Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection
Abstract
In a method of determining whether a data stream includes unauthorized data, the data stream is analyzed using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream. It is determined whether a packet in the data stream belongs to one of a plurality of data flows to be further inspected based on the analysis of the data stream by the hardware filter. A set of rules is applied to the packet to produce rule match status data if it is determined that the packet belongs to one of the plurality of data flows to be further inspected. The packet is analyzed to determine if the packet includes unauthorized data using software stored on a computer-readable medium and implemented on a processor if the rule match status data indicates that the packet potentially includes unauthorized data.
61 Claims
1. A network intrusion detection system for determining whether a data stream includes unauthorized data, the system comprising:

- a hardware filter, including:
  - a storage unit to store a first set of data patterns, each one indicative of possible unauthorized data, and
  - a comparator coupled to the storage unit to compare a portion of a packet in the data stream to the first set of data patterns;
- a switch coupled to the hardware filter to selectively direct the packet for further packet inspection based on whether the packet is associated with one of a set of further packet inspection enabled flows; and
- a packet inspection module coupled to the switch to apply packet inspection rules to deeply inspect packets that are associated with one of the packet inspection enabled flows.

Dependent claims: 2-22.

23. A method of determining whether a data stream includes unauthorized data, the method comprising:

- analyzing the data stream using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream;
- determining whether a packet in the data stream belongs to one of a plurality of data flows to be further inspected based on the analysis of the data stream by the hardware filter;
- applying a set of rules to the packet to produce rule match status data if it is determined that the packet belongs to one of the plurality of data flows to be further inspected and if a presence of one or more of the first set of patterns has been detected in the packet; and
- analyzing the packet payload to determine if the packet includes unauthorized data.

Dependent claims: 24-33.

34. A method of determining whether a data stream includes unauthorized data, the method comprising:

- filtering the data stream via a first hardware filter by testing each of a plurality of packets in the data stream against a first set of patterns to determine whether the packet includes one or more of the first set of patterns, wherein the first set of patterns includes a first set of root patterns and a first set of non-root patterns;
- applying a plurality of pattern matching rules to at least some of the plurality of packets in the data stream, wherein the plurality of pattern matching rules is associated with a second set of patterns including a second set of root patterns and a second set of non-root patterns, and wherein applying each of the plurality of pattern matching rules to an individual packet includes:
  - checking whether the packet includes at least one of the second set of root patterns in a first location within the packet consistent with a rule associated with the at least one of the set of root patterns; and
  - if the packet includes at least one of the set of root patterns, checking whether the packet includes at least one of the second set of non-root patterns associated with the rule in a second location within the packet consistent with the rule; and
- generating an alarm indicative of a suspected presence of unauthorized data in the data stream.

35. A packet inspection hardware module comprising:

- a first memory unit to store a set of patterns, wherein the first memory unit has a first set of physical parameters;
- a second memory unit to store a plurality of rules indicative of logic for comparing the set of patterns to the packet, wherein the second memory unit has a second set of physical parameters distinct from the first set of physical parameters; and
- a packet inspection engine to apply the plurality of rules to the packet, including:
  - a matching unit coupled to the first memory unit to compare a section of the packet to the set of patterns;
  - a rule retrieval unit coupled to the second memory unit and the matching unit to conditionally retrieve rule information corresponding to patterns in the packet detected by the matching unit, the rule information including a set of additional patterns; and
  - a rule application unit to compare the packet to the set of additional patterns according to logic specified by the retrieved rule information.

Dependent claims: 36-43.

47. A method of inspecting a data stream for unauthorized data, comprising:

- comparing a data segment to a first set of patterns stored in a content-addressable memory;
- if a pattern from the first set of patterns is in the data segment, retrieving a set of packet processing rules corresponding to the pattern and a second set of patterns associated with the set of packet processing rules;
- adding the set of packet processing rules to a packet processing rule list;
- adding the second set of patterns to a third pattern list;
- applying the processing rule list and the third pattern list to the data segment to populate a rule status registry stored in a random-access memory unit separate from the content-addressable memory; and
- repeating the acts of comparing, retrieving, and applying for a different data segment.

Dependent claims: 48-49.

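The pipeline described in the abstract and in claims 23, 34 and 47 (a first-stage pattern filter, gating on inspection-enabled flows, root-pattern lookup that retrieves a rule and its additional non-root patterns, and a rule status registry filled per segment) modelled in Python. This is an added example, not the patent's or any product's implementation: a dict stands in for the content-addressable memory, another dict for the RAM rule status registry, and the names Rule, CAM, hardware_filter, apply_rules, inspect_stream, the two rules and the sample traffic are all assumptions made for illustration.

```python
"""Model of the two-stage pattern/rule engine of claims 23, 34 and 47.

Assumptions (not from the patent): a dict models the CAM of claim 47, a dict
models the RAM rule status registry, location constraints are expressed as a
root offset window plus a byte span after the root, and the same root
patterns serve as the hardware filter's "first set" of patterns.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    root: bytes          # root pattern; must sit in a rule-consistent "first location"
    root_window: tuple   # (lo, hi): root offset must satisfy lo <= offset < hi
    non_root: tuple      # additional (non-root) patterns retrieved with the rule
    non_root_span: int   # non-root patterns must appear within this many bytes after the root


# Constructed rule set (assumption): a toy CGI traversal rule and a toy shell rule.
RULES = (
    Rule("R1", b"GET ", (0, 1), (b"/cgi-bin/", b"../"), 64),
    Rule("R2", b"/bin/sh", (0, 1500), (b"-c ",), 16),
)

# CAM model (claim 47): root pattern -> rules to retrieve when that pattern is found.
CAM = {}
for _r in RULES:
    CAM.setdefault(_r.root, []).append(_r)


def hardware_filter(segment: bytes):
    """Stage 1: detect every occurrence of a first-set (root) pattern.

    Returns a list of (pattern, offset) hits; an empty list means the
    segment never reaches the rule stage.
    """
    hits = []
    for pat in CAM:
        off = segment.find(pat)
        while off != -1:
            hits.append((pat, off))
            off = segment.find(pat, off + 1)
    return hits


def apply_rules(segment: bytes, hits):
    """Stage 2: for each root hit retrieve its rules, check the root location,
    then look for the rule's non-root patterns in the window after the root.

    Returns the rule status registry: rule_id -> True if fully matched.
    """
    registry = {}
    for pat, off in hits:
        for rule in CAM[pat]:
            lo, hi = rule.root_window
            if not (lo <= off < hi):
                continue  # root present but not at a location consistent with the rule
            start = off + len(pat)
            window = segment[start:start + rule.non_root_span]
            matched = all(p in window for p in rule.non_root)
            registry[rule.rule_id] = registry.get(rule.rule_id, False) or matched
    return registry


def inspect_stream(segments, enabled_flows):
    """Claim 23 gating plus the per-segment loop of claim 47.

    segments: iterable of (flow_id, payload bytes).  Rules are applied only
    when the flow is inspection-enabled AND the hardware filter hit.
    Returns the alarms raised as (flow_id, rule_id) pairs.
    """
    alarms = []
    for flow_id, seg in segments:
        hits = hardware_filter(seg)
        if not hits or flow_id not in enabled_flows:
            continue
        for rule_id, matched in apply_rules(seg, hits).items():
            if matched:
                alarms.append((flow_id, rule_id))
    return alarms


# Constructed sample traffic (assumption); flowD repeats flowA on a flow that
# is not inspection-enabled, so it never reaches the rule stage.
SAMPLE = [
    ("flowA", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ("flowB", b"GET /index.html HTTP/1.0\r\n"),
    ("flowC", b"POST /x HTTP/1.0\r\n\r\nexec /bin/sh -c id"),
    ("flowD", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(inspect_stream(SAMPLE, {"flowA", "flowB", "flowC"}))
```

Two properties of this model are worth noticing. The flow gate of claim 23 means flowD, byte-identical to flowA, is never rule-checked, so the correctness of the "inspection-enabled flows" set is part of the detection boundary. And because claim 47 repeats comparing, retrieving and applying per data segment, a root or non-root pattern that straddles two segments is not seen by this per-segment model; an engine built this way needs carried-over match state or reassembly in front of it to close that gap.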
50. A method of inspecting a data stream, the method including:

- processing a packet to determine if the packet is a candidate for further packet inspection;
- generating a descriptor for the packet, the descriptor including an indicator of candidacy for further packet inspection;
- storing the packet in a memory buffer;
- if the packet is a candidate for further packet inspection:
  - queuing the descriptor in one of a plurality of queues according to a policy associated with the packet, wherein each of the plurality of queues is associated with a corresponding priority level;
  - conditionally performing further packet inspection of the packet according to an ordering of the descriptor in one of the plurality of queues; and
- if the packet is not a candidate for further packet inspection, not queuing the descriptor in the plurality of queues.

Dependent claims: 44-46, 51-57.

and applying policy logic to a header of the packet to produce a policy match indicator.

52. The method of claim 51, wherein performing further packet inspection of the packet includes applying a plurality of pattern processing rules to the packet, wherein each of the plurality of pattern processing rules specifies a set of patterns and a logic defining a relationship between patterns in the set of patterns.

53. The method of claim 52, wherein conditionally performing further packet inspection of the packet includes directing the descriptor to a packet inspection bypass buffer if the pattern match indicator associated with the descriptor does indicate that the packet includes at least one of the first set of patterns.

54. The method of claim 52, further comprising restoring a sequence of a group of packets in the data stream, wherein the sequence corresponds to an order in which the group of packets was received, and wherein the group of packets includes at least one candidate for further packet inspection and at least one non-candidate for further packet inspection.

55. The method of claim 54, wherein conditionally performing a further packet inspection of the packet includes directing the descriptor to a packet inspection bypass buffer if the pattern match indicator associated with the descriptor does indicate that the packet includes at least one of the first set of patterns; and wherein restoring the sequence of the group of packets includes restoring an ordering between the packets leaving the further packet inspection bypass buffer and the further inspected packets.

56. The method of claim 50, wherein queuing the descriptor in one of a plurality of queues further includes resolving congestion associated with further packet inspection by conditionally directing the descriptor around the plurality of queues to bypass further packet inspection according to a policy associated with the packet corresponding to the descriptor.

57. The method of claim 50, wherein processing a packet includes receiving the packet from a non-volatile memory storage.

58. A packet inspection module comprising:

- a packet descriptor queuing module including a plurality of queues, each storing a plurality of descriptors corresponding to a plurality of packets;
- a packet inspection engine operatively connected to the packet descriptor queuing module and adapted to:
  - receive a packet descriptor from one of the plurality of queues;
  - extract a packet corresponding to the packet descriptor; and
  - apply one or more pattern matching rules to the packet to determine whether the packet includes unauthorized data; and
- a bypass module operatively connected to the packet descriptor queuing module for temporarily storing packets that belong to a stream with which the extracted packet is associated.

Dependent claims: 59-61.

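The descriptor path of claims 50, 54, 55, 56 and 58 (candidacy decided by policy, per-priority descriptor queues, a bypass buffer for non-candidates and for policy-permitted congestion bypass, inspection in queue order, and restoration of the original packet sequence across bypassed and inspected packets) modelled in Python. This is an added example, not the patent's or any product's implementation; the names Descriptor, InspectionPath, policy_for, toy_inspect and run, the port-based policy, the congestion threshold and the arrival sequence are assumptions made for illustration.

```python
"""Model of descriptor queuing, bypass and sequence restoration (claims 50, 54-56, 58).

Assumptions (not from the patent): policy is keyed on destination port, the
congestion signal is the total queue backlog against a fixed limit, and the
reorder buffer releases a packet only once every earlier arrival has completed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Descriptor:
    seq: int                    # arrival order; the sequence restored by claim 54
    candidate: bool             # indicator of candidacy for further inspection (claim 50)
    priority: int               # queue index; 0 is the highest priority level
    bypass_on_congestion: bool  # policy flag consulted under congestion (claim 56)


def policy_for(port):
    """Assumed policy: which ports are inspected, at what priority, and whether
    the policy allows skipping inspection when the queues are congested."""
    candidate = port in (80, 25)
    priority = 0 if port == 80 else 1
    return candidate, priority, port == 25


class InspectionPath:
    def __init__(self, levels, congestion_limit):
        self.queues = [deque() for _ in range(levels)]  # one queue per priority level
        self.bypass = deque()                            # packet inspection bypass buffer
        self.buffer = {}                                 # memory buffer: seq -> payload
        self.limit = congestion_limit
        self.next_seq = 0    # reorder state: next seq allowed to leave
        self.pending = {}    # seq -> verdict, completed but held for ordering
        self.released = []   # (seq, verdict) in original arrival order

    def enqueue(self, seq, port, payload):
        """Store the packet, build its descriptor, queue or bypass it. Returns the action."""
        self.buffer[seq] = payload
        cand, prio, skip_ok = policy_for(port)
        d = Descriptor(seq, cand, prio, skip_ok)
        if not d.candidate:
            self.bypass.append(d)  # non-candidates are never placed in the queues
            return "bypass"
        backlog = sum(len(q) for q in self.queues)
        if backlog >= self.limit and d.bypass_on_congestion:
            self.bypass.append(d)  # claim 56: routed around the queues under congestion
            return "congestion-bypass"
        self.queues[d.priority].append(d)
        return "queued"

    def _complete(self, seq, verdict):
        """Reorder buffer: release only when every earlier seq has completed."""
        self.pending[seq] = verdict
        while self.next_seq in self.pending:
            self.released.append((self.next_seq, self.pending.pop(self.next_seq)))
            self.next_seq += 1

    def drain(self, inspect):
        """Bypassed descriptors complete immediately; queued ones are inspected
        strictly by priority level.  Returns the order in which packets were inspected."""
        while self.bypass:
            self._complete(self.bypass.popleft().seq, "bypassed")
        order = []
        for q in self.queues:
            while q:
                d = q.popleft()
                order.append(d.seq)
                self._complete(d.seq, inspect(self.buffer.pop(d.seq)))
        return order


def toy_inspect(payload):
    """Stand-in for the pattern rule engine: flags a CGI path."""
    return "alert" if b"/cgi-bin/" in payload else "clean"


# Constructed arrival sequence (assumption): (destination port, payload).
ARRIVALS = [
    (80, b"GET /cgi-bin/x"),
    (53, b"dns query"),
    (25, b"MAIL FROM:<a@b>"),
    (80, b"GET /index.html"),
    (25, b"RCPT TO:<c@d>"),
    (80, b"GET /cgi-bin/y"),
]


def run(arrivals, levels=2, congestion_limit=3):
    """Returns (per-packet action, inspection order, released packets in arrival order)."""
    path = InspectionPath(levels, congestion_limit)
    actions = [path.enqueue(i, port, p) for i, (port, p) in enumerate(arrivals)]
    order = path.drain(toy_inspect)
    return actions, order, path.released


if __name__ == "__main__":
    for item in run(ARRIVALS):
        print(item)
```

Running this shows the two behaviours a practitioner should weigh. Inspection happens out of arrival order (port-80 descriptors first, then port-25), yet the released sequence is 0 through 5, because the reorder buffer holds every later packet, bypassed ones included, until the earlier inspected packet completes; that is head-of-line blocking, and it is the price of claim 54. And the fifth arrival is never inspected: with three descriptors already queued the assumed policy lets port-25 traffic skip inspection, so the congestion bypass of claim 56 is a fail-open path. Anyone who can fill the high-priority queue with traffic of their own can push policy-permitted flows around the inspector, so the policy that grants bypass_on_congestion has to be chosen deliberately rather than applied to everything.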