Intrusion detection using a network processor and a parallel pattern detection engine
Abstract
An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE), which provide high-speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs), each designed to store an intrusion signature as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares one byte per clock cycle. If a sequence of bytes from the input matches a stored pattern, the identification of the PU detecting the pattern is output together with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.
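To make the abstract's mechanism concrete, here is an added software model of a PPDE (example code, not from the patent or any IBM implementation): M processing units each hold one signature and all consume the same input byte on every clock cycle, and each PU reports its own id and the byte offset at which its signature completed. Each PU uses a KMP failure table so that it compares exactly one byte per cycle without ever re-reading earlier input; the signatures, PU ids and payload are constructed for illustration.

```python
from typing import List, Tuple


class ProcessingUnit:
    """One PU holding one signature. A KMP failure table keeps the PU in a
    single state per input byte, so a mismatch never requires re-reading
    earlier input: exactly one byte compared per clock cycle."""

    def __init__(self, pu_id: int, signature: bytes) -> None:
        self.pu_id, self.sig, self.state = pu_id, signature, 0
        self.fail = [0] * len(signature)  # longest proper border of each prefix
        k = 0
        for i in range(1, len(signature)):
            while k and signature[i] != signature[k]:
                k = self.fail[k - 1]
            if signature[i] == signature[k]:
                k += 1
            self.fail[i] = k

    def clock(self, byte: int) -> bool:
        """Consume one byte; True when the whole signature has just completed."""
        while self.state and byte != self.sig[self.state]:
            self.state = self.fail[self.state - 1]
        if byte == self.sig[self.state]:
            self.state += 1
        if self.state == len(self.sig):
            self.state = self.fail[self.state - 1]  # keep going: overlaps allowed
            return True
        return False


class PPDE:
    """M PUs clocked in parallel; emits (pu_id, end_offset) for every detection."""

    def __init__(self, signatures: List[bytes]) -> None:
        self.units = [ProcessingUnit(i, s) for i, s in enumerate(signatures)]

    def scan(self, data: bytes) -> List[Tuple[int, int]]:
        matches = []
        for offset, byte in enumerate(data):  # one clock cycle per input byte
            for pu in self.units:  # every PU compares the same byte
                if pu.clock(byte):
                    matches.append((pu.pu_id, offset))
        return matches


# Constructed signatures and payload for illustration (not from the patent).
SIGNATURES = [b"../..", b"GET /cgi-bin/", b"aaab"]
PAYLOAD = b"GET /cgi-bin/x?f=../../../x aaaab"
print(PPDE(SIGNATURES).scan(PAYLOAD))  # [(1, 12), (0, 21), (0, 24), (2, 32)]
```

The third signature shows why the per-PU failure table matters: a matcher that restarted from scratch on mismatch would miss `aaab` inside `aaaab`, while the streaming PU still reports it after a single byte per cycle.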
21 Claims
1. A method for rapid intrusion detection for network communication comprising the steps of:
receiving packets of network data in a network processor coupled to a network fabric;
forwarding routed network data to the network fabric; and
coupling selected data from the network data to a parallel pattern detection engine (PPDE), for comparing the selected data in parallel to M sequences of pattern data stored in the PPDE and generating a match output signal when at least one of the M sequences of pattern data compares to a portion of the selected data.
Dependent claims: 2, 3, 4, 5.

6. A system for rapid intrusion detection for a network communication comprising:
a network processor;
circuitry in the network processor for receiving network data from a network fabric;
circuitry in the network processor for forwarding routed network data to the network fabric; and
circuitry for coupling the network processor to a parallel pattern detection engine (PPDE) for comparing in parallel selected data from the network data to M sequences of pattern data stored in the PPDE and generating a match output signal when at least one of the M sequences of pattern data compares to a portion of the selected data.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. An intrusion detection system comprising:
a network processor having an input connection to a network fabric and an output connection to the network fabric; and
a parallel pattern detection engine (PPDE) coupled to the network processor, the PPDE for comparing selected data from the network data, in parallel, to M sequences of intrusion signature data corresponding to M intrusion signatures stored in the PPDE and generating a match output signal when one of the M intrusion signatures is detected within the network data, wherein the network processor receives network input data, processes the network input data for forwarding as valid network output data, and couples the valid network output data to the PPDE for real-time detection of intrusion patterns within the valid network output data.

Specification