Integrated circuit apparatus and method for high throughput signature based network applications
Abstract
An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.
155 Citations
91 Claims
1. An integrated circuit apparatus for high throughput pattern matching in network applications, the apparatus comprising:
a rigid support member comprising a connector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the connector region into a network system;
one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including;
a network interface module coupled to the rigid support member;
the network interface module including one or more network interface ports;
the one or more network interface ports being coupled via the connector region to a packet based network;
the one or more network interface ports containing one or more ingress network ports;
a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module;
a network module coupled to the rigid support member, the network module being coupled to the network interface bus;
a network event module coupled to the rigid support member, the network event module being coupled to the network module;
a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory being associated with a plurality of pre-stored patterns;
a host interface module coupled to the rigid support member, the host interface module being coupled to at least the network event module or at least the network module or both the network event module and the network module; and
a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module, the host interface bus being capable of connecting to the host system via the connector region.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 75, 76, 77, 78, 79, 80, 82
58. Apparatus of 17 wherein the update module is coupled to a management port;
the management port being coupled to an ingress network interface port.
70. A method for performing high throughput pattern matching wherein the high throughput pattern matching operation is performed using one or more of a plurality of patterns;
the patterns being defined by a regular language;
the regular language being implemented as a finite automaton;
the finite automaton including a transition table representation of the regular language, the transition table describing a transition function for the finite automaton;
the transition table being adapted to be stored in a compressed form;
the compressed form being adapted such that the transition function of the finite automaton is able to be computed from the compressed form in a maximum time that is constant with respect to the size of the compressed form.
Dependent claims: 71, 72, 73, 74
81. An apparatus for performing high throughput pattern matching wherein the high throughput pattern matching operation is performed using one or more of a plurality of patterns;
the patterns being defined by a regular language;
the regular language being implemented as a finite automaton;
the finite automaton including a transition table representation of the regular language, the transition table describing a transition function for the finite automaton;
wherein the patterns are represented as a single pattern database;
the single pattern database comprising the patterns from one or more of a plurality of applications;
the pattern matching operation being able to uniquely identify the application from the matching pattern.
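Added illustration of claims 70 and 81, not taken from the patent or its specification: a software sketch in which literal patterns (a subset of the regular languages) from several applications are compiled into one Aho-Corasick automaton, the transition table is stored compressed, and every transition costs one bit test plus one popcount over a fixed 256-bit word, independent of table size. The compression scheme (per-state default with an exception bitmap), the application names and the sample patterns are assumptions chosen for the example; the claims do not name a scheme.

```python
from collections import deque
# Constructed sample database of (application, literal pattern); all names are illustrative.
PATTERNS = [("ids", b"/etc/passwd"), ("ids", b"cmd.exe"), ("av", b"EICAR"), ("spam", b"passwd")]

def build_dfa(patterns):
    """Aho-Corasick DFA: full 256-column transition table and per-state match lists."""
    goto, out = [{}], [[]]
    for pid, (_, pat) in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append(pid)
    table = [[goto[0].get(b, 0) for b in range(256)]] + [None] * (len(goto) - 1)
    queue = deque((t, 0) for t in goto[0].values())
    while queue:
        s, fail = queue.popleft()        # fail: state of the longest proper suffix
        out[s] = out[s] + out[fail]      # inherit patterns that end at that suffix
        table[s] = list(table[fail])
        for b, t in goto[s].items():
            table[s][b] = t
            queue.append((t, table[fail][b]))
    return table, out

def compress(table):
    """Assumed scheme: per state (default target, 256-bit exception bitmap, packed targets)."""
    defaults = [max(set(row), key=row.count) for row in table]
    return [(d, sum(1 << b for b, t in enumerate(row) if t != d), [t for t in row if t != d])
            for row, d in zip(table, defaults)]

def step(rows, state, byte):
    """Transition function computed from the compressed form in bounded time."""
    default, bitmap, packed = rows[state]
    below = bin(bitmap & ((1 << byte) - 1)).count("1")   # exceptions before this byte
    return packed[below] if (bitmap >> byte) & 1 else default

def scan(rows, out, patterns, data):
    """Return (application, pattern, end_offset) for every match in data."""
    state, hits = 0, []
    for i, byte in enumerate(data):
        state = step(rows, state, byte)
        hits += [(*patterns[p], i + 1) for p in out[state]]
    return hits

TABLE, OUT = build_dfa(PATTERNS)
ROWS = compress(TABLE)
```

Each hit carries the application tag of the pattern that matched, so one pass over the stream serves every application sharing the database.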
83. A method for converting a network system into an accelerated signature based network system, the method comprising:
providing a network system, the network system comprising;
one or more input ports;
a host processor coupled to the one or more input ports;
a host memory coupled to the host processor;
a host interface bus coupled to the host processor; and
a host connector coupled to the host interface bus;
providing an integrated circuit apparatus for high throughput pattern matching for network applications, the apparatus comprising;
a rigid support member comprising a connector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the connector region into a network system;
one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including;
a network interface module coupled to the rigid support member, the network interface module including one or more network interface ports, the one or more network interface ports being coupled via the connector region to a packet based network, the one or more network interface ports containing one or more ingress network ports;
a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module to the network module;
a network module coupled to the rigid support member, the network module being coupled to the network interface bus;
a network event module coupled to the rigid support member, the network event module being coupled to the network module;
a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory associated with a plurality of pre-stored patterns;
a host interface module coupled to the rigid support member, the host interface module being coupled to the network event module and/or the network module;
a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module, the host interface bus being capable of connecting to the host system via the connector region;
connecting the host interface connector region of the integrated circuit apparatus with the host connector on the network system to mechanically and electrically couple the host interface bus of the network system to the host interface bus of the integrated circuit apparatus;
transferring selected driver software to the network system, the driver software being configured to facilitate communication between the integrated circuit apparatus and the network system via the host interface bus; and
initializing the integrated circuit apparatus via the driver software.
Dependent claims: 84, 85, 86, 87, 88, 89
90. A method for signature based pattern recognition using an integrated circuit apparatus, the method comprising:
providing an integrated circuit apparatus for high throughput pattern matching for network applications, the apparatus comprising;
a rigid support member comprising a connector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the connector region into a network system;
one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including;
a network interface module coupled to the rigid support member, the network interface module including one or more network interface ports, the one or more network interface ports being coupled via the connector region to a packet based network, the one or more network interface ports containing one or more ingress network ports;
a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module to the network module;
a network module coupled to the rigid support member, the network module being coupled to the network interface bus;
a network event module coupled to the rigid support member, the network event module being coupled to the network module;
a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory associated with a plurality of pre-stored patterns;
a host interface module coupled to the rigid support member, the host interface module being coupled to the network event module and/or the network module;
a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module, the host interface bus being capable of connecting to the host system via the connector region;
transferring information from a packet based network to a network interface port;
transferring the information from the network interface port through a network interface bus;
receiving the information from the network interface bus at a processing unit;
identifying an association between one or more packets and a flow from the information using the processing unit;
reordering the one or more packets into one or more respective flows;
determining if the one or more packets for the one or more respective flows is associated with a signature based pattern stored in memory through a memory bus coupled to the processing unit, where upon the determining occurs using the memory having a random access time of less than 8 nanoseconds; and
initiating a signal to a policy engine if an association occurs.
Dependent claims: 91
Specification