Method and system for reassembling packets prior to searching

US 20070047457A1
Filed: 08/29/2005
Published: 03/01/2007
Est. Priority Date: 08/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries comprising:

determining if two or more data packets are consecutive in the data packet stream;

combining data payloads from the consecutive data packets; and

analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries is disclosed. This includes determining if two or more data packets are consecutive in the data packet stream, combining data payloads from the consecutive data packets, and analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations. This can include a content searching engine and/or a regular expression engine. There are optional aspects to return data packets to an outgoing data stream based on predetermined criteria and if the data packets are in the system for over a predetermined time period.

Citations

46 Claims

1. A method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries comprising:
- determining if two or more data packets are consecutive in the data packet stream;
  
  combining data payloads from the consecutive data packets; and
  
  analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the determining if two or more data packets are consecutive in the data packet stream includes reviewing communication protocol connections for the two or more data packets.
  - 3. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 2, wherein the communication protocol connections includes a destination address, a destination port number, a source address, a source port number and a type of communication protocol.
  - 4. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 3, wherein the type of communication protocol is selected from the group consisting of TCP, UDP, AEP, AMTP, ATP, CUDP, IL, NBP, NetBEUI, RTMP, SMB, SPX, SCTP, or RTP.
  - 5. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the plurality of plurality of patterns of character combinations are stored in a rule table.
  - 6. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations includes utilizing a content search engine.
  - 7. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations includes utilizing a regular expression engine.
  - 8. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations includes utilizing a content search engine and a regular expression engine.
  - 9. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, further comprising parsing a header from each data packet from the data packet stream to form a parsed data packet stream.
  - 10. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 9, further comprising determining if parsed header information from data packets in the data packet stream indicate whether each data packet should be combined with at least one other data packet and analyzed for patterns or returned to an outgoing data packet stream based on predetermined criteria utilized with an exclusion filter.
  - 11. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 10, wherein the predetermined criteria is selected from the group consisting of a destination communication protocol address, a flag, or a destination communication protocol port number.
  - 12. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the combining data payloads from the plurality of consecutive data packets includes utilizing a multiple packet signature scanner.
  - 13. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 12, wherein the multiple packet signature scanner utilizes a first-in and first-out memory buffer.
  - 14. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the combining data payloads from the consecutive data packets includes utilizing a multiple packet signature scanner and the analyzing the combined data payloads for a plurality of patterns with a content search engine and a regular expression engine.
  - 15. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 14, wherein the multiple packet signature scanner, the content search engine, and the regular expression engine are electrically connected to an interface.
  - 16. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 12, further comprising determining if data packets reside in the multiple packet signature scanner for over a predetermined time period and removing these data packets from the multiple packet signature scanner.
  - 17. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 2, wherein the determining if two or more data packets are consecutive includes reviewing an indication of a next communication protocol connection.
  - 18. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 2, wherein the determining if two or more data packets are consecutive further includes reviewing communication protocol connection information which is selected from the group consisting of a source address, a source port number, a designation address, a destination port number, a type of communication protocol, a connection state or a timeout.
  - 19. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 2, wherein the determining if two or more data packets are consecutive further includes reviewing communication protocol connection information includes utilizing at least one protocol connection look-up table.
  - 20. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 19, wherein the at least one protocol connection look-up table includes a plurality of protocol connection look-up tables having an interrelated hierarchy.
  - 21. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations includes determining that the combination of the consecutive data packets, which includes at least one first data packet stored in memory and an incoming second data packet, exceeds the maximum length of the combined data payloads and the length of the at least one first data packet stored in memory is less than the maximum length of the combined data payloads, then truncating the length of the at least one first data packet stored in memory so that the combination of the incoming second data packet and the at least one first data packet stored in memory is equal to the maximum length of the combined data payloads, which is one less than the maximum number of characters for a pattern having the longest length of the plurality of patterns of character combinations.
  - 22. The method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries according to claim 1, wherein the analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, includes determining that the combination of the consecutive data packets, which includes at least one first data packet stored in memory and an incoming second data packet, exceeds the maximum length of the combined data payloads and the length of the at least one first data packet stored in memory is greater than the maximum length of the combined data payloads, then truncating the length of the incoming second data packet so that the incoming second data packet is equal to the maximum length of the combined data payloads, which is one less than the maximum number of characters for a pattern having the longest length of the plurality of patterns of character combinations.

23. A method for inspecting a data packet stream in a computer network for patterns that fall across data packet boundaries comprising:
- determining if two or more data packets are consecutive in the data packet stream by reviewing communication protocol connections for the plurality of data packets, wherein the communication protocol connections include a destination address, a destination port number, a source address, a source port number and a type of communication protocol;
  
  combining data payloads from the consecutive data packets; and
  
  analyzing the combined data payloads from the consecutive data packets for a plurality of patterns of character combinations with at least one of a content search engine and a regular expression engine, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations.

24. A system for inspecting a data packet stream for patterns that fall across data packet boundaries comprising:
- a data packet analyzer that receives an incoming stream of data packets and determines if two or more data packets are consecutive;
  
  a multiple packet signature scanner that combines data payloads from the consecutive data packets; and
  
  a data pattern analyzer for reviewing combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 25. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data packet analyzer includes a controller.
  - 26. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data packet analyzer includes a header parser.
  - 27. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data packet analyzer reviews communication protocol connections for the two or more data packets.
  - 28. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data packet analyzer reviews communication protocol connections for the two or more data packets with at least one protocol connection look-up table.
  - 29. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 28, wherein the at least one protocol connection look-up table includes a plurality of protocol connection information look-up tables having an interrelated hierarchy.
  - 30. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 27, wherein the communication protocol connections includes a destination address, a destination port number, a source address, a source port number and a type of communication protocol.
  - 31. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data packet analyzer includes an exclusion filter that can return data packets to an outgoing data stream based on predetermined criteria.
  - 32. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 31, wherein the predetermined criteria is selected from the group consisting of a destination communication protocol address, a flag, a destination communication protocol port number or a next communication protocol connection.
  - 33. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the incoming stream of data packets is received by a controller and then has heading information from each data packet parsed with a header parser and then is analyzed and routed based on predetermined criteria with an exclusion filter.
  - 34. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the multiple packet signature scanner is operatively connected to a first-in and first-out memory buffer.
  - 35. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the multiple packet signature scanner is operatively connected to an external memory.
  - 36. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the multiple packet signature scanner is operatively connected to a first-in and first-out memory buffer and the multiple packet signature scanner is operatively connected to an external memory.
  - 37. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data pattern analyzer includes a content search engine.
  - 38. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data pattern analyzer includes a regular expression search engine.
  - 39. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data pattern analyzer includes a rule table that can store a plurality of patterns of character combinations.
  - 40. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, wherein the data pattern analyzer includes a content search engine, a regular expression search engine and a rule table that can store a plurality of patterns of character combinations.
  - 41. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, further comprising an interface that is operatively connected to the multiple packet signature scanner, a content search engine and a regular expression search engine.
  - 42. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, further comprising an output buffer that provides an outgoing data stream that is operatively connected to the data packet analyzer and the data pattern analyzer.
  - 43. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 24, further comprising a timer for determining if data packets reside in the multiple packet signature scanner for over a predetermined time period and removing these data packets from the multiple packet signature scanner.

44. A system for inspecting a data packet stream for patterns that fall across data packet boundaries comprising:
- a data packet analyzer that receives an incoming stream of data packets and determines if two or more data packets are consecutive by reviewing communication protocol connections;
  
  a multiple packet signature scanner that combines data payloads from the consecutive data packets in a buffer; and
  
  a data pattern analyzer for reviewing combined data payloads from the consecutive data packets for a plurality of patterns of character combinations, wherein the maximum length of the combined data payloads is one less than the maximum number of characters for a pattern having a longest length of the plurality of patterns of character combinations, wherein the data pattern analyzer includes a content searching engine and a regular expression engine.
- View Dependent Claims (45, 46)
- - 45. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 44, further comprising a controller electrically connected to a field programmable gate array, wherein the field programmable gate array is electrically connected to a protocol connection look-up table and a content searching engine.
  - 46. The system for inspecting a data packet stream for patterns that fall across data packet boundaries according to claim 44, further comprising a controller electrically connected to a field programmable gate array, wherein the controller is electrically connected to a protocol connection look-up table and the field programmable gate array is electrically connected to a content searching engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Connect Technologies Corporation
Original Assignee
Winnoz Technology Incorporated
Inventors
Yoon, Uooyeol, Lee, Ho, Harijono, Indra

Granted Patent

US 7,486,673 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/250
CPC Class Codes

H04L 49/90   Buffering arrangements

H04L 49/9094   Arrangements for simultaneo...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/22   Parsing or analysis of headers

Y10S 370/902   Packet switching

Method and system for reassembling packets prior to searching

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reassembling packets prior to searching

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links