WO2017138936A1 - Determining pattern match based on circuit match and hash value match - Google Patents


Info

Publication number
WO2017138936A1
Authority
WO
WIPO (PCT)
Prior art keywords
pattern
packet
size
circuit
hash
Application number
PCT/US2016/017360
Other languages
French (fr)
Inventor
Bruce E. Lavigne
Shaun Wakumoto
Claudio Enrique VIQUEZ CALDERON
Original Assignee
Hewlett Packard Enterprise Development Lp
Application filed by Hewlett Packard Enterprise Development Lp


Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass / H04L 69/22 Parsing or analysis of headers
    • H04L 63/00 Network architectures or network communication protocols for network security / H04L 63/02 Separating internal from external traffic, e.g. firewalls / H04L 63/0227 Filtering policies
    • H04L 63/00 Network architectures or network communication protocols for network security / H04L 63/12 Applying verification of the received information / H04L 63/123 Verification of received data contents, e.g. message integrity
    • H04L 63/00 Network architectures or network communication protocols for network security / H04L 63/14 Detecting or protecting against malicious traffic / H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop computers, laptops, workstations, network printers, network scanners, etc. that are networked together across a local area network (LAN), wide area network (WAN), wireless networks, etc.
  • Networks can include deep packet inspection devices, such as an intrusion prevention system (IPS) and/or an intrusion detection system (IDS), to detect unwanted activity on the computer network.
  • Networks can be managed using a Software Defined Networking (SDN) controller.
  • FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples;
  • FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example;
  • FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example
  • FIG. 5 is a block diagram of a network device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example;
  • FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example;
  • FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example.
  • Deep Packet Inspection devices can examine network packets and flows of packets to detect patterns, for example, to help defend against malware, to prioritize traffic flows, to monitor for data exfiltration, etc.
  • Deep packet inspection devices tend to be slow relative to current network speeds, with the performance gap widening. Increasing deep packet inspection device capacity and/or capability to check all network data is expensive. Examples of deep packet inspection devices include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Next Generation Firewalls (NGFW).
  • One option is to inspect the traffic at other network infrastructure devices, such as switches, routers, wireless access points, etc., according to rules to determine whether to perform an action (e.g., drop a packet or packet flow, send the packet or packet flow to an IDS, IPS, or NGFW, log the information, etc.).
  • This inspection can be cruder than packet inspection by an IDS, IPS, or NGFW, which allows limited packet inspection to be performed at various locations within a network environment.
  • An application-specific integrated circuit (ASIC) can be used to perform the packet inspection in the network devices.
  • In some examples, a network infrastructure device includes a circuit capable of matching patterns as well as a packet processor to match additional portions of a pattern.
  • The circuit may be capable of matching patterns of a particular size (e.g., between 1 byte and 12 bytes, between 1 byte and 16 bytes, etc.).
  • The circuitry can be implemented using, for example, Bloom tables in hardware.
  • A packet processor can be used in conjunction with the circuit.
  • A portion of the pattern can be matched using the circuit.
  • Another portion or portions of the pattern (e.g., an adjacent portion, a superset, a portion with a gap before or after the initial portion, etc.) can be matched using the packet processor.
  • The portion(s) of the pattern to be examined can be hashed by a management device as a precursor to the pattern search.
  • The management device can provide that hash to the packet processor.
  • A data structure such as a table can be stored on the network infrastructure device so that when a match is made by the circuit, the network infrastructure device can look the match up in the data structure (e.g., a table).
  • In some cases the circuit match is a complete match for a pattern or string.
  • In that case the match is looked up in the data structure to determine what to do with the packet and/or the associated packet stream. For example, if a match is made, the data structure may indicate to the network infrastructure device to perform an action (e.g., drop a packet or flow, divert the packet or flow to another device (e.g., an IPS device, a data collection device, etc.), tag information onto the packet and/or flow, etc.).
  • In other cases the circuit match is partial.
  • The data structure can then indicate one or multiple other portions of the packet to compare.
  • The data structure can also associate the portion(s) with a pre-determined hash value as described above.
  • The data structure can provide information on where the packet processor should look for the portion (e.g., via an index) and/or the size of the portion.
  • The packet processor can hash the portion and compare the hashed portion with the pre-determined hash value. If the pre-determined hash value matches the hash value determined by the packet processor, the pattern can be considered a match.
  • In this way variable sized patterns (e.g., strings) can be matched.
  • The matches can be for any portion of the packets. As such, this can enable actions to occur based on matches of data.
  • The hash function for the pre-hash and the hashing performed by the packet processor must be the same or compatible.
  • As an example, the strings "CONFIDENTIAL INFORMATION" and "CONFIDENTIAL DATA" can be searched for as patterns.
  • Suppose the circuit has the capability to match 10 characters.
  • The common prefix "CONFIDENTI" can then be searched for using the circuit.
  • A match in the circuit points, via the data structure, to the pre-computed hashes for the remainders "AL INFORMATION" and "AL DATA".
  • Suppose the string "CONFIDENTIAL DATA and PRIVILEGED" is present in a packet.
  • "CONFIDENTI" is matched using the circuit, and then the packet processor hashes the next 7 characters, "AL DATA", and separately the next 14 characters, "AL DATA and PR".
  • The hash for "AL DATA" matches its pre-computed hash, whereas the hash of "AL DATA and PR" does not match the pre-computed hash for "AL INFORMATION". The packet is therefore a match for "CONFIDENTIAL DATA" only.
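The worked example above, as added illustration code (not from the patent; the names RuleTable, HashCheck, compile_rule, circuit_scan and packet_processor are assumptions for this example): a management-engine step splits each pattern into a first portion of at most K = 10 bytes for the circuit and a pre-hashed remainder for the packet processor; the circuit is simulated in software and reports an offset and an index value; the packet processor hashes each candidate second portion at the reported offset and compares it with the pre-hash values stored under that index. CRC32 is used because the page lists it as one option. The packet payloads are constructed.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added illustration; the names below are assumptions, not identifiers from the patent.

K = 10  # bytes the simulated circuit can match (the "10 characters" of the example)


def pre_hash(data: bytes) -> int:
    """CRC32 as the pre-hash. The page lists CRC32 as one option; the only hard
    requirement is that the management engine and the packet processor agree."""
    return zlib.crc32(data) & 0xFFFFFFFF


@dataclass
class HashCheck:
    offset: int     # start of the second portion, relative to the circuit match
    size: int       # length of the second portion in bytes
    pre_hash: int   # hash of the second portion, computed at configuration time
    action: str     # what to do with the packet/flow if this check succeeds


@dataclass
class RuleTable:
    # circuit side: first portion (<= K bytes) -> index value reported on a hit
    circuit_rules: Dict[bytes, int] = field(default_factory=dict)
    # packet-processor side: index value -> one or more hash checks to run
    checks: Dict[int, List[HashCheck]] = field(default_factory=dict)


def compile_rule(table: RuleTable, pattern: bytes, action: str) -> None:
    """Management engine: split an N-byte pattern into the first K bytes for the
    circuit and the remaining N-K bytes, which are pre-hashed for the packet
    processor. Patterns sharing a first portion share one circuit rule and index."""
    first, rest = pattern[:K], pattern[K:]
    index = table.circuit_rules.setdefault(first, len(table.circuit_rules))
    # A pattern of N <= K bytes gets an empty second portion: the circuit match
    # is then the complete match and the (trivial) hash check always succeeds.
    table.checks.setdefault(index, []).append(
        HashCheck(offset=len(first), size=len(rest), pre_hash=pre_hash(rest), action=action))


def circuit_scan(table: RuleTable, packet: bytes) -> List[Tuple[int, int]]:
    """Stand-in for the hardware circuit: report (offset, index) for every
    occurrence of a configured first portion anywhere in the packet."""
    hits = []
    for key, index in table.circuit_rules.items():
        start = packet.find(key)
        while start != -1:
            hits.append((start, index))
            start = packet.find(key, start + 1)
    return sorted(hits)


def packet_processor(table: RuleTable, packet: bytes) -> List[Tuple[int, str]]:
    """For each circuit hit, look up the index, hash each candidate second portion
    of the packet and compare with its pre-hash; return (offset, action) for the
    patterns that are actually present."""
    matched = []
    for start, index in circuit_scan(table, packet):
        for chk in table.checks[index]:
            begin = start + chk.offset
            portion = packet[begin:begin + chk.size]
            # Length check first: a packet that ends inside the second portion
            # must not be hashed as if the portion were complete.
            if len(portion) == chk.size and pre_hash(portion) == chk.pre_hash:
                matched.append((start, chk.action))
    return matched


def build_example_table() -> RuleTable:
    """The two patterns from the text plus one short constructed pattern."""
    table = RuleTable()
    compile_rule(table, b"CONFIDENTIAL INFORMATION", "divert-to-IPS")
    compile_rule(table, b"CONFIDENTIAL DATA", "tag-and-log")
    compile_rule(table, b"EVIL", "drop")  # N <= K: matched entirely by the circuit
    return table


if __name__ == "__main__":
    # Constructed sample payload for the "CONFIDENTIAL DATA and PRIVILEGED" case.
    sample = b"...header...CONFIDENTIAL DATA and PRIVILEGED..."
    print(packet_processor(build_example_table(), sample))
```

Run as-is, the constructed payload yields one confirmed match, for "CONFIDENTIAL DATA" only, as the text walks through; the 14-byte candidate "AL DATA and PR" is hashed and rejected. Two caveats a practitioner would add: the length check before hashing matters, since a truncated second portion must never be hashed as complete; and CRC32 (like the LFSR hashes the page also mentions) is not collision resistant, so a remainder chosen to collide with a stored pre-hash produces a false positive on an otherwise innocuous packet. Where that matters, use a keyed hash via the hash key parameter the page describes, or confirm a longer portion.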
  • A network infrastructure device includes a network chip and can be used to forward packets.
  • The network infrastructure device can have a number of network ports for receiving and transmitting packets, and logic that is encoded with application specific integrated circuit (ASIC) primitives to check header fields and payload content in the packets.
  • The logic can also be implemented using other electronic circuitry (e.g., field programmable gate arrays (FPGAs), complex programmable logic devices (CPLDs), etc.).
  • Instructions executable by a packet processor can be used in conjunction with the circuitry.
  • The logic can perform pattern matching on the header fields and the payload content according to a number of rules. As noted above, the logic can be combined with the packet processor to allow for variable length pattern matching.
  • FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples.
  • Network infrastructure devices 100, 200 include components that can be utilized to determine a variable sized pattern match in a packet.
  • Network infrastructure device 100 can include a network interface 110, a packet processor 112, a circuit 114, and a management engine 116.
  • Network infrastructure device 200 can also include pattern rule(s) 220, a pre-hash calculation 222, a processor 230, and memory 232.
  • The respective network infrastructure devices 100, 200 may be a network device, a switch, a wireless access point, a hub, a router, or other network device capable of performing the functionality described herein.
  • The network interface 110 switches traffic between inputs and outputs using standard processing (e.g., a standard switch process based on source and destination addresses of the packets).
  • Traffic includes packetized data ("packets") formatted using multiple layers of protocol, e.g., the Transmission Control Protocol (TCP) / Internet Protocol (IP) ("TCP/IP") model, the Open Systems Interconnection (OSI) model, or the like.
  • A packet generally includes a header and a payload.
  • The header implements a layer of protocol.
  • The payload includes data, which may be related to packet(s) at another layer of protocol.
  • The network interface 110 performs switching of the packets at a network access layer.
  • The network access layer provides links between hosts over which packets are transmitted.
  • The network access layer is sometimes referred to as layer 2, referring to layer 2 of the OSI model.
  • The prevailing network access layer today includes the Ethernet family of protocols, although the network interface 110 can switch packets using other types of network access protocols. While the network interface 110 can switch traffic at the network access layer, the network interface 110 may also process packets at layers above the network access layer to implement various other functions (e.g., quality of service (QoS)), such as at a network layer (e.g., IP or other OSI layer 3 protocol) and/or a transport layer (e.g., TCP, User Datagram Protocol (UDP), or other OSI layer 4 protocol).
  • The packet processor 112 and/or circuit 114 can be used to match patterns in the packets and/or packet flow according to pattern rules 220.
  • The patterns can be byte patterns and/or packet patterns and/or regular expression patterns. Packet(s) matching pattern(s) are deemed to satisfy the rule.
  • The pattern rules 220 can be based on at least one Bloom filter.
  • A Bloom filter can be used to test whether an element (e.g., a character, a string of characters, a byte pattern from packet(s)) is a member of a set (e.g., interesting byte patterns). A Bloom filter never misses a member of the set but can report a false positive for a non-member.
  • The pattern rules 220 can be based on a regular expression filter.
  • A regular expression filter searches for byte patterns in the packets using regular expressions.
  • The circuit 114 can be used to implement pattern rules 220 for patterns that are up to a predetermined pattern size (e.g., K bytes).
  • The match can be communicated to the packet processor 112, and the packet processor 112 or another resource can be used to perform an action (e.g., add a tag to the packet or packet flow and forward via the network interface 110, forward to an intrusion prevention system, forward to an intrusion detection system, forward to another device, copy to another device, drop the packet or associated flow, log the match, check a hash value as described further below, etc.).
  • When a pattern rule 220 is set up for a pattern that is greater than K bytes, a combination of the circuit 114 and the packet processor 112 can be used to implement the search for the pattern.
  • The pattern size can be considered N bytes.
  • A pattern rule 220 can be set up for use with a subset of the N bytes (e.g., the first K bytes, K bytes in the middle, K bytes at the end, a smaller subset, etc.).
  • The circuit 114 can be set up such that it provides location information of the matched term in the packet. For example, the circuit 114 can provide information (e.g., an offset) as to where the beginning of the matched rule is in the packet.
  • The circuit 114 may also provide an index value that can be used to look up the actions the packet processor 112 or another resource can take in response to a match. The index value can be used by the packet processor 112 or another resource to look up, in a data structure (e.g., a table), an action to take based on the match in the circuit 114.
  • One particular action can be for the match of the rule in the circuit 114 to be considered a partial match of the first portion, with the packet processor 112 hashing a second portion of the pattern to compare with a pre-hash value.
  • The pre-hash value can be determined before monitoring of packets for the rule begins.
  • The pre-hash value can be determined for a second portion of the pattern.
  • In some examples the second portion includes the remaining bytes of the pattern (e.g., N - K bytes).
  • In other examples the second portion may include the N - K bytes plus another subset of the pattern.
  • In further examples the second portion may include the whole pattern.
  • The location information and/or the data structure can include information about the second portion.
  • One match in the circuit 114 may lead to multiple possible hashes to be checked, as further described below.
  • The packet processor 112 can compare the pre-hash value with the newly hashed value to determine whether the pattern is present in the packet or packet flow.
  • The pre-hash value can be calculated before an action is performed on the packet or packet flow.
  • The pre-hash value can be calculated on the second portion using a hash algorithm.
  • A management engine 116 can be used to determine the pre-hash value from the second portion and the hash algorithm.
  • Alternatively, another device such as a software defined networking (SDN) controller or other management device may be used to determine the pre-hash value.
  • The pre-hash value can be associated in the data structure so that when a first portion is matched in the circuit 114, the data structure points the packet processor 112 to hash the second portion and compare it to the pre-hash value.
  • The hash algorithm can be communicated so that the same or a compatible algorithm is used both to determine the pre-hash value and during the hashing by the packet processor 112.
  • Example hash algorithms include the 32-bit cyclic redundancy check (CRC32), linear feedback shift register (LFSR) hash functions, special purpose hashing functions, etc. These are non-cryptographic hashes chosen for speed in hardware, not for collision resistance.
  • The data structure may include hashing parameters (e.g., the hash function to be used and/or any parameters used to set the hash function up).
  • A hash key can be such a parameter. The hash key may be received (e.g., from an SDN controller).
  • The management engine 116 receives a pattern (e.g., N bytes) to be searched for (e.g., from an SDN controller, input from a user, etc.).
  • The management engine 116 determines that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit 114.
  • The management engine 116 can choose a first portion of the pattern for which to create a rule in the pattern rules 220, to be implemented using the circuit 114.
  • The management engine 116 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor.
  • The management engine 116 can hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes the second portion).
  • The N - K bytes are the portion of the pattern that exceeds the capability of the circuit (K bytes).
  • The second portion that is hashed may also include the first portion.
  • The circuit can be in the form of a Bloom table. A Bloom table has the potential for false positives. If the hashed second portion covers the entire pattern, or otherwise a superset of the first portion, confirming the hash also confirms the first portion and thus removes those false positives.
  • The management engine 116 may receive the hash from another entity (e.g., an external controller).
  • The hashed second portion can be stored in the data structure along with any hash parameters and/or information that helps to determine the second portion (e.g., the length of the second portion, its location relative to the first portion, etc.).
  • The index value can point to multiple hashes to be performed that are associated with different patterns.
  • An action or multiple actions can be associated with each of the patterns.
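The Bloom-table false-positive point above, as an added example with assumed names (BloomTable, circuit_hits, confirm, inspect; not the patent's code): a deliberately tiny 32-bit Bloom table stands in for the circuit, a search over constructed 10-byte keys finds one the table wrongly accepts, and the packet processor's confirmation hashes the whole pattern (a superset of the first portion) so that the false positive is rejected while a genuine "CONFIDENTIAL DATA" is confirmed. Bit positions come from salted SHA-256 and the confirmation hash is CRC32; all inputs are constructed.

```python
import hashlib
import zlib
from typing import List, Optional, Tuple

# Added illustration with assumed names; not the patent's code.
K = 10        # first-portion size handled by the circuit
M_BITS = 32   # deliberately tiny Bloom table so that a false positive is easy to show
N_HASH = 2    # bit positions per key


def bloom_positions(key: bytes) -> List[int]:
    """Derive N_HASH bit positions from a key (SHA-256 with a one-byte salt)."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + key).digest()[:4], "big") % M_BITS
            for i in range(N_HASH)]


class BloomTable:
    """Software stand-in for the hardware Bloom table used as the circuit."""

    def __init__(self) -> None:
        self.bits = 0

    def add(self, key: bytes) -> None:
        for p in bloom_positions(key):
            self.bits |= 1 << p

    def maybe_contains(self, key: bytes) -> bool:
        # No false negatives; a false positive occurs when all bits happen to be set.
        return all((self.bits >> p) & 1 for p in bloom_positions(key))


def circuit_hits(bloom: BloomTable, packet: bytes) -> List[int]:
    """Offsets at which the circuit reports a (possible) first-portion match."""
    return [i for i in range(len(packet) - K + 1) if bloom.maybe_contains(packet[i:i + K])]


# Confirmation entries: (size, pre-hash of the WHOLE pattern, action). Hashing a
# superset of the first portion re-checks the circuit's decision as well.
Check = Tuple[int, int, str]


def make_checks(patterns: List[Tuple[bytes, str]]) -> List[Check]:
    return [(len(p), zlib.crc32(p) & 0xFFFFFFFF, action) for p, action in patterns]


def confirm(checks: List[Check], packet: bytes, offset: int) -> Optional[str]:
    """Packet processor: hash the whole candidate pattern at the reported offset."""
    for size, pre, action in checks:
        portion = packet[offset:offset + size]
        if len(portion) == size and (zlib.crc32(portion) & 0xFFFFFFFF) == pre:
            return action
    return None


def inspect(bloom: BloomTable, checks: List[Check], packet: bytes) -> List[Tuple[int, str]]:
    """Circuit hit followed by hash confirmation; unconfirmed hits are discarded."""
    out = []
    for off in circuit_hits(bloom, packet):
        action = confirm(checks, packet, off)
        if action is not None:
            out.append((off, action))
    return out


def build_example() -> Tuple[BloomTable, List[Check]]:
    patterns = [(b"CONFIDENTIAL INFORMATION", "divert-to-IPS"),
                (b"CONFIDENTIAL DATA", "tag-and-log")]
    bloom = BloomTable()
    for p, _ in patterns:
        bloom.add(p[:K])  # both share the first portion "CONFIDENTI"
    return bloom, make_checks(patterns)


def find_false_positive(bloom: BloomTable, inserted: List[bytes],
                        limit: int = 200000) -> Optional[bytes]:
    """Search constructed 10-byte keys for one the Bloom table wrongly accepts."""
    for i in range(limit):
        key = b"%010d" % i
        if key not in inserted and bloom.maybe_contains(key):
            return key
    return None


if __name__ == "__main__":
    bloom, checks = build_example()
    fp = find_false_positive(bloom, [b"CONFIDENTI"])
    print("circuit false positive:", fp, "confirmed:", inspect(bloom, checks, b"--" + fp + b"AL DATA"))
    print("genuine:", inspect(bloom, checks, b"--CONFIDENTIAL DATA"))
```

With only one or two bits set out of 32, a false positive shows up within a few hundred candidates; a real hardware table is far larger, but the failure mode is the same and only the confirmation step removes it. Hashing the whole pattern rather than just the remainder is what makes the confirmation independent of the circuit's decision.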
  • The network interface 110 can be used to switch packets.
  • The circuit 114 can be used to monitor the packets switched by the network interface 110.
  • The circuit 114 can include a pattern matcher that is capable of identifying flows in the packets satisfying patterns up to a predetermined pattern size (in the example above, K bytes).
  • When a match occurs in the circuit 114, the circuit 114 can communicate that information to the packet processor 112.
  • The communication can include, for example, an index value that can be used in a data structure to look up what pattern was matched and what actions can be taken in response.
  • The circuit 114 may also include location information for the matched portion (e.g., identifying an offset in the packet that locates the beginning of the matched part of the pattern).
  • The data structure may provide the size of the second portion to be hashed and matched, based on the index value. As noted above, the size can be used as a parameter of the hash function. Further, the data structure may provide information to locate the second portion (e.g., an offset from the start of the first portion that was matched). The second portion of the packet being analyzed is then hashed by the packet processor 112.
  • The packet processor 112 may have additional hardware to help perform this functionality; for example, the packet processor 112 may include one or more of: ternary content-addressable memories (TCAMs), hashing circuitry, counters, etc.
  • The packet processor 112 can compare the hash value to the corresponding pre-hash value from the data structure. If a match occurs, then an action can be taken. In some examples the action to be taken is indicated by the data structure.
  • The index value may lead to multiple possible matches. If there are multiple possible matches, multiple hashes can be performed and checked against the corresponding pre-hash values. The action to be taken can depend on which hash value matches.
  • A match in a packet can indicate that the associated flow is matched.
  • The action can be performed on the packet and/or the associated flow.
  • The matching may be stateful.
  • The first portion and/or second portion may extend across multiple packets of a flow.
  • Example actions include dropping a packet or multiple packets of the flow, sending the packet or flow to a location (e.g., an IPS, a logger, etc.), incrementing a counter, updating state, etc.
  • The management engine 116 can include hardware and/or combinations of hardware and programming to perform the functions provided herein. Moreover, the modules (not shown) can include programming functions and/or combinations of programming functions to be executed by hardware as provided herein. When discussing the engines and modules, it is noted that functionality attributed to an engine can also be attributed to the corresponding module and vice versa. Moreover, functionality attributed to a particular module and/or engine may also be implemented using another module and/or engine.
  • A processor 230, such as a central processing unit (CPU) or a microprocessor suitable for retrieval and execution of instructions, and/or electronic circuits can be configured to perform the functionality of the management engine described herein and/or various other functionality.
  • instructions and/or other information such as rules, patterns, pre-hash calculations 222, a data structure, etc., can be included in memory 232 or other memory.
  • Input/output interfaces may additionally be provided by the network infrastructure device 200 (e.g., via a network interface). Input/output devices such as communication devices like network communication devices or wireless devices can also be considered devices capable of using the input/output interfaces.
  • FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example.
  • The network infrastructure devices 306a - 306m can be used to facilitate communications between computing devices, for example, computing devices 330a - 330i.
  • Although the software defined network 310 is shown between the computing devices 330 in this example, communications may also travel through other network infrastructure devices that are part of the network or part of other networks (e.g., via the Internet).
  • The SDN 310 can be controlled using an SDN controller 350, which may communicate via a control plane while data communications travel through a data plane.
  • The computing devices 330a - 330i can be implemented via a processing element, memory, and/or other components.
  • The network infrastructure devices 306 can include a packet processor engine 312, a deep packet inspection engine 314, and a management engine 316.
  • The packet processor engine 312 and/or deep packet inspection engine 314 can be implemented using various technologies, for example, a programmable switch ASIC.
  • The programmable packet processor engine 312 can include a series of resources (e.g., TCAM, hashes, counters, etc.) used to host an SDN pipeline.
  • The deep packet inspection engine 314 can be used to implement deep packet inspection functionality, for example, as circuit 114.
  • The management engine 316 can include instructions capable of executing on a physical processing element such as a CPU.
  • The management engine 316 can be used to manage and configure the deep packet inspection engine 314 and the packet processor engine 312.
  • The management engine 316 can communicate with the SDN controller 350 using a control plane; in other examples, the management engine 316 can communicate via a data plane of the SDN 310.
  • The management engine 316 can configure the DPI engine 314 to search for patterns, for example, string patterns.
  • The patterns to be searched for can be obtained from an external entity such as user input, a message, and/or the SDN controller 350.
  • The packet processor engine 312 can store the current packet state in a metadata structure.
  • The current packet state can include, for example, a next table, accumulated actions, internal register values, etc.
  • The packet processor engine 312 can accumulate actions to apply and apply the actions in bulk.
  • The packet, along with the metadata structure, can be redirected to the deep packet inspection (DPI) engine 314 in order to search for the desired strings.
  • On a string hit, the SDN actions associated with the string hit are either applied or accumulated for the packet (just as for a regular flow table lookup). In some examples, this can be a continuation of the packet processor engine 312 performing regular packet processing. If a miss is obtained from the string match table, the SDN actions associated with a string miss are applied to the packet. In some implementations, this could be to drop the packet; in others, to process the packet regularly. Some applications may use the DPI engine 314 to look for multiple strings and apply an SDN action if any one of the strings is found in the packet. In other implementations, different SDN actions can be associated with different strings.
  • the SDN actions that are applied to the packet can include, but are not limited to: drop, send the packet to a port(s), modify a field of the packet, encapsulate the packet and send it to a tunnel interface, increment a counter, send to a DPI device 302 (e.g., an IPS, an IDS, etc.) for more analysis, send to a logging device, etc.
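The pipeline described above (a metadata structure carrying the next table, accumulated actions and register values; redirection of the packet to the DPI engine; string-hit and string-miss actions; bulk application of the accumulated actions), as an added example with assumed names and a constructed policy in which only mail traffic on port 25 is sent to the DPI stage. This is illustration code, not the patent's or any SDN switch's implementation; the action semantics (a drop discards the packet regardless of earlier outputs, a redirect replaces earlier outputs) are assumptions made for the example, and the strings and packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added illustration with assumed names; not the patent's or any SDN product's code.
Action = Tuple  # e.g. ("output", 1), ("drop",), ("counter", "name"), ("set_field", "vlan", 10)


@dataclass
class PacketMeta:
    """Current packet state carried through the pipeline: next table,
    accumulated actions and internal registers."""
    next_table: Optional[str] = "flow"
    actions: List[Action] = field(default_factory=list)
    registers: Dict[str, int] = field(default_factory=dict)


# String match table of the DPI engine: string -> SDN actions on a hit (constructed).
STRING_TABLE: Dict[bytes, List[Action]] = {
    b"CONFIDENTIAL DATA": [("counter", "dlp_hits"), ("redirect", 7)],  # port 7: DPI device
    b"DROPME": [("drop",)],
}
MISS_ACTIONS: List[Action] = [("counter", "dpi_miss")]  # i.e. process the packet regularly


def flow_table(pkt: Dict, meta: PacketMeta) -> None:
    """Regular flow-table lookup: accumulate actions and choose the next table."""
    if pkt["dport"] == 25:                      # constructed policy: inspect mail traffic
        meta.actions.append(("output", 1))
        meta.next_table = "dpi"
    else:
        meta.actions.append(("output", 2))
        meta.next_table = None


def dpi_table(pkt: Dict, meta: PacketMeta) -> None:
    """Packet plus metadata handed to the DPI engine; hit or miss actions accumulate."""
    for needle, hit_actions in STRING_TABLE.items():
        if needle in pkt["payload"]:
            meta.actions.extend(hit_actions)
            meta.registers["string_hit"] = 1
            break
    else:
        meta.actions.extend(MISS_ACTIONS)
    meta.next_table = None


TABLES = {"flow": flow_table, "dpi": dpi_table}


def apply_actions(pkt: Dict, meta: PacketMeta, counters: Dict[str, int]) -> List[int]:
    """Apply the accumulated actions in bulk and return the output ports.
    Counters and field modifications always take effect; a redirect replaces
    earlier outputs; a drop anywhere in the set discards the packet."""
    outputs: List[int] = []
    for act in meta.actions:
        if act[0] == "counter":
            counters[act[1]] = counters.get(act[1], 0) + 1
        elif act[0] == "set_field":
            pkt[act[1]] = act[2]
        elif act[0] == "output":
            outputs.append(act[1])
        elif act[0] == "redirect":
            outputs = [act[1]]
    return [] if ("drop",) in meta.actions else outputs


def process(pkt: Dict, counters: Dict[str, int]) -> List[int]:
    """Run the packet through the tables until no next table remains, then apply."""
    meta = PacketMeta()
    while meta.next_table is not None:
        TABLES[meta.next_table](pkt, meta)
    return apply_actions(pkt, meta, counters)


if __name__ == "__main__":
    counters: Dict[str, int] = {}
    # Constructed packets: header fields as a dict, payload as bytes.
    print(process({"dport": 25, "payload": b"re: CONFIDENTIAL DATA attached"}, counters))
    print(process({"dport": 25, "payload": b"lunch?"}, counters))
    print(process({"dport": 80, "payload": b"CONFIDENTIAL DATA"}, counters), counters)
```

The point of accumulating rather than applying immediately is visible in the first packet: the flow table already queued an output to port 1, and the later DPI hit replaces it with the redirect to the DPI device without the flow table having to know about the string rules. The port-80 packet never reaches the DPI stage, so its matching payload is forwarded normally, which is exactly the behaviour the policy asked for.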
  • the SDN 310 and/or other communication network can use wired communications, wireless communications, or combinations thereof.
  • the networks can include multiple sub communication networks such as data networks, wireless networks, telephony networks, etc.
  • Such networks can include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber optic networks, combinations thereof, or the like.
  • Wireless networks may include cellular networks, satellite communications, wireless LANs, etc.
  • Various communication structures and infrastructure can be utilized to implement the communication network(s).
  • the computing devices 330 communicate with each other and other components with access to the communication networks via a communication protocol or multiple protocols.
  • a protocol can be a set of rules that defines how nodes of the communication network interact with other nodes.
  • communications between network nodes can be implemented by exchanging discrete packets of data or sending messages. Packets can include header information associated with a protocol (e.g., information on the location of the network node(s) to contact) as well as payload information.
  • FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example.
  • FIG. 5 is a block diagram of a device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example.
  • the device 500 includes, for example, a processing element 510, and a machine-readable storage medium 520 including instructions 522, 524, 526, 528 for determining a variable sized pattern match on packets.
  • Device 500 may be, for example, a network infrastructure device, a switch, a router, an access point, or other computing device with the hardware components and capabilities described herein.
  • Processing element 510 may include one or multiple central processing units (CPUs), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPUs), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 520, or combinations thereof.
  • The processing element 510 can be a physical device.
  • The processing element 510 may include multiple cores on a chip, multiple cores across multiple chips, or combinations thereof.
  • Processing element 510 may fetch, decode, and execute instructions 522, 524, 526, 528 to implement matching of patterns in packets.
  • Processing element 510 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 522, 524, 526, 528.
  • The processing element 510 can include a programmable packet processor, which may also include TCAMs, hashes, counters, etc.
  • Machine-readable storage medium 520 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions.
  • Thus, the machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like.
  • The machine-readable storage medium can be non-transitory.
  • machine-readable storage medium 520 may be encoded with a series of executable instructions for determining whether a variable sized pattern is in a packet.
  • Packets can be received at the device 500.
  • Interface instructions 522 can be executed by the processing element 510 to switch the packets (e.g., to a destination device or network infrastructure device).
  • a packet is received at a network interface of the device 500.
  • a hardware circuit 512 can receive packets and determine whether one or more patterns (e.g., strings) are found in the packet. Packets may automatically processed by the circuit 512 or be checked by the circuit 512 in response to an action by the processing element 510. For example, the processing element 510 may check packets that include a source or destination device within the network that the device 500 is in and go external to the network. As noted above, variable sized patterns can be matched for packets by splitting part of the work to the circuit 512, which is quick, but costs hardware resources and part of the work using the processing element 510.
  • a hardware circuit 512 can determine whether a first packet portion of the packet is matched to a first pattern portion of a pattern.
  • the pattern may include a size N and the circuit may be capable of matching a pattern of size K.
  • the size N can be more than K. If the first portion of size K is not matched, then the processing element 510 knows that the pattern is not present in the packet. If the first portion is matched, the circuit 512 can provide information about the match to the processing element 510. For example, the circuit 512 may provide a notification to the processing element that the first packet portion is matched to the first pattern portion.
  • the notification may include location information of the matched part of the pattern in the packet (e.g., an offset).
  • the location information can include, for example, the beginning of the pattern in the packet.
  • information about the pattern can also be communicated.
  • an index value can be provided.
  • the index value can be used to look up possible matches to complete a pattern that was partially matched by the match of the first packet portion.
  • more than one possible patterns can be checked based on the first match.
  • the processing element 510 can receive the notification and execute pattern match instructions 524 to determine parameters for matching a second portion of the pattern.
  • the processing element 510 can determine a second pattern portion to compare to the packet based on the index.
  • the second pattern portion can be the remainder of the N - K portion or can be some other part (e.g., the whole N segment).
  • the second pattern portion and/or second packet portion can be a superset of the first packet portion and/or first pattern portion, be adjacent to the first portion, or sequential in an order to the first portion.
  • the processing element 510 can execute hashing instructions 526 to hash the second portion of the packet.
  • the hashing can be based on a size of the pattern (size N) and a location of the first packet portion.
  • the hash can be of size N from the beginning of the location of the first packet portion, can be size N - K from the end of the location of the first packet portion, etc.
  • the end result is a hash value for the second packet portion.
  • the processing element 510 determines whether the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern.
  • Hash match instructions 528 can be executed by the processing element 510 to implement the determination. Determination of the second pattern portion is further described in the description of FIGs. 6 and 7.
  • if a match occurs, then a match of the entire pattern is confirmed.
  • an action can be performed in response to the pattern.
  • a data structure such as a table can be used to look up an action to perform based on the pattern match.
  • the action can be applied to the packet or a flow associated with the packet (e.g., based on a session identifier in a header, other header information, etc.).
  • the action can include one or more of: dropping the packet, sending the packet to a location, incrementing a counter, etc.
  • FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example.
  • FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example.
  • Management device 700 may be, for example, a part of a network infrastructure device, located at an SDN controller, a computing device with the capabilities described herein, or the like.
  • Processing element 710 may be one or multiple central processing units (CPU), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPU), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 720, or combinations thereof.
  • the processing element 710 can be a physical device.
  • the processing element 710 may include multiple cores on a chip, include multiple cores across multiple chips, or combinations thereof.
  • Processing element 710 may fetch, decode, and execute instructions 722, 724, 726 to configure a hardware circuit and/or packet processor.
  • processing element 710 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 722, 724, 726.
  • Machine-readable storage medium 720 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions.
  • machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like.
  • the machine-readable storage medium can be non-transitory.
  • machine-readable storage medium 720 may be encoded with a series of executable instructions for determining whether a variable sized pattern is in a packet.
  • the management device 700 can be used to configure the hardware circuit and/or packet processor of a network infrastructure device.
  • the management device 700 can be implemented at an SDN controller. In other examples, the management device 700 can be implemented at the network infrastructure device.
  • Interface instructions 722 can be executed by the processing element 710 to receive a pattern to implement matching at a network infrastructure device.
  • the pattern can be, for example, N bytes to be searched for.
  • the pattern can be received from a user, input, an SDN controller, etc.
  • the processing element 710 executing the circuit configuration instructions 724 can determine whether the hardware circuit has capacity to match the pattern. As such, the processing element 710 can determine that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit. The processing element 710 can choose a first portion of the pattern to create a rule for, implement that rule using the circuit, and configure the circuit to implement the rule (604). The management device 700 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor on the network infrastructure device to be configured.
  • the processing element 710 can execute hashing instructions 726 to hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes can be the second portion).
  • N - K bytes is the portion of the pattern that is greater than the capability of the circuit (K bytes).
  • the hashed second portion can be stored in the data structure along with any hash parameters and/or information to help determine the second portion (e.g., length of the second portion, relevant location to the first portion, etc.).
  • the pre-hash value can be provided to the packet processor by updating the data structure.
  • the index value can point to multiple hashes that can be performed that are associated with different patterns.
  • an action or multiple actions can be associated with each of the patterns.

Abstract

Examples disclosed herein relate to pattern matching. In one example, a notification from a hardware circuit of a device is received. In the example, the notification indicates that a first packet portion of a packet received by a network interface of the device is matched to a first pattern portion of a pattern. Further, in the example, the device hashes a second packet portion of the packet to generate a hash value based on a hash size determined via information received from the hardware circuit. In the example, the device determines that the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern.

Description

DETERMINING PATTERN MATCH BASED ON CIRCUIT MATCH AND HASH VALUE MATCH
BACKGROUND
[0001] Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop computers, laptops, workstations, network printers, network scanners, etc. that are networked together across a local area network (LAN), wide area network (WAN), wireless networks, etc. Networks can include deep packet inspection devices, such as an intrusion prevention system (IPS) and/or an intrusion detection system (IDS) to detect unwanted activity acting on the computer network. Further, networks can be managed using a Software Defined Networking controller.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] The following detailed description references the drawings, wherein:
[0003] FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples;
[0004] FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example;
[0005] FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example;
[0006] FIG. 5 is a block diagram of a network device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example;
[0007] FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example; and
[0008] FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example.
DETAILED DESCRIPTION
[0009] Deep Packet Inspection devices can examine network packets and flows of packets to detect patterns, for example, to help defend against malware, to prioritize traffic flows, to monitor for data exfiltration, etc. However, deep packet inspection devices tend to be slow relative to current network speeds, with the performance gap widening. Increasing deep packet inspection device capacity, and/or capability, to check all network data is expensive. Examples of deep packet inspection devices include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Next Generation Firewalls (NGFW).
[0010] One option is to inspect the traffic at other network infrastructure devices, such as switches, routers, wireless access points, etc., according to rules to determine whether to perform an action (e.g., drop a packet or packet flow, send the packet or packet flow to an IDS, IPS, NGFW, log the information, etc.). The inspection can be cruder than packet inspection by an IDS, IPS, or NGFW, thus allowing for limited packet inspection that can be performed at various locations within a network environment. An application-specific integrated circuit (ASIC) can be used to perform the packet inspection in the network devices.
[0011] However, performing packet inspection at network devices (e.g., switches, access points, routers, etc.) can come at a time and/or hardware cost. For example, if a packet is processed using an ASIC, hardware would be needed to quickly identify patterns (e.g., strings) that are matched. As the number of patterns to match grows, the amount of hardware increases. Because the quantity of patterns keeps growing, it can be desirable to scale the approach to use these network infrastructure devices. Patterns can be large or small. If a pattern (e.g., a match on a string) is longer than a particular length, additional hardware may be needed.
[0012] Accordingly, various examples disclosed herein relate to using an approach where a network infrastructure device includes a circuit capable of matching patterns as well as a packet processor to match additional portions of a pattern. The circuit may be capable of matching patterns of a particular size (e.g., between 1 byte and 12 bytes, between 1 byte and 16 bytes, etc.). Circuitry can be implemented using, for example, Bloom tables in hardware.
[0013] If a string or pattern to be matched is longer than the capability of the circuit, a packet processor can be used in conjunction with the circuit. A portion of the pattern can be matched using the circuit. Another portion or portions of the pattern (e.g., an adjacent portion, a superset, a portion with a gap before or after the initial portion, etc.) can be compared based on the match using the circuit. This can be facilitated by using hashing. For example, the portion(s) of the pattern to be examined can be hashed by a management device as a precursor to the pattern search. The management device can provide that hash to the packet processor. Further, a data structure, such as a table, can be stored on the network infrastructure device so that when a match is made by the circuit, the network infrastructure device can compare the match with the data structure (e.g., a table).
[0014] In one example, the match is a complete match for a pattern or string. In that example, the match is compared in the data structure to determine what to do with the packet and/or associated packet stream. For example, if a match is made, the data structure may indicate to the network infrastructure to perform an action (e.g., drop a packet or flow, divert the packet or flow to another device (e.g., an IPS device, a data collection device, etc.), tag information to the packet and/or flow, etc.).
[0015] In another example, the match is partial. When the match is compared to the data structure, the data structure can indicate one or multiple other portions of the packet to compare. The data structure can also associate the portion(s) with a pre-determined hash value as described above. Moreover, in some examples, the data structure can provide information of where the packet processor should look for the portion (e.g., via an index) and/or a size of the portion. The packet processor can hash the portion and compare the hashed portion with the pre-determined hash value. If the pre-determined hash value matches the hash value determined by the packet processor, the pattern can be considered a match. With this approach, variable sized patterns (e.g., strings) can be searched for in packets. Further, because this approach is not limited to header fields, matches can be for any portion of the packets. As such, this can enable actions to occur based on matches of data. The hash function for the pre-hash and the hashing performed by the packet processor can be the same or compatible.
[0016] For example, the strings "CONFIDENTIAL INFORMATION" and "CONFIDENTIAL DATA" can be searched for as a pattern. In this example, the circuit may have a capability to match 10 characters. Further, in this example, the string "CONFIDENTI" can be searched for using the circuit. In this example, a match in the circuit yields the hash for "AL INFORMATION" and "AL DATA". In one example, the string "CONFIDENTIAL DATA and PRIVILEGED" is present. "CONFIDENTI" is matched using the circuit and then the packet processor processes the next 7 characters "AL DATA" and the next 14 characters "AL DATA and PR." The hash for "AL DATA" matches, however, the hash for "AL INFORMATION" does not. The match can lead to an action to be performed.
[0017] As used herein, a network infrastructure device includes a network chip and can be used to forward packets. In one example, the network infrastructure device can have a number of network ports for the device for receiving and transmitting packets therefrom, and logic that is encoded with application specific integrated circuit (ASIC) primitives to check header fields and payload content in the packets. In other examples, logic can be implemented using other electronic circuitry (e.g., field programmable gate arrays (FPGAs), complex programmable logic devices (CPLDs), etc.). Further, instructions executable by a packet processor can be used in conjunction with the circuitry. In certain examples, the logic can perform pattern matching on the header fields and the payload content according to a number of rules. As noted above, the logic can be combined with the packet processor to allow for variable length pattern matching.
[0018] FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples. Network infrastructure devices 100, 200 include components that can be utilized to determine a variable sized pattern match in a packet. In one example, network infrastructure device 100 can include a network interface 110, packet processor 112, a circuit 114, and a management engine 116. In some examples, network infrastructure device 200 can also include a pattern rule(s) 220, a pre-hash calculation 222, a processor 230, and memory 232. The respective network infrastructure devices 100, 200 may be a network device, a switch, a wireless access point, a hub, a router, or other network device capable of performing the functionality described herein.
[0019] The network interface 110 switches traffic between inputs and outputs using standard processing (e.g., a standard switch process based on source and destination addresses of the packets). Traffic includes packetized data ("packets") formatted using multiple layers of protocol, e.g., the Transmission Control Protocol (TCP) Internet Protocol (IP) ("TCP/IP") model, Open Systems Interconnection (OSI) model, or the like. A packet generally includes a header and a payload. The header implements a layer of protocol. The payload includes data, which may be related to packet(s) at another layer of protocol. In an example, the network interface 110 performs switching of the packets at a network access layer. The network access layer provides links between hosts over which packets are transmitted. The network access layer is sometimes referred to as layer 2, referring to layer 2 of the OSI model. The prevailing network access layer today includes the Ethernet family of protocols, although the network interface 110 can switch packets using other types of network access protocols. While the network interface 110 can switch traffic at the network access layer, the network interface 110 may also process packets at layers above the network access layer to implement various other functions (e.g., quality of service (QoS), such as at a network layer (e.g., IP or other OSI layer 3 protocol) and/or transport layer (e.g., TCP, User Datagram Protocol (UDP), or other OSI layer 4 protocol)).
[0020] In certain examples, the packet processor 112 and/or circuit 114 can be used to match patterns in the packets and/or packet flow according to pattern rules 220. The patterns can be byte patterns and/or packet patterns and/or regular expression patterns. Packet(s) matching pattern(s) are deemed to satisfy the rule.
[0021] In an example, the pattern rules 220 can be based on at least one Bloom filter. A Bloom filter can be used to test whether an element (e.g., a character, string of characters, a byte pattern from packet(s)) is a member of a set (e.g., interesting byte patterns). In another example, the pattern rules 220 can be based on a regular expression filter. A regular expression filter searches for byte patterns in the packets using regular expressions. As noted above, the circuit 114 can be used to implement pattern rules 220 for patterns that are up to a predetermined pattern size (e.g., K bytes). For matched patterns up to that size, the match can be communicated to the packet processor 112 and the packet processor 112 or other resource can be used to facilitate performance of an action (e.g., add a tag to the packet or packet flow and forward via the network interface 110, forward to an intrusion prevention system, forward to an intrusion detection system, forward to another device, copy to another device, drop the packet or associated flow, log the match, check a hash value as described further below, etc.).
[0022] When a pattern rule 220 is set up for a pattern that is greater than K bytes, a combination of the circuit 114 and the packet processor 112 can be used to implement the search for the pattern. For descriptive purposes, the pattern size can be considered N bytes. A pattern rule 220 can be set up for use with a subset of the N bytes (e.g., the first K bytes, K bytes in the middle, K bytes at the end, a smaller subset, etc.).
[0023] Various reasons can be used to choose the subset. In one example, if the pattern was a string "Privileged and Confidential," and K was 12 bytes, one reason to use a rule to match a first portion of the string, "Confidential," in the circuit 114 could be that the 12 byte pattern of "Confidential" is already being searched for in another pattern rule 220. In the same example, another pattern "Confidential Material" may also choose "Confidential" for the pattern rule to implement in the circuit 114 though it is at the beginning of the pattern instead of the end.
[0024] The circuit 114 can be set such that the circuit 114 can provide location information of the matched term in the packet. For example, the circuit 114 can provide information (e.g., an offset) as to where the beginning of the matched rule is in the packet. The circuit 114 may also provide an index value that can be used to look up actions the packet processor 112 or other resource can take in response to a match. The index value can be used by the packet processor 112 or other resource to look up, in a data structure (e.g., a table), an action to take based on the match in the circuit 114.
[0025] As noted above, various actions can be taken. One particular action can be for the match of the rule in the circuit 114 to be considered a partial match of the first portion and the packet processor 112 hashing a second portion of the pattern to compare with a pre-hash value.
[0026] The pre-hash value can be determined before monitoring of packets for the rule. The pre-hash value can be determined for a second portion of the pattern. In one example, the second portion includes the remaining bytes of the pattern (e.g., N - K bytes). In other examples, the second portion may include a set of the N - K bytes plus another subset of the pattern. In further examples, the second portion may include the whole pattern. In some examples, the location information and/or the data structure can include information about the second portion. Moreover, as noted above, one match in the circuit 114 may lead to multiple possible hashes to be checked as further described below. Conceptually, if the pattern rule 220 does not match in the circuit 114, it is known that the larger pattern cannot match, and if the rule does match, the packet processor 112 can compare the pre-hash value with the newly hashed value to determine whether the pattern is present in the packet or packet flow.
[0027] The pre-hash value can be calculated before performing an action on the packet or packet flow. The pre-hash value can be calculated on the second portion using a hash algorithm. A management engine 116 can be used to determine the pre-hash value from the second portion and the hash algorithm. In some examples, another device, such as a software defined networking (SDN) controller or other management device may be used to determine the pre-hash value. The pre-hash value can be associated in the data structure so that when a first portion is matched in the circuit 114, the data structure points the packet processor 112 to hash the second portion and compare it to the pre-hash value.
[0028] The hash algorithm can be communicated so the same or a compatible algorithm is used to determine the pre-hash value and during the hashing by the packet processor 112. Examples of hash algorithms that can be used include Cyclic Redundancy Checksum (CRC32), linear feedback shift register (LFSR) hash functions, special purpose hashing functions, etc. In some examples, the data structure may include hashing parameters (e.g., the hash function to be used and/or any parameters used to set the hash function up). In some examples, a hash key can be a parameter. The hash key may be received (e.g., from an SDN controller).
[0029] In one example, the management engine 116 receives a pattern (e.g., N bytes) to be searched for (e.g., from an SDN controller, an input from a user, etc.). The management engine 116 determines that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit 114. The management engine 116 can choose a first portion of the pattern to create a rule for in the pattern rules 220 to implement using the circuit 114. The management engine 116 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor. Moreover, the management engine 116 can hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes can be the second portion). In the illustrative case, N - K bytes is the portion of the pattern that is greater than the capability of the circuit (K bytes). As noted above, in other examples, the second portion of the hash may include the first portion. In one example, the circuit can be in the form of a Bloom table. The Bloom table may have potential for false positives. As such, the entire pattern or a greater portion of the pattern can be confirmed by the hash comparison, thus removing false positives.
[0030] In some examples, the management engine 116 may receive the hash from another entity (e.g., an external controller). The hashed second portion can be stored in the data structure along with any hash parameters and/or information to help determine the second portion (e.g., length of the second portion, relevant location to the first portion, etc.). As noted above, the index value can point to multiple hashes that can be performed that are associated with different patterns. Moreover, an action or multiple actions can be associated with each of the patterns.
[0031] When the network infrastructure device 100 is used, the network interface 110 can be used to switch packets. The circuit 114 can be used to monitor the packets switched by the network interface 110. As noted above, the circuit 114 can include a pattern matcher that is capable of identifying flows in the packets satisfying patterns up to a predetermined pattern size (in the example above, K bytes). When a match occurs in the circuit 114, the circuit 114 can communicate that information to the packet processor 112. The communication can include, for example, an index value that can be used in a data structure to look up what pattern was matched and what actions can be taken in response.
[0032] In the example that the match is a partial match, the circuit 114 may also include location information for the matched portion (e.g., identifying an offset for the packet that locates the beginning of the matched part of the pattern). The data structure may provide the size of the second portion to be hashed and matched based on the index value. As noted above, the size can be used as a parameter in the hash function. Further, the data structure may provide information to locate the second portion (e.g., an offset from the start of the first portion that was matched). The second portion of the packet being analyzed is hashed by the packet processor 112. In some examples, the packet processor 112 may have additional hardware to help perform this functionality, for example, the packet processor 112 may include one or more of: ternary content-addressable memory (TCAMs), hashing circuitry, counters, etc. The packet processor 112 can compare the hash value to the corresponding pre-hash value from the data structure. If a match occurs, then an action can be taken. In some examples the action to be taken can be indicated by the data structure.
[0033] Further, in some examples, the index value may lead to multiple possible matches. If there are multiple possible matches, multiple hashes can be performed and checked against corresponding pre-hash values. The action to be taken can be based on which hash value matches.
[0034] A match in a packet can indicate that the associated flow is matched. Thus, the action can be performed on the packet and/or the associated flow. In some examples, the matching may be stateful. For example, the first portion and/or second portion may extend multiple packets of a flow. As noted above, example actions can include dropping a packet or multiple packets of the flow, sending the packet or flow to a location (e.g., an IPS, a logger, etc.), incrementing a counter, updating state, etc.
[0035] The management engine 116 can include hardware and/or combinations of hardware and programming to perform functions provided herein. Moreover, the modules (not shown) can include programming functions and/or combinations of programming functions to be executed by hardware as provided herein. When discussing the engines and modules, it is noted that functionality attributed to an engine can also be attributed to the corresponding module and vice versa. Moreover, functionality attributed to a particular module and/or engine may also be implemented using another module and/or engine.
[0036] A processor 230, such as a central processing unit (CPU) or a microprocessor suitable for retrieval and execution of instructions and/or electronic circuits can be configured to perform the functionality of the management engine described herein and/or various other functionality. In certain scenarios, instructions and/or other information, such as rules, patterns, pre-hash calculations 222, a data structure, etc., can be included in memory 232 or other memory. Input/output interfaces may additionally be provided by the network infrastructure device 200 (e.g., via a network interface). Input/output devices such as communication devices like network communication devices or wireless devices can also be considered devices capable of using the input/output interfaces.
[0037] FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example. In certain examples, the network infrastructure devices 306a - 306m can be used to facilitate communications between computing devices, for example, computing devices 330a - 330i. Though the software defined network 310 is shown between the communication devices 330 in this example, communications may also travel through other network infrastructure devices that are either part of the network or part of other networks (e.g., via the Internet). The SDN 310 can be controlled using an SDN controller 350 and may communicate via a control plane while data communications travel through a data plane. The computing devices 330a - 330i can be implemented via a processing element, memory, and/or other components.
[0038] The network infrastructure devices 306 can include a packet processor engine 312, a deep packet inspection engine 314, and a management engine 316. The packet processor engine 312 and/or deep packet inspection engine 314 can be implemented using various technologies, for example, a programmable switch ASIC. The programmable packet processor engine 312 can include a series of resources (e.g., TCAM, hashes, counters, etc.) used to host an SDN pipeline. Further, the deep packet inspection engine 314 can be used to implement deep packet inspection functionality, for example, as circuit 114. The management engine 316 can include instructions capable of executing on a physical processing element such as a CPU. The management engine 316 can be used to manage and configure the deep packet inspection engine 314 and the packet processor engine 312. In some examples, the management engine 316 can communicate with the SDN controller 350 using a control plane; in other examples, the management engine 316 can communicate via a data plane of the SDN 310.
[0039] The management engine 316 can configure the DPI engine 314 to search for patterns, for example, string patterns. The patterns to be searched can be obtained from an external entity such as user input or message and/or the SDN controller 350.
[0040] When packets arrive at the packet processor engine 312, regular table lookups are performed in SDN tables. If one of the SDN actions to be applied contains a go-to table where the next table is a string match table, the packet processor engine 312 can store the current packet state in a metadata structure. The current packet state can include, for example, the next table, accumulated actions, internal register values, etc. Moreover, in some examples, the packet processor engine 312 can accumulate actions to apply and apply the actions in bulk.
[0041] The packet along with the metadata structure can be redirected to the deep packet inspection (DPI) engine 314 in order to search for the desired strings. If a string is found in the packet, the SDN actions associated with the string hit are either applied or accumulated to the packet (just as in a regular flow table lookup). In some examples, this can be a continuation of the packet processor engine 312 performing regular packet processing. If a miss is obtained from the string match table, the SDN actions associated with a string miss are applied to the packet. In some implementations, this could be to drop the packet. In other implementations, this could be to process the packet regularly. Different applications may want to use the DPI engine 314 to look for multiple strings and apply an SDN action if any one of the strings is found in the packet. In other implementations, different SDN actions could be associated with different strings. The SDN actions that are applied to the packet can include, but are not limited to: drop, send the packet to a port or ports, modify a field of the packet, encapsulate the packet and send it to a tunnel interface, increment a counter, send to a DPI device 302 (e.g., an IPS, an IDS, etc.) for more analysis, send to a logging device, etc.
[0042] The SDN 310 and/or other communication network can use wired communications, wireless communications, or combinations thereof. Further, the networks can include multiple sub communication networks such as data networks, wireless networks, telephony networks, etc. Such networks can include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber optic networks, combinations thereof, or the like. In certain examples, wireless networks may include cellular networks, satellite communications, wireless LANs, etc. Various communication structures and infrastructure can be utilized to implement the communication network(s).
[0043] By way of example, the computing devices 330 communicate with each other and other components with access to the communication networks via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the communication network interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages. Packets can include header information associated with a protocol (e.g., information on the location of the network node(s) to contact) as well as payload information.
[0044] FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example. FIG. 5 is a block diagram of a device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example. The device 500 includes, for example, a processing element 510 and a machine-readable storage medium 520 including instructions 522, 524, 526, 528 for determining a variable sized pattern match on packets. Device 500 may be, for example, a network infrastructure device, a switch, a router, an access point, or other computing device with the hardware components and capabilities described herein.
[0045] Processing element 510 may include one or multiple central processing units (CPUs), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPUs), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 520, or combinations thereof. The processing element 510 can be a physical device. Moreover, in one example, the processing element 510 may include multiple cores on a chip, multiple cores across multiple chips, or combinations thereof. Processing element 510 may fetch, decode, and execute instructions 522, 524, 526, 528 to implement matching of patterns in packets. As an alternative or in addition to retrieving and executing instructions, processing element 510 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 522, 524, 526, 528. For example, the processing element 510 can include a programmable packet processor, which may also include TCAMs, hashes, counters, etc.
[0046] Machine-readable storage medium 520 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, machine-readable storage medium 520 may be encoded with a series of executable instructions for determining whether a variable sized pattern is in a packet.
[0047] Packets can be received at the device 500. Interface instructions 522 can be executed by the processing element 510 to switch the packets (e.g., to a destination device or network infrastructure device). In one example, a packet is received at a network interface of the device 500.
[0048] As noted above, a hardware circuit 512 can receive packets and determine whether one or more patterns (e.g., strings) are found in the packet. Packets may be automatically processed by the circuit 512 or be checked by the circuit 512 in response to an action by the processing element 510. For example, the processing element 510 may check packets whose source or destination device is within the network that the device 500 is in and that go external to the network. As noted above, variable sized patterns can be matched for packets by splitting the work: part of it is done by the circuit 512, which is quick but costs hardware resources, and part of it is done using the processing element 510.
[0049] At 402, a hardware circuit 512 can determine whether a first packet portion of the packet is matched to a first pattern portion of a pattern. The pattern may have a size N and the circuit may be capable of matching a pattern of size K. The size N can be more than K. If the first portion of size K is not matched, then the processing element 510 knows that the pattern is not present in the packet. If the first portion is matched, the circuit 512 can provide information about the match to the processing element 510. For example, the circuit 512 may provide a notification to the processing element that the first packet portion is matched to the first pattern portion. The notification may include location information of the matched part of the pattern in the packet (e.g., an offset). The location information can include, for example, the beginning of the pattern in the packet. In some examples, information about the pattern can also be communicated. For example, an index value can be provided. The index value can be used to look up possible matches to complete a pattern that was partially matched by the match of the first packet portion. As noted above, more than one possible pattern can be checked based on the first match. The processing element 510 can receive the notification and execute pattern match instructions 524 to determine parameters for matching a second portion of the pattern. For example, the processing element 510 can determine a second pattern portion to compare to the packet based on the index. As noted above, the second pattern portion can be the remaining N - K bytes or can be some other part (e.g., the whole N-byte segment). For example, the second pattern portion and/or second packet portion can be a superset of the first packet portion and/or first pattern portion, be adjacent to the first portion, or be sequential in an order to the first portion.
[0050] At 404, the processing element 510 can execute hashing instructions 526 to hash the second portion of the packet. The hashing can be based on a size of the pattern (size N) and a location of the first packet portion. For example, the hash can be over N bytes from the beginning of the location of the first packet portion, over N - K bytes from the end of the location of the first packet portion, etc. The end result is a hash value for the second packet portion.
[0051] At 406, the processing element 510 determines whether the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern. Hash match instructions 528 can be executed by the processing element 510 to implement the determination. Determination of the second pattern portion is further described in the description of FIGs. 6 and 7.
[0052] If a match occurs, then a match of the entire pattern is confirmed. As such, an action can be performed in response to the pattern. A data structure, such as a table can be used to look up an action to perform based on the pattern match. The action can be applied to the packet or a flow associated with the packet (e.g., based on a session identifier in a header, other header information, etc.). In some examples, the action can include one or more of: dropping the packet, sending the packet to a location, incrementing a counter, etc.
[0053] FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example. FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example. Management device 700 may be, for example, a part of a network infrastructure device, located at an SDN controller, a computing device with the capabilities described herein, or the like.
[0054] Processing element 710 may be one or multiple central processing units (CPUs), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPUs), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 720, or combinations thereof. The processing element 710 can be a physical device. Moreover, in one example, the processing element 710 may include multiple cores on a chip, multiple cores across multiple chips, or combinations thereof. Processing element 710 may fetch, decode, and execute instructions 722, 724, 726 to configure a hardware circuit and/or packet processor. As an alternative or in addition to retrieving and executing instructions, processing element 710 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 722, 724, 726.
[0055] Machine-readable storage medium 720 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, machine-readable storage medium 720 may be encoded with a series of executable instructions for configuring the matching of a variable sized pattern in a packet.
[0056] The management device 700 can be used to configure the hardware circuit and/or packet processor of a network infrastructure device. In some examples, the management device 700 can be implemented at an SDN controller. In other examples, the management device 700 can be implemented at the network infrastructure device.
[0057] Interface instructions 722 can be executed by the processing element 710 to receive a pattern to implement matching at a network infrastructure device. The pattern can be, for example, N bytes to be searched for. The pattern can be received from user input, an SDN controller, etc.
[0058] At 602, the processing element 710 executing the circuit configuration instructions 724 can determine whether the hardware circuit has capacity to match the pattern. As such, the processing element 710 can determine that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit. The processing element 710 can choose a first portion of the pattern, create a rule for that portion to be implemented using the circuit, and configure the circuit to implement the rule (604). The management device 700 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor on the network infrastructure device being configured.
[0059] Moreover, at 606, the processing element 710 can execute hashing instructions 726 to hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes can be the second portion). In the illustrative case, the N - K bytes are the portion of the pattern that exceeds the capability of the circuit (K bytes).
[0060] The hashed second portion can be stored in the data structure along with any hash parameters and/or information to help determine the second portion (e.g., length of the second portion, location relative to the first portion, etc.). As such, the pre-hash value can be provided to the packet processor by updating the data structure. As noted above, the index value can point to multiple hashes that can be performed that are associated with different patterns. Moreover, an action or multiple actions can be associated with each of the patterns.
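The configuration procedure of FIG. 6 ([0057]-[0060]), the matching procedure of FIG. 4 ([0048]-[0052]) and the string match table hit/miss handling of [0040]-[0041] can be illustrated with the following added Python example. It is not code from the patent or from Hewlett Packard Enterprise. The circuit capacity K = 4 bytes, the keyed BLAKE2b hash and its key, the sample patterns, the sample packet and the action names are all assumptions chosen for illustration; the hardware circuit is modeled as a software scan for exact K-byte prefixes, which is the part the ASIC would perform. The second portion is taken as the remaining N - K bytes, the simple case of [0059], and an index shared by patterns with the same first K bytes points to several pre-hash values, as [0060] describes.

```python
import hashlib
from dataclasses import dataclass, field

# Assumptions for this illustration (not values from the patent):
K = 4                             # bytes the circuit can match per rule ("predetermined pattern size")
HASH_KEY = b"per-device-secret"   # hash key of the kind claim 6 refers to; hypothetical value


def keyed_hash(data: bytes, key: bytes = HASH_KEY) -> bytes:
    """Same hash on both sides: management engine (pre-hash) and packet processor (live hash)."""
    return hashlib.blake2b(data, key=key, digest_size=8).digest()


@dataclass
class PatternEntry:
    """One row of the data structure that coordinates circuit and packet processor."""
    pattern: bytes   # full N-byte pattern (kept only for reporting)
    tail_len: int    # N - K: size of the second pattern portion, used to size the live hash
    pre_hash: bytes  # keyed hash of the second pattern portion, computed at configuration time
    action: str      # SDN action applied on a full match


@dataclass
class DeviceConfig:
    circuit_rules: dict = field(default_factory=dict)  # first K bytes -> index (circuit side)
    table: dict = field(default_factory=dict)          # index -> [PatternEntry, ...] (packet processor side)


def configure(patterns, k: int = K) -> DeviceConfig:
    """Management engine (FIG. 6, steps 602-606): split each N-byte pattern into a K-byte
    circuit rule and a pre-hash of the remaining N - K bytes. Patterns sharing the same
    first K bytes share one index, so that index points to several pre-hashes."""
    cfg = DeviceConfig()
    for pattern, action in patterns:
        if len(pattern) <= k:
            raise ValueError(f"{pattern!r} fits in the circuit; this split is only for N > K")
        head, tail = pattern[:k], pattern[k:]
        idx = cfg.circuit_rules.setdefault(head, len(cfg.circuit_rules))
        cfg.table.setdefault(idx, []).append(
            PatternEntry(pattern, len(tail), keyed_hash(tail), action))
    return cfg


def circuit_match(cfg: DeviceConfig, packet: bytes, k: int = K):
    """Hardware circuit (step 402), modeled in software: for every position where a configured
    K-byte rule occurs, notify the packet processor with (offset, index)."""
    hits = []
    for off in range(len(packet) - k + 1):
        idx = cfg.circuit_rules.get(packet[off:off + k])
        if idx is not None:
            hits.append((off, idx))
    return hits


def packet_processor_match(cfg: DeviceConfig, packet: bytes, hits, k: int = K):
    """Packet processor (steps 404-406): for each notification, hash the N - K bytes that
    follow the matched K bytes and compare against every pre-hash stored under the index."""
    matched = []
    for off, idx in hits:
        for entry in cfg.table[idx]:
            start, end = off + k, off + k + entry.tail_len
            if end > len(packet):
                continue  # pattern would run past the packet end: cannot be a full match here
            if keyed_hash(packet[start:end]) == entry.pre_hash:
                matched.append((off, entry.pattern, entry.action))
    return matched


def process_packet(cfg: DeviceConfig, packet: bytes, miss_action: str = "forward"):
    """String match table ([0040]-[0041]): accumulate the actions of every pattern hit;
    on a miss apply the table's miss action (drop, or regular processing as here)."""
    matches = packet_processor_match(cfg, packet, circuit_match(cfg, packet))
    return [action for _, _, action in matches] or [miss_action]


if __name__ == "__main__":
    # Constructed sample rules and packet (not from the patent)
    cfg = configure([(b"EVILCMD", "drop"), (b"EVILDOER", "drop"), (b"GET /admin", "mirror")])
    pkt = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\nEVILDOER"
    for off, pattern, action in packet_processor_match(cfg, pkt, circuit_match(cfg, pkt)):
        print(f"offset {off}: {pattern!r} -> {action}")
    print(process_packet(cfg, b"nothing to see"))
```

Two points a practitioner would check in such a design. First, a hash match is confirmation only up to the collision resistance of the hash; with an unkeyed, short hash an attacker who knows the rule set could craft N - K bytes that collide with a pre-hash and trigger the action (or, with a cheap non-cryptographic hash, evade nothing but cause false hits), which is why the example keys the hash on both sides as claim 6 allows. Second, the example hashes only within one packet, so a pattern whose first K bytes end a packet is reported as a miss rather than a partial match; matching across packet boundaries is outside what these paragraphs describe.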

Claims

What is claimed is:
1. A network infrastructure device comprising:
a network interface;
a packet processor;
a circuit to monitor packets switched by the network interface,
wherein the circuit further comprises a pattern matcher capable to identify flows in the packets satisfying patterns up to a predetermined pattern size; and a management engine to receive a pattern rule to match a pattern of a first pattern size that is larger than the predetermined pattern size and to configure the circuit to match a first portion of the pattern,
wherein the first portion is the predetermined pattern size,
wherein the management engine is further to determine a pre-hash calculation of a second portion of the pattern that is greater than the predetermined pattern size,
wherein the circuit determines that one of the flows matches the first portion; and
wherein the packet processor determines whether the second portion of the pattern is matched in the one flow based on the pre-hash calculation.
2. The network infrastructure device of claim 1, wherein the circuit provides location information in the one flow including the first portion to the packet processor.
3. The network infrastructure device of claim 2, wherein the packet processor determines whether the second portion of the pattern is matched based on the location information.
4. The network infrastructure device of claim 3, wherein the packet processor is further to:
hash another portion of the one flow based on the location information and an index; compare the hashed other portion and the pre-hash calculation to determine whether the second portion of the pattern is matched.
5. The network infrastructure device of claim 4, wherein the other portion has a same size as the second portion, wherein the index is provided by the circuit, and wherein the index is used to determine the same size.
6. The network infrastructure device of claim 4, wherein the network device is further to receive a hash key to hash the other portion.
7. The network infrastructure device of claim 1 , wherein the packet processor performs an action on the one flow based on the determination that the second portion of the pattern is matched and the first portion of the pattern is matched.
8. The network infrastructure device of claim 7, wherein the action includes at least one of: dropping a packet of the one flow, sending the packet to a location, and incrementing a counter.
9. A method comprising:
determining, by a hardware circuit, that a first packet portion of a packet is matched to a first pattern portion of a pattern,
wherein the packet is received at a network interface for switching;
hashing, at a programmable packet processor, a second packet portion of the packet based on a size of the pattern and a location of the first packet portion to generate a hash value; and
determining, at the programmable packet processor, whether the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern.
10. The method of claim 9, further comprising:
performing an action in response to a determination that the first packet portion is matched and the hash value matches the pre-hash value.
11. The method of claim 9, further comprising:
receiving the pattern,
wherein the hardware circuit is capable of matching up to a predetermined pattern size,
wherein the pattern has a first size that is larger than the predetermined pattern size,
wherein the first pattern portion has second size equal to the predetermined pattern size,
wherein the second pattern portion has a third size that is a difference between the predetermined pattern size and the second size,
configuring, by a management processor, the hardware circuit to monitor for the first pattern portion.
12. The method of claim 11, further comprising:
hashing, by the management processor, the second pattern portion to determine the pre-hash value.
13. A non-transitory machine-readable storage medium storing instructions that, if executed by a physical processing element of a device, cause the device to:
receive a notification from a hardware circuit of the device that a first packet portion of a packet received by a network interface of the device is matched to a first pattern portion of a pattern;
hash a second packet portion of the packet to generate a hash value based on a hash size determined via information from the hardware circuit; and determine that the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern.
14. The non-transitory machine-readable storage medium of claim 13, wherein the hardware circuit is capable of matching up to a predetermined pattern size,
wherein the pattern has a first size that is larger than the predetermined pattern size, wherein the first pattern portion has second size equal to the predetermined pattern size,
wherein the second pattern portion has a third size that is a difference between the predetermined pattern size and the second size.
15. The non-transitory machine-readable storage medium of claim 13, further comprising instructions that, if executed by the physical processing element, cause the device to:
perform an action on a flow associated with the packet based on the determination,
wherein the action includes at least one of: dropping the packet, sending the packet to a location, and incrementing a counter, and
wherein the second packet portion is one of: a superset of the first packet portion, adjacent to the first packet portion, and sequential in an order to the first packet portion.
Priority Applications (1)

Application Number: PCT/US2016/017360 (WO2017138936A1); Priority Date: 2016-02-10; Filing Date: 2016-02-10; Title: Determining pattern match based on circuit match and hash value match

Publications (1)

Publication Number: WO2017138936A1; Publication Date: 2017-08-17

Family ID: 59563398

Country Status (1)

WO: WO2017138936A1

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080201772A1 (en) * 2007-02-15 2008-08-21 Maxim Mondaeev Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection
US20090028143A1 (en) * 2007-07-26 2009-01-29 Anand Eswaran Pattern Matching In A Network Flow Across Multiple Packets
US20100266215A1 (en) * 2009-04-17 2010-10-21 Alcatel-Lucent Usa Inc. Variable-stride stream segmentation and multi-pattern matching
US20140153435A1 (en) * 2011-08-31 2014-06-05 James Rolette Tiered deep packet inspection in network devices
US20140188822A1 (en) * 2012-12-28 2014-07-03 Futurewei Technologies, Inc. Efficient De-Duping Using Deep Packet Inspection
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16890052; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16890052; Country of ref document: EP; Kind code of ref document: A1