NT 2172 and DI[n] 2174 the corresponding PR code of TCAM entry 2178A.In this embodiment, PR code 2178A is surrounded by related with the SMTP that comprises email message.PR code 2178A can be sent out back DXP 2180, directly arrives PR table 2190, perhaps can.In one embodiment, PR code 2178A is the line index that produces the TCAM entry of coupling.
Figure 38 shows one possible embodiment of production rule table 2190. In this embodiment, addressing device 2320 receives PR code 2178 from DXP 2180 or parser table 2170, and receives NT symbol 2172 from DXP 2180. Preferably, the received NT symbol 2172 is the same NT symbol 2172 that was sent to parser table 2170, where it was used to locate the received PR code 2178.
Addressing device 2320 uses the received PR code 2178 and NT symbol 2172 to access the corresponding production rule 2176. In some embodiments addressing device 2320 is optional; when used, it may be part of DXP 2180, part of PRT 2190, or an intermediate functional block. The addressing device is not needed if, for example, parser table 2170 or DXP 2180 constructs the address directly.
Production rules 2176 stored in production rule table 2190 contain three data segments: a symbol segment 2177A, an SPU entry point (SEP) segment 2177B and a skip-bytes segment 2177C. These segments may be fixed or variable length and are preferably null-terminated. Symbol segment 2177A contains the terminal and/or non-terminal symbols to be pushed onto parser stack 2185 (Fig. 2A) of the DXP. SEP segment 2177B contains the SPU entry points (SEPs) that SPU 2200 uses to process segments of data. Skip-bytes segment 2177C contains a skip-bytes value that input buffer 2140 uses to increment its buffer pointer and advance processing of the input stream. Other information used to process the production rule may also be stored as part of production rule 2176.
In this embodiment, the one or more production rules 2176A indexed by production rule code 2178A correspond to the SMTP packet identified in input buffer 2140. SEP segment 2177B points to SPU code 2212 in semantic code table 2210 of Figure 36 which, when executed by SPU 2200, carries out the ACL check 2050, session lookup 2052 and token generation 2054 operations described above in Figure 35. In one embodiment SPU 2200 comprises a cluster of semantic processing elements that can run in parallel, so SEP segment 2177B in production rule 2176A can start one or more SPUs 2200 to perform ACL check 2050, session lookup 2052 and token generation 2054 concurrently.
As mentioned above, parser table 2170 may also contain grammar for handling other types of data unrelated to SMTP packets. For example, IP grammar 2302 contained in parser table 2170 may include a production rule code 2178 associated with the NT_IP destination address identified in input buffer 2140.
The match data value 2314 in production rule code entry 2302 may contain the destination IP address of the network processing device in which RSP 2100 resides. If the input data DI[n] 2174 associated with NT_IP code 2172 does not carry the destination address contained in match value 2314 of PR code 2302, a default production rule code 2178 can be supplied to production rule table 2190. The default production rule code 2178 can point to a production rule 2176 in production rule table 2190 that directs DXP 2180 and/or SPU 2200 to discard the packet from input buffer 2140.
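The parser-table lookup described above, as an added illustration rather than code from the patent: TCAM rows hold an NT code plus match bytes whose bits may be 0, 1 or X (don't care), the row index of the first match is the PR code, and the PR code selects a production rule with the three segments described (symbols to push, SEPs, skip bytes). The NT codes, the attachment label, the device address, the DEFAULT_PR convention and the SEP names are assumptions made for the demonstration.

```python
"""Ternary (TCAM) parser-table lookup and production-rule fetch.

Added example modelled on parser table 2170 and production rule table 2190;
it is not code from the patent. A row stores a non-terminal (NT) code and match
bytes whose bits may be 0, 1 or X (don't care). The lookup key is the current NT
symbol plus the next DI[n] input bytes; the index of the first matching row is
the production-rule (PR) code. NT codes, the attachment label, the device
address, DEFAULT_PR and the SEP names are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Tuple

DI_WIDTH = 32                      # DI[n] bytes presented per lookup (assumed)
NT_SMTP = 0x01                     # stands in for NT_SMTP 2312A
NT_IP = 0x02                       # stands in for the NT_IP code of IP grammar 2302
DEFAULT_PR = 0xFFFF                # PR code when no row matches (assumed convention)
DEVICE_IP = bytes([10, 0, 0, 5])   # constructed address of the network device


@dataclass(frozen=True)
class TcamRow:
    nt: int
    value: bytes       # expected bits of the DI[n] bytes
    mask: bytes        # 1 = compare this bit, 0 = don't care ("X")


def make_row(nt: int, value: bytes, mask: bytes = b"") -> TcamRow:
    """Build a row; bytes not given become don't care, like the X bytes in the text."""
    if not mask:
        mask = b"\xff" * len(value)
    assert len(value) == len(mask) <= DI_WIDTH
    pad = DI_WIDTH - len(value)
    return TcamRow(nt, value + b"\x00" * pad, mask + b"\x00" * pad)


def tcam_lookup(table: List[TcamRow], nt: int, di: bytes) -> int:
    """Return the PR code (row index) of the first matching row, else DEFAULT_PR."""
    key = di[:DI_WIDTH].ljust(DI_WIDTH, b"\x00")
    for index, row in enumerate(table):
        if row.nt != nt:
            continue
        # A row matches when every bit selected by its mask agrees with the key.
        if all(((k ^ v) & m) == 0 for k, v, m in zip(key, row.value, row.mask)):
            return index
    return DEFAULT_PR


@dataclass(frozen=True)
class ProductionRule:
    """The three segments of production rule 2176."""
    push_symbols: Tuple[str, ...]   # symbol segment 2177A
    seps: Tuple[str, ...]           # SEP segment 2177B (assumed entry-point names)
    skip_bytes: int                 # skip-bytes segment 2177C


PARSER_TABLE = [
    # Row 0: SMTP packet whose next bytes carry an attachment label; the rest is X.
    make_row(NT_SMTP, b"Content-Disposition: attachment"),
    # Row 1: IP packet whose destination address is this device's own address.
    make_row(NT_IP, DEVICE_IP),
]

PR_TABLE = {
    0: ProductionRule(("NT_MIME_BODY",),
                      ("sep_acl_check", "sep_session_lookup", "sep_token_gen"), 31),
    1: ProductionRule(("NT_IP_PAYLOAD",), (), 4),
    # Default rule reached when the destination address is not ours: drop the packet.
    DEFAULT_PR: ProductionRule((), ("sep_drop_packet",), 0),
}


def parse_step(nt: int, di: bytes) -> ProductionRule:
    """One DXP step: TCAM lookup, then the fetch addressing device 2320 would perform."""
    return PR_TABLE[tcam_lookup(PARSER_TABLE, nt, di)]
```

The SMTP row compares only its first 31 bytes, so any attachment header that follows them matches; the IP row compares only four bytes, so the padding of the key does not matter.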
Semantic Processing Unit (SPU)
As described above, DXP 2180 identifies particular syntactic elements in the input stream, for example the IP session, the TCP session and, in this example, the SMTP e-mail session. These parsing operations are important to the overall performance of IDS 2018. Because DXP 2180 identifies the actual grammar of the input stream, the subsequent IDS operations described above in Figure 35 can now be carried out more efficiently by SPU 2200.
For example, SPU 2200 may only need to apply the ACL filters relevant to e-mail messages to the parsed data stream. This offers several advantages. First, every byte of every packet need not be compared with every threat signature 2058 in Figure 35. Instead, only the subset of threat signatures relevant to e-mail messages is applied to SMTP packets. This fundamentally improves the scalability of IDS 2018 and allows IDS 2018 to detect more viruses and malware while operating at higher packet rates.
Figure 39 describes in more detail the ACL check operation 2050 and output ACL operation 2062 previously described in Figure 35. In functional block 2400, DXP 2180 signals SPU 2200 to load the appropriate microinstructions from SCT 2210 for carrying out the ACL check operation 2050 and output ACL operation 2062 described in Figure 35. As described above in Figure 38, DXP 2180 signals SPU 2200 by way of the SPU entry point (SEP) segment 2177B contained in production rule 2176A.
According to the SPU code 2212 (Figure 36) fetched from SCT 2210 in response to SEP segment 2177B, in functional block 2402 SPU 2200 obtains certain syntactic elements identified in the input data stream by DXP 2180. For example, DXP 2180 may identify 5-tuple syntactic elements comprising the IP source address, IP destination address, destination port number, source port number and protocol type. Of course this is only one embodiment, and other syntactic elements in data stream 2022 (Figure 35) may also be identified by DXP 2180.
In functional block 2404, SPU 2200 compares the syntactic elements identified by DXP 2180 with a group of preconfigured access control list (ACL) filters contained in TCAM 2220. For example, the preconfigured ACL filters in TCAM 2220 may include IP addresses associated with known threats. In one embodiment SPU 2200 compares the syntactic elements of the packet in input buffer 2140 with the preconfigured filters in TCAM 2220 by sending the syntactic elements, such as the packet's IP address, to TCAM 2220 through AMCD 2230. The IP address then serves as the address into TCAM 2220, and TCAM 2220 returns the result to SPU 2200 through AMCD 2230.
In functional block 2406, SPU 2200 examines the result from TCAM 2220. The output of TCAM 2220 may indicate a drop packet, a store packet, or a possible IP security (IPsec) packet. For example, when the IP address of a packet supplied from input buffer 2140 matches one of the preconfigured filter entries in TCAM 2220, TCAM 2220 may generate a drop packet flag. When the IP address in input data stream 2022 does not match any entry in TCAM 2220, a store packet flag is output. TCAM 2220 may also contain entries corresponding to encrypted IPsec packets; if the IP address matches one of the IPsec entries, TCAM 2220 outputs an IPsec flag.
In functional block 2408, SPU 2200 drops any packet in PIB 2140 that produced a drop packet flag in TCAM 2220. SPU 2200 can drop a packet simply by instructing input buffer 2140 to skip to the next packet. If a store packet flag is output from TCAM 2220, in functional block 2410 SPU 2200 stores the packet from input buffer 2140 in DRAM 2280. DRAM 2280 operates as delay FIFO 2030 as described in Figures 34 and 35. If an IPsec flag is output by TCAM 2220, SPU 2200 can send the packet in input buffer 2140 through crypto block 2240 in memory subsystem 2215. The decrypted packet can then be sent back to recirculation buffer 2160 in Figure 36, and the ACL check operation described above is repeated on it.
While the packets are stored in DRAM 2280 (delay FIFO 2030 in Figure 35), MCPU 2056 (countermeasure agent 2056 in Figure 35) dynamically generates ACL filters 2070 corresponding to the tokens 2068 extracted from the input data stream; this is explained in more detail in Figure 41. In functional block 2412, SPU 2200 compares the packets stored in DRAM 2280 with the dynamically generated ACL filters 2070 (Figure 35) now stored in TCAM 2220. For example, SPU 2200 may use the same 5-tuple of the packet identified in functional block 2402.
SPU 2200 applies the packet's 5-tuple to the dynamically generated filters 2070 in TCAM 2220. In functional block 2414, SPU 2200 then deletes from DRAM 2280 any packet that produces a drop packet flag result from TCAM 2220. After a predetermined fixed delay period, in functional block 2416, SPU 2200 outputs the remaining packets to output port 2152.
It should be understood that TCAM 2220 may contain other preconfigured filters. For example, TCAM 2220 may contain filters associated with different protocols or with data contained in the packets. DXP 2180 identifies to SPU 2200 the syntactic elements that need to be applied to the filters in TCAM 2220.
Within the fixed delay provided by the delay FIFO it may be impossible to determine whether a packet carries a virus or malware. For example, a virus may sit at the end of a very large multi-megabyte message. In this case IDS 2018 can generate a virus notification message addressed to the same recipient as the packets containing the virus. The virus notification message tells the recipient to discard the packets containing the virus.
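The ACL check and output ACL sequence of Figure 39 as an added example, not code from the patent: the 5-tuple named in the text is pulled from raw IPv4/TCP bytes, applied to static filter entries standing in for TCAM 2220 to obtain a drop, store or IPsec flag, stored packets wait in a delay FIFO, and before release they are re-checked against dynamically generated filters. The filter entries, the addresses and the packets are constructed; IPsec packets are only flagged here, not decrypted.

```python
"""ACL check (block 2050) and output ACL (block 2062) over a packet's 5-tuple.

Added example modelled on Figure 39; it is not code from the patent. The filter
entries, addresses and packets are constructed for the demonstration, and
checksums are not computed.
"""
import ipaddress
import struct
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

DROP, STORE, IPSEC = "drop", "store", "ipsec"
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
FiveTuple = Tuple[str, str, int, int, int]   # (src, dst, dport, sport, proto)


def build_packet(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed IPv4 packet with a minimal, zero-filled transport header."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16      # 20-byte TCP header
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)            # 8-byte UDP header
    else:
        l4 = b"\x00" * 8                                        # e.g. ESP: SPI + sequence
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4


def five_tuple(packet: bytes) -> FiveTuple:
    """Block 2402: the syntactic elements DXP 2180 hands to the SPU."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport = dport = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (src, dst, dport, sport, proto)


@dataclass(frozen=True)
class AclEntry:
    """One filter row; a None field is a don't-care, like an X in the TCAM."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[int] = None
    action: str = DROP

    def matches(self, t: FiveTuple) -> bool:
        src, dst, dport, _sport, proto = t
        return all(want is None or want == got for want, got in
                   ((self.src, src), (self.dst, dst), (self.dport, dport), (self.proto, proto)))


def acl_check(entries: List[AclEntry], t: FiveTuple) -> str:
    """Blocks 2404-2406: the first matching entry sets the flag; no match means STORE."""
    for entry in entries:
        if entry.matches(t):
            return entry.action
    return STORE


class DelayFifo:
    """Stand-in for delay FIFO 2030 in DRAM 2280: packets wait a fixed number of ticks."""

    def __init__(self, delay: int) -> None:
        self.delay = delay
        self.queue: Deque[Tuple[int, bytes]] = deque()

    def push(self, tick: int, packet: bytes) -> None:
        self.queue.append((tick, packet))

    def release(self, now: int, dynamic_acl: List[AclEntry]) -> List[bytes]:
        """Blocks 2412-2416: drop queued packets hit by dynamic filters, release the rest."""
        out: List[bytes] = []
        while self.queue and now - self.queue[0][0] >= self.delay:
            _, packet = self.queue.popleft()
            if acl_check(dynamic_acl, five_tuple(packet)) != DROP:
                out.append(packet)
        return out


STATIC_ACL = [
    AclEntry(src="198.51.100.7", action=DROP),    # constructed "known threat" address
    AclEntry(proto=IPPROTO_ESP, action=IPSEC),     # encrypted traffic: decrypt, then re-check
]


def process(packets: List[bytes], static_acl: List[AclEntry], dynamic_acl: List[AclEntry],
            delay: int = 2) -> Tuple[List[str], List[bytes]]:
    """Run blocks 2400-2416 over a packet sequence; returns per-packet flags and egress."""
    fifo = DelayFifo(delay)
    flags: List[str] = []
    for tick, packet in enumerate(packets):
        flag = acl_check(static_acl, five_tuple(packet))
        flags.append(flag)
        if flag == STORE:
            fifo.push(tick, packet)
        # DROP: the input buffer simply skips to the next packet.
        # IPSEC: the packet would pass through the crypto block and be recirculated.
    return flags, fifo.release(len(packets) + delay, dynamic_acl)
```

A packet that matches no static entry is stored rather than forwarded, which is what gives the countermeasure agent time to turn tokens into the dynamic filters applied at release.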
Figure 40 explains the operations performed by SPU 2200 during the session lookup operation 2052 previously described in Figure 35. In functional block 2430, DXP 2180 signals SPU 2200, by sending the relevant SEP segment 2177B as described above in Figure 38, to load the appropriate microinstructions from SCT 2210 for carrying out the session lookup operation.
In one embodiment, in functional block 2432, SPU 2200 receives the source and destination addresses and port numbers of the incoming packet from DXP 2180. SPU 2200 then compares the addresses and port numbers with the current session information for the packets held in DRAM 2280. For some IP sessions, in functional block 2434, SPU 2200 may reorder fragmented packets within the delay FIFO 2030 operating in DRAM 2280. In functional block 2438, SPU 2200 may also drop any packets in input buffer 2140 that are duplicates of packets previously received for an existing IP session.
Figure 41 describes the token generation operation 2054 previously described in Figure 35. In functional block 2450, DXP 2180 parses the data in the input stream as described above in Figures 36-38. In functional block 2452, DXP 2180 identifies syntactic elements in the data stream in input buffer 2140 that may be associated with a virus or malware. In the embodiment above this includes DXP 2180 identifying packets that contain e-mail messages. However, the syntactic elements identified by DXP 2180 can be anything, including the identification of an IP address, IP traffic containing particular source and destination addresses, the traffic rate of a particular data stream, and so on.
In functional block 2454, DXP 2180 signals SPU 2200 to load the microinstructions from SCT 2210 associated with a particular token generation operation. More specifically, the microinstructions identified by SEP segment 2177B in Figure 38 direct SPU 2200 to generate tokens for the particular syntactic elements identified by DXP 2180.
In functional block 2456, SPU 2200 then generates tokens 2068 (Figure 35) from the identified syntactic elements. For example, SPU code 2212 (Figure 36) may direct SPU 2200 to extract syntactic elements located in the identified e-mail message. SPU 2200 may generate tokens containing the information in the "From:", "To:" and "Subject:" fields of the packet. SPU 2200 may also extract any e-mail attachment present in the data stream and generate a token for it. For example, SPU 2200 may generate the TLV token #1 previously described in Figure 35.
Token #1
Type: SMTP/MIME attachment (a method of transmitting a file in an e-mail message)
Length: number of bytes in the file
Value: the file itself
It should also be understood that DXP 2180 can identify many different types of syntactic elements associated with threats. DXP 2180 can initiate different SPU code 2212 (Figure 36) for different syntactic elements. For example, as mentioned above, DXP 2180 can also identify syntactic elements corresponding to an HTML message. DXP 2180 sends an SEP segment 2177B directing SPU 2200 to generate an HTML token similar to the one shown below:
Token #2
Type: HTML binary (a method of transmitting a file in a web page)
Length: number of bytes in the file
Value: the file itself
In functional block 2457, SPU 2200 formats the tokens for convenient application to threat signatures 2058 in Figure 35. For example, the SPU formats the tokens as type, length and value (TLV) data. In functional block 2458, the SPU then sends the formatted tokens to MCPU 2056 in Figure 36, or to the external threat/virus analysis and ACL countermeasure agent 2056 described above in Figure 35.
In one embodiment, MCPU 2056 applies tokens 2068 to the threat signatures 2058 contained in TCAM 2220, and TCAM 2220 produces a set of dynamically generated ACL filters 2070. SPU 2200, in the output ACL operation 2062 described above in Figure 39, then applies the dynamically generated ACL filters 2070 in TCAM 2220 to the packets stored in the DRAM 2280 delay FIFO. Any packet in the delay FIFO that matches an ACL filter 2070 is deleted.
In this embodiment TCAM 2220 contains multiple tables, including a threat signature table and an ACL filter table. The threat signature table in TCAM 2220 is accessed by MCPU 2056, and the ACL filters in TCAM 2220 are accessed by SPU 2200 through AMCD 2230.
In an alternative embodiment, the external threat analysis device runs on a chip separate from RSP 2100. In this embodiment a separate TCAM may contain the threat signatures. SPU 2200 sends tokens 2068 to the external threat analysis device, which then outputs the dynamically generated ACL filters 2070 to MCPU 2056. MCPU 2056 then writes the dynamically generated ACL filters 2070 into TCAM 2220. SPU 2200 then accesses the ACL filters in TCAM 2220 for the ACL check operation 2050 and output ACL operation 2062 described in Figure 35.
The actual generation of ACL filters 2070 is known to those skilled in the art and is therefore not described further. However, an intrusion detection system that dynamically generates ACL filters from tokens associated with syntactic elements identified in the data stream is not believed to have existed before.
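Token generation for an SMTP message, as an added example rather than code from the patent: the From:, To: and Subject: fields and each MIME attachment are extracted from a message that DXP 2180 has already identified as SMTP, every item is formatted as a type-length-value token of the kind the text describes (the attachment token carrying the file bytes), and a content-hash signature table stands in for the threat signatures the countermeasure agent applies the tokens to. The message, the type codes and the signature table are constructed.

```python
"""Token generation (block 2054) from an SMTP/MIME message, formatted as TLV.

Added example, not code from the patent. The type codes, the sample message and
the signature table are constructed for the demonstration.
"""
import base64
import hashlib
import struct
from email import message_from_bytes, policy
from typing import Dict, List, Tuple

# Token type codes are assumed; the text names only the types.
T_FROM, T_TO, T_SUBJECT, T_MIME_ATTACHMENT = 1, 2, 3, 4
Token = Tuple[int, bytes]           # (type, value); the TLV length is len(value)


def make_tokens(raw_message: bytes) -> List[Token]:
    """Block 2456: tokens for the header fields and for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    tokens: List[Token] = []
    for code, header in ((T_FROM, "From"), (T_TO, "To"), (T_SUBJECT, "Subject")):
        value = msg.get(header)
        if value is not None:
            tokens.append((code, str(value).encode("utf-8")))
    for part in msg.walk():
        # Attachments are the MIME parts a virus normally rides in, per the text.
        if part.get_filename() or part.get_content_disposition() == "attachment":
            tokens.append((T_MIME_ATTACHMENT, part.get_payload(decode=True) or b""))
    return tokens


def encode_tlv(tokens: List[Token]) -> bytes:
    """Block 2457: one byte of type, four bytes of length, then the value."""
    return b"".join(struct.pack("!BI", t, len(v)) + v for t, v in tokens)


def decode_tlv(blob: bytes) -> List[Token]:
    """Inverse of encode_tlv, as the receiving agent would unpack it."""
    tokens: List[Token] = []
    offset = 0
    while offset < len(blob):
        t, n = struct.unpack_from("!BI", blob, offset)
        offset += 5
        tokens.append((t, blob[offset:offset + n]))
        offset += n
    return tokens


def match_signatures(tokens: List[Token], signatures: Dict[str, str]) -> List[str]:
    """Apply attachment tokens to a content-hash signature table; returns the names hit."""
    hits: List[str] = []
    for t, v in tokens:
        if t == T_MIME_ATTACHMENT:
            name = signatures.get(hashlib.sha256(v).hexdigest())
            if name:
                hits.append(name)
    return hits


# Constructed message: three header fields, a text body and one binary attachment.
ATTACHMENT_BYTES = b"MZ" + b"\x00" * 6      # stand-in for an executable attachment
SAMPLE_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: quarterly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="frontier"\r\n'
    b"\r\n"
    b"--frontier\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Report attached.\r\n"
    b"--frontier\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(ATTACHMENT_BYTES) + b"\r\n"
    + b"--frontier--\r\n"
)
# Constructed signature table keyed by the SHA-256 of attachment content.
SIGNATURES = {hashlib.sha256(ATTACHMENT_BYTES).hexdigest(): "Constructed.Test.Dropper"}
```

Only the attachment token is hashed and compared; the header tokens are kept for the correlation a central detector performs, so the body text itself is never scanned byte by byte.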
Intrusion detection in fragmented packets
Text scanners currently exist that search network messages for known patterns. To avoid false detections, pattern-matching techniques, usually expressed as regular expressions, are used to match long sequences of text. However, these techniques require the bytes to be contiguous, or require the threat scanner to maintain extended context memory.
For example, a virus script may be contained in a single long line as shown below:
For all files in:
C:\;{open(xxx);delete(xxx);close(xxx);}end.
The virus scanner therefore has to look for the entire text string:
s/ *open( *);delete( *);close( *) */
But an attacker may spread the virus across multiple packet fragments as follows:
IP frag#1: For all files in c:\;{open(xxx);
IP frag#2: delete(xxx);close(xxx);}end;
A conventional virus scanner may not detect a virus divided across fragmented IP packets as above. The TCP/IP protocol stack eventually reassembles the fragmented message, by which time the virus has already entered the private network. RSP 2100 detects and reassembles fragmented packets before performing the intrusion detection operations described above, which allows the IDS to detect viruses that span multiple packet fragments.
Figure 42A contains a flow diagram 2500 illustrating how RSP 2100 of Figure 36 detects viruses in fragmented packets. Referring to Figures 36 and 42A, in functional block 2502 a packet is received at input buffer 2140 through input port 2120. In functional block 250, DXP 2180 begins parsing the header of the packet in input buffer 2140. When the packet is determined to be an IP fragment, DXP 2180 stops parsing the header of the received packet. Preferably, DXP 2180 fully parses the IP header but stops parsing any headers belonging to subsequent layers (for example TCP, UDP, iSCSI, etc.). DXP 2180 stops parsing when directed to by the grammar on parser stack 2185 or by SPU 2200.
In the next functional block 2520, DXP 2180 signals SPU 2200 to load the appropriate microinstructions from SCT 2210 and to read the fragmented packet from input buffer 2140. In the next functional block 2530, SPU 2200 writes the fragmented packet to DRAM 2280 through streaming cache 2270. Although functional blocks 2520 and 2530 are shown as two separate steps, they may alternatively be performed as a single step in which SPU 2200 reads and writes the packet concurrently. Concurrent reading and writing by SPU 2200 is referred to as SPU pipelining, in which SPU 2200 serves as a conduit or pipeline for streaming data between two functional blocks in semantic processor 2100.
In the next decision block 2540, SPU 2200 determines whether a context control block (CCB) has been allocated for collecting and ordering the IP packet fragments. The CCB for collecting and ordering IP fragments is preferably stored in DRAM 2280. The CCB contains pointers to the IP fragments in DRAM 2280, a bit mask for the IP fragments that have not yet arrived, and a timer value that forces semantic processor 2100 to stop waiting for additional IP fragments after an assigned time period and to release the CCB data stored in DRAM 2280.
SPU 2200 preferably determines whether a CCB has been allocated by accessing the content-addressable memory (CAM) lookup function of AMCD 2230, using as the key the IP source address of the received IP fragment combined with the Identification and protocol fields of the received IP fragment header. Alternatively, the IP fragment keys are stored in a separate CCB table in DRAM 2280 and accessed with the CAM using the IP source address of the received IP fragment combined with the Identification and protocol fields of the received IP fragment header. This alternative addressing of the IP fragment keys avoids key overlap and sizing problems.
If SPU 2200 determines that no CCB has yet been allocated for collecting and ordering the fragments of the particular fragmented IP packet, execution proceeds to functional block 2550, where SPU 2200 allocates a CCB. SPU 2200 preferably enters an IP fragment key into the CCB table in AMCD 2230 according to the allocated CCB, the key comprising the IP source address of the received IP fragment and the Identification and protocol fields from the received IP fragment header, and starts the timer located in the CCB. When the first fragment of a given fragmented packet is received, the IP header is also stored in the CCB for later recirculation. For the other fragments, the IP header need not be stored.
Once a CCB has been allocated for collecting and ordering the IP fragments, in the next functional block 2560 SPU 2200 stores in the CCB a pointer to the IP fragment (minus its IP header) in DRAM 2280. The fragment pointers may be arranged in the CCB as, for example, a linked list. Preferably, SPU 2200 also updates the bit mask in the newly allocated CCB by marking the mask segments corresponding to the fragments received so far.
In the next decision block 2570, SPU 2200 determines whether all IP fragments of the packet have been received. Preferably this determination is made using the bit mask in the CCB. Those skilled in the art will recognise that there are many techniques for implementing a bit mask or an equivalent tracking mechanism for use with the present invention. If all IP fragments of the fragmented packet have not yet been received, semantic processor 2100 defers further processing of the fragmented packet until the other fragments are received.
After all IP fragments have been received, in the next functional block 2580 SPU 2200 reads the IP fragments from DRAM 2280 in the correct order and writes them to recirculation buffer 2160 for further parsing and processing, for example the intrusion detection processing described above. In one embodiment of the invention, SPU 2200 writes only a specialized header and the first part of the reassembled IP packet (with the fragment bit reset) to recirculation buffer 2160.
The specialized header lets DXP 2180 direct processing of the reassembled IP fragment packet stored in DRAM 2280 without transferring the entire IP fragment packet to recirculation buffer 2160. The specialized header may consist of an assigned non-terminal that loads a parser grammar comprising IDS operations 2018 and a pointer to the CCB. Parser 2180 then parses the IP header normally and continues to parse the higher-layer (for example TCP) headers. When DXP 2180 identifies in the reassembled packet in recirculation buffer 2160 a syntactic element that may contain a virus, it signals SPU 2200 to load instructions from SCT 2210 that perform the intrusion detection operations 2050, 2052 and 2054 described above. For example, if the reassembled packet is identified as containing an e-mail message, DXP 2180 directs SPU 2200 to generate tokens corresponding to the different e-mail message fields described above.
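The fragment handling of Figure 42A and the split-virus case above, as an added example that is not the patent's code: a CCB keyed by IP source address, Identification and protocol collects fragments, a bit mask of 8-byte blocks records what has arrived, a timer releases stale CCBs, and only the reassembled payload (fragment bits cleared in the header) is scanned, so the pattern the text gives is found even though neither fragment contains it. The fragments, addresses and timeout are constructed; the regular expression is an equivalent of the text's pattern; checksums are not set.

```python
"""Reassembling IP fragments in a context control block (CCB) before scanning.

Added example modelled on Figure 42A; it is not code from the patent. The
fragments, addresses and timeout are constructed for the demonstration and
header checksums are left zero.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Equivalent of the text's  s/ *open( *);delete( *);close( *) */  pattern.
VIRUS_SIGNATURE = re.compile(rb"open\([^)]*\);\s*delete\([^)]*\);\s*close\([^)]*\)")
CcbKey = Tuple[bytes, int, int]          # (source address, Identification, protocol)


@dataclass
class Ccb:
    ip_header: bytes                     # header of the first fragment seen, kept for recirculation
    pieces: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> fragment payload
    received_mask: int = 0               # bit i set once 8-byte block i has arrived
    total_length: Optional[int] = None   # known once the fragment with MF == 0 arrives
    deadline: int = 0                    # the CCB timer, in ticks


def make_fragment(src: bytes, dst: bytes, ident: int, offset: int, more: bool,
                  payload: bytes) -> bytes:
    """Constructed IPv4/TCP fragment; the offset must be a multiple of 8."""
    assert offset % 8 == 0
    frag_field = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                         64, 6, 0, src, dst)
    return header + payload


def parse_fragment(pkt: bytes) -> Tuple[CcbKey, bytes, int, bool, bytes]:
    """Split an IPv4 packet into CCB key, header, byte offset, MF flag and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, frag_field = struct.unpack("!HH", pkt[4:8])
    more = bool(frag_field & 0x2000)
    offset = (frag_field & 0x1FFF) * 8
    return (pkt[12:16], ident, pkt[9]), pkt[:ihl], offset, more, pkt[ihl:]


def rewrite_header(header: bytes, payload_len: int) -> bytes:
    """Header for the reassembled packet: total length fixed, fragment bits reset."""
    h = bytearray(header)
    struct.pack_into("!H", h, 2, len(h) + payload_len)
    struct.pack_into("!H", h, 6, 0)       # MF flag and fragment offset cleared
    struct.pack_into("!H", h, 10, 0)      # checksum left for the output path
    return bytes(h)


class Reassembler:
    def __init__(self, timeout_ticks: int = 30) -> None:
        self.timeout = timeout_ticks
        self.ccbs: Dict[CcbKey, Ccb] = {}

    def ingest(self, pkt: bytes, now: int) -> Optional[bytes]:
        """Blocks 2540-2580: return the reassembled packet when complete, else None."""
        key, header, offset, more, payload = parse_fragment(pkt)
        if not more and offset == 0:
            return pkt                                # not fragmented: nothing to collect
        ccb = self.ccbs.get(key)
        if ccb is None:                               # block 2550: allocate the CCB
            ccb = self.ccbs[key] = Ccb(ip_header=header, deadline=now + self.timeout)
        ccb.pieces[offset] = payload
        blocks = (len(payload) + 7) // 8
        ccb.received_mask |= ((1 << blocks) - 1) << (offset // 8)
        if not more:
            ccb.total_length = offset + len(payload)
        if ccb.total_length is None:
            return None
        wanted = (1 << ((ccb.total_length + 7) // 8)) - 1
        if ccb.received_mask != wanted:               # block 2570: fragments still missing
            return None
        body = b"".join(ccb.pieces[o] for o in sorted(ccb.pieces))
        del self.ccbs[key]
        return rewrite_header(ccb.ip_header, len(body)) + body

    def expire(self, now: int) -> int:
        """Release CCBs whose timer has run out; returns how many were freed."""
        stale = [k for k, c in self.ccbs.items() if c.deadline <= now]
        for k in stale:
            del self.ccbs[k]
        return len(stale)


def scan(payload: bytes) -> bool:
    """True when the virus signature occurs in the (reassembled) payload."""
    return VIRUS_SIGNATURE.search(payload) is not None


# Constructed fragments reproducing the split shown in the text.
SRC, DST = bytes([203, 0, 113, 9]), bytes([10, 0, 0, 5])
FRAG1 = b"For all files in c:\\;{open(xxx);"    # 32 bytes, so the second offset is 32
FRAG2 = b"delete(xxx);close(xxx);}end;"
```

Scanning each fragment alone misses the signature; the reassembler returns the datagram only once the mask covers every block up to the length learned from the last fragment, and the expired-CCB path bounds how long an attacker can keep the device waiting by withholding one fragment.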
Figure 42B contains a flow diagram showing how IDS 2018 performs intrusion operations across multiple TCP packets. In functional block 2592A, a transmission control protocol (TCP) session is established between an initiator and the network processing device hosting RSP 2100. RSP 2100 contains the appropriate grammar in parser table 2170 and PRT 2190, and the microcode in SCT 2210, for establishing the TCP session. In one embodiment one or more SPUs 2200 organize and maintain the state of the TCP session, including allocating a CCB in DRAM 2280 for TCP reordering, window size limits, and a timer that terminates the TCP session if no further TCP packets arrive from the initiator within an assigned time frame.
After the initiator has established the TCP session, in the next functional block 2592B RSP 2100 waits for a TCP packet corresponding to the TCP session established in functional block 2592A to arrive at input buffer 2140. Because RSP 2100 may have multiple SPUs 2200 for processing input data, RSP 2100 can receive and process multiple packets concurrently while waiting for the next TCP packet of the TCP session established in functional block 2592A.
In functional block 2592C, the TCP packet is received at input buffer 2140 through input port 2120, and DXP 2180 parses the TCP header of the packet in input buffer 2140. DXP 2180 sends microinstructions to an allocated SPU 2200 that, when executed, require the allocated SPU 2200 to read the received packet from input buffer 2140 and write it to DRAM 2280 through streaming cache 2270. The allocated SPU 2200 then locates the TCP CCB, stores in the TCP CCB a pointer to the location of the received packet in DRAM 2280, and restarts the timer in the TCP CCB. The allocated SPU 2200 is then released and may be assigned to other processing determined by DXP 2180.
In the next functional block 2592D, the received TCP packets are reordered if necessary to ensure correct ordering of the payload data. As is known in the art, a TCP packet is in the correct order if all preceding packets have arrived. When the received packet is determined to be in the correct order, the allocated SPU 2200 loads microinstructions from SCT 2210 to perform recirculation.
In the next functional block 2592E, the allocated SPU combines the TCP connection information from the TCP header with a TCP non-terminal symbol to produce a specialized TCP header. The allocated SPU 2200 then writes the specialized TCP header to recirculation buffer 2160. Alternatively, the specialized TCP header may be sent to recirculation buffer 2160 together with its corresponding TCP payload.
In the next functional block 2592F, the specialized TCP header and the reassembled TCP payload are parsed by DXP 2180 to identify additional syntactic elements in the TCP data. Any syntactic element identified as possibly containing an intrusion is processed by SPU 2200 according to the intrusion operations described above.
Distributed token generation
Figure 43 shows one embodiment of a distributed IDS system operating in network 2600. Network 2600 includes different network processing devices 2610 that perform different activities, for example firewall 2610A, e-mail server 2610B and web server 2610C. Each of the different network devices 2610A-C runs a respective IDS 2620A-C similar to IDS 2018 described above. In one embodiment, one or more of the IDSs 2620 are implemented with an RSP 2100 similar to the one described above in Figures 36-41. In other embodiments, however, one or more of the IDSs 2620 are implemented with other hardware architectures.
Each network processing device 2610 is connected to a central intrusion detector 2670 that performs central intrusion analysis. Each IDS 2620A-2620C analyzes its input data stream and generates tokens 2640A-C, respectively, similar to the tokens 2068 described above in Figure 35. Tokens 2640 are sent to central intrusion detector 2670.
Referring to Figures 43 and 44, in functional block 2802 central intrusion detector 2670 receives tokens 2640 from each IDS 2620. In functional block 2804, intrusion detector 2670 analyzes the traffic patterns of the different data streams according to tokens 2640. In functional block 2806 filters are then generated, and in functional block 2808 threat signatures may be generated, based on the analysis. Then, in functional block 2810, the new filters and threat signatures are distributed to each IDS 2620.
In one example, firewall 2610B in Figure 43 may generate a token 2640B identifying a new data stream received from public network 2630. Token 2640B, identifying the new source IP address A, is sent to central intrusion detector 2670. Web server 2610C may also send tokens 2640C to intrusion detector 2670. A first token 2640C_1 identifies the new source IP address A, and a second token 2640C_2 indicates that source IP address A has been used to access a file on web server 2610C.
Central intrusion detector 2670 correlates tokens 2640B, 2640C_1 and 2640C_2 to identify possible viruses or malware that might not otherwise be detected. For example, intrusion detector 2670 can determine that the new source IP address A received from firewall 2610B in token 2640B is the same IP address A that also opened a file on web server 2610C. In this embodiment it is assumed that external connections from public Internet 2630 do not open internal network files.
Because token 2640B was received from firewall 2610B, central intrusion detector 2670 concludes that IP address A was received from outside, from public Internet 2630. Central intrusion detector 2670 therefore sends a new filter 2750 to IDS 2620B in firewall 2610B, and possibly to the other network devices 2610A and 2610C, to prevent packets with source IP address A from entering network 2600.
In another example, IDS 2620A in e-mail server 2610A generates a token 2640A_1 identifying an e-mail received from the unknown source IP address A. IDS 2620A also sends a token 2640A_2 identifying a MIME attachment contained in the e-mail identified in token 2640A_1.
Based on the previously received tokens 2640B, 2640C_1 and 2640C_2, central intrusion detector 2670 determines that any data stream associated with IP source address A may contain a virus or malware. Central intrusion detector 2670 can therefore dynamically generate a new signature 2660 corresponding to the name and/or content of the MIME attachment contained in token 2640A_2. Central intrusion detector 2670 sends new signature 2660 to IDS 2620A in e-mail server 2610A, and possibly to each of the other IDSs 2620 operating in network 2600. IDS 2620A then adds the new threat signature to the threat signatures 2058 shown in Figure 35.
Thus, IDS system 2600 can generate filters and/or signatures according to the grammatical content of tokens 2640 and according to the type of network processing device 2610 that sent the token. For example, tokens 2640B generated by firewall 2610B can be treated with more suspicion than tokens generated by other network processing devices in the network. At the same time, as described above, knowledge of the new IP address identified by firewall 2610B (an IP packet received from the public Internet) can be correlated with knowledge of other operations detected by e-mail server 2610A or web server 2610C in order to detect viruses more thoroughly.
In other embodiments, central intrusion detector 2670 can disable any network processing device associated with a detected virus or other malware. For example, virus 2660 may be detected by IDS 2662 running on PC 2650. IDS 2662 notifies central intrusion detector 2670 of virus 2660. Central intrusion detector 2670 can then disconnect PC 2650 from the rest of network 2600 until the source of virus 2660 is identified and removed.
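The correlation performed by the central intrusion detector in Figures 43 and 44, as an added example that is not the patent's code: tokens arriving from each device's IDS are stored per source address and checked against the two rules the text describes, an address first seen by the firewall (hence from the public network) that also opens a file on the web server gets a block filter, and once an address is suspect an e-mail attachment token from it becomes a new threat signature. The device names, token kinds and the form of filters and signatures are assumptions.

```python
"""Token correlation at the central intrusion detector (Figures 43 and 44).

Added example, not code from the patent. Device names, token kinds and the
shape of the filters and signatures are assumptions for the demonstration.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Token:
    device: str            # "firewall", "web_server" or "email_server" (assumed names)
    kind: str              # "new_flow", "file_access", "email" or "mime_attachment"
    src_ip: str
    value: bytes = b""     # e.g. the file path or the attachment bytes


@dataclass(frozen=True)
class Filter:
    src_ip: str
    action: str = "drop"


@dataclass(frozen=True)
class Signature:
    name: str
    sha256: str


class CentralDetector:
    def __init__(self) -> None:
        self.tokens: Dict[str, List[Token]] = defaultdict(list)
        self.filters: Dict[str, Filter] = {}
        self.signatures: Dict[str, Signature] = {}

    def _external(self, ip: str) -> bool:
        """Firewall tokens carry more weight: they show the flow came from the public network."""
        return any(t.device == "firewall" and t.kind == "new_flow" for t in self.tokens[ip])

    def _opened_file(self, ip: str) -> bool:
        return any(t.device == "web_server" and t.kind == "file_access" for t in self.tokens[ip])

    def receive(self, token: Token) -> Tuple[List[Filter], List[Signature]]:
        """Blocks 2802-2810: store, correlate, return newly produced filters and signatures."""
        ip = token.src_ip
        self.tokens[ip].append(token)
        new_filters: List[Filter] = []
        new_signatures: List[Signature] = []
        # Rule 1: an external address that opens an internal web-server file is blocked.
        if ip not in self.filters and self._external(ip) and self._opened_file(ip):
            self.filters[ip] = Filter(ip)
            new_filters.append(self.filters[ip])
        # Rule 2: an attachment mailed from an already-suspect address becomes a signature.
        if ip in self.filters and token.kind == "mime_attachment":
            digest = hashlib.sha256(token.value).hexdigest()
            if digest not in self.signatures:
                self.signatures[digest] = Signature(f"attachment-from-{ip}", digest)
                new_signatures.append(self.signatures[digest])
        return new_filters, new_signatures
```

Returning the new filters and signatures from receive() is the distribution step: a caller would push them to every IDS 2620. An internal address that opens a file never trips rule 1 because no firewall token exists for it.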
Scalability of tree search
IDS 2018 described above improves on existing intrusion detection by scanning within the session context in which a threat can occur. A parser tree, rather than regular expressions, is used for pattern matching. Intrusion detection and other threat detection in packet data are performed by "scanning" the incoming packet stream for patterns that match known threats.
Existing regular-expression scanners must scan every byte of a packet and have no way to determine which part of the packet may contain a threat. For example, a threat in e-mail can usually enter only through an e-mail attachment. The defined body of an e-mail message is an ASCII string, and software does not normally act on an ASCII string in an unexpected or malicious way. Attachments to an e-mail message are defined by specific published grammars and headers, for example Multipurpose Internet Mail Extensions (MIME).
Likewise, the headers of the IP protocols used to transport an e-mail message do not normally cause an e-mail client to behave maliciously. Usually it is the execution of a script or program in an e-mail attachment that causes the intrusion problem. Therefore only the MIME portion of the e-mail message needs to be scanned to detect a possible virus.
Finding the MIME portion of an e-mail message requires understanding the protocols used to transport the e-mail message (TCP/IP) and the e-mail MIME format. RSP 2100 parses quickly and launches virus scanning in a scalable manner only on the MIME portion of the message. This reduces both the number of packets that must be scanned and the number of bytes that must be scanned within each packet. RSP 2100 performs grammatical analysis of the input data stream that lets IDS 2018 understand what kind of data needs scanning and what kind of scanning needs to be performed. This lets IDS 2018 generate tokens 2068 corresponding to the grammar of the input stream more effectively.
Other features of DXP 2180 and RSP 2100 are optimized for such threat scanning and improve performance compared with regular-expression scanners on conventional hardware architectures. For example, the LL(k) parser, combined with the ternary content-addressable memory (TCAM) implemented in parser table 2170 and parser stack 2185 in Figure 36, can search the input stream faster than a regular-expression engine.
A regular-expression scanner requires a considerable number of variable-length comparisons to determine a possible match, and wildcard matching requires its own operations. An LL(k) parser, on the other hand, can skip long strings of wildcards and, in combination with the TCAM, match the specified bytes in a single clock cycle.
Modifying session content
Referring to Figure 45, the IDS 2018 can also be used to add or modify information in an identified session context 2852. In other words, the IDS 2018 is not limited to just dropping packets identified as intrusion threats. Figure 45 shows an IP link 2866 that a PC 2864 establishes with the network processing device 2856. The IDS 2018 runs in device 2856 and identifies the particular IP session contexts 2852 associated with IP link 2866, as described above. For example, the IDS 2018 identifies HTTP messages, FTTP messages, SMTP e-mail messages, etc., that PC 2864 sends to another endpoint device operating in WAN 2850.
The IDS 2018 can be programmed to add or modify particular types of content 2862 associated with the identified session context 2852. In one embodiment, the IDS 2018 can be programmed to remove credit card numbers 2858 contained in files in e-mail or FTTP messages. In another embodiment, the IDS 2018 can be programmed to add a digital watermark 2860 to any file identified in an FTTP or e-mail file transfer. The IDS 2018 may, for example, add a digital watermark 2860 containing the IP source address of PC 2864 to the file.
As described above, the DXP 2180 of the RSP 2100 identifies the different session contexts 2852 carried over IP link 2864. The SPU 2200 can then generate tokens associated with the different types of content 2862 belonging to the identified session context 2852. For example, as described above in Figure 35, the SPU 2200 can generate tokens that contain e-mail attachments. The RSP 2100 searches any files contained in the e-mail attachments.
In a first embodiment, the DXP 2180 can identify any IP packet directed to WAN 2850. The DXP 2180 then directs the SPU 2200 to search any file contained in the packet for credit card numbers. If a credit card number is detected, the IDS 2018 replaces it with a series of "X" characters that blank out the credit card information. In a second embodiment, the SPU 2200 adds a digital watermark 2860 to a file detected in an FTTP or e-mail session. The file, with the modified credit card information or the watermark information, is then forwarded to the destination address corresponding to the FTTP or e-mail session.
Similar modifications can be made to any type of content 2862 associated with any identified session context 2852. For example, a particular IP source or destination address can be changed to another IP address, and the session context 2852 or session content 2862 can be sent back into the IP network 2850 according to some identified session context 2852 or session content 2862.
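Scanning only the MIME attachment parts of a message and blanking detected card numbers with "X" characters, as described above, as an added Python example (not code from the patent): the e-mail message is constructed, and the Luhn check is an assumption added here to cut false positives on ordinary digit runs.

```python
import email
import re
from email import policy
from typing import List, Tuple

# Constructed sample message (not from the patent): a plain-text body plus a
# text attachment. Only the attachment is scanned; headers and body pass untouched.
SAMPLE_EMAIL = b"""\
From: alice@example.test
To: bob@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi Bob, card on file ends in 1111, see attachment.
--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="billing.txt"

Customer: J. Doe
Card: 4111 1111 1111 1111
Expires: 12/29
--b1--
"""

# 13 to 19 digits with optional single space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumption: used here to confirm a digit run is a card number)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid card number in text with 'X' characters."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            count += 1
            return re.sub(r"\d", "X", m.group(0))  # keep separators, blank digits
        return m.group(0)

    return CARD_RE.sub(repl, text), count


def scrub_attachments(raw: bytes) -> Tuple[bytes, List[str], int]:
    """Parse the message, scan only text attachments, return (message, scanned names, masked)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scanned: List[str] = []
    masked = 0
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue  # containers, headers and the message body are not scanned
        if part.get_content_maintype() != "text":
            continue  # this example handles text attachments only
        fname = part.get_filename() or "<unnamed>"
        scanned.append(fname)
        new_text, n = mask_cards(part.get_content())
        if n:
            part.set_content(new_text, subtype=part.get_content_subtype(),
                             disposition="attachment", filename=fname)
            masked += n
    return msg.as_bytes(), scanned, masked
```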
Figure 46 shows an embodiment of a pushdown automaton (PDA) engine 3040 used to search data more efficiently with a context-free grammar (CFG). A semantic table 3042 contains non-terminal (NT) symbols 3046 that represent the different semantic states managed by the PDA engine 3040. Each semantic state 3046 also has one or more corresponding semantic entries 3044 associated with semantic elements 3015 contained in input data 3014. An arbitrary portion 3060 of the input data 3014 is combined with a current non-terminal 3062 and applied to the entries of the semantic table 3042.
The semantic table 3042 outputs an index 3054 corresponding to the entry 3046, 3044 that matches the combined symbol 3062 and input data segment 3060. A semantic state map 3048 identifies a next non-terminal 3054 representing the next semantic state of the PDA engine 3040. The next non-terminal 3054 is pushed onto a stack 3052 and then popped from the stack 3052 to be combined with the next segment 3060 of the input data 3014. The PDA engine 3040 continues parsing the input data 3014 until the target search string 3016 is detected.
To begin with, the stack 3052 can contain terminal and non-terminal (NT) symbols, which allows semantic states of the PDA engine 3040 to be nested inside other semantic states. This lets multiple semantic states be represented by a single non-terminal and substantially reduces the number of states the PDA engine 3040 must manage.
Further, referring to Figures 46 and 47, there is normally no semantic state transition until an associated semantic element is detected. For example, the PDA engine 3040 initially runs in a first semantic state (SS) 3070 and does not transition to the second semantic state 3072 until the entire semantic element "WWW." is detected. Similarly, the PDA engine 3040 remains in semantic state 3072 until the next semantic element ".ORG" is detected. The PDA engine 3040 then transitions from semantic state 3072 to semantic state 3074. One characteristic of the PDA engine 3040 is therefore that the number of semantic states 3070, 3072 and 3074 corresponds to the number of semantic elements that need to be searched for in the input data 3014.
By contrast, the PDA engine 3040 of Figure 46 can search for longer strings without needing any additional semantic states. For example, Figure 48 shows an alternative search that requires the PDA engine 3040 to search for the string "WWWW.XXXX.ORGG". In this embodiment the PDA engine 3040 must search for an additional "W" in the first semantic element "WWWW." and an additional "G" character in the second semantic element "ORGG". The additional characters added to the new search string in Figure 48 do not increase the number of semantic states 3070, 3071 and 3073 previously required in Figure 47.
The PDA engine 3040 can also reduce or eliminate state branching. The PDA engine 3040 eliminates these additional branch states by nesting a possible second "WWW." string within the same semantic state 3072 that searches for the ".ORG" semantic element. This is represented by path 3075 in Figure 47, where the PDA engine 3040 stays in semantic state 3072 while searching both for a possible second "WWW." and for ".ORG".
Another aspect of the PDA engine 3040 is that additional search strings can be added without substantially affecting or increasing the complexity of the semantic table 3042. Referring to Figure 49, a third semantic element ".EXE" is shown added to the search performed by the PDA engine 3040 of Figure 46. The additional semantic element ".EXE" adds only one additional semantic state 3076 to the semantic table 3042.
The PDA structure of Figure 46 therefore results in a more compact and efficient state table that expands in a predictable, stable and linear manner as additional search criteria are added. For example, when a new string is added to the data search, the entire semantic table 3042 does not need to be rewritten; only additional semantic entries need to be added.
Example embodiment
Figures 50-54 illustrate in more detail an example PDA context-free grammar executed by the PDA engine 3040 shown previously in Figure 46. Referring to Figure 50, the same search example is used, in which the PDA engine 3040 searches for the URL string "WWW.XXX.ORG". Of course this is only one embodiment, and any combination of strings or characters can be searched for using the PDA engine 3040.
It should also be noted that the PDA engine 3040 could also be implemented in software, with the semantic table 3042, the semantic state map 3048 and the stack 3052 all located in memory accessed by a central processing unit (CPU). A general-purpose CPU would then carry out the operations described below. Another embodiment uses a reconfigurable semantic processor (RSP), which is explained in more detail in Figure 47 below.
In this embodiment, a content addressable memory (CAM) is used to implement the semantic table 3042. Alternative embodiments could use static random access memory (SRAM) or dynamic random access memory (DRAM). The semantic table 3042 is divided into semantic state sections 46 that, as described above, can contain corresponding non-terminal (NT) symbols. In this embodiment the semantic table 3042 contains only two semantic states. The first semantic state, in section 3046A, is identified by non-terminal symbol NT1 and is associated with the semantic element "WWW.". The second semantic state, in section 3046B, is identified by non-terminal symbol NT2 and is associated with the semantic element ".ORG".
The second portion 3044 of the semantic table 3042 contains the different semantic entries corresponding to semantic elements in the input data 3014. The same semantic entry can appear several times within the same semantic state section 3046. For example, the semantic entry WWW. can be located at different positions in section 3046A to identify occurrences of the semantic element "WWW." at different positions in the input data 3014. This is only one embodiment, used to further optimize the operation of the PDA engine 3040. In an alternative embodiment, a particular semantic entry is used only once, and the input data 3014 is then shifted through the input buffer 3061 to examine each different data position.
The second semantic state section 3046B of the semantic table 3042 effectively contains two semantic entries. The ".ORG" entry is used to detect the ".ORG" string in the input data 3014, and the "WWW." entry is used to detect a possible second "WWW." string in the input data 3014. Again, multiple different ".ORG" and "WWW." entries can optionally be loaded into section 3046B of the semantic table 3042 for parsing optimization. Equally, a single "WWW." entry and a single ".ORG" entry may be used, or fewer entries than shown in Figure 50.
In this embodiment the semantic state map 3046 contains three different sections; however, fewer sections could also be used. A next-state section 3080 maps a matching semantic entry in the semantic table 3042 to the next semantic state used by the PDA engine 3040. A semantic entry point (SEP) section 3078 is used to launch micro-instructions for a semantic processing unit (SPU), as explained in more detail below. This section is optional, and the PDA engine 3040 could instead use the non-terminal identified in the next-state section 3080 to determine what other operations to perform on the input data 3014.
For example, when non-terminal NT3 is output from map 3048, a corresponding processor (not shown) knows that the URL string "WWW.XXX.ORG" has been detected in the input data 3014. After the PDA engine 3040 identifies the URL, the processor can then perform whatever subsequent processing of the input data 3014 is desired. The SEP 3078 is therefore only an optimization of the PDA engine 3040 that may or may not be included.
A skip-bytes section 3076 identifies the number of bytes of input data 3014 to shift into the input buffer 3061 in the next operating cycle. A Match All Parser entries Table (MAPT) 3082 is used when there is no match in the semantic table 3042.
Operation
The end-of-stack symbol "$" is first pushed onto the stack 3052 together with an initial non-terminal NT1, which represents the first semantic state associated with the URL search. The NT1 symbol and a first segment 3060 of the input data 3014 are loaded into the input buffer 3061 and applied to the CAM 3090. In this embodiment, the contents of the input buffer 3061 do not match any entry in the CAM 3090. The pointer 3054 generated by the CAM 3090 therefore points to a default NT1 entry in the MAPT table 3082. The default NT1 entry directs the PDA engine 3040 to shift an additional byte of input data 3014 into the input buffer 3061. The PDA engine 3040 then pushes another NT1 non-terminal symbol onto the stack 3052.
Figure 51 shows the next PDA cycle, after the next byte of input data 3014 has been shifted into the input buffer 3061. The first URL semantic element 3060A ("WWW.") is now contained in the input buffer 3061. Non-terminal NT1 is popped from the stack 3052 again and combined with the input data 3060 in the input buffer 3061. Comparing the contents of the input buffer 3061 with the semantic table 3042 produces a match at NT1 entry 3042B. The index 3054B associated with entry 3042B points to semantic state map entry 3048B. The next state in entry 3048B contains non-terminal NT2, which represents a transition to the next semantic state.
Map entry 3048B also identifies the number of bytes of input data 3014 the PDA engine 3040 needs to shift in the next parsing cycle. In this embodiment, because the "WWW." string was detected in the first 4 bytes of the input buffer 3061, the skip-bytes value in entry 3048B directs the PDA engine 3040 to shift another 8 bytes into the input buffer 3061. This skip value is hardware dependent and may vary according to the size of the semantic table 3042. Of course, other hardware embodiments with larger or smaller semantic table widths could also be used.
Figure 52 shows the PDA engine 3040 in the next cycle, after the next 8 bytes of input data 3014 have been shifted into the input buffer 3061. The new semantic state NT2 has likewise been pushed onto the stack 3052, then popped from the stack 3052 and combined with the next segment 3060 of input data 3014. The contents of the input buffer 3061 are again applied to the semantic table 3042. In this PDA cycle the contents of the input buffer 3061 do not match any semantic entry in the semantic table 3042. The default pointer 3054C for state NT2 therefore points to the corresponding NT2 entry in the MAPT table 3082. The NT2 entry directs the PDA engine 3040 to shift one additional byte into the input buffer 3061 and to push the same semantic state NT2 onto the stack 3052.
Figure 53 shows the next PDA cycle, after another byte of input data 3014 has been shifted into the input buffer 3061. In this embodiment there is still no match between the contents of the input buffer 3061 and any NT2 entry in the semantic table 3042. The default pointer 3054C for semantic state NT2 therefore again points to the NT2 entry in the MAPT table 3082. The default NT2 entry in table 3082 directs the PDA engine 3040 to shift another byte of input data 3014 into the input buffer 3061 and to push another NT2 symbol onto the stack 3052. Note that in the last two PDA cycles there was no change in the semantic state represented by non-terminal NT2. Although the first three characters ".OR" of the second semantic element ".ORG" have been received by the PDA engine 3040, no transition has yet occurred.
Figure 54 shows the next PDA cycle, in which the contents of the input buffer 3061 now match the NT2 entry 3042D in the semantic table 3042. The corresponding pointer 3054D points to entry 3048D in the semantic state map 3048. In this embodiment, entry 3048D indicates that the URL "WWW.XXX.ORG" has been detected by mapping to the next semantic state NT3. Note that the PDA engine 3040 did not transition to semantic state NT3 until the entire semantic element ".ORG" was detected.
Map entry 3048D also contains a pointer SEP1, which optionally launches micro-instructions that a semantic processing unit (SPU) (see Figure 55) executes to perform additional operations on the input data 3014 corresponding to the detected URL. For example, the SPU can strip additional input data 3014 to perform firewall operations, virus detection operations, etc., as described in the following co-pending applications, which are incorporated herein by reference: patent application serial No. 11/187,049, entitled "Network Interface and Firewall Device", filed July 21, 2005, and patent application serial No. 11/125,956, entitled "Intrusion Detection System", filed May 9, 2005.
Concurrently with sending the SEP micro-instruction to the SPU, map entry 3048D can also direct the PDA engine 3040 to push a new semantic state, represented by non-terminal NT3, onto the stack 3052. This allows the PDA engine 3040 to begin a different search for other semantic elements in the input data 3014 following the detected URL 3016. For example, as shown in Figure 49, the PDA engine 3040 can begin to search for the semantic element ".EXE" associated with executable files, which may be contained in the input data 3014. As described above, searching for the new semantic element ".EXE" requires the PDA engine 3040 to add only one additional semantic state to the semantic table 3042.
Also as described above, the PDA engine 3040 is not required to keep separate state for each data item it parses. State is kept only between different semantic elements. For example, Figures 50, 52 and 53 show data input that does not completely match any semantic entry in the semantic table 3042. In these cases the PDA engine 3040 continues parsing the input data without retaining any state information for the non-matching data strings.
Likewise, as mentioned above with reference to Figures 46-48, the semantic states of the PDA engine 3040 are substantially independent of the search string length. For example, the longer search string "WWWW." rather than "WWW." can be searched for simply by replacing the "WWW." semantic entry in the semantic table 3042 with the longer semantic entry "WWWW.".
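The cycle-by-cycle walk of Figures 50-54, as an added software model in Python (not the patent's own code): a dictionary stands in for the CAM semantic table 3042 with its state map 3048, a list for the stack 3052, a prefix compare for the CAM match, and a one-byte shift for the MAPT default. The skip value after a match is taken to be the matched entry's length, an assumption since the text leaves it hardware dependent; the model also covers the longer-string case of Figure 48, the nested "WWW." of path 3075 and the ".EXE" state of Figure 49.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

END = "$"  # end-of-stack terminal pushed first, as in Figure 50


@dataclass(frozen=True)
class MapEntry:
    """One row of the semantic state map 3048: next state, bytes to skip, optional SEP."""
    next_state: str
    skip: int
    sep: Optional[str] = None


# Semantic table 3042 modelled as {(non-terminal, semantic entry): map entry}.
# A CAM compare is a prefix compare here: bytes past the entry are "don't care".
SemanticTable = Dict[Tuple[str, str], MapEntry]


def url_table(www: str = "WWW.", org: str = ".ORG") -> SemanticTable:
    """The two-state table of Figures 50-54; pass longer elements to mimic Figure 48."""
    return {
        ("NT1", www): MapEntry("NT2", len(www)),              # entry 3042B -> map 3048B
        ("NT2", org): MapEntry("NT3", len(org), sep="SEP1"),  # entry 3042D -> map 3048D
        ("NT2", www): MapEntry("NT2", len(www)),              # path 3075: nested second "WWW."
    }


def state_count(table: SemanticTable) -> int:
    """Number of semantic states: every non-terminal that appears in the table."""
    return len({nt for nt, _ in table} | {m.next_state for m in table.values()})


class PdaEngine:
    def __init__(self, table: SemanticTable, width: int = 8, mapt_skip: int = 1):
        self.table = table
        self.width = width          # input buffer 3061 width (hardware dependent)
        self.mapt_skip = mapt_skip  # MAPT 3082 default: shift one byte, keep the state

    def lookup(self, nt: str, window: str) -> Optional[MapEntry]:
        """CAM lookup: non-terminal plus buffer contents against every entry."""
        for (entry_nt, pattern), entry in self.table.items():
            if entry_nt == nt and window.startswith(pattern):
                return entry
        return None

    def run(self, data: str, start: str = "NT1") -> Tuple[str, int, List[Tuple[str, int]]]:
        """Parse data; return (final state, number of state transitions, SEPs fired)."""
        stack: List[str] = [END, start]
        pos = 0
        states: List[str] = []             # semantic state in each PDA cycle
        seps: List[Tuple[str, int]] = []   # (SEP label, offset at which it fired)
        while pos < len(data):
            nt = stack.pop()               # pop the current non-terminal
            states.append(nt)
            entry = self.lookup(nt, data[pos:pos + self.width])
            if entry is None:
                pos += self.mapt_skip      # no match: MAPT default, state unchanged
                stack.append(nt)
                continue
            if entry.sep:
                seps.append((entry.sep, pos))
            pos += entry.skip              # skip-bytes value from the map entry
            stack.append(entry.next_state) # push the next semantic state
        final = stack[-1]
        seq = states + [final]
        changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
        return final, changes, seps


def search(data: str, table: Optional[SemanticTable] = None):
    return PdaEngine(table or url_table()).run(data)


def exe_table() -> SemanticTable:
    """Figure 49: adding ".EXE" costs exactly one more semantic state."""
    t = dict(url_table())
    t[("NT3", ".EXE")] = MapEntry("NT4", 4, sep="SEP2")
    return t
```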
Reconfigurable semantic processor (RSP)
Figure 45 shows a block diagram of a reconfigurable semantic processor (RSP) 3100 used in one embodiment to implement the pushdown automaton (PDA) engine 3040 described above. The RSP 3100 includes an input buffer 3140 for buffering a packet data stream received through input port 3120, and an output buffer 3150 for buffering a packet data stream transmitted through output port 3152.
A direct execution parser (DXP) 3180 implements the PDA engine 3040 and controls the processing of packets or frames received in the input buffer 3140 (e.g., the input "stream"), transmitted from the output buffer 3150 (e.g., the output "stream") and recirculated in a recirculation buffer 3160 (e.g., the recirculation "stream"). The input buffer 3140, output buffer 3150 and recirculation buffer 3160 are preferably first-in first-out (FIFO) buffers.
The DXP 3180 also controls the processing of packets by a semantic processing unit (SPU) 3200, which handles data transfers between the buffers 3140, 3150 and 3160 and a memory subsystem 3215. The memory subsystem 3215 stores packets received from input port 3120 and stores, in CAM 3220, access control lists (ACLs) used for unified policy management (UPM), firewall, virus detection and other firewall operations described in the following co-pending applications, which are incorporated herein by reference: patent application serial No. 11/187,049, "Network Interface and Firewall Device", filed July 21, 2005, and patent application serial No. 11/125,956, "Intrusion Detection System", filed May 9, 2005.
The RSP 3100 uses at least three tables to implement a given PDA algorithm. Codes 3178 used to retrieve production rules 3176 are stored in a parser table (PT) 3170. In one embodiment, the parser table 3170 contains the semantic table 3042 shown in Figure 46. Grammatical production rules 3176 are stored in a production rule table (PRT) 3190. The production rule table 3190 can contain, for example, the semantic state map 3048 shown in Figure 46. Code segments 3212 executed by the SPU 3200 are stored in a semantic code table (SCT) 3210. Code segments 3212 can be launched according to the SEP pointers 3078 in the semantic state map 3048 shown in Figures 50-54.
The codes 3178 in the parser table 3170 are stored, for example, in a row-column format or a content-addressable format. In the row-column format, the rows of the parser table 3170 are indexed by non-terminal codes NT 3172 provided by an internal parser stack 3185. In one embodiment, the parser stack 3185 is the stack 3052 shown in Figure 46. The columns of the parser table 3170 are indexed by input data values DI[N] 3174 extracted from the head of the data in the input buffer 3140. In the content-addressable format, a non-terminal code 3172 from the parser stack 3185 concatenated with an input data value 3174 from the input buffer 3140 provides the input to the parser table 3170, as shown by the input buffer 3061 in Figures 50-54.
The production rule table 3190 is indexed by the codes 3178 from the parser table 3170. Tables 3170 and 3190 can be linked so that a query to the parser table 3170 directly returns the production rule 3176 applicable to the non-terminal code 3172 and input data value 3174. The DXP 3180 replaces the non-terminal code at the top of the parser stack 3185 with the production rule (PR) 3176 returned from the PRT 3190 and continues parsing the data from the input buffer 3140.
The codes 3178 produced by the parser table 3170 and/or the production rules 3176 produced by the production rule table 3190 also index the semantic code table 3210. Generally, the parsing results allow the DXP 3180 to detect whether, for a given production rule 3176, a semantic entry point (SEP) routine 3212 from the semantic code table 3210 should be loaded and executed by the SPU 3200.
The SPU 3200 has several paths for accessing the memory subsystem 3215, which provides a context-symbol-addressable structured memory interface. The memory subsystem 3215, parser table 3170, production rule table 3190 and semantic code table 3210 can use on-chip memory, external memory devices such as synchronous dynamic random access memory (DRAM) and content addressable memory (CAM), or a combination of these resources. Each table or context may simply provide a contextual interface to a physical memory space shared with one or more of the other tables or contexts.
A maintenance central processing unit (MCPU) 3056 is coupled between the SPU 3200 and the memory subsystem 3215. The MCPU 3056 performs any desired functions of the RSP 3100 that can reasonably be accomplished with traditional software and hardware. These are normally rare, non-time-critical functions whose complexity does not warrant inclusion in the SCT 3210. Preferably, the MCPU 3056 also has the ability to request that the SPU 3200 perform tasks on the MCPU's behalf.
The memory subsystem 3215 contains an array machine-context data memory (AMCD) 3230 for accessing data in DRAM 3280 through hash function or content addressable memory (CAM) lookups. A cryptography block 3240 encrypts, decrypts or authenticates data, and a context control block cache 3250 caches context control blocks to and from DRAM 3280. A general cache 3260 caches data used in basic operations, and a streaming cache 3270 caches data streams as they are written to and read from DRAM 3280. The context control block cache 3250 is preferably a software-controlled cache, i.e. the SPU 3200 determines when a cache line is used and released. Each of the circuits 3240, 3250, 3260 and 3270 is coupled between DRAM 3280 and the SPU 3200. TCAM 3220 is coupled between the AMCD 3230 and the MCPU 3056 and contains access control lists (ACLs) and other parameters that can be used to perform firewall, unified policy management or other intrusion detection operations.
Detailed design optimizations of the functional blocks of the RSP 3100 are described in co-pending application No. 10/351,030, entitled "Reconfigurable Semantic Processor", filed January 24, 2003, which is incorporated herein by reference.
Parser table
The parser table 3170 can be implemented as a content addressable memory (CAM), as described above in Figures 46-54, in which the NT code and the input data value DI[n] serve as the CAM search key for a PR code 3176 associated with a production rule in the PRT 3190. Preferably, the CAM is a ternary CAM (TCAM) containing TCAM entries. Each TCAM entry contains an NT code and a DI[n] match value. Each NT code 312 can have multiple TCAM entries. Each bit of a DI[n] match value can be set to "0", "1" or "X" (meaning "don't care"). This capability lets a PR code require only that certain bits/bytes of DI[n] match a coded pattern in order for the parser table 170 to find a match. For instance, one TCAM row can contain an NT code NT_IP for the IP destination address field, followed by four bytes representing the IP destination address corresponding to the device containing the semantic processor. The remaining four bytes of the TCAM row are set to "don't care". Thus, when NT_IP and 8 bytes DI[8] are submitted to the parser table 3170, where the first 4 bytes of DI[8] contain the correct IP address, a match occurs regardless of the contents of the remaining 4 bytes of DI[8].
Because the TCAM uses the "don't care" capability and a single NT may have multiple TCAM entries, the TCAM may find several TCAM entries that match a given NT code and DI[n] match value. The TCAM prioritizes these matches through its hardware and outputs only the match with the highest priority. Furthermore, when an NT code and DI[n] match value are submitted to the TCAM, the TCAM attempts to match the received NT code and DI[n] against the match code of every TCAM entry in parallel. The TCAM is therefore able to determine whether a match was found in the parser table 3170 within a single clock cycle of the semantic processor 3100.
Another way to view this structure is as a "variable look-ahead" parser. Although a fixed data input segment, such as 8 bytes, is applied to the TCAM, the TCAM coding allows the next production rule (or semantic entry, as described in Figures 46-54) to be based on any portion of the current 8 bytes of input. If any bit or byte at any position within the current 8 bytes at the head of the input stream determines the current rule, the TCAM entry can be coded so that the remaining bits or bytes are ignored when matching. In essence, for a given production rule, the current "symbol" can be defined as any combination of the 64 bits at the head of the input stream. With intelligent coding, the number of parsing cycles, NT codes and entries can usually be reduced for a given parsing task.
The TCAM embodiment of the production rule table 3170 is described in further detail in co-pending application No. 11/181,527, entitled "Parser Table/Production Rule Table Configuration Using CAM and SRAM", filed July 14, 2005, which is incorporated herein by reference.
The system described above can use dedicated processor systems, microcontrollers, programmable logic devices or microprocessors that perform some or all of the operations. Some of the operations described above may be implemented in software and others in hardware.
For convenience, the operations are described as various interconnected functional blocks or distinct software modules. This is not necessary, however, and there may be cases where these functional blocks or modules are equivalently aggregated into a single logic device, program or operation with unclear boundaries. In any event, the functional blocks and software modules or features of the flexible interface can be implemented by themselves, or in combination with other operations, in either hardware or software.
Having described and illustrated the principles of the invention in a preferred embodiment thereof, it should be apparent that the invention may be modified in arrangement and detail without departing from such principles. We claim all modifications and variations coming within the spirit and scope of the following claims.
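The NT_IP example above, as an added Python model of the TCAM parser table (not the patent's code): each entry holds an 8-byte match value and a per-bit care mask, every entry is compared against the submitted NT code and DI[8], and the highest-priority hit wins. The addresses and PR code names are constructed placeholders; the /12 entry shows bit-level "X" inside a byte, which the text allows but does not illustrate.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

WIDTH = 8  # DI[8]: 8 input bytes (64 bits) are applied per lookup


@dataclass(frozen=True)
class TcamEntry:
    nt: str        # non-terminal code, e.g. NT_IP
    value: bytes   # DI[n] match value, WIDTH bytes
    care: bytes    # per-bit care mask: 1 = must match, 0 = "X" (don't care)
    pr_code: str   # production rule (PR) code returned on a hit

    def matches(self, nt: str, di: bytes) -> bool:
        """Ternary compare: only the bits set in the care mask are compared."""
        return self.nt == nt and all(
            (d & c) == (v & c) for d, v, c in zip(di, self.value, self.care))


def ip_dst_entry(nt: str, cidr: str, pr_code: str) -> TcamEntry:
    """Entry keyed on the 4-byte IP destination address; the other 4 bytes are 'X'.
    A prefix shorter than 32 bits also makes the low address bits 'X'."""
    net = IPv4Network(cidr)
    value = net.network_address.packed + bytes(WIDTH - 4)
    care = net.netmask.packed + bytes(WIDTH - 4)
    return TcamEntry(nt, value, care, pr_code)


class ParserTcam:
    """Entries are held in priority order (index 0 = highest priority). Hardware
    compares all entries in parallel; the result is the same as taking the first hit."""

    def __init__(self, entries: List[TcamEntry]):
        self.entries = entries

    def lookup(self, nt: str, di: bytes) -> Optional[str]:
        di = di[:WIDTH].ljust(WIDTH, b"\0")
        hits = [e.pr_code for e in self.entries if e.matches(nt, di)]
        return hits[0] if hits else None   # None: no match, MAPT default applies


# Constructed example table (addresses and PR names are placeholders, not from the patent).
DEVICE_IP = "10.0.0.5/32"
ENTRIES = [
    ip_dst_entry("NT_IP", DEVICE_IP, "PR_LOCAL_DST"),        # exact 4 bytes, rest X
    ip_dst_entry("NT_IP", "10.16.0.0/12", "PR_SITE_DST"),    # bit-level X in 2nd byte
    ip_dst_entry("NT_IP", "10.0.0.0/8", "PR_INTERNAL_DST"),  # least specific, lowest priority
]
TABLE = ParserTcam(ENTRIES)


def classify_dst(ip: str, trailing: bytes = b"\xde\xad\xbe\xef",
                 nt: str = "NT_IP", reverse_priority: bool = False) -> Optional[str]:
    """Submit an NT code plus DI[8] = destination address followed by 4 arbitrary bytes.
    reverse_priority demonstrates that entry order, not specificity, decides the winner."""
    table = ParserTcam(list(reversed(ENTRIES))) if reverse_priority else TABLE
    return table.lookup(nt, IPv4Address(ip).packed + trailing)
```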

Claims (45)

1. A method for monitoring and filtering denial of service (DoS) attacks, comprising:
identifying packets possibly associated with a denial of service attack;
tracking the state of the packets as denial of service entries in a memory;
allowing a new packet to pass when there is no previous denial of service entry in the memory; and
after allowing said new packet to pass, adding a new denial of service entry for said new packet into said memory.
2. The method according to claim 1, comprising:
receiving a packet that already has a denial of service entry in said memory;
deleting said packet when a denial of service attack flag is set in the corresponding denial of service entry; and
updating a timestamp, a counter and said denial of service attack flag for the corresponding denial of service entry when the timestamp is older than a predetermined period of time.
3. The method according to claim 1, comprising:
receiving a packet that already has a denial of service entry in said memory;
allowing said packet to pass when the denial of service attack flag is not set in the corresponding denial of service entry; and
after allowing said packet to pass, incrementing a counter for the corresponding denial of service entry; and
setting the denial of service attack flag when the counter exceeds a denial of service attack limit and a timestamp for the corresponding denial of service entry is within the predetermined period of time.
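The entry handling of claims 1 to 3, as an added Python example (not from the patent): the limit, period, flow key and packet times are constructed, and the order in which a stale entry is refreshed relative to the flag check is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import Dict, Hashable, List, Tuple


@dataclass
class DosEntry:
    """One denial of service entry in the memory (claims 1-3)."""
    timestamp: float      # start of the current counting period
    counter: int = 0      # candidate packets seen in this period
    attack: bool = False  # the denial of service attack flag


class DosFilter:
    def __init__(self, limit: int, period: float):
        self.limit = limit    # denial of service attack limit (claim 3)
        self.period = period  # predetermined period of time (claims 2 and 3)
        self.entries: Dict[Hashable, DosEntry] = {}

    def handle(self, key: Hashable, now: float) -> str:
        """Return 'pass' or 'drop' for a packet already identified as a DoS candidate.
        key identifies the tracked flow (constructed here as the source address)."""
        entry = self.entries.get(key)
        if entry is None:
            # claim 1: no previous entry -> let the packet through, then add an entry
            self.entries[key] = DosEntry(timestamp=now, counter=1)
            return "pass"
        if now - entry.timestamp > self.period:
            # claim 2: stale timestamp -> refresh timestamp, counter and flag.
            # Assumption: the refresh happens before the flag is consulted, so a
            # flag expires with its period; the claims do not fix this order.
            entry.timestamp, entry.counter, entry.attack = now, 0, False
        if entry.attack:
            return "drop"          # claim 2: flag set -> delete the packet
        entry.counter += 1         # claim 3: pass first, then count
        if entry.counter > self.limit and now - entry.timestamp <= self.period:
            entry.attack = True    # claim 3: over the limit within the period -> flag
        return "pass"


def replay(limit: int, period: float, packets: List[Tuple[str, float]]) -> List[str]:
    """Run a sequence of (flow key, arrival time) candidates through one filter."""
    f = DosFilter(limit, period)
    return [f.handle(src, t) for src, t in packets]


# Constructed trace: one source sends a candidate every second, then returns after a pause.
TRACE = [("198.51.100.7", float(t)) for t in range(6)] + [("198.51.100.7", 16.0)]
```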
4. A network processing device comprising:
a processor configured to use the same memory subsystem as a forwarding information base (FIB) and for firewall policy management.
5. The network processing device according to claim 4, wherein said processor compares a destination address and firewall policy metrics contained in a packet against the same group of access control list (ACL) entries in the memory subsystem, in order to make a routing or switching decision and to perform firewall operations.
6. The network processing device according to claim 4, wherein said access control list entries comprise: predicates corresponding to said destination address and said firewall policy metrics in said packet; and actions indicating which firewall or forwarding operations to perform on the packet.
7. The network processing device according to claim 4, wherein said processor comprises:
a data parser configured to identify addresses and firewall metrics in packets; and
one or more semantic processing units (SPUs) that perform firewall operations and packet forwarding operations on said packets according to the identified addresses and firewall metrics.
8. A semantic processor comprising:
a parser that parses packets to identify syntactic elements associated with network interface operations, said parser then launching micro-instructions according to said identified syntactic elements; and
one or more semantic processing units (SPUs) that perform said network interface operations by executing said micro-instructions launched by the direct execution parser.
9. The semantic processor according to claim 8, comprising:
an input port configured to receive data symbols;
a direct execution parser that stores a stack of symbols and processes said stack symbols in response to the received data symbols;
a parser table composed of production rule codes that can be indexed by a combination of at least one received data symbol and a symbol provided by said parser;
a production rule table composed of production rules that can be indexed by said production rule codes; and
a semantic code table accessible by said semantic processing units and composed of machine instructions indexed by said production rule codes.
10. The semantic processor according to claim 8, wherein said processor identifies denial of service packets that may be part of a denial of service (DoS) attack, said parser causing the semantic processing units to monitor the rate at which denial of service candidate packets are received and to drop or pass said denial of service candidate packets according to the monitored rate.
11. The semantic processor according to claim 8, comprising an access control list (ACL) whose entries have: predicates corresponding to packet semantic elements identified by said parser; and actions used by the one or more semantic processing units to determine which firewall operations to perform on said packets.
12. The semantic processor according to claim 11, comprising a forwarding information base (FIB) containing destination addresses and corresponding output ports, said one or more semantic processing units using a combination of the predicates from said access control list and the destination addresses from said forwarding information base to determine how to forward and process said packets.
13. The semantic processor according to claim 12, wherein said access control list contains different uniform resource locator (URL) predicates associated with different output ports for the same destination address, said parser identifies a destination address and a uniform resource identifier value contained in said packet, and said semantic processing units forward said packet to the output port identified in said access control list by the entry having matching destination address and URL predicates.
14. semantic processor according to claim 8, comprise network address translation and/or port address conversion (NAT/PAT) look-up table that public address and specific address are shone upon, described analyzer is discerned the public or specific address in the described bag, and indicates one or more semantic processes unit to use from the corresponding public or specific address of described look-up table and replace described special use or public address.
15. semantic processor according to claim 8, comprise Internet protocol (IP) version conversion table, the address of the first internet protocol version form and the appropriate address of the second internet version case form are shone upon, the identification of described analyzer is used for the described internet protocol version form of described bag, and indicates described semantic processes unit to replace address in the described bag with the different addresses of other internet protocol version form.
16. semantic processor according to claim 8, comprise VPN (virtual private network) (VPN) table, described VPN (virtual private network) table is with decruption key, decipherment algorithm identifier and/or verification algorithm identifier are associated with relevant Security Parameter Index (SPI), described analyzer is discerned the security parameter index in the described bag, and indicate described semantic processes unit that the Security Parameter Index of identification is applied to described VPN (virtual private network) table, and then according to the described decruption key that receives back from described VPN (virtual private network) table, described decipherment algorithm identifier and/or described verification algorithm identifier are decrypted described bag.
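Claims 4 to 7 and 11 to 13 describe one table that serves as both FIB and ACL, with URL predicates that send packets for the same destination address to different output ports. The following is an added illustration, not code from the patent: a single most-specific-match lookup over a constructed policy table (the prefixes, URL predicates and port numbers are hypothetical) that yields the forwarding and the firewall decision together.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PolicyEntry:
    """One row of the shared ACL/FIB table: predicates plus an action."""
    dst_prefix: ipaddress.IPv4Network   # FIB-style destination predicate
    url_prefix: Optional[str]           # firewall URL predicate, None = any URL
    action: str                         # "forward" or "drop"
    out_port: Optional[int]             # output port used when forwarding

# Constructed sample table (hypothetical addresses and ports, not from the patent).
POLICY_TABLE = [
    PolicyEntry(ipaddress.ip_network("10.0.0.0/8"),   None,       "drop",    None),
    PolicyEntry(ipaddress.ip_network("10.1.2.0/24"),  "/api/",    "forward", 2),
    PolicyEntry(ipaddress.ip_network("10.1.2.0/24"),  "/static/", "forward", 3),
    PolicyEntry(ipaddress.ip_network("10.1.2.0/24"),  None,       "forward", 1),
    PolicyEntry(ipaddress.ip_network("0.0.0.0/0"),    None,       "forward", 0),
]

def parse_packet(pkt: dict):
    """Stand-in for the parser: extract the fields the predicates are matched against."""
    return ipaddress.ip_address(pkt["dst"]), pkt.get("url", "")

def lookup(table, dst, url):
    """One lookup returning the most specific matching entry.
    Longest destination prefix wins; among equal prefixes an entry with a
    URL predicate beats one without, so the URL can steer the output port."""
    best = None
    for e in table:
        if dst not in e.dst_prefix:
            continue
        if e.url_prefix is not None and not url.startswith(e.url_prefix):
            continue
        key = (e.dst_prefix.prefixlen, e.url_prefix is not None)
        if best is None or key > best[0]:
            best = (key, e)
    return best[1] if best else None

def decide(pkt: dict):
    """Combined firewall and forwarding decision: ('drop', None) or ('forward', port)."""
    dst, url = parse_packet(pkt)
    e = lookup(POLICY_TABLE, dst, url)
    if e is None or e.action == "drop":
        return ("drop", None)
    return ("forward", e.out_port)
```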
17. An intrusion detection system, comprising:
a data parser that identifies syntactic elements in a data stream; and
a threat filtering circuit that filters threats from the data stream according to the syntactic elements identified by the data parser.
18. The intrusion detection system of claim 17, comprising a delay buffer used by the threat filtering circuit to delay the output of the data stream by a substantially constant time period while the threats are being filtered.
19. The intrusion detection system of claim 18, wherein the threat filtering circuit uses a first group of predetermined access control list (ACL) filters to perform a first, preliminary threat filtering of the data stream, and uses a second group of access control list filters, generated according to the identified syntactic elements, to perform a second threat filtering of the data held in the delay buffer.
20. The intrusion detection system of claim 17, wherein the threat filtering circuit generates tokens from the identified syntactic elements and applies the tokens to threat signatures to dynamically generate a group of threat filters corresponding to the syntactic elements.
21. The intrusion detection system of claim 20, wherein the tokens are generated only for syntactic elements in the data stream that can be associated with threats, and no tokens are generated for other parts of the data stream.
22. The intrusion detection system of claim 17, wherein the data parser parses the data according to symbols held in a parser stack.
23. The intrusion detection system of claim 22, wherein the parser comprises a parser table containing production rule codes corresponding to the different syntactic elements in the data stream, the production rule codes being indexed by the symbols from the parser stack together with a portion of the data stream.
24. The intrusion detection system of claim 23, comprising a production rule table containing production rules indexed by the production rule codes, some of the production rules addressing microinstructions that the threat filtering circuit executes when filtering threats from the data stream.
25. The intrusion detection system of claim 17, comprising a central intrusion detector that receives tokens from threat filtering circuits located in different network processing devices, the different network processing devices identifying the different syntactic elements of the different data streams they handle; the central intrusion detector generates filters according to those different syntactic elements and distributes the filters back to the different network processing devices.
26. The intrusion detection system of claim 25, wherein the central intrusion detector generates the filters according to the network processing operations performed by the network processing device that sent the tokens.
27. The intrusion detection system of claim 17, comprising a recirculation buffer that reassembles fragmented packets from the data stream before the threat filtering circuit filters threats from the data stream.
28. A semantic processor, comprising:
a direct execution parser (DXP) that identifies syntactic elements in a data stream; and
one or more semantic processing units (SPUs) that perform intrusion detection operations on the data stream according to the syntactic elements identified by the direct execution parser.
29. The semantic processor of claim 28, comprising a parser table containing groups of production rule codes, the production rule codes being indexed by combining a non-terminal corresponding to a syntactic element with a portion of the data stream.
30. The semantic processor of claim 29, comprising a production rule table containing production rules indexed by the production rule codes in the parser table, at least some of the production rules containing semantic processing unit entry point values that index the microinstructions executed by the one or more semantic processing units to carry out the intrusion detection operations.
31. The semantic processor of claim 28, wherein the one or more semantic processing units compare packets in the data stream with a first group of predetermined access control list filters and then drop or store the packets according to the comparison.
32. The semantic processor of claim 31, wherein the packets are stored for a fixed delay period while the one or more semantic processing units perform the intrusion detection operations.
33. The semantic processor of claim 32, wherein the one or more semantic processing units generate tokens from the syntactic elements identified by the direct execution parser and provide the tokens to a threat analyzer that dynamically generates access control lists (ACLs) corresponding to the tokens.
34. The semantic processor of claim 33, wherein the one or more semantic processing units drop any stored packets that match the dynamically generated access control lists.
35. The semantic processor of claim 28, comprising a recirculation buffer used by the one or more semantic processing units (SPUs) to reassemble fragmented packets in the data stream, the direct execution parser then identifying the syntactic elements in the reassembled packets and the one or more semantic processing units performing the intrusion detection operations according to the identified syntactic elements.
36. The semantic processor of claim 28, wherein the direct execution parser identifies Simple Mail Transfer Protocol (SMTP) packets in the data stream and directs the one or more semantic processing units to extract email elements from the SMTP packets and to use the extracted email elements to generate a group of email threat filters that are then applied to the SMTP packets.
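Claims 18 to 21 and 31 to 34 (and the SMTP case of claim 36) describe a two-stage filter: a predetermined ACL is applied first, every passed packet is held in a fixed-delay buffer, and tokens from threat-relevant syntactic elements feed a threat analyzer whose dynamically generated ACL is applied to the buffered packets before release. The block below is an added simulation of that pipeline, not code from the patent; the packet stream, the static rule, the token threshold and the delay length are all constructed.

```python
from collections import Counter, deque

DELAY_TICKS = 3        # fixed delay imposed by the buffer (claims 18, 32); hypothetical
TOKEN_THRESHOLD = 3    # hypothetical: repeats of a token before a dynamic ACL entry exists

# Constructed packets as (arrival_tick, dst_port, payload). Not from the patent.
STREAM = [
    (0, 25, "MAIL FROM:<a@example.test>"),
    (1, 23, "login attempt"),                  # telnet: caught by the static ACL
    (1, 25, "MAIL FROM:<a@example.test>"),
    (2, 80, "GET /index.html HTTP/1.1"),
    (2, 25, "MAIL FROM:<a@example.test>"),     # third repeat: dynamic ACL is generated
    (3, 25, "MAIL FROM:<a@example.test>"),
    (4, 25, "MAIL FROM:<b@example.test>"),
]

# First, preliminary filter: predetermined ACL entries (claim 19 / claim 31).
STATIC_ACL = [lambda pkt: pkt[1] == 23]

def tokenize(pkt):
    """Parser stand-in: tokens only for threat-relevant syntactic elements (claim 21)."""
    _, port, payload = pkt
    if port == 25 and payload.startswith("MAIL FROM:"):
        return [("smtp_sender", payload[len("MAIL FROM:"):])]
    return []

class ThreatAnalyzer:
    """Turns repeated tokens into dynamically generated ACL entries (claims 20, 33)."""
    def __init__(self):
        self.counts = Counter()
        self.dynamic_acl = set()

    def observe(self, tokens):
        for tok in tokens:
            self.counts[tok] += 1
            if self.counts[tok] >= TOKEN_THRESHOLD:
                self.dynamic_acl.add(tok)

def run(stream):
    """Returns (released_packets, dropped) where dropped holds (stage, packet) pairs."""
    analyzer = ThreatAnalyzer()
    buffer = deque()               # (release_tick, packet, tokens), FIFO
    released, dropped = [], []

    def release(now):
        # Second filter: stored packets are checked against the dynamic ACL on release.
        while buffer and buffer[0][0] <= now:
            _, pkt, toks = buffer.popleft()
            if any(t in analyzer.dynamic_acl for t in toks):
                dropped.append(("dynamic", pkt))
            else:
                released.append(pkt)

    for pkt in stream:
        now = pkt[0]
        release(now)
        if any(rule(pkt) for rule in STATIC_ACL):
            dropped.append(("static", pkt))
            continue
        toks = tokenize(pkt)
        analyzer.observe(toks)
        buffer.append((now + DELAY_TICKS, pkt, toks))
    release(float("inf"))          # drain the buffer at end of stream
    return released, dropped
```

Because the first two sender packets are still in the delay buffer when the third repeat produces the dynamic ACL entry, they are dropped on release rather than having already left the device.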
37. A pushdown automaton (PDA) engine, comprising:
a semantic table configured with different portions corresponding to different pushdown automaton semantic states, at least some of those portions containing one or more semantic entries that correspond to multi-character semantic elements which may be contained in the input data, the semantic table being indexed by combining a symbol identifying the different semantic states with a segment of the input data.
38. The pushdown automaton engine of claim 37, comprising a semantic state map that identifies the next pushdown automaton semantic state according to the semantic entry in the current pushdown automaton semantic state that matches the combination of the symbol and the input data segment.
39. The pushdown automaton engine of claim 38, comprising a stack that pops the symbol to be combined with the input data segment and pushes the next symbol corresponding to the next semantic state identified by the semantic state map.
40. The pushdown automaton engine of claim 39, wherein the stack contains non-terminals representing a plurality of previous pushdown automaton semantic states.
41. The pushdown automaton engine of claim 37, wherein the semantic table transitions between the different pushdown automaton semantic states according to the semantic elements identified in the input data, independently of the individual characters contained in those semantic elements.
42. The pushdown automaton engine of claim 37, wherein the semantic table comprises a content addressable memory (CAM), and the semantic entries in the content addressable memory locate matches that identify the semantic elements of the input data for the next semantic state.
43. The pushdown automaton engine of claim 42, comprising a skip data map indexed by the content addressable memory, the skip data map identifying how much input data is to be shifted into the pushdown automaton engine for comparison with the semantic entries.
44. The pushdown automaton engine of claim 37, comprising a reconfigurable semantic processor (RSP) that includes one or more semantic processing units (SPUs) performing additional operations on the input data according to the semantic states identified by the semantic table.
45. The pushdown automaton engine of claim 44, comprising a semantic entry point (SEP) map indexed by the semantic table to initiate the microinstructions executed by the one or more semantic processing units.
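Claims 37 to 45 describe the engine as a table keyed on (current state symbol, input segment), a state map giving the next symbol to push, a skip map for shifting input when nothing matches, and SEP entries that trigger microinstructions. The block below is an added software model of that engine applied to an HTTP request line, not code from the patent; the state names, the table contents and the SEP actions are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    literal: bytes        # multi-character semantic element matched as a whole (claim 41)
    next_state: str       # semantic state map: symbol pushed after a match (claims 38, 39)
    sep: Optional[str]    # semantic entry point to fire, or None (claim 45)

# Hypothetical semantic table for an HTTP request line. Each state is one
# "portion" of the table holding its own semantic entries (claim 37).
SEMANTIC_TABLE = {
    "REQ": [Entry(b"GET ", "URL", "method"), Entry(b"POST ", "URL", "method")],
    "URL": [Entry(b" HTTP/", "VER", "url")],
    "VER": [Entry(b"1.1\r\n", "DONE", "version"), Entry(b"1.0\r\n", "DONE", "version")],
}
# Skip data map (claim 43): bytes to shift when no entry matches in a state.
# 0 means a miss in that state is a parse error.
SKIP_MAP = {"REQ": 0, "URL": 1, "VER": 0}

class PDAEngine:
    def __init__(self, table, skip_map):
        self.table, self.skip_map = table, skip_map
        self.stack = ["REQ"]     # non-terminals; the top is the current semantic state
        self.fields = {}         # results produced by the SEP "microinstructions"

    def _match(self, state, data, pos):
        # CAM-style lookup keyed on (state, input segment): longest literal wins (claim 42)
        best = None
        for e in self.table[state]:
            if data.startswith(e.literal, pos) and (best is None or len(e.literal) > len(best.literal)):
                best = e
        return best

    def run(self, data: bytes):
        pos, span_start = 0, 0
        while self.stack and self.stack[-1] != "DONE":
            state = self.stack.pop()                  # pop the symbol to combine with input
            entry = self._match(state, data, pos)
            if entry is None:
                skip = self.skip_map[state]
                if skip == 0 or pos + skip > len(data):
                    raise ValueError(f"no semantic entry for state {state} at offset {pos}")
                self.stack.append(state)              # stay in the state, shift the input
                pos += skip
                continue
            if entry.sep:
                self._sep(entry.sep, data, span_start, pos, entry)
            pos += len(entry.literal)
            span_start = pos
            self.stack.append(entry.next_state)       # push the next semantic state
        return self.fields

    def _sep(self, sep, data, start, pos, entry):
        # Semantic entry points: what an SPU would execute for the matched element
        if sep == "method":
            self.fields["method"] = entry.literal.strip().decode()
        elif sep == "url":
            self.fields["url"] = data[start:pos].decode()    # bytes skipped in state URL
        elif sep == "version":
            self.fields["version"] = entry.literal.strip().decode()

def parse_request_line(line: bytes):
    return PDAEngine(SEMANTIC_TABLE, SKIP_MAP).run(line)
```

Note that only the URL state consumes input one byte at a time (via the skip map); the other transitions are driven by whole semantic elements, which is the point of claim 41.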

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US63900204P 2004-12-21 2004-12-21
US60/639,002 2004-12-21
US11/125,956 2005-05-09
US11/187,049 2005-07-21
US60/701,748 2005-07-22

Publications (1)

Publication Number Publication Date
CN101116052A true CN101116052A (en) 2008-01-30

Family

ID=39023476

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005800442190A Pending CN101116052A (en) 2004-12-21 2005-12-20 Network interface and firewall device

Country Status (1)

Country Link
CN (1) CN101116052A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340275B (en) * 2008-08-27 2010-10-20 华为终端有限公司 Data card, data processing and transmitting method
CN101984638A (en) * 2010-11-10 2011-03-09 河海大学常州校区 Storage agent system used for cross-IPv4 and IPv6-network processing and method thereof
CN101984638B (en) * 2010-11-10 2013-05-15 河海大学常州校区 Storage agent system used for cross-IPv4 and IPv6-network processing and method thereof
CN103218288B (en) * 2011-12-08 2017-07-07 Sap欧洲公司 Information Authentication
CN103218288A (en) * 2011-12-08 2013-07-24 Sap股份公司 Information validation
CN103309928A (en) * 2012-03-13 2013-09-18 株式会社理光 Method and system for storing and retrieving data
CN103458046B (en) * 2013-09-13 2016-09-07 中国科学院信息工程研究所 A kind of data secret shared system based on core network and method
CN103458046A (en) * 2013-09-13 2013-12-18 中国科学院信息工程研究所 Data secrete sharing system and method based on core network
CN106878247A (en) * 2016-08-11 2017-06-20 阿里巴巴集团控股有限公司 A kind of attack recognition method and apparatus
CN109391523A (en) * 2017-08-08 2019-02-26 罗伯特·博世有限公司 Method for monitoring the traffic between the network members in network
CN109391523B (en) * 2017-08-08 2023-04-18 罗伯特·博世有限公司 Method for monitoring traffic between network members in a network
CN107968825A (en) * 2017-11-28 2018-04-27 新华三技术有限公司 A kind of message transmission control method and device
CN107968825B (en) * 2017-11-28 2021-06-29 新华三技术有限公司 Message forwarding control method and device
CN109167774A (en) * 2018-08-23 2019-01-08 西安理工大学 A kind of data message and the data flow secure interaction method on firewall
CN109167774B (en) * 2018-08-23 2021-04-06 西安理工大学 Data message and data stream safety mutual access method on firewall
CN113169967A (en) * 2018-11-30 2021-07-23 思科技术公司 Dynamic intent-based firewall
CN112003873A (en) * 2020-08-31 2020-11-27 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack
CN115033750A (en) * 2022-03-23 2022-09-09 成都卓源网络科技有限公司 TCAM-based classification structure and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication