System security approaches using multiple processing units

US 20050278783A1
Filed: 03/11/2005
Published: 12/15/2005
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring a plurality of data units, comprising:

performing a set of tasks by a first processing unit prior to identifying a set of suspected data units out of said plurality of said data units by a second processing unit, wherein said set of said tasks includes;

identifying a plurality of patterns from the content of said plurality of said data units;

splitting a regular expression that corresponds to said patterns into a plurality of sub-expressions; and

causing the maintenance of dependency relationships among a plurality of finite automata that correspond to said sub-expressions; and

identifying said set of said suspected data units by moving said plurality of said data units through said finite automata in a sequence specified by said dependency relationships, wherein the content of said set of said suspected data units collectively matches any of said patterns by merging results from said finite automata.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for ensuring system security is disclosed. The method and system utilize a first processing unit to split a regular expression that corresponds to a number of patterns into sub-expressions and maintain the dependency relationships among the finite automata that correspond to the sub-expressions. Then, the method and system utilize a second processing unit to move the data units through these finite automata in a sequence that is based on the dependency relationships to identify the suspected data units. The suspected data units are the ones containing content that collectively matches one or more of the aforementioned patterns. Identification of the suspected data units is based on the merged results of the finite automata.

48 Citations

View as Search Results

24 Claims

1. A method for monitoring a plurality of data units, comprising:
- performing a set of tasks by a first processing unit prior to identifying a set of suspected data units out of said plurality of said data units by a second processing unit, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a plurality of sub-expressions; and
  
  causing the maintenance of dependency relationships among a plurality of finite automata that correspond to said sub-expressions; and
  
  identifying said set of said suspected data units by moving said plurality of said data units through said finite automata in a sequence specified by said dependency relationships, wherein the content of said set of said suspected data units collectively matches any of said patterns by merging results from said finite automata.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising:
    - distributing said plurality of said data units to said first processing unit and said second processing unit according to the types of said data units and the data contained in said data units.
  - 3. The method as recited in claim 2, further comprising:
    - decompressing the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 4. The method as recited in claim 2, further comprising:
    - responding to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 5. The method as recited in claim 4, wherein said anomaly policy is configurable.
  - 6. The method as recited in claim 4, further comprising rectifying said set of said suspected data units or said anomaly.

7. A system for monitoring a plurality of data units, comprising:
- first processing means for performing a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by a second processing means, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a plurality of sub-expressions; and
  
  causing the maintenance of dependency relationships among a plurality of finite automata that correspond to said sub-expressions;
  
  second processing means for identifying said set of said suspected data units by moving said plurality of said data units through said finite automata in a sequence specified by said dependency relationships, wherein the content of said set of said suspected data units collectively matches any of said patterns by merging results from said finite automata.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system as recited in claim 7, further comprising:
    - means for distributing said plurality of said data units to said first processing means and said second processing means according to the types of said data units and the data contained in said data units.
  - 9. The system as recited in claim 8, wherein said first processing means further:
    - decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 10. The system as recited in claim 8, wherein said first processing means further:
    - responds to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 11. The system as recited in claim 10, wherein said anomaly policy is configurable.
  - 12. The system as recited in claim 10, wherein said first processing unit further rectifies said set of said suspected data units or said anomaly.

13. A system for monitoring a plurality of data units, comprising:
- a distribution engine;
  
  a processing unit, coupled to said distribution engine;
  
  a content inspection engine, coupled to said distribution engine and said processing unit;
  
  a memory controller, coupled to said distribution engine, said processing unit, and said content inspection engine, wherein;
  
  said processing unit performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a plurality of sub-expressions; and
  
  causing said memory controller to maintain dependency relationships among a plurality of finite automata that correspond to said sub-expressions; and
  
  said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said finite automata in a sequence specified by said dependency relationships, wherein the content of said set of said suspected data units collectively matches any of said patterns by merging results from said finite automata.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system as recited in claim 13, wherein said distribution engine distributes said plurality of said data units to said processing unit, said content inspection engine, and said memory controller according to the types of said data units and the data contained in said data units.
  - 15. The system as recited in claim 14, wherein said processing unit further decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 16. The system as recited in claim 14, wherein said processing unit further responds to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein:
    - said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 17. The system as recited in claim 16, wherein said anomaly policy is configurable.
  - 18. The system as recited in claim 16, wherein said processing unit further rectifies said set of said suspected data units or said anomaly.

19. A system for monitoring a plurality of data units, comprising:
- a general purpose processor;
  
  a content inspection co-processor directly or indirectly coupled to said general purpose processor, wherein said content inspection co-processor further includes;
  
  a distribution engine;
  
  a content inspection engine, coupled to said distribution engine;
  
  a memory controller, coupled to said distribution engine and said content inspection engine, wherein;
  
  said general purpose processor performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a plurality of sub-expressions; and
  
  causing said memory controller to maintain dependency relationships among a plurality of finite automata that correspond to said sub-expressions; and
  
  said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said finite automata in a sequence specified by said dependency relationships, wherein the content of said set of said suspected data units collectively matches any of said patterns by merging results from said finite automata.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system as recited in claim 19, wherein said distribution engine distributes said plurality of said data units to said general purpose processor, said content inspection engine, and said memory controller according to the types of said data units and the data contained in said data units.
  - 21. The system as recited in claim 20, wherein said general purpose processor further decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 22. The system as recited in claim 20, wherein said general purpose processor further responds to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein:
    - said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 23. The system as recited in claim 22, wherein said anomaly policy is configurable.
  - 24. The system as recited in claim 22, wherein said general purpose processor further rectifies said set of said suspected data units or said anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lionic Corp.
Original Assignee
Lionic Corp.
Inventors
Zhao, Shi-Ming, Chien, Shih-Wei

Granted Patent

US 7,596,809 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/563   by source code analysis

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

System security approaches using multiple processing units

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System security approaches using multiple processing units

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links