Intrusion detection accelerator

US 20040083387A1
Filed: 12/31/2002
Published: 04/29/2004
Est. Priority Date: 10/29/2002
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system comprising a character buffer for a plurality of bytes of a document, a state table addressable in accordance with a byte of a document and a state to access at least one of an interrupt or exception and next state data from said state table, a register for storing said next state data, means for combining contents of said register with a subsequent byte of a document to form a further address into said state memory, and a bus for communicating said interrupt or exception to a host CPU.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Signatures of character strings in a document which may indicate a possible intrusion into or attack on a networked computer system or node thereof or other security breach are detected at high speed using a hardware accelerator within the environment of a hardware parser accelerator. An interrupt or exception can thus be issued to a host CPU before a command which may constitute such a security breach, intrusion or attack can be made executable by parsing of a document. The CPU can initiate network control measures to prevent or limit the intrusion.

168 Citations

View as Search Results

16 Claims

1. An intrusion detection system comprising a character buffer for a plurality of bytes of a document, a state table addressable in accordance with a byte of a document and a state to access at least one of an interrupt or exception and next state data from said state table, a register for storing said next state data, means for combining contents of said register with a subsequent byte of a document to form a further address into said state memory, and a bus for communicating said interrupt or exception to a host CPU.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The intrusion detection system as recited in claim 1, wherein said intrusion detection system is implemented within a parser.
  - 3. The intrusion detection system as recited in claim 1, wherein said state table is implemented in memory on the same chip as at least one of said register and said means for combining.
  - 4. The intrusion detection system as recited in claim 2, wherein said state table is implemented in external memory.
  - 5. The intrusion detection system as recited in claim 4, further including a memory on the same chip as at least one of said register and said means for combining for storing said state table when said state table does not require implementation in said external memory.
  - 6. The intrusion detection system as recited in claim 1, wherein said state table is accessed at a rate greater than a network packet transmission rate.
  - 7. The intrusion detection system as recited in claim 1, further including means for presenting a pattern matching alert to be presented to said CPU in response to detection of an occurrence of an input sequence which matches the signature of one or more sequences encoded in said state table, whereby response speed is increased.
  - 8. The intrusion detection system as recited in claim 7, wherein an intrusion alert corresponding to a said interrupt or exception is communicated to said CPU to initiate intrusion prevention action which prevents or limits an intrusion attempt.
  - 9. The intrusion detection system as recited in claim 1, wherein said state table is accessed at a rate which is substantially equal to a network data packet transmission rate.

10. An intrusion detection method comprising steps of accessing a state table addressable in accordance with a byte of a document and a state to access at least one of an interrupt or exception and next state data from said state table, storing said next state data, combining said stored next state data with a subsequent byte of a document to form a further address into said state memory, and communicating said interrupt or exception to a host CPU.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The intrusion detection method as recited in claim 10, wherein said intrusion detection method is implemented within a parser.
  - 12. The intrusion detection method as recited in claim 11, wherein said state table is implemented in external memory.
  - 13. The intrusion detection method as recited in claim 10, wherein said state table is accessed at a rate greater than a network packet transmission rate.
  - 14. The intrusion detection method as recited in claim 10, further including a step of presenting a pattern matching alert to be presented to said CPU in response to detection of an occurrence of an input sequence which matches the signature of one or more sequences encoded in said state table, whereby response speed is increased.
  - 15. The intrusion detection method as recited in claim 14, wherein an intrusion alert corresponding to a said interrupt or exception is communicated to said CPU to initiate intrusion prevention action which prevents or limits an intrusion attempt.
  - 16. The intrusion detection method as recited in claim 10, wherein said state table is accessed at a rate which is substantially equal to a network data packet transmission rate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Dapp, Michael C., Lett, Eric C.

Granted Patent

US 7,146,643 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1416 Event detection, e.g. attac...

Intrusion detection accelerator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

168 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection accelerator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links