US9270698B2 - Filter for network intrusion and virus detection - Google Patents

Filter for network intrusion and virus detection Download PDF

Info

Publication number
US9270698B2
US9270698B2 US12/346,734 US34673408A US9270698B2 US 9270698 B2 US9270698 B2 US 9270698B2 US 34673408 A US34673408 A US 34673408A US 9270698 B2 US9270698 B2 US 9270698B2
Authority
US
United States
Prior art keywords
slice
hit
logic array
hit signals
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US12/346,734
Other versions
US20100169401A1 (en
Inventor
Vinodh Gopal
Christopher F. Clark
Gilbert M. Wolrich
Wajdi K. Feghali
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tahoe Research Ltd
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US12/346,734 priority Critical patent/US9270698B2/en
Application filed by Intel Corp filed Critical Intel Corp
Assigned to INTEL CORPORATION reassignment INTEL CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CLARK, CHRISTOPHER F., FEGHALI, WAJDI, GOPAL, VINODH, WOLRICH, GILBERT
Priority to EP09836863A priority patent/EP2382739A4/en
Priority to CN200980153566.5A priority patent/CN102273137B/en
Priority to PCT/US2009/068168 priority patent/WO2010077904A2/en
Publication of US20100169401A1 publication Critical patent/US20100169401A1/en
Priority to US15/049,519 priority patent/US10218739B2/en
Publication of US9270698B2 publication Critical patent/US9270698B2/en
Application granted granted Critical
Assigned to TAHOE RESEARCH, LTD. reassignment TAHOE RESEARCH, LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INTEL CORPORATION
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9014Indexing; Data structures therefor; Storage structures hash tables
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • G06F16/90335Query processing
    • G06F16/90344Query processing by using string matching techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/02Comparing digital values
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/02Indexing scheme relating to groups G06F7/02 - G06F7/026
    • G06F2207/025String search, i.e. pattern matching, e.g. find identical word or best match in a string

Definitions

  • This disclosure relates generally to the field of network processing.
  • the disclosure relates to a novel filter architecture to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • a Bloom filter conceived by Burton H. Bloom in 1970, is a probabilistic structure for determining whether an element is a member of a set. Hashing is performed on the element. Multiple different hash functions are used to generate multiple different hash indices into an array of bits. To add or insert an element into the set, these hash functions are used to index multiple bit locations in the array for the element and these bit locations are then set to one. To query the filter for an arbitrary element the hash functions are used to index multiple bit locations in the array for the element and these bit locations are then checked to see if they are all set to one. If they are not all set to one, the arbitrary element in question is not a member of the set.
  • the Bloom filter Whenever a filter generates a positive outcome for an element, which is not actually a member of the set, the outcome is called a false positive.
  • the Bloom filter will not generate a false negative. It is a goal of any particular filter design, that the probability of false positives is “small.” For Bloom filters, after inserting n elements into a set represented by an array of m bits using k different hash functions, the probability of a false positive is (1 ⁇ (1 ⁇ 1/m) kn ) k .
  • Designing a filter for a specific problem may be tedious, and at high data rates it is difficult or impossible for state-of-the art processors to implement the design at rates even close to line-rate.
  • To achieve rates close to one or more gigabits per second specialized field-programmable gate array solutions or custom circuits have been proposed.
  • FIG. 1 illustrates one embodiment of a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • FIG. 2 illustrates a flow diagram for one embodiment of a process to initialize a filter apparatus for string matching in packet inspection.
  • FIG. 3 illustrates a flow diagram for one embodiment of a process to utilize a filter apparatus for string matching in packet inspection.
  • FIG. 4 illustrates one embodiment of a system employing a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • a filter apparatus may be configured as a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits.
  • Each slice circuit may include an input window storing some number of bytes of data from an input data steam.
  • the input window of data may be padded if necessary, and may be multiplied by a distinct Galois-field polynomial modulo an irreducible Galois-field polynomial to generate a hash index.
  • a storage location of a memory slice corresponding to the hash index may be accessed to generate a slice-hit signal of a plurality of slice-hit signals.
  • the slice-hit signal may be provided to an AND-OR logic array where the plurality of slice-hit signals is logically combined into a match result.
  • Embodiments of such methods and apparatus represent reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • FIG. 1 illustrates one embodiment of a filter apparatus 101 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • Filter apparatus 101 as shown includes an input data stream 120 , which may be in a system memory or may comprise an optional data stream buffer of filter apparatus 101 for storing packed data for inspection and/or a pattern database to initialize filter apparatus 101 .
  • Filter apparatus 101 also includes a set of H (e.g. 1-8) slice circuits 110 - 150 , each i th slice circuit of the set is configurable for providing an i th slice-hit signal to a configurable AND-OR logic array 140 as one of a set of H slice-hit signals.
  • H e.g. 1-8
  • Slice circuits 110 - 150 respectively include input windows 111 - 151 each configurable to store W i (e.g. 2-8) bytes of data from input data steam 120 , and Ghash units 112 - 152 coupled with input windows 111 - 151 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective W i bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
  • W i e.g. 2-8) bytes of data from input data steam 120
  • Ghash units 112 - 152 coupled with input windows 111 - 151 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective W i bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
  • filter apparatus 101 may use the same irreducible Galois-field polynomial in each of the Ghash units 112 - 152 with H distinct polynomial multipliers selected at random (each having a good mixture of 1's and 0's) to generate H distinct hash indices, thus simplifying the task of generating distinct hash indices for each Ghash unit. It will also be appreciated that in embodiments of filter apparatus 101 where, unlike the Bloom filter, input windows 111 - 151 are independently configurable to store W i bytes of data from input data steam 120 , the filter apparatus 101 may be used to solve multiple problems of different sizes (e.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.) at the same time in parallel.
  • problems of different sizes e.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.
  • Slice circuits 110 - 150 also include memories 113 - 153 coupled with the Ghash units 112 - 152 and configurable to access respective storage locations responsive to their respective indices (e.g. at the addresses specified by some field of bits from respective indices) to each generate an i th slice-hit signal and to provide the an i th slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115 - 155 .
  • Some embodiments of memories 113 - 153 are configurable from a larger memory 130 to serve as individual memories 113 - 153 for slice circuits 110 - 150 respectively.
  • Some alternative embodiments of memories 113 - 153 may be N-entry (e.g.
  • RAMs read/write random-access memories
  • Slice circuits 110 - 150 may also include multiplexers 114 - 154 , respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the i th slice-hit signal and to provide the i th slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115 - 155 .
  • AND-OR logic array 140 is configurable to receive a set of H slice-hit signals 115 - 155 and to combine the set of H slice-hit signals 115 - 155 into a match result 145 , a copy of which may be stored as a match result 185 .
  • Some embodiments of AND-OR logic array 140 may be configurable to perform a simple AND (e.g. as in a Bloom filter) or a simple OR (e.g. as in solving multiple problems of different sizes in parallel) of the set of H slice-hit signals 115 - 155 to get a match result 145 .
  • Alternative embodiments of AND-OR logic array 140 may be configurable to perform a complex AND-OR of the set of H slice-hit signals 115 - 155 (e.g.
  • the complex AND-OR of the set of H slice-hit signals 115 - 155 may be used, for example, in embodiments of filter apparatus 101 to provide multiple Bloom filters in parallel.
  • FIG. 2 illustrates a flow diagram for one embodiment of a process 201 to initialize a filter apparatus for string matching in packet inspection.
  • Process 201 and other processes herein disclosed are performed by processing blocks that may comprise dedicated hardware or software or firmware operation codes executable by general purpose machines or by special purpose machines or by a combination of both.
  • processing block 211 a set of H slice circuits are configured.
  • i is set to zero (0).
  • processing block 213 i is incremented.
  • processing block 214 i is checked to see if it has exceeded H. It will be appreciated that even though initialization of the H slice circuits is shown as an iterative process 201 , in at least some preferred embodiment of process 201 , the set of H slice circuits are configured to concurrently perform initialization according to processing blocks 215 - 220 of process 201 for use in string matching during network packet inspections. Therefore, for each of the H slice circuits processing blocks 215 - 220 are executed as follows, before proceeding to processing block 222 .
  • W i bytes of data is stored from an input data steam in an i th input window.
  • the W i bytes of data are padded if necessary.
  • the W i bytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an i th hash index.
  • a storage location of a memory corresponding to the i th hash index is accessed, and in processing block 220 an i th slice-hit signal is stored (i.e. set) in the storage location of the memory corresponding to the i th hash index.
  • processing proceeding to processing block 222 where a pointer in the input data stream is moved (e.g. to a new string in the database). Then from processing block 224 , if the data stream is empty processing terminates. Otherwise processing repeats in processing block 212 .
  • the process 201 may be iterated for hundreds to hundreds of thousands of times in order to initialize a filter apparatus for string matching patterns in packet inspection.
  • substantial performance improvements may be realized.
  • the process 201 of initializing a filter apparatus (by setting slice-hit signals) may be performed in a manner substantially similar to a process of utilizing a filter apparatus for string matching (by reading the slice-hit signals) in packet inspection.
  • a pointer into the input data stream may moved for each i th slice, in such a way as to provide each i th slice with a new compete pattern, whereas in utilizing a filter apparatus for string matching a pointer into the input data stream may be simply incremented.
  • FIG. 3 illustrates a flow diagram for one embodiment of a process 301 to utilize a filter apparatus for string matching in packet inspection.
  • a set of H slice circuits are configured.
  • i is set to zero (0).
  • i is incremented.
  • i is checked to see if it has exceeded H.
  • the set of H slice circuits are configured to concurrently perform string matching according to processing blocks 315 - 321 of process 301 for use during network packet inspections. Therefore, for each of the H slice circuits processing blocks 315 - 321 are executed as follows, before proceeding to processing block 323 .
  • W i bytes of data is stored from an input data steam in an i th input window.
  • the W i bytes of data are padded if necessary.
  • the W i bytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an i th hash index.
  • a storage location of a memory corresponding to the i th hash index is accessed to generate an i th slice-hit signal of a set of H slice-hit signals.
  • the i th slice-hit signal is provided to an AND-OR logic array as one of the set of H slice-hit signals.
  • processing proceeding to processing block 323 where the AND-OR logic array is configured to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result. Then from processing block 323 processing terminates.
  • process 301 may be configured in accordance with embodiments of filter apparatus 101 to substantially accelerate string matching in packet inspection.
  • FIG. 4 illustrates one embodiment of a system 401 employing a filter 480 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
  • System 401 includes an input data stream 420 , which may be in system memory 470 as shown, or may comprise an optional data stream buffer of filter 480 for storing packed data for inspection and/or a pattern database to initialize filter 480 .
  • Filter 480 includes a set of H slice circuits 410 - 450 , each i th slice circuit of the set is configurable for providing an i th slice-hit signal to a configurable AND-OR logic array 440 as one of a set of H slice-hit signals.
  • Slice circuits 410 - 450 respectively include input windows 411 - 451 each configurable to store W i bytes of data from input data steam 420 , and Ghash units 412 - 452 coupled with input windows 411 - 451 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective WI bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
  • Slice circuits 410 - 450 also include memories 413 - 453 coupled with the Ghash units 412 - 452 and configurable to access respective storage locations responsive to their respective indices to each generate an i th slice-hit signal and to provide the an i th slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415 - 455 .
  • Memories 413 - 453 may be N-entry read/write RAMs of any fixed width and configurable to be combined into larger memories (e.g. memory 430 ) as necessary. Alternatively some embodiments of memories 413 - 453 may be configurable from a larger memory 430 .
  • Slice circuits 410 - 450 may also include multiplexers 414 - 454 , respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the i th slice-hit signal and to provide the i th slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415 - 455 .
  • AND-OR logic array 440 may receive the set of H slice-hit signals 415 - 455 and combine the set of H slice-hit signals 415 - 455 into a match result 445 .
  • System 401 also includes system processor 460 to executed a program 471 in system memory 470 to accelerate string matching in packet inspection for network applications using filter 480 , and to move or increment a pointer 461 into input data stream 420 until a match result 445 is positive (in the case of string matching for packet inspections) or until an end-of-file is reached in the input data steam 420 .
  • processor 460 may check a copy of match result 445 stored in system memory 470 as a match result 485 when string matching for packet inspections to determine if match result 445 was positive.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Methods and apparatus to perform string matching for network packet inspection are disclosed. In some embodiments there is a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits. Each slice circuit may include an input window storing some number of bytes of data from an input data steam. The input window of data may be padded if necessary, and then multiplied by a polynomial modulo an irreducible Galois-field polynomial to generate a hash index. A storage location of a memory corresponding to the hash index may be accessed to generate a slice-hit signal of a set of H slice-hit signals. The slice-hit signal may be provided to an AND-OR logic array where the set of H slice-hit signals is logically combined into a match result.

Description

FIELD OF THE DISCLOSURE
This disclosure relates generally to the field of network processing. In particular, the disclosure relates to a novel filter architecture to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
BACKGROUND OF THE DISCLOSURE
In modem networks, applications such as intrusion detection/prevention and virus detection are important for protecting the networks and/or network users from attacks. In such applications network packets are often inspected to identify problematic packets by finding matches to a known set of data patterns. Matching every byte of an incoming data stream against a large database of patterns (e.g. up to hundreds of thousands) is very compute-intensive. Programs have used techniques such as finite-state machines and filters to find matches to known sets.
A Bloom filter, conceived by Burton H. Bloom in 1970, is a probabilistic structure for determining whether an element is a member of a set. Hashing is performed on the element. Multiple different hash functions are used to generate multiple different hash indices into an array of bits. To add or insert an element into the set, these hash functions are used to index multiple bit locations in the array for the element and these bit locations are then set to one. To query the filter for an arbitrary element the hash functions are used to index multiple bit locations in the array for the element and these bit locations are then checked to see if they are all set to one. If they are not all set to one, the arbitrary element in question is not a member of the set.
Whenever a filter generates a positive outcome for an element, which is not actually a member of the set, the outcome is called a false positive. The Bloom filter will not generate a false negative. It is a goal of any particular filter design, that the probability of false positives is “small.” For Bloom filters, after inserting n elements into a set represented by an array of m bits using k different hash functions, the probability of a false positive is (1−(1−1/m)kn)k.
Designing a filter for a specific problem may be tedious, and at high data rates it is difficult or impossible for state-of-the art processors to implement the design at rates even close to line-rate. To achieve rates close to one or more gigabits per second, specialized field-programmable gate array solutions or custom circuits have been proposed.
To date, more generalized reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection have not been fully explored.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings.
FIG. 1 illustrates one embodiment of a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
FIG. 2 illustrates a flow diagram for one embodiment of a process to initialize a filter apparatus for string matching in packet inspection.
FIG. 3 illustrates a flow diagram for one embodiment of a process to utilize a filter apparatus for string matching in packet inspection.
FIG. 4 illustrates one embodiment of a system employing a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
 DETAILED DESCRIPTION
Methods and apparatus to perform string matching for network packet inspection are disclosed below. In some embodiments, a filter apparatus may be configured as a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits. Each slice circuit may include an input window storing some number of bytes of data from an input data steam. The input window of data may be padded if necessary, and may be multiplied by a distinct Galois-field polynomial modulo an irreducible Galois-field polynomial to generate a hash index. A storage location of a memory slice corresponding to the hash index may be accessed to generate a slice-hit signal of a plurality of slice-hit signals. The slice-hit signal may be provided to an AND-OR logic array where the plurality of slice-hit signals is logically combined into a match result.
Embodiments of such methods and apparatus represent reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. These and other embodiments of the present invention may be realized in accordance with the following teachings and it should be evident that various modifications and changes may be made in the following teachings without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense and the invention measured only in terms of the claims and their equivalents.
FIG. 1 illustrates one embodiment of a filter apparatus 101 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection. Filter apparatus 101 as shown includes an input data stream 120, which may be in a system memory or may comprise an optional data stream buffer of filter apparatus 101 for storing packed data for inspection and/or a pattern database to initialize filter apparatus 101. Filter apparatus 101 also includes a set of H (e.g. 1-8) slice circuits 110-150, each ith slice circuit of the set is configurable for providing an ith slice-hit signal to a configurable AND-OR logic array 140 as one of a set of H slice-hit signals. Slice circuits 110-150, respectively include input windows 111-151 each configurable to store Wi (e.g. 2-8) bytes of data from input data steam 120, and Ghash units 112-152 coupled with input windows 111-151 and configurable to receive the Wi bytes of data, to pad the Wi bytes of data if necessary, and to multiply their respective Wi bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
It will be appreciated that some embodiments of filter apparatus 101 may use the same irreducible Galois-field polynomial in each of the Ghash units 112-152 with H distinct polynomial multipliers selected at random (each having a good mixture of 1's and 0's) to generate H distinct hash indices, thus simplifying the task of generating distinct hash indices for each Ghash unit. It will also be appreciated that in embodiments of filter apparatus 101 where, unlike the Bloom filter, input windows 111-151 are independently configurable to store Wi bytes of data from input data steam 120, the filter apparatus 101 may be used to solve multiple problems of different sizes (e.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.) at the same time in parallel.
Slice circuits 110-150, respectively, also include memories 113-153 coupled with the Ghash units 112-152 and configurable to access respective storage locations responsive to their respective indices (e.g. at the addresses specified by some field of bits from respective indices) to each generate an ith slice-hit signal and to provide the an ith slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115-155. Some embodiments of memories 113-153 are configurable from a larger memory 130 to serve as individual memories 113-153 for slice circuits 110-150 respectively. Some alternative embodiments of memories 113-153 may be N-entry (e.g. 1K entries) read/write random-access memories (RAMs) of fixed width (e.g. 64-bits wide) and are configurable to be combined into larger memories (e.g. memory 130) as necessary (e.g. when a very large set of patterns is required). Slice circuits 110-150 may also include multiplexers 114-154, respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the ith slice-hit signal and to provide the ith slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115-155.
AND-OR logic array 140 is configurable to receive a set of H slice-hit signals 115-155 and to combine the set of H slice-hit signals 115-155 into a match result 145, a copy of which may be stored as a match result 185. Some embodiments of AND-OR logic array 140 may be configurable to perform a simple AND (e.g. as in a Bloom filter) or a simple OR (e.g. as in solving multiple problems of different sizes in parallel) of the set of H slice-hit signals 115-155 to get a match result 145. Alternative embodiments of AND-OR logic array 140 may be configurable to perform a complex AND-OR of the set of H slice-hit signals 115-155 (e.g. tempk=(AND slice-hit signali for all i in a set Sk) and then the final match result=(OR tempk for all k) ) to get a match result 145. The complex AND-OR of the set of H slice-hit signals 115-155 may be used, for example, in embodiments of filter apparatus 101 to provide multiple Bloom filters in parallel.
It will be appreciated that when a final match result is positive, a verification process may be used to check against false positives. Such verification process may be relatively slower than using filter apparatus 101 and so the configuration of filter apparatus 101 should be carefully made to avoid frequent false positives.
FIG. 2 illustrates a flow diagram for one embodiment of a process 201 to initialize a filter apparatus for string matching in packet inspection. Process 201 and other processes herein disclosed are performed by processing blocks that may comprise dedicated hardware or software or firmware operation codes executable by general purpose machines or by special purpose machines or by a combination of both.
In processing block 211 a set of H slice circuits are configured. In processing block 212, i is set to zero (0). In processing block 213, i is incremented. In processing block 214, i is checked to see if it has exceeded H. It will be appreciated that even though initialization of the H slice circuits is shown as an iterative process 201, in at least some preferred embodiment of process 201, the set of H slice circuits are configured to concurrently perform initialization according to processing blocks 215-220 of process 201 for use in string matching during network packet inspections. Therefore, for each of the H slice circuits processing blocks 215-220 are executed as follows, before proceeding to processing block 222.
In processing block 215 Wi bytes of data is stored from an input data steam in an ith input window. In processing block 216 the Wi bytes of data are padded if necessary. Then in processing block 217 the Wi bytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an ith hash index. In processing block 218 a storage location of a memory corresponding to the ith hash index is accessed, and in processing block 220 an ith slice-hit signal is stored (i.e. set) in the storage location of the memory corresponding to the ith hash index. When all of the H slice circuits have completed processing blocks 215-220 of process 201, processing proceeding to processing block 222 where a pointer in the input data stream is moved (e.g. to a new string in the database). Then from processing block 224, if the data stream is empty processing terminates. Otherwise processing repeats in processing block 212.
It will be appreciated that the process 201 may be iterated for hundreds to hundreds of thousands of times in order to initialize a filter apparatus for string matching patterns in packet inspection. Thus when the set of H slice circuits are configured to concurrently perform initialization substantial performance improvements may be realized. It will also be appreciated that the process 201 of initializing a filter apparatus (by setting slice-hit signals) may be performed in a manner substantially similar to a process of utilizing a filter apparatus for string matching (by reading the slice-hit signals) in packet inspection. In some embodiments of processing block 222 a pointer into the input data stream may moved for each ith slice, in such a way as to provide each ith slice with a new compete pattern, whereas in utilizing a filter apparatus for string matching a pointer into the input data stream may be simply incremented.
FIG. 3 illustrates a flow diagram for one embodiment of a process 301 to utilize a filter apparatus for string matching in packet inspection. In processing block 311 a set of H slice circuits are configured. In processing block 312, i is set to zero (0). In processing block 313, i is incremented. In processing block 314, i is checked to see if it has exceeded H. Again, it will be appreciated that even though utilization of the H slice circuits is shown as an iterative process 301, in at least some preferred embodiment of process 301, the set of H slice circuits are configured to concurrently perform string matching according to processing blocks 315-321 of process 301 for use during network packet inspections. Therefore, for each of the H slice circuits processing blocks 315-321 are executed as follows, before proceeding to processing block 323.
In processing block 315 Wi bytes of data is stored from an input data steam in an ith input window. In processing block 316 the Wi bytes of data are padded if necessary. Then in processing block 317 the Wi bytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an ith hash index. In processing block 319 a storage location of a memory corresponding to the ith hash index is accessed to generate an ith slice-hit signal of a set of H slice-hit signals. In processing block 321 the ith slice-hit signal is provided to an AND-OR logic array as one of the set of H slice-hit signals. When all of the H slice circuits have completed processing blocks 315-321 of process 301, processing proceeding to processing block 323 where the AND-OR logic array is configured to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result. Then from processing block 323 processing terminates.
It will be appreciated that iterations of process 301 may be configured in accordance with embodiments of filter apparatus 101 to substantially accelerate string matching in packet inspection.
FIG. 4 illustrates one embodiment of a system 401 employing a filter 480 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
System 401 includes an input data stream 420, which may be in system memory 470 as shown, or may comprise an optional data stream buffer of filter 480 for storing packed data for inspection and/or a pattern database to initialize filter 480.
Filter 480 includes a set of H slice circuits 410-450, each ith slice circuit of the set is configurable for providing an ith slice-hit signal to a configurable AND-OR logic array 440 as one of a set of H slice-hit signals. Slice circuits 410-450, respectively include input windows 411-451 each configurable to store Wi bytes of data from input data steam 420, and Ghash units 412-452 coupled with input windows 411-451 and configurable to receive the Wi bytes of data, to pad the Wi bytes of data if necessary, and to multiply their respective WI bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
Slice circuits 410-450, respectively, also include memories 413-453 coupled with the Ghash units 412-452 and configurable to access respective storage locations responsive to their respective indices to each generate an ith slice-hit signal and to provide the an ith slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415-455. Memories 413-453 may be N-entry read/write RAMs of any fixed width and configurable to be combined into larger memories (e.g. memory 430) as necessary. Alternatively some embodiments of memories 413-453 may be configurable from a larger memory 430. Slice circuits 410-450 may also include multiplexers 414-454, respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the ith slice-hit signal and to provide the ith slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415-455. AND-OR logic array 440 may receive the set of H slice-hit signals 415-455 and combine the set of H slice-hit signals 415-455 into a match result 445.
System 401 also includes system processor 460 to executed a program 471 in system memory 470 to accelerate string matching in packet inspection for network applications using filter 480, and to move or increment a pointer 461 into input data stream 420 until a match result 445 is positive (in the case of string matching for packet inspections) or until an end-of-file is reached in the input data steam 420. In some embodiments of system 401, processor 460 may check a copy of match result 445 stored in system memory 470 as a match result 485 when string matching for packet inspections to determine if match result 445 was positive.
The above description is intended to illustrate preferred embodiments of the present invention. From the discussion above it should also be apparent that especially in such an area of technology, where growth is fast and further advancements are not easily foreseen, the invention can may be modified in arrangement and detail by those skilled in the art without departing from the principles of the present invention within the scope of the accompanying claims and their equivalents.

Claims (24)

What is claimed is:
1. A method to perform string matching for network packet inspection, the method comprising:
configuring a set of H slice circuits, each ith slice circuit of the set of H slice circuits being configured to perform the steps of:
independently storing an ith input window of Wi bytes of data from an input data stream;
padding the Wi bytes of data if necessary, and multiplying the Wi bytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an ith hash index;
accessing a storage location of a memory corresponding to the ith hash index to generate an ith slice-hit signal of a set of H slice-hit signals; and
providing the ith slice-hit signal to an AND-OR logic array as one of the set of H slice-hit signals; and
configuring the AND-OR logic array to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result.
2. The method of claim 1 wherein configuring each ith slice circuit of the set of H slice circuits to perform the step of providing the ith slice-hit signal to the AND-OR logic array comprises:
storing the ith slice-hit signal in the storage location of the memory corresponding to the ith hash index.
3. The method of claim 2 wherein each ith input window of Wi bytes of data from the input data steam comprises a complete data pattern.
4. The method of claim 2 wherein providing the ith slice-hit signal to the AND-OR logic array comprises:
reading out the ith slice-hit signal, from the storage location of the memory corresponding to the ith hash index, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
5. The method of claim 2 wherein providing the ith slice-hit signal to the AND-OR logic array comprises:
multiplexing the ith slice-hit signal from the storage location of the memory corresponding to the ith hash index, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
6. The method of claim 1, wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
7. The method of claim 1, wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
8. The method of claim 1, wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
9. An apparatus comprising:
an AND-OR logic array configurable to receive a set of H slice-hit signals and to combine the set of H slice-hit signals into a match result; and
a set of H slice circuits, each ith slice circuit of the set comprising:
an input window configurable to independently store Wi bytes of data from an input data steam;
a Ghash unit coupled with the input window and configurable to receive the Wi bytes of data, pad the Wi bytes of data if necessary, and multiply the Wi bytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an index; and
a memory coupled with the Ghash unit and configurable to access a storage location responsive to the index to generate a slice-hit signal and to provide the slice-hit signal to said AND-OR logic array as one of the set of H slice-hit signals.
10. The apparatus of claim 9 wherein providing the slice-hit signal to the AND-OR logic array comprises:
reading out the slice-hit signal, from the storage location of the memory corresponding to the index of the ith slice circuit, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
11. The apparatus of claim 9 wherein providing the slice-hit signal to the AND-OR logic array comprises:
multiplexing the slice-hit signal, from the storage location of the memory corresponding to the index of the ith slice circuit, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
12. The apparatus of claim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
13. The apparatus of claim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
14. The apparatus of claim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
15. The apparatus of claim 9 wherein the same irreducible Galois-field polynomial is used in each ith slice circuit of the set of H slice circuits.
16. The apparatus of claim 15 wherein each the Wi bytes of data are multiplied by a different distinct Galois-field polynomial in each ith slice circuit of the set of H slice circuits.
17. A packet processing system to perform string matching for network packet inspection, the system comprising:
a system processor;
an AND-OR logic array configurable to receive a set of H slice-hit signals and to combine the set of H slice-hit signals into a match result; and
a set of H slice circuits, each ith slice circuit of the set comprising:
an input window configurable to independently store Wi bytes of data from an input data steam;
a Ghash unit coupled with the input window and configurable to receive the Wi bytes of data, pad the Wi bytes of data if necessary, and multiply the Wi bytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an index; and
a memory coupled with the Ghash unit and configurable to access a storage location responsive to the index to generate a slice-hit signal and to provide the slice-hit signal to said AND-OR logic array as one of the set of H slice-hit signals; and
a machine readable medium to store executable instructions, such that when said executable instructions are executed by the system processor, the system processor is caused to:
set a pointer to a first character of the input data steam to establish a starting point for the input window of each ith slice circuit, and
increment the pointer until the match result is positive or until an end-of-file is reached in the input data steam.
18. The system of claim 17 wherein the same irreducible Galois-field polynomial is used in each ith slice circuit of the set of H slice circuits.
19. The system of claim 18 wherein each the Wi bytes of data are multiplied by a different distinct Galois-field polynomial in each ith slice circuit of the set of H slice circuits.
20. The system of claim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
21. The system of claim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
22. The system of claim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
23. The system of claim 18 wherein providing the slice-hit signal to the AND-OR logic array comprises:
reading out the slice-hit signal, from the storage location of the memory corresponding to the index of the ith slice circuit, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
24. The system of claim 17 wherein providing the slice-hit signal to the AND-OR logic array comprises:
multiplexing the slice-hit signal, from the storage location of the memory corresponding to the index of the ith slice circuit, to the AND-OR logic array as the ith one of the set of H slice-hit signals.
US12/346,734 2008-12-30 2008-12-30 Filter for network intrusion and virus detection Expired - Fee Related US9270698B2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US12/346,734 US9270698B2 (en) 2008-12-30 2008-12-30 Filter for network intrusion and virus detection
EP09836863A EP2382739A4 (en) 2008-12-30 2009-12-16 Filter for network intrusion and virus detection
CN200980153566.5A CN102273137B (en) 2008-12-30 2009-12-16 Filter for network intrusion and virus detection
PCT/US2009/068168 WO2010077904A2 (en) 2008-12-30 2009-12-16 Filter for network intrusion and virus detection
US15/049,519 US10218739B2 (en) 2008-12-30 2016-02-22 Filter for network intrusion and virus detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/346,734 US9270698B2 (en) 2008-12-30 2008-12-30 Filter for network intrusion and virus detection

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/049,519 Continuation US10218739B2 (en) 2008-12-30 2016-02-22 Filter for network intrusion and virus detection

Publications (2)

Publication Number Publication Date
US20100169401A1 US20100169401A1 (en) 2010-07-01
US9270698B2 true US9270698B2 (en) 2016-02-23

Family

ID=42286195

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/346,734 Expired - Fee Related US9270698B2 (en) 2008-12-30 2008-12-30 Filter for network intrusion and virus detection
US15/049,519 Active 2029-05-25 US10218739B2 (en) 2008-12-30 2016-02-22 Filter for network intrusion and virus detection

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/049,519 Active 2029-05-25 US10218739B2 (en) 2008-12-30 2016-02-22 Filter for network intrusion and virus detection

Country Status (4)

Country Link
US (2) US9270698B2 (en)
EP (1) EP2382739A4 (en)
CN (1) CN102273137B (en)
WO (1) WO2010077904A2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130239213A1 (en) * 2011-03-08 2013-09-12 Hewlett-Packard Development Company, L.P. Methods and systems for full pattern matching in hardware
WO2017196428A3 (en) * 2016-03-30 2018-01-11 Intel Corporation Pattern matching circuit
CN109698835A (en) * 2019-01-19 2019-04-30 郑州轻工业学院 A kind of encryption Trojan detecting method towards the hidden tunnel HTTPS
US20220240091A1 (en) * 2019-04-29 2022-07-28 Sonicwall Inc. Elastic Security Services and Load Balancing in a Wireless Mesh Network
US20220368698A1 (en) * 2014-04-28 2022-11-17 Sophos Limited Using reputation to avoid false malware detections
US11800598B2 (en) 2019-04-29 2023-10-24 Sonicwall Inc. Method for providing an elastic content filtering security service in a mesh network
US11863987B2 (en) 2019-04-29 2024-01-02 Sonicwall Inc. Method for providing an elastic content filtering security service in a mesh network
US11882136B2 (en) 2014-12-18 2024-01-23 Sophos Limited Process-specific network access control based on traffic monitoring
US11997117B2 (en) 2014-04-28 2024-05-28 Sophos Limited Intrusion detection using a heartbeat

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080313708A1 (en) * 2007-06-12 2008-12-18 Alcatel Lucent Data content matching
US9270698B2 (en) 2008-12-30 2016-02-23 Intel Corporation Filter for network intrusion and virus detection
US20110145205A1 (en) * 2009-12-14 2011-06-16 Sanjeev Jain Packet Boundary Spanning Pattern Matching Based At Least In Part Upon History Information
US9513843B2 (en) * 2010-04-13 2016-12-06 Dot Hill Systems Corporation Method and apparatus for choosing storage components within a tier
WO2012010930A2 (en) * 2010-07-21 2012-01-26 Freescale Semiconductor, Inc. Integrated circuit device, data storage array system and method therefor
US20130094515A1 (en) * 2011-08-31 2013-04-18 Nils Gura Systems, apparatus, and methods for removing duplicate data packets from a traffic flow of captured data packets transmitted via a communication network
US9223618B2 (en) 2011-09-20 2015-12-29 Intel Corporation Multi-threaded queuing system for pattern matching
US9471244B2 (en) * 2012-01-09 2016-10-18 International Business Machines Corporation Data sharing using difference-on-write
US9460018B2 (en) * 2012-05-09 2016-10-04 Qualcomm Incorporated Method and apparatus for tracking extra data permissions in an instruction cache
US9690703B1 (en) * 2012-06-27 2017-06-27 Netapp, Inc. Systems and methods providing storage system write elasticity buffers
CN103514404A (en) * 2012-06-29 2014-01-15 网秦无限(北京)科技有限公司 Safety detection method and safety detection device
US9697111B2 (en) * 2012-08-02 2017-07-04 Samsung Electronics Co., Ltd. Method of managing dynamic memory reallocation and device performing the method
KR101563059B1 (en) * 2012-11-19 2015-10-23 삼성에스디에스 주식회사 Anti-malware system and data processing method in same
JP6229990B2 (en) * 2014-08-21 2017-11-15 学校法人明治大学 Associative memory device, index generator, and registration information update method
US9678681B2 (en) * 2015-06-17 2017-06-13 International Business Machines Corporation Secured multi-tenancy data in cloud-based storage environments
CN109729582B (en) * 2018-12-27 2021-12-10 维沃移动通信有限公司 Information interaction method and device and computer readable storage medium
CN113051569B (en) * 2021-03-31 2024-05-28 深信服科技股份有限公司 Virus detection method and device, electronic equipment and storage medium
CN113076562A (en) * 2021-05-08 2021-07-06 北京炼石网络技术有限公司 Database encryption field fuzzy retrieval method based on GCM encryption mode

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020006195A1 (en) 1998-06-23 2002-01-17 Ramarathnam R. Venkatesan Lightweight word-oriented technique for generating a pseudo-random sequence for use in a keystream of a stream cipher
US6430184B1 (en) 1998-04-10 2002-08-06 Top Layer Networks, Inc. System and process for GHIH-speed pattern matching for application-level switching of data packets
US20050086520A1 (en) 2003-08-14 2005-04-21 Sarang Dharmapurikar Method and apparatus for detecting predefined signatures in packet payload using bloom filters
US20050283714A1 (en) 2004-06-19 2005-12-22 Samsung Electronics Co., Ltd. Method and apparatus for multiplication in Galois field, apparatus for inversion in Galois field and apparatus for AES byte substitution operation
US7085988B1 (en) 2002-04-08 2006-08-01 Maxtor Corporation Hashing system utilizing error correction coding techniques
US20070014395A1 (en) 2005-01-06 2007-01-18 Nikhil Joshi Invariance based concurrent error detection for the advanced encryption standard
US20080130894A1 (en) 2006-11-30 2008-06-05 Zheng Qj Multi-data rate security architecture for network security
US20080148025A1 (en) 2006-12-19 2008-06-19 Vinodh Gopal High performance raid-6 system architecture with pattern matching
US20090024826A1 (en) * 2007-07-16 2009-01-22 Ming Zhang Galois-based incremental hash module
WO2010077904A2 (en) 2008-12-30 2010-07-08 Intel Corporation Filter for network intrusion and virus detection

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6430184B1 (en) 1998-04-10 2002-08-06 Top Layer Networks, Inc. System and process for GHIH-speed pattern matching for application-level switching of data packets
US20020006195A1 (en) 1998-06-23 2002-01-17 Ramarathnam R. Venkatesan Lightweight word-oriented technique for generating a pseudo-random sequence for use in a keystream of a stream cipher
US7085988B1 (en) 2002-04-08 2006-08-01 Maxtor Corporation Hashing system utilizing error correction coding techniques
US20050086520A1 (en) 2003-08-14 2005-04-21 Sarang Dharmapurikar Method and apparatus for detecting predefined signatures in packet payload using bloom filters
US7444515B2 (en) * 2003-08-14 2008-10-28 Washington University Method and apparatus for detecting predefined signatures in packet payload using Bloom filters
US20050283714A1 (en) 2004-06-19 2005-12-22 Samsung Electronics Co., Ltd. Method and apparatus for multiplication in Galois field, apparatus for inversion in Galois field and apparatus for AES byte substitution operation
US20070014395A1 (en) 2005-01-06 2007-01-18 Nikhil Joshi Invariance based concurrent error detection for the advanced encryption standard
US20080130894A1 (en) 2006-11-30 2008-06-05 Zheng Qj Multi-data rate security architecture for network security
US20080148025A1 (en) 2006-12-19 2008-06-19 Vinodh Gopal High performance raid-6 system architecture with pattern matching
US20090024826A1 (en) * 2007-07-16 2009-01-22 Ming Zhang Galois-based incremental hash module
WO2010077904A2 (en) 2008-12-30 2010-07-08 Intel Corporation Filter for network intrusion and virus detection

Non-Patent Citations (14)

* Cited by examiner, † Cited by third party
Title
Aho et al., "Efficient string matching: an aid to bibliographic search" Communications of the ACM, 18(6):333-340, 1975.
Boyer et al., "A fast string searching algorithm" Communications of the ACM, 20(10), 1977.
China Office Action from related China Application 200980153566.5 mailed May 21, 2013.
David A. McGrew, "The Galois/Counter Mode of Operation (GCM)", Updated submission to NIST, Modes of Operation Process, May 31, 2005, pp. 1-25. Available at: ,.
David A. McGrew, "The Galois/Counter Mode of Operation (GCM)", Updated submission to NIST, Modes of Operation Process, May 31, 2005, pp. 1-25. Available at: <http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf>,.
Dharmapurikar et al., "Deep packet inspection using parallel Bloom filters" Proceedings of the 11th Symposium on High-performance interconnects, Aug. 2003.
EP Search Report from Related EPO Application 09836863.2 mailed May 29, 2012 (8 pages).
International Preliminary Report on Patentability and Written Opinion received for PCT Patent Application No. PCT/US2009/068168, mailed on Jul. 14, 2011, 6 Pages.
International Search Report and Written Opinion for PCT Patent Application No. PCT/US2009/068168, mailed on Jul. 29, 2010, 9 Pages.
Office Action received for Chinese Patent Application No. 200980153566.5, mailed on Apr. 25, 2014, 3 pages of Office Action and 3 pages of English Translation.
Office Action Received for Chinese Patent Application No. 200980153566.5, mailed on Dec. 19, 2013, 8 pages of Office Action including 5 pages of English Translation.
Ramaswamy et al, "Approximate Fingerprinting to Accelerate Pattern Matching", Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006, ACM New York, USA, 6 pages.
Sertc et al. "Aggregated Bloom Filters for Intrusion Detection and Prevention Hardware", Proceedings of the Global Telecommunications Conference. 2007.GLOBECOM '07 IEEE Piscataway , NJ, USA, 12 pages.
Supplementary Search Report received for European Patent Application No. 09836863.2, mailed on Jun. 15, 2012, 1 page only.

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9602522B2 (en) * 2011-03-08 2017-03-21 Trend Micro Incorporated Methods and systems for full pattern matching in hardware
US20130239213A1 (en) * 2011-03-08 2013-09-12 Hewlett-Packard Development Company, L.P. Methods and systems for full pattern matching in hardware
US20230403297A1 (en) * 2014-04-28 2023-12-14 Sophos Limited Using reputation to avoid false malware detections
US12074904B2 (en) * 2014-04-28 2024-08-27 Sophos Limited Using reputation to avoid false malware detections
US11997117B2 (en) 2014-04-28 2024-05-28 Sophos Limited Intrusion detection using a heartbeat
US20220368698A1 (en) * 2014-04-28 2022-11-17 Sophos Limited Using reputation to avoid false malware detections
US11722516B2 (en) * 2014-04-28 2023-08-08 Sophos Limited Using reputation to avoid false malware detections
US11882136B2 (en) 2014-12-18 2024-01-23 Sophos Limited Process-specific network access control based on traffic monitoring
WO2017196428A3 (en) * 2016-03-30 2018-01-11 Intel Corporation Pattern matching circuit
CN109698835B (en) * 2019-01-19 2021-03-26 郑州轻工业学院 Encrypted Trojan horse detection method facing HTTPS hidden tunnel
CN109698835A (en) * 2019-01-19 2019-04-30 郑州轻工业学院 A kind of encryption Trojan detecting method towards the hidden tunnel HTTPS
US11800598B2 (en) 2019-04-29 2023-10-24 Sonicwall Inc. Method for providing an elastic content filtering security service in a mesh network
US11863987B2 (en) 2019-04-29 2024-01-02 Sonicwall Inc. Method for providing an elastic content filtering security service in a mesh network
US11729621B2 (en) * 2019-04-29 2023-08-15 Sonicwall Inc. Elastic security services and load balancing in a wireless mesh network
US20220240091A1 (en) * 2019-04-29 2022-07-28 Sonicwall Inc. Elastic Security Services and Load Balancing in a Wireless Mesh Network
US12069480B2 (en) 2019-04-29 2024-08-20 Sonicwall Inc. Elastic security services load balancing in a wireless mesh network

Also Published As

Publication number Publication date
US20160255100A1 (en) 2016-09-01
EP2382739A2 (en) 2011-11-02
WO2010077904A2 (en) 2010-07-08
US20100169401A1 (en) 2010-07-01
CN102273137B (en) 2015-02-25
US10218739B2 (en) 2019-02-26
CN102273137A (en) 2011-12-07
EP2382739A4 (en) 2012-06-27
WO2010077904A3 (en) 2010-09-23

Similar Documents

Publication Publication Date Title
US10218739B2 (en) Filter for network intrusion and virus detection
Xiao et al. One bit flips, one cloud flops:{Cross-VM} row hammer attacks and privilege escalation
US10503716B2 (en) Systems and methods for generating bit matrices for hash functions using fast filtering
US9392005B2 (en) System and method for matching pattern
CN111971931B (en) Method for verifying transactions in a blockchain network and nodes constituting the network
US20110179281A1 (en) Hash function using a quasi-group operation
US9244857B2 (en) Systems and methods for implementing low-latency lookup circuits using multiple hash functions
WO2012051802A1 (en) Website scanning device and method
KR100960120B1 (en) Signature String Storing Memory Structure and the Storing Method for the Same, Signature String Pattern Matching Method
US20160196427A1 (en) System and Method for Detecting Branch Oriented Programming Anomalies
CN110018811B (en) Cache data processing method and Cache
CN104881439A (en) Method and system for space-efficient multi-pattern matching
Chhabra et al. Engineering order‐preserving pattern matching with SIMD parallelism
Cui et al. Towards privacy-preserving malware detection systems for android
US7774587B2 (en) Dynamic redundancy checker against fault injection
CN101030897B (en) Method for matching mode in invading detection
Ho et al. PERG: A scalable FPGA-based pattern-matching engine with consolidated bloomier filters
US20120023388A1 (en) Parity Look-Ahead Scheme for Tag Cache Memory
Akoto-Adjepong et al. An Enhanced Non-Cryptographic Hash Function
Wang et al. Hardware accelerator to detect multi-segment virus patterns
Champagne et al. The reduced address space (ras) for application memory authentication
Tseng et al. A parallel automaton string matching with pre-hashing and root-indexing techniques for content filtering coprocessor
US11537522B2 (en) Determining a tag value for use in a tag-guarded memory
Soewito et al. Hybrid pattern matching for trusted intrusion detection
Francillon et al. Comments on Refutation of On the difficulty of software-based attestation of embedded devices

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTEL CORPORATION,CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOPAL, VINODH;CLARK, CHRISTOPHER F.;WOLRICH, GILBERT;AND OTHERS;SIGNING DATES FROM 20090113 TO 20090313;REEL/FRAME:022800/0236

Owner name: INTEL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOPAL, VINODH;CLARK, CHRISTOPHER F.;WOLRICH, GILBERT;AND OTHERS;SIGNING DATES FROM 20090113 TO 20090313;REEL/FRAME:022800/0236

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20200223

AS Assignment

Owner name: TAHOE RESEARCH, LTD., IRELAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTEL CORPORATION;REEL/FRAME:061175/0176

Effective date: 20220718