Hierarchical pattern matching for deep packet analysis

US 10,397,263 B2
Filed: 04/25/2017
Issued: 08/27/2019
Est. Priority Date: 04/25/2017
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a first content addressable memory (CAM) storing a substring of a string of a regular expression as a plurality of bits that are individually searchable;

a memory comprising executable instructions; and

one or more processors coupled to the memory wherein the one or more processors execute the instructions to;

receive a data packet comprising a plurality of bits;

search the received data packet at a first hierarchical level using, at least in part, the first CAM and compare in parallel the plurality of bits of the received data packet to the plurality of bits of the substring to determine whether the substring of the string of the regular expression exists in the received data packet;

search the received data packet at a second hierarchical level when the search of the received data packet at the first hierarchical level finds a match, to determine whether the string of the regular expression exists in the received data packet; and

transmit the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method comprising receiving, by a network element, a data packet, searching, by the network element, the received data packet at a first hierarchical level to determine whether a substring of a string of a regular expression exists in the received data packet, searching, by the network element when the search of the received data packet at the first hierarchical level finds a match, the received data packet at a second hierarchical level to determine whether the string of the regular expression exists in the received data packet, and transmitting, by the network element, the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.

Citations

16 Claims

1. An apparatus, comprising:
- a first content addressable memory (CAM) storing a substring of a string of a regular expression as a plurality of bits that are individually searchable;
  
  a memory comprising executable instructions; and
  
  one or more processors coupled to the memory wherein the one or more processors execute the instructions to;
  
  receive a data packet comprising a plurality of bits;
  
  search the received data packet at a first hierarchical level using, at least in part, the first CAM and compare in parallel the plurality of bits of the received data packet to the plurality of bits of the substring to determine whether the substring of the string of the regular expression exists in the received data packet;
  
  search the received data packet at a second hierarchical level when the search of the received data packet at the first hierarchical level finds a match, to determine whether the string of the regular expression exists in the received data packet; and
  
  transmit the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1, further comprising a second CAM, wherein the one or more processors execute the instructions to search the received data packet at the second hierarchical level at least in part using the second CAM.
  - 3. The apparatus of claim 2, wherein the second CAM stores the string as a binary value comprising a plurality of binary bits which are each individually searchable.
  - 4. The apparatus of claim 1, wherein the one or more processors further execute the instructions to:
    - receive a second data packet;
      
      search the received second data packet at the first hierarchical level to determine whether a second substring of a second string of a second regular expression exists in the received second data packet;
      
      search the received second data packet at the second hierarchical level when the search of the received second data packet at the first hierarchical level finds a match to determine whether the second string of the second regular expression exists in the received second data packet;
      
      search the received second data packet at a third hierarchical level to determine whether the second regular expression exists in the received second data packet;
      
      prevent transmission of the received second data packet to the next network element along an original path of the received data packet when the search of the received data packet at the third hierarchical level finds a match; and
      
      transmit the received second data packet to the next network element along an original path of the received second data packet when the search of the received data packet at the third hierarchical level does not find a match.

5. An apparatus, comprising:
- a first binary content addressable memory (BCAM) configured to search for a substring of a string of a regular expression in a received data packet;
  
  a second BCAM configured to search for the string in the received data packet when the substring is found in the received data packet;
  
  a first processor programmed to search for the regular expression in the received data packet when the string is found in the received data packet; and
  
  a second processor programmed to;
  
  schedule the received data packet for analysis by the second BCAM when the first BCAM determines that the substring is found in the received data packet, andtransmit the received data packet according to a bypass path that bypasses the second BCAM and the first processor when the first BCAM determines that the substring is not found in the received data packet.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The apparatus of claim 5, wherein the first processor is programmed to implement a finite state machine to search for the regular expression.
  - 7. The apparatus of claim 6, wherein the finite state machine is at least one of a deterministic finite state machine or a non-deterministic finite state machine.
  - 8. The apparatus of claim 5, wherein the first BCAM is configured to:
    - store a binary representation of the substring comprising a plurality of bits;
      
      compare the plurality of bits of the substring to a plurality of bits of the received data packet; and
      
      output a match result indicating a match between the substring and the received data packet when the plurality of bits of the substring matches the plurality of bits of the received data packet.
  - 9. The apparatus of claim 5, wherein the second BCAM is configured to:
    - store a binary representation of the string comprising a plurality of bits;
      
      compare the plurality of bits of the string to a plurality of bits of the received data packet; and
      
      output a match result indicating a match between the string and the received data packet when the plurality of bits of the string matches the plurality of bits of the received data packet.
  - 10. The apparatus of claim 5, further comprising a third processor configured to:
    - schedule the received data packet for analysis by the first processor when the second BCAM determines that the string is found in the received data packet; and
      
      transmit the received data packet according to a bypass path that bypasses the first processor when the second BCAM determines that the string is not found in the received data packet.

11. A method, comprising:
- receiving, by a network element, a data packet comprising a plurality of bits;
  
  searching, by the network element, the received data packet at a first hierarchical level using, at least in part, a first content addressable memory (CAM) storing a substring of a string of a regular expression as a plurality of bits that are individually searchable and comparing in parallel the plurality of bits of the received data packet to the plurality of bits of the substring to determine whether the substring of the string of the regular expression exists in the received data packet;
  
  searching, by the network element the received data packet at a second hierarchical level when the search of the received data packet at the first hierarchical level finds a match, to determine whether the string of the regular expression exists in the received data packet; and
  
  transmitting, by the network element, the received data packet to a next network element along an original path of the received data packet without searching the received data packet at a third hierarchical level when the search of the received data packet at the first or second hierarchical level does not find a match.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, further comprising:
    - searching, by the network element when the search of the received data packet at the second hierarchical level finds a match, the received data packet at the third hierarchical level to determine whether the regular expression exists in the received data packet;
      
      preventing, by the network element, transmission of the received data packet to the next network element along the original path of the received data packet when the search of the received data packet at the third hierarchical level finds a match;
      
      transmitting, by the network element, the received data packet to the next network element along an original path of the received data packet when the search of the received data packet at the third hierarchical level does not find a match.
  - 13. The method of claim 11, wherein the network element performs the searching at the first hierarchical level and the second hierarchical level using a plurality of content addressable memories (CAMs).
  - 14. The method of claim 13, wherein at least one of the CAMs is a binary CAM.
  - 15. The method of claim 11, wherein the network element performs the searching at the third hierarchical level using a finite state machine.
  - 16. The method of claim 11, wherein the network element is further configured to transmit the received data packet to a second network element for further analysis when the search of the received data packet at the third hierarchical level finds a match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Sun, Yan, Xu, Wei
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis C

Application Number

US15/496,322
Publication Number

US 20180309776A1
Time in Patent Office

854 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Hierarchical pattern matching for deep packet analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical pattern matching for deep packet analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links