KR101470590B1 - Plug-in multi pattern matching apparatus and method thereof - Google Patents

Abstract

A plug-in multi-pattern matching apparatus and method thereof are disclosed. A plug-in multi-pattern matching apparatus according to an embodiment of the present invention includes: a map generator for classifying signatures into a plurality of groups and generating a map to be used for pattern inspection for each classified group; And a plug-in searcher that reads the map loaded in the external memory into the internal memory by a plug-in method and inspects the pattern of the input packet using the map read into the internal memory.

Description

[0001] Plug-in multi-pattern matching apparatus and method [0002]

The present invention relates to a hardware-based high-performance pattern matching technique for performing a search for a large number of patterns at a high speed.

Various systems are being developed to cope with intrusion through a network. However, the speed up of networks such as Gigabit Ethernet environment and the transmission and reception of large amount of data based on them are requiring changes to existing low-speed security analysis techniques.

In other words, in order to cope with increasingly high-speed and high-capacity network environments and more diversified intrusion attempts, techniques for analyzing a large amount of data in a faster time are required. That is, research on a new type of security system considering this is required.

Generally, the signature detection engine that detects harmful traffic is developed with software. If the number of signatures increases, the time required to detect harmful traffic increases, the detection performance decreases, and the performance of the entire system is deteriorated due to an increase in the CPU utilization rate when matching the signatures to all the packets passing through the network.

According to one embodiment, a plug-in multi-pattern matching apparatus and method capable of high-speed large-capacity pattern matching based on hardware are proposed.

A plug-in multi-pattern matching apparatus according to an embodiment of the present invention includes a map generator for classifying signatures into a plurality of groups and generating a map to be used for pattern inspection for each classified group, at least a part of the map generated in the map generator, And a plug-in searcher that reads the map loaded in the external memory into the internal memory by a plug-in method and inspects the pattern of the input packet using the map read into the internal memory.

The map generator includes a pattern classifying unit for classifying signatures in groups according to a classification criterion in a signature set, a pattern translating unit for generating a multi-pattern retrieval map for each signature group, and a multi- To a usable map.

At this time, the map conversion unit may configure the map so that the plug-in searcher includes input symbol size information that can know the number of packet bytes to be pattern-matched in each state. The map converter may expand the size of the corresponding state to n bytes when n (n = 2, 3, ...) byte pattern matching is possible according to the expandable condition in each state. The extendable condition is the case where there is no match pattern in at least one of the N, F, NF and FN states and N is s = { s ₁ , ... , s _i }, S is the current state, s = { s ₁ , ... , s _i } is a symbol input in S, F is a state transited by a failure function in S, NF is a state transited by a failure function in N, FN is a state in which f = { f ₁ , ... , f _k }, and f = { f ₁ , ... , f _k } is a symbol that can be input in F. The state expanded to n bytes is a state in which transition is made to the input of the symbol set E = {s · n, s · nf, f · fn} in the current state S.

The map loader includes a map analyzer for analyzing the map generated by the map generator, a map classifier for classifying the map analyzed by the map analyzer, and a method for determining how to map the maps classified by the map classifier to the plug- A map arrangement unit for arranging the map in the plug-in searcher according to the arrangement method determined by the map arrangement unit, and a configuration setting unit for setting the environment so that the plug-in searcher can operate according to the determined arrangement method.

The plug-in searcher includes a map detector for reading signature group classification information from an input packet and extracting input symbols to detect a type and a storage position of the map, and a map detector for detecting the type and location of the map from the external memory using the stored address of the map detected by the map detector. A map carrier for reading the map and storing the read map in an internal memory, and a multi-pattern search unit for performing multi-byte pattern matching on the input packet using the map stored in the internal memory.

The plug-in searcher may further include an external memory in which maps are loaded by the map loader, and an internal memory in which a multi-pattern state map to be used by the multi-pattern search unit is extracted and loaded from the external memory in a plug-in manner.

At this time, at least some maps are stored in the internal memory according to the size of the map to be used or the expected frequency of use, and the plug-in searcher can perform pattern matching using maps stored in the internal memory.

The map detection unit can detect the map by using a limited keyword. The multi-pattern search unit may perform pattern matching by reading a corresponding amount of the input packet payload according to the size information of the input symbol in the current state in the map.

The plug-in multi-pattern matching apparatus may further include a post-processing unit that receives the execution result from the plug-in searcher, determines a rule to be applied, and processes the packet according to the determined rule. In this case, the post-processing unit may include a rule selection unit for checking the type and storage position of the rule using the rule storage address based on the pattern matching result of the plug-in search unit and selecting a predetermined rule, And a rule processing unit for processing the input packet using a rule transferred to the internal memory by the rule delivery unit.

According to one embodiment, a search for a large amount of patterns can be performed at high speed. That is, since hardware-based high-performance pattern matching technology is used and hardware resources may be limited in resources such as internal memory, information necessary for pattern matching may be divided into groups and stored in an external memory. By using the method of loading only the information into the internal memory using the plug-in method, the resource can be efficiently used and the processing speed can be improved. Furthermore, it is possible to divide the information required for pattern matching into groups and expand the pattern so that pattern matching is possible even for n (n = 2, 3, ...) bytes.

1 is a configuration diagram of a plug-in multi-pattern matching apparatus according to an embodiment of the present invention;
FIG. 2 is a detailed configuration diagram of the map generator of FIG. 1 according to an embodiment of the present invention;
FIGS. 3A to 3C are views showing a map production example capable of 1-byte pattern matching according to an embodiment of the present invention;
FIGS. 4 and 5 are views for explaining a process of expanding a pattern to enable n-byte pattern matching according to an embodiment of the present invention;
FIG. 6 is a diagram showing the structure of a map transformed by the map transform unit of FIG. 2 according to an embodiment of the present invention;
FIG. 7 is a detailed configuration diagram of the map loader of FIG. 1 according to an embodiment of the present invention;
FIG. 8 is a detailed configuration diagram of the plug-in searcher of FIG. 1 according to an embodiment of the present invention;
FIG. 9 is a reference diagram for explaining a map detection process of the map detection unit according to an embodiment of the present invention;
FIGS. 10A and 10B are views for explaining a multi-byte pattern matching process of a multi-pattern search unit according to an embodiment of the present invention;
FIG. 11 is a detailed configuration diagram of the post-processor of FIG. 1 according to an embodiment of the present invention;
12 is a flowchart illustrating a plug-in multi-pattern matching method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. In addition, the terms described below are defined in consideration of the functions of the present invention, which may vary depending on the intention of the user, the operator, or the custom. Therefore, the definition should be based on the contents throughout this specification.

1 is a configuration diagram of a plug-in multi-pattern matching apparatus 1 according to an embodiment of the present invention.

According to the present invention, the plug-in multi-pattern matching apparatus 1 utilizes hardware (HW) -based high-performance pattern matching technology to perform a search for a large amount of patterns at a high speed. That is, the processing speed is limited in processing the pattern matching by the software (SW), and it is processed by the hardware such as the FPGA. However, since resources required for internal memory and the like may be limited at the time of hardware processing, the present invention separates information necessary for pattern matching into groups and stores them in an external memory. Then, only information necessary for pattern matching is plugged into an internal memory It is loaded and used. For high-speed processing, patterns can be extended so that pattern matching is possible even for n (n = 2, 3, ...) bytes.

The detailed configuration of the plug-in multi-pattern matching device 1 having the above-described characteristics will be described below. 1, the plug-in multi-pattern matching apparatus 1 includes a map generator 10, a map loader 12, a plug-in pattern search engine 14, And a postprocessor 16.

The map generator 10 classifies a signature pattern into a plurality of groups and generates a map to be used for pattern inspection for each classified group. At this time, the map generator 10 may extend the pattern so that even n bytes can be searched for multiple patterns. The detailed configuration of the map generator 10 will be described later with reference to FIG.

The map loader 12 stores at least a part of the map generated in the map generator 10 in the external memory. Details of the map loader 12 will be described later with reference to FIG.

The plug-in searcher 14 reads the map loaded in the external memory into the internal memory by a plug-in method. Then, the pattern of the input packet is inspected using the map read into the internal memory. The plug-in searcher 14 is a hardware-based pattern search engine that moves a map from an external memory to an internal memory using a plug-in method and then inspects patterns of input packets. The detailed configuration of the plug-in searcher 14 will be described later with reference to FIG.

The post processor 16 receives the pattern matching result from the plug-in searcher 14, determines a rule to be applied, and processes the packet according to the determined rule. The detailed structure of the post processor 16 will be described later with reference to FIG.

FIG. 2 is a detailed configuration diagram of the map generator 10 of FIG. 1 according to an embodiment of the present invention.

1 and 2, the map generator 10 includes a pattern classifier 100, a pattern complier 102, and a map transformer 104 .

The pattern classification unit 100 classifies signatures in groups according to a classification criterion in a signature set. The pattern translator 102 generates a multi-pattern search map (MPSM) for each signature group. The Aho-Corasick (AC) algorithm can be used for this purpose.

The map conversion unit 104 converts the multi-pattern search map generated by the pattern translation unit 102 into a map that can be used by the plug-in searcher 14. The detailed structure of the map converted by the map conversion unit 104 will be described in detail later with reference to FIG.

According to one embodiment, the map conversion unit 104 configures the map so that the plug-in searcher 14 includes input symbol size information that can know the number of packet bytes to be pattern-matched in each state. The map transforming unit 104 may expand the size of the corresponding state to n bytes if n-byte pattern matching is possible according to the expandable condition in each state.

Hereinafter, a map production example of the map generator 10 will be described in detail with reference to the map production scenario of FIG. 3 to FIG. However, it should be noted that the map production scenarios of Figs. 3 to 6 are only one embodiment for facilitating understanding of the present invention, and the present invention is not limited thereto.

3A to 3C are reference views showing an example of producing a map capable of 1-byte pattern matching according to an embodiment of the present invention.

In detail, FIG. 3A illustrates an example of a failure function in which signature patterns (he, she, his, hers) according to an embodiment, a match pattern, 3B shows a goto graph in which a transition between states can be known. FIG. 3C is a diagram showing a goto graph in which a next state is input when an input symbol is input in each state, It is an angry ticket. In the table of FIG. 3C, it can be confirmed that the input symbol is one byte. In FIG. 3A, although the signature pattern is formed of a character string, the signature pattern is applicable not only to a character string, but also to all possible forms such as a regular pattern, a hexadecimal number, and the like.

According to the Aho-Corasick (AC) algorithm, the signature is implemented as a state machine (hereinafter referred to as SM) in byte units. At this time, each state of the SM has a pointer (solid line in FIG. 3B) to the next state and a pointer to the state at the time of pattern comparison failure (dotted line in FIG. 3B). Therefore, the signature detection is performed by tracking the change of each state on the SM, taking each byte generated in the packet as an input.

FIGS. 4 and 5 are reference views for explaining a process of expanding a pattern to enable n-byte pattern matching according to an embodiment of the present invention.

Referring to FIGS. 4 and 5, basically, a map for one byte is constructed with a given signature. If n byte pattern matching is possible in each state, the state can be extended to n bytes.

To illustrate the extension to n bytes, we first define terms as shown in Table 1.

S: current state, s = { s ₁ , ... , si }: Symbols that can be input in S
N = {N ₁ , ... , N i }: State transition from S to s input, n = { n ₁ , ... , n _j }: symbols that can be input in N
F: state transitioned by failure function in S, f = { f ₁ , ... , F _k}: input symbol, the F
NN = {NN ₁ , ... , NN _l }: State transitioned from n to n
NF: a state transited by a failure function in N, nf = { nf ₁ , ... , nf _o }: symbols that can be input in NF
NFN: state transited by nf in NF
FN: the state transited by f in f, fn = { fn ₁ , ... , fn _k }: Symbols that can be input in FN
FNN: a state transited by fn in FN,
j : Input symbol length in S

According to the present invention, the expandable condition is a case where there is no match pattern in N, F, NF, FN, and the expansion in the expandable condition can be made as shown in Table 2 below.

E = s · n, s · nf, f · fn: new symbol set of S (priority : s · n > s · nf > f · fn)
j + 1 : Input symbol length in S,
T = {NN, NFN, FNN}: state set to transition from S to E input,
If F and NF are not 0, F and NF are in the current state, and F and NF are repeated until 0,
Repeat if S meets expandable criteria in S

An example of expansion into n bytes will now be described with reference to FIGS. 4 and 5. FIG. In this case, scenarios assumed in FIGS. 3A and 3B are also applied to FIG. 4 and FIG.

First, according to the stratified graph of FIG. 3B, N, F, NF, and FN in each state and input symbols n, f, nf, and fn are shown in the table of FIG. Referring to the table of FIG. 4A, it can be seen that a state S in which there is no match pattern in N, F, NF, or FN that is an expandable condition is {0, 2, 3, 7, 9}. This is because the match pattern is output (2) = {he}, output (5) = {she, he}, output (7) = {his}, output (9) = {hers} Because. A state S in which F or NF is not 0 in a state where there is no match pattern is {3, 7, 9}. In this case, F or NF is set to the current state S, and until F or NF becomes 0 state Repeat this.

Figures 5A and 5B illustrate an n byte extension example in the expandable condition {0, 2, 3, 7, 9}. More specifically, FIG. 5A shows the input symbols in the combination s. N, s. Nf and f. Fn in the expandable state, and FIG. 5B shows the input symbol and the next state in the expandable state as a table. It can be confirmed that the table of FIG. 5B is extended to 2 bytes.

In FIG. 5A, an input symbol marked for deletion means that there is a preceding input symbol and is pushed to a priority and deleted. For example, as shown in Table 2, the input symbol rs of the combination s · nf in state 2 is pushed away by the input symbol rs of s · n in priority order. 5B shows a state T '= {NN, NFN, FNN} transited to the input of a new symbol set E = {s · n, s · nf, f · fn} in the current state S it means.

6 is a structural diagram of a map converted by the map conversion unit 104 of FIG. 2 according to an embodiment of the present invention.

Referring to FIG. 2 and FIG. 6, the map converted by the map transforming unit 104 includes various kinds of information.

numOfStates: The total number of states in the map (Offset: 0)
NextStateOffs: Offset value of NextState information for each state (there are total number of states)
sizeOfInputSymbol: size of input symbol to be input in the corresponding state
Match: Presence of matching pattern in the corresponding state
nextStateCount: the number of input symbols that can transition from the state to the next non-zero state
inputSymbol / nextState: nextState that will transition when input Symbol is entered in the corresponding state
MatchOffs: Offset value where the Match Table is located for each state (exists for the total number of states)
mCount: number of patterns matched in each state
mSize: Size of information about the matched pattern

FIG. 7 is a detailed configuration diagram of the map stacker 12 of FIG. 1 according to an embodiment of the present invention.

1 and 7, the map loader 12 includes a map analyzer 120, a map classifier 122, a map composer 124, A Map Poster 126 and a Config Setter 128. [

The map analyzer 120 analyzes the map generated by the map generator 10 and the map classifier 122 classifies the analyzed map by the map analyzer 120. The map construction unit 124 determines how to arrange the maps classified by the map classification unit 122 in the plug-in searcher 14 and the map arrangement unit 126 arranges the map based on the arrangement method determined by the map construction unit 124 The map is placed in the plug-in searcher 14. In addition, the configuration setting unit 128 sets the environment so that the plug-in searcher 14 can operate according to the determined placement method.

FIG. 8 is a detailed configuration diagram of the plug-in searcher 14 of FIG. 1 according to an embodiment of the present invention.

Referring to FIGS. 1 and 8, the plug-in searcher 14 includes a map finder 140, a map putter 142, and a multi-pattern search engine 144 ).

The map detection unit 140 reads signature group classification information from the input packet, extracts input symbols, and confirms which map is used and where it is stored. At this time, the map detecting unit 140 can detect the map using a limited keyword. An embodiment of this will be described later with reference to FIG.

The map carrying unit 142 reads the map from the external memory 146 using the storage address of the map detected by the map detecting unit 140 and carries the read map to the internal memory 148. [ In this case, the external memory 146 is loaded with maps by the map loader 12, and the internal memory 148 is loaded by the map carrying unit 142 from the external memory 146 to the multi- The pattern state map is extracted and loaded in a plug-in fashion. The external memory 146 may be, for example, DDR, and the map is moved from the DDR to the map buffer of the internal memory 148. The map carrying unit 142 may add the base address (base Addr) of the current map buffer to the next state address (NextStateAddr) and the match address (MatchAddr) in the map.

The multi-pattern search unit 144 performs multi-byte pattern matching on the input packet using the map stored in the internal memory 148. [ At this time, the map is a multi-pattern state map (MPSM).

According to one embodiment, not all maps are stored in the external memory 146, but some maps are stored in the internal memory 148 in a distributed manner. In this case, maps in which the size of a map to be used by the multi-pattern search unit 144 is large or which are expected to be used frequently can be stored in the internal memory 148. Then, the plug-in searcher 14 can perform pattern matching using the maps stored in the internal memory 148. [

According to one embodiment, the multi-pattern search unit 144 reads a corresponding amount of the payload of the input packet according to the size information of the input symbol in the current state in the map, and performs pattern matching. An embodiment of this will be described later with reference to FIG.

9 is a reference diagram for explaining a map detection process of the map detection unit 140 according to an embodiment of the present invention.

Referring to FIGS. 8 and 9, the map detection unit 140 includes a deterministic finite automaton (DFA) engine that can find a map at the time of initialization. At this time, the map can be expanded and adjusted without modifying the FPGA by changing only the DFA engine configuration file. The map detecting unit 140 reads information that can distinguish a group from a packet input to the FIFO, extracts input symbols, and drives the DFA engine to detect the corresponding map. At this time, if there is no corresponding map, the result is notified to the post-processor, which is the next block, without performing pattern matching.

According to one embodiment, the map detection unit 140 detects a map using limited keywords as shown in FIG. The restricted keywords may be ETHERNET_TYPE_IP, ETHERNET_TYPE_IPV6, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, PORT_HTTP, and the like. (5) = TCP-SRC-ANY, output (7) = TCP-SRC-FTP, output (9) = UDP-DST -TFTP.

10A and 10B are reference views for explaining a multi-byte pattern matching process of the multi-pattern search unit 144 according to an embodiment of the present invention.

Referring to FIGS. 8, 10A, and 10B, the multi-pattern search unit 144 obtains the number of bytes (sizeOfInputSymbol) to be taken as an input symbol in the current state in the map, The pattern matching is performed by reading the number of bytes corresponding to the number of bytes from the load 1000. If there is a pattern match result (Output), the pattern match result is transmitted to the post-processor. FIG. 10B shows a pattern match result (Output).

11 is a detailed configuration diagram of the post processor 16 of FIG. 1 according to an embodiment of the present invention.

1 and 11, the post-processor 16 includes a rule selector 160, a rule carrier 162, and a rule processor 164.

The rule selecting unit 160 determines which rule is used and where the rule is stored using the TCAM 165 based on the pattern matching result of the plug-in searcher 14. [ Then, when the result received from the plug-in searcher 14 is stored for each packet and the payload end signal of the packet is received, the rule having the highest priority value of the match information is selected.

The rule carrier 162 reads a rule selected by the rule selector 160 from the external memory 166 and carries it to the internal memory 168. The external memory 166 may be, for example, an SRAM.

The rule processing unit 164 processes the input packet using the rules conveyed to the internal memory 168 by the rule delivery unit 162. [ For example, an input packet may be dropped or an input of the packet may be alerted.

12 is a flowchart illustrating a plug-in multi-pattern matching method according to an embodiment of the present invention.

Referring to FIG. 1 and FIG. 12, the map generator 10 classifies signatures into a plurality of groups and generates a map 1200 to be used for pattern inspection for each classified group. According to an embodiment, the map generator 10 classifies signatures in groups according to classification criteria in a signature set, generates a multi-pattern search map for each signature group, and uses the generated multi-pattern search map by the plug- Converts to a possible map.

Then, the map loader 12 stores at least a part of the map generated in the map generator 10 in the external memory (1210). According to one embodiment, the map loader 12 analyzes and classifies the maps generated in the map generator 10, determines how to arrange the classified maps in the plug-in explorer 14 and, according to the determined placement method, (14). Then, the environment is set so that the plug-in searcher 14 can operate according to the determined placement method.

Next, the plug-in searcher 14 reads the map loaded in the external memory into the internal memory by a plug-in method and inspects the pattern of the input packet using the map loaded into the internal memory (operation 1220). According to one embodiment, the plug-in searcher 14 reads the signature group classification information from the input packet, extracts input symbols, detects the type and storage location of the map, Reads the map and stores the read map in internal memory. Then, multi-byte pattern matching is performed on the input packet using the map stored in the internal memory.

In addition, the post-processing unit 16 may receive the execution result from the plug-in searcher 14, determine a rule to be applied, and process the packet according to the determined rule. According to one embodiment, the post-processing unit 16 confirms the type and storage location of the rule using the rule storage address based on the pattern matching result of the plug-in searcher 14, selects a predetermined rule, It reads from external memory and carries it to internal memory. Then, the input packet is processed using a rule transferred to the internal memory.

The embodiments of the present invention have been described above. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

1: plug-in multi-pattern matching device 10: map generator
12: Map Stacker 14: Plug-in Explorer
16: Post-processor 100: Pattern classifier
102: pattern translation unit 104: map conversion unit
120: map analyzing unit 122: map classifying unit
124: Map construction unit 126: Map placement unit
128: Configuration setting unit 140: Map detection unit
142: map carrier unit 144: multi-pattern search unit
160: Rule selecting unit 162: Rule carrying unit
164:

Claims (14)

A map generator for classifying the signatures into a plurality of groups and generating a map to include input symbol size information indicating the number of packet bytes to be pattern-matched for each classified group;
A map loader for storing at least a part of the map generated in the map generator in an external memory; And
A plug-in searcher for reading a map stored in the external memory, storing the map in an internal memory, and performing a multi-pattern matching on an input packet having a corresponding size using the input symbol size information of the map;
Pattern matching device. 2. The map generator according to claim 1,
A pattern classifier for classifying signatures in groups according to classification criteria in a signature set;
A pattern translation unit for generating a multi-pattern search map for each signature group; And
A map conversion unit for converting the multi-pattern search map generated by the pattern translation unit into a map usable by the plug-in searcher;
Pattern matching device. 3. The apparatus according to claim 2,
Wherein the plug-in searcher constructs a map so as to include input symbol size information that indicates the number of packet bytes to be pattern-matched in each state. 3. The apparatus according to claim 2,
Wherein the size of the state is expanded to n bytes when n (n = 2, 3, ...) byte pattern matching is possible according to the expandable condition in each state. 5. The method of claim 4,
Wherein the expandable condition is a case where there is no match pattern in at least one of N, F, NF and FN states, and N is s = { s ₁ , ... , s _i }, S is the current state, and s = { s ₁ , ... , s _i } , s _i } is a symbol input in S, F is a state transited by a failure function in S, NF is a state transited by a failure function in N, and FN is f = { f ₁ , ... , f _k }, and f = { f ₁ , ..., , f _k } is an input symbol in F. 6. The method of claim 5,
Wherein the state extended to the n bytes is a state of transitioning to an input of a symbol set E = {s · n, s · nf, f · fn} in the current state S. 2. The map loader according to claim 1,
A map analyzer for analyzing the map generated by the map generator;
A map classifier for classifying the map analyzed by the map analyzer;
A map construction unit for determining a method of arranging maps classified by the map classification unit in the plug-in searcher;
A map arrangement unit for arranging a map in the plug-in searcher according to the arrangement method determined by the map construction unit; And
A configuration setting unit configured to set an environment in which the plug-in searcher can operate according to the determined placement method;
Pattern matching device. 2. The plug-in searcher according to claim 1,
A map detection unit that reads signature group classification information from an input packet and extracts input symbols to detect a type and storage location of the map;
A map carrying unit for reading the map from the external memory using the storage address of the map detected by the map detection unit and storing the read map in the internal memory; And
A multi-pattern search unit for performing multibyte pattern matching on an input packet using a map stored in the internal memory;
Pattern matching device. 9. The plug-in search apparatus according to claim 8,
An external memory on which maps are loaded by the map loader; And
An internal memory in which a multi-pattern state map to be used by the multi-pattern search unit is extracted and loaded from the external memory by a plug-in method by the map carrying unit;
Wherein the plug-in multi-pattern matching device further comprises: 10. The method of claim 9,
At least some maps are stored in the internal memory according to the size of the map to be used or the expected frequency of use,
Wherein the plug-in searcher performs pattern matching using maps stored in the internal memory. 9. The apparatus according to claim 8,
And detects the map using a limited keyword. 9. The apparatus of claim 8, wherein the multi-
Wherein the pattern matching is performed by reading the input packet payload of the size corresponding to the size information of the input symbol in the current state of the map. 2. The apparatus of claim 1, wherein the plug-
A post-processing unit for receiving a result of the plug-in search from the plug-in searcher to determine a rule to be applied and processing the packet according to a determined rule;
Wherein the plug-in multi-pattern matching device further comprises: 14. The apparatus of claim 13, wherein the post-
A rule selector for checking the type and storage location of the rule using the rule storage address based on the pattern matching result of the plug-in searcher and selecting a predetermined rule;
A rule-handling unit for reading a rule selected by the rule selection unit from the external memory and transferring the rule to the internal memory; And
A rule processing unit for processing an input packet using rules transmitted to the internal memory by the rule carrier unit;
Pattern matching device.

Images