Hardware-based detection devices for detecting unsafe network traffic content and methods of using the same
First Claim
1. A computer-implemented method, in a firewall device, for detecting network traffic content on a data communication network, the method comprising:
- compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network;
receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content;
examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content;
in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and
in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor,wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, andblocking network traffic content matching content to be detected.
0 Assignments
0 Petitions
Accused Products
Abstract
A device for detecting network traffic content is provided. The device includes a first input port configured to receive one or more signatures, each of the one or more signatures associated with content desired to be detected, a second input port configured to receive data associated with network traffic content. The device also includes a processor configured to process the one or more signatures and the data to determine whether the network traffic content matches the content desired to be detected, and an output port configured to couple the device to a computer system of an intended recipient of the network traffic content. The output port passes the network traffic content to the computer system when it is determined that the network traffic content does not match the content desired to be detected.
87 Citations
17 Claims
-
1. A computer-implemented method, in a firewall device, for detecting network traffic content on a data communication network, the method comprising:
-
compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network; receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content; examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content; in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor, wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, and blocking network traffic content matching content to be detected. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A non-transitory computer product includes a computer-readable medium in a firewall device, for detecting network traffic content on a data communication network, the computer-readable medium having a set of stored instructions, an execution of which causes a process to be performed, the process comprising:
-
compiling signatures associated with content considered unsafe and translating the compiled signatures into a byte stream executable by a processor of the firewall device to control the processor when determining whether network traffic content matches the compiled signatures, the signatures created using at least one predicates, wherein each of the at least one predicates is represented in a signature by one or more of a letter, a word, a sentence, a number, a logical operator, and a mathematical operator, and the signatures received via a first input port of the firewall device communicatively coupled to the data communication network; receiving, by a network device via a second input port of the firewall device communicatively coupled to the data communication network, network traffic content; examining headers of network traffic content and the executing byte stream to determine the content type of the network traffic content; in response to a determination that the content type is considered safe, the network traffic content is passed to a packet processing module wherein the packet processing module passes the network traffic content to a network output port communicatively coupled to the data communication network, wherein the network output port is configured to communicatively couple the firewall device to a computer system of an intended recipient of the network traffic content; and in response to a determination that the content type is considered unsafe, the network traffic content is sent to a stack module, wherein the stack module converts the traffic network content into a content stream to be processed by a processor, wherein the processor translates at least one signature codified with the at least one predicate representative of at least one function to be performed to detect network traffic content to be detected into a byte stream executable by the processor to determine whether network traffic content matches content to be detected, the at least one signature is received via a first input port of the network device, and blocking network traffic content matching content to be detected. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
-
Specification