Methods and systems for content detection in a reconfigurable hardware

US 20060053295A1
Filed: 08/24/2005
Published: 03/09/2006
Est. Priority Date: 08/24/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method in a data processing system for identifying a repeating content in a data stream, the method comprising the steps of:

computing a hash function for at least one portion of a plurality of portions of the data stream;

incrementing at least one counter of a plurality of counters responsive to the computed hash function result, each counter corresponding to a respective computed hash function result;

identifying the repeating content when the at least one of the plurality of counters exceeds a count value; and

verifying that the identified repeating content is not a benign string.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems consistent with the present invention identify a repeating content in a data stream. A hash function is computed for at least one portion of a plurality of portions of the data stream. The at least one portion of the data stream has benign characters removed therefrom to prevent the identification of a benign string as the repeating content. At least one counter of a plurality of counters is incremented responsive to the computed hash function result. Each counter corresponds to a respective computed hash function result. The repeating content is identified when the at least one of the plurality of counters exceeds a count value. It is verified that the identified repeating content is not a benign string.

272 Citations

33 Claims

1. A method in a data processing system for identifying a repeating content in a data stream, the method comprising the steps of:
- computing a hash function for at least one portion of a plurality of portions of the data stream;
  
  incrementing at least one counter of a plurality of counters responsive to the computed hash function result, each counter corresponding to a respective computed hash function result;
  
  identifying the repeating content when the at least one of the plurality of counters exceeds a count value; and
  
  verifying that the identified repeating content is not a benign string.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein computing the hash function comprises computing a plurality of hash functions in parallel for a plurality of portions of the data stream.
  - 3. The method of claim 2, wherein the plurality of counters are located in a plurality of memory banks.
  - 4. The method of claim 3, further comprising the step of:
    - determining a priority of which counter to increment when a plurality of counters located in a same memory bank are to be incremented in a same clock cycle.
  - 5. The method of claim 1, further comprising the step of:
    - filtering the at least one portion of the plurality of portions of the data stream to remove predetermined data.
  - 6. The method of claim 1, further comprising the step of:
    - periodically decrementing each of the plurality of counters using count averaging.
  - 7. The method of claim 1, further comprising the step of:
    - determining whether the identified repeating content is a false identification.
  - 8. The method of claim 7, wherein the determination of whether the identified repeating content is a false identification is performed by comparing the identified repeating content to previously-identified repeating content.
  - 9. The method of claim 8, wherein the previously-identified repeating content is stored in a memory remote from a local memory that includes the identified repeating content.
  - 10. The method of claim 1, wherein a pipeline is used to increment the at least one of the plurality of counters.
  - 11. The method of claim 1, wherein the repeating content is a worm signature.
  - 12. The method of claim 1, wherein the identified repeating content has a non-pre-defined signature.
  - 13. The method of claim 1, wherein the repeating content is a virus signature.
  - 14. The method of claim 1, wherein the repeating content is a spam signature.
  - 15. The method of claim 1, wherein the repeating content is a repeated exchange of content over a network.
  - 16. The method of claim 1, wherein the repeating content is an occurrence of a number of users visiting a website.

17. A system for identifying a repeating content in a data stream, the system comprising:
- a hash function computation circuit that computes a hash function for the least one portion of the plurality of portions of the data stream;
  
  a plurality of counters, at least one counter of a plurality of counters being incremented responsive to the computed hash function result, each counter corresponding to a respective computed hash function result;
  
  a repeating content identifier that identifies the repeating content when the at least one of the plurality of counters exceeds a count value; and
  
  a verifier that verifies that the identified repeating content is not a benign string.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The system of claim 17, wherein computing the hash function comprises computing a plurality of hash functions in parallel for a plurality of portions of the data stream.
  - 19. The system of claim 18, wherein the plurality of counters are located in a plurality of memory banks.
  - 20. The system of claim 19, comprising:
    - a priority encoder that determines a priority of which counter to increment when a plurality of counters located in a same memory bank are to be incremented in a same clock cycle.
  - 21. The system of claim 17, comprising:
    - a filter that filters the at least one portion of the plurality of portions of the data stream to remove predetermined data.
  - 22. The system of claim 17, wherein each of the plurality of counters are periodically decremented using count averaging.
  - 23. The system of claim 17, comprising:
    - an analyzer that determines whether the identified repeating content is a false identification.
  - 24. The system of claim 23, wherein the determination of whether the identified repeating content is a false identification is performed by comparing the identified repeating content to previously-identified repeating content.
  - 25. The system of claim 24, wherein the previously-identified repeating content is stored in a memory remote from a local memory that includes the identified repeating content.
  - 26. The system of claim 17, wherein a pipeline is used to increment the at least one of the plurality of counters.
  - 27. The system of claim 17, wherein the repeating content is a worm signature.
  - 28. The system of claim 17, wherein the identified repeating content has a non-pre-defined signature.
  - 29. The system of claim 17, wherein the repeating content is a virus signature.
  - 30. The system of claim 17 wherein the repeating content is a spam signature.
  - 31. The system of claim 17 wherein the repeating content is a repeated exchange of content over a network.
  - 32. The system of claim 17, wherein the repeating content is an occurrence of a number of users visiting a website.

33. A system for identifying a repeating content in a data stream, the system comprising:
- means for computing a hash function for at least one portion of a plurality of portions of the data stream, the at least one portion of the data stream having benign characters removed therefrom to prevent the identification of a benign string as the repeating content;
  
  means for incrementing at least one counter of a plurality of counters responsive to the computed hash function result, each counter corresponding to a respective computed hash function result;
  
  means for identifying the repeating content when the at least one of the plurality of counters exceeds a count value; and
  
  means for verifying that the identified repeating content is not a benign string.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Washington University In St Louis
Original Assignee
Washington University In St Louis
Inventors
Lockwood, John W., Madhusudan, Bharath

Application Number

US11/210,639
Publication Number

US 20060053295A1
Time in Patent Office

Days
Field of Search
US Class Current

713/181
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

H04L 41/06   Management of faults, event...

H04L 41/28   Restricting access to netwo...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Methods and systems for content detection in a reconfigurable hardware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

272 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for content detection in a reconfigurable hardware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

272 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others