EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES

US 20100192225A1
Filed: 01/28/2009
Published: 07/29/2010
Est. Priority Date: 01/28/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

storing, with a network device, first data that defines a group deterministic finite automata (DFA), wherein the group DFA is formed by a merger of;

(i) an individual non-explosive DFA generated from a corresponding non-explosive regular expression, and (ii) a fingerprint DFA (f-DFA) generated from a corresponding signature fingerprint, wherein the non-explosive regular expression comprises a regular expression determined not to cause state explosion during the merge to form the group DFA, wherein the signature fingerprint comprises a segment of an explosive regular expression that uniquely identifies the explosive regular expression, and wherein the explosive regular expression comprises a regular expression determined to cause state explosion during the merge;

storing, with the network device, second data that defines, for the explosive regular expression, an individual DFA separate from the group DFA, wherein the signature fingerprint uniquely identifies the explosive regular expression from which the individual DFA is generated;

receiving, with a network device, a packet;

traversing, with the network device prior to traversing the individual DFA, the group DFA in order to determine whether the packet includes the segment of the explosive regular expression defined by the signature fingerprint; and

traversing, with the network device, the individual DFA associated with the signature fingerprint based on the determination that the packet includes the segment of the explosive regular expression to identify a network application to which the packet corresponds.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identifies the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA. The network device includes an interface that receives a packet and the control unit traverses first the group DFA and then, in some instances, the individual DFAs to more efficiently identify network applications to which packets correspond.

624 Citations

33 Claims

1. A method comprising:
- storing, with a network device, first data that defines a group deterministic finite automata (DFA), wherein the group DFA is formed by a merger of;
  
  (i) an individual non-explosive DFA generated from a corresponding non-explosive regular expression, and (ii) a fingerprint DFA (f-DFA) generated from a corresponding signature fingerprint, wherein the non-explosive regular expression comprises a regular expression determined not to cause state explosion during the merge to form the group DFA, wherein the signature fingerprint comprises a segment of an explosive regular expression that uniquely identifies the explosive regular expression, and wherein the explosive regular expression comprises a regular expression determined to cause state explosion during the merge;
  
  storing, with the network device, second data that defines, for the explosive regular expression, an individual DFA separate from the group DFA, wherein the signature fingerprint uniquely identifies the explosive regular expression from which the individual DFA is generated;
  
  receiving, with a network device, a packet;
  
  traversing, with the network device prior to traversing the individual DFA, the group DFA in order to determine whether the packet includes the segment of the explosive regular expression defined by the signature fingerprint; and
  
  traversing, with the network device, the individual DFA associated with the signature fingerprint based on the determination that the packet includes the segment of the explosive regular expression to identify a network application to which the packet corresponds.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 18)
- - 2. The method of claim 1,wherein the non-explosive regular expression defines a first pattern associated with a first network application,wherein the explosive regular expression defines a second pattern associated with a second network application,wherein the group DFA includes a first plurality of interconnected nodes, wherein at least some of the first plurality of interconnected nodes comprise a first set of transition nodes, one of the first plurality of interconnected nodes comprises a first terminal node and another of the first plurality of nodes comprises a second terminal node, wherein the first set of transition nodes each defines a first transition by which to reach another one of the first plurality of nodes and a first condition associated with the first transition, wherein the first terminal node is associated with the non-explosive DFA and identifies the first network application, and wherein the second terminal node is associated with the f-DFA and identifies the individual DFA generated from the explosive regular expression, andwherein the individual DFA includes a second plurality of interconnected nodes, wherein at least some of the second plurality of nodes comprise a second set of transition nodes and one of the second plurality of nodes comprises a third terminal node, wherein the second set of transition nodes each defines a second transition by which to reach another one of the second plurality of nodes and a second condition associated with the second transition, wherein the third terminal node is associated with the explosive DFA and identifies the second network application.
  - 3. The method of claim 2, wherein traversing the group DFA comprises:
    - extracting a string of characters from the packet;
      
      identifying a first character in the extracted string;
      
      evaluating the first character with respect to the first condition of one of the first set of transition nodes to determine whether the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes;
      
      identifying a next character after the first character based on the determination that the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes; and
      
      traversing to a next one of the first plurality of nodes identified by the first transition based on the determination that the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes.
  - 4. The method of claim 3,wherein the next one of the first plurality of nodes comprises the first terminal node, andwherein traversing the group DFA further comprises traversing the group DFA to reach the first terminal node identifying the first network application,the method further comprising outputting a first application identifier associated with the first network application upon reaching the first terminal node to identify the first network application as the network application to which the packet corresponds without traversing the individual DFA.
  - 5. The method of claim 3,wherein the next one of the first plurality of nodes comprises the second terminal node,wherein traversing the group DFA further comprises:
    - traversing the group DFA to reach the second terminal node identifying the individual DFA; and
      
      upon reaching the second terminal node, determining that the packet includes the segment of the explosive regular expression defined by the signature fingerprint,wherein traversing the individual DFA comprises;
      
      upon reaching the second terminal node, identifying the first character in the extracted string;
      
      evaluating the first character with respect to the second condition of one of the second set of transition nodes to determine whether the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes;
      
      identifying the next character after the first character based on the determination that the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes; and
      
      traversing to a next one of the second plurality of nodes identified by the second transition based on the determination that the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes.
  - 6. The method of claim 5, wherein the next one of the second plurality of nodes comprises the third terminal node, andwherein traversing the individual DFA further comprises traversing the individual DFA to reach the third terminal node identifying the second network application,the method further comprising outputting a second application identifier associated with the second network application upon reaching the third terminal node to identify the second network application as the network application to which the packet corresponds.
  - 7. The method of claim 1, further comprising:
    - determining whether the packet corresponds to a new flow, wherein traversing the group DFA comprises traversing the group DFA based on the determination that the packet corresponds to a new flow; and
      
      determining an application identifier based on the traversal of either the group DFA or the individual DFA that identifies the network application to which the packet corresponds.
  - 8. The method of claim 7,wherein the network device comprises a router, andthe method further comprising:
    - selecting a Quality of Service (QoS) class from a plurality of QoS classes based on the determined application identifier;
      
      associating the selected QoS class with a packet flow to which the packet corresponds; and
      
      forwarding the packet in accordance with the selected QoS class.
  - 9. The method of claim 7,wherein the network device comprises a Intrusion Detection and Prevention (IDP) device, andthe method further comprising:
    - selecting a profile from a plurality of profiles based on the determined application identifier, wherein each of the plurality of profiles specify a different set of one or more of a plurality of attack patterns;
      
      associating the selected profile with a packet flow to which the packet corresponds;
      
      applying the set of one or more of the plurality of attack patterns specified by the selected policy to the packet; and
      
      forwarding the packet based on the application of the set of one or more of the plurality of attack patterns specified by the selected policy.
  - 18. The network device of claim 7,wherein the network device comprises a Intrusion Detection and Prevention (IDP) device, andthe control unit further includes:
    - a classifier module that selects a profile from a plurality of profiles based on the determined application identifier, wherein each of the plurality of profiles specify a different set of one or more of a plurality of attack patterns and associates the selected profile with a packet flow to which the packet corresponds; and
      
      a servicing engine that applies the set of one or more of the plurality of attack patterns specified by the selected policy to the packet and forwards the packet based on the application of the set of one or more of the plurality of attack patterns specified by the selected policy.

10. A network device comprising:
- a control unit that stores first data that defines a group deterministic finite automata (DFA), wherein the group DFA is formed by a merger of;
  
  (i) an individual non-explosive DFA generated from a corresponding non-explosive regular expression, and (ii) a fingerprint DFA (f-DFA) generated from a corresponding signature fingerprint, wherein the non-explosive regular expression comprises a regular expression determined not to cause state explosion during the merge to form the group DFA, wherein the signature fingerprint comprises a segment of an explosive regular expression that uniquely identifies the explosive regular expression, and wherein the explosive regular expression comprises a regular expression determined to cause state explosion during the merge and stores second data that defines, for the explosive regular expression, an individual DFA separate from the group DFA, wherein the signature fingerprint uniquely identifies the explosive regular expression from which the individual DFA is generated; and
  
  at least one interface card that receives a packet,wherein the control unit traverses, prior to traversing the individual DFA, the group DFA in order to determine whether the packet includes the segment of the explosive regular expression defined by the signature fingerprint, traverses the individual DFA associated with the signature fingerprint based on the determination that the packet includes the segment of the explosive regular expression to identify a network application to which the packet corresponds.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The network device of claim 10,wherein the non-explosive regular expression defines a first pattern associated with a first network application,wherein the explosive regular expression defines a second pattern associated with a second network application,wherein the group DFA includes a first plurality of interconnected nodes, wherein at least some of the first plurality of interconnected nodes comprise a first set of transition nodes, one of the first plurality of interconnected nodes comprises a first terminal node and another of the first plurality of nodes comprises a second terminal node, wherein the first set of transition nodes each defines a first transition by which to reach another one of the first plurality of nodes and a first condition associated with the first transition, wherein the first terminal node is associated with the non-explosive DFA and identifies the first network application, and wherein the second terminal node is associated with the f-DFA and identifies the individual DFA generated from the explosive regular expression, andwherein the individual DFA includes a second plurality of interconnected nodes, wherein at least some of the second plurality of nodes comprise a second set of transition nodes and one of the second plurality of nodes comprises a third terminal node, wherein the second set of transition nodes each defines a second transition by which to reach another one of the second plurality of nodes and a second condition associated with the second transition, wherein the third terminal node is associated with the explosive DFA and identifies the second network application.
  - 12. The network device of claim 11, wherein the control unit includes an application identification (AI) module that extracts a string of characters from the packet, identifies a first character in the extracted string, evaluates the first character with respect to the first condition of one of the first set of transition nodes to determine whether the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes, identifies a next character after the first character based on the determination that the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes, and traverses to a next one of the first plurality of nodes identified by the first transition based on the determination that the first character satisfies the first condition associated with the first transition defined by the first one of the first set of transition nodes.
  - 13. The network device of claim 12,wherein the next one of the first plurality of nodes comprises the first terminal node, andwherein the AI module further traverses the group DFA to reach the first terminal node identifying the first network application and outputs a first application identifier associated with the first network application upon reaching the first terminal node to identify the first network application as the network application to which the packet corresponds without traversing the individual DFA.
  - 14. The network device of claim 12,wherein the next one of the first plurality of nodes comprises the second terminal node,wherein the AI module further traverses the group DFA to reach the second terminal node identifying the individual DFA, determines upon reaching the second terminal node that the packet includes the segment of the explosive regular expression defined by the signature fingerprint, identifies upon reaching the second terminal node the first character in the extracted string, evaluates the first character with respect to the second condition of one of the second set of transition nodes to determine whether the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes, identifies the next character after the first character based on the determination that the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes, and traverses to a next one of the second plurality of nodes identified by the second transition based on the determination that the first character satisfies the second condition associated with the second transition defined by the first one of the second set of transition nodes.
  - 15. The network device of claim 14, wherein the next one of the second plurality of nodes comprises the third terminal node, andwherein the AI module further traverses the individual DFA to reach the third terminal node identifying the second network application and outputs a second application identifier associated with the second network application upon reaching the third terminal node to identify the second network application as the network application to which the packet corresponds.
  - 16. The network device of claim 10,wherein the control unit determines whether the packet corresponds to a new flow,wherein the control unit includes an application identification (AI) module that traverses the group DFA based on the determination that the packet corresponds to a new flow and determines an application identifier based on the traversal of either the group DFA or the individual DFA that identifies the network application to which the packet corresponds.
  - 17. The network device of claim 16,wherein the network device comprises a router,wherein the control unit further selects a Quality of Service (QoS) class from a plurality of QoS classes based on the determined application identifier and associates the selected QoS class with a packet flow to which the packet corresponds, andthe network device further comprises a forwarding plane that forwards the packet in accordance with the selected QoS class.

19. A computer-readable medium comprising instructions for causing a programmable processor to:
- store, with a network device, first data that defines a group deterministic finite automata (DFA), wherein the group DFA is formed by a merger of;
  
  (i) an individual non-explosive DFA generated from a corresponding non-explosive regular expression, and (ii) a fingerprint DFA (f-DFA) generated from a corresponding signature fingerprint, wherein the non-explosive regular expression comprises a regular expression determined not to cause state explosion during the merge to form the group DFA, wherein the signature fingerprint comprises a segment of an explosive regular expression that uniquely identifies the explosive regular expression, and wherein the explosive regular expression comprises a regular expression determined to cause state explosion during the merge;
  
  store, with the network device, second data that defines, for the explosive regular expression, an individual DFA separate from the group DFA, wherein the signature fingerprint uniquely identifies the explosive regular expression from which the individual DFA is generated;
  
  receive, with a network device, a packet;
  
  traverse, with the network device prior to traversing the individual DFA, the group DFA in order to determine whether the packet includes the segment of the explosive regular expression defined by the signature fingerprint; and
  
  traverse, with the network device, the individual DFA associated with the signature fingerprint based on the determination that the packet includes the segment of the explosive regular expression to identify a network application to which the packet corresponds.

20. A method comprising:
- storing, with a computing device, data defining a plurality of regular expressions;
  
  determining whether each of the plurality of regular expressions causes state explosion;
  
  classifying, with the computing device, each of the plurality of regular expressions as non-explosive or explosive depending on the determination, wherein one of the plurality of regular expression is classified as non-explosive and another one of the plurality the plurality of regular expressions is classified as an explosive regular expression;
  
  for each of the explosive regular expressions, extracting, with the computing device, a corresponding signature fingerprint from the explosive regular expressions, wherein the signature fingerprint comprises a segment of the corresponding one of the explosive regular expressions that uniquely identifies the corresponding one of the explosive regular expressions;
  
  generating, with the computing device, a non-explosive Deterministic Finite Automata (DFA) from each of the plurality of regular expressions classified as non-explosive;
  
  generating, with the computing device, an individual DFA from each of the plurality of regular expressions classified as explosive;
  
  generating, with the computing device, a fingerprint DFA (f-DFA) from each of the signature fingerprints extracted from a corresponding one of the plurality of regular expressions classified as explosive; and
  
  merging, with the computing device, the non-explosive DFA and the f-DFA to generate a group DFA, wherein the group DFA comprises at least one node that identifies the individual DFAs and thereby links the group DFA to the individual DFA.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method of claim 20, wherein determining whether each of the plurality of regular expressions causes state explosion comprises:
    - generating a temporary DFA from one of the plurality of regular expressions;
      
      determining a first size of the temporary DFA in terms of a number of nodes included within the temporary DFA;
      
      determining a second size of a test DFA in terms of a number of nodes included within the test DFA;
      
      merging the temporary DFA with the test DFA to generate a merged DFA;
      
      determining a third size of the merged DFA in terms of a number of nodes included within the merged DFA;
      
      comparing the third size determined for the merged DFA to both the first and second sizes determined for the temporary DFA and test DFA respectively; and
      
      determining that the one of the plurality of regular expressions causes state explosion based on the comparison.
  - 22. The method of claim 21,wherein comparing the third size comprises calculating an explosion factor, beta (β
    - ), by dividing the third size determined for the merged DFA by the addition of the first and second sizes determined respectively for the temporary and test DFAs, andwherein determining that the one of the plurality of regular expressions causes state explosion comprises;
      
      determining that the one of the plurality of regular expressions causes state explosion when the explosion factor, beta (β
      
      ), is greater than one (1); and
      
      determining that the one of the plurality of regular expressions does not cause state explosion when the explosion factor, beta (β
      
      ), is less than or equal to one (1).
  - 23. The method of claim 20, wherein extracting the corresponding signature fingerprint comprises:
    - analyzing a starting portion of one of the plurality of regular expressions classified as explosive to determine whether the starting portion meets a first requirement to qualify as the signature fingerprint;
      
      analyzing, based on the determination that the starting portion does not qualify, an ending portion of this one of the plurality of regular expressions to determine whether the ending portion meets the first requirement to qualify as the signature fingerprint;
      
      analyzing, based on the determination that the ending portion does not qualify, a middle portion of the one of the plurality of regular expressions classified as explosive to determine whether the middle portion meets a second requirement different from the first requirement to qualify as the signature fingerprint;
      
      iteratively analyzing, based on the determination that the middle portion does not qualify, the one of the plurality of regular expressions until either the starting, ending, or middle portion of this one of the plurality of regular expression satisfies a probability requirement; and
      
      extracting either the starting, ending or middle portion of the one of the plurality of regular expressions under analysis upon determining that the respective portion satisfies the first, second or probability requirement.
  - 24. The method of claim 20, wherein generating each of the non-explosive DFAs, each of the f-DFAs and each of the individual DFAs comprises:
    - generating a Non-deterministic Finite Automata (DFA) from the respective one of the plurality of regular expressions in accordance with either a Thompson algorithm or a Glushkov algorithm; and
      
      converting the NFA into an un-minimized version of each of the corresponding one of the non-explosive DFAs, f-DFAs and individual DFAs in accordance with a subset algorithm; and
      
      minimizing each of the un-minimized versions in accordance with a Hopcroft algorithm to generate each of the non-explosive DFAs, f-DFAs and individual DFAs.
  - 25. The method of claim 20, further comprising automatically forwarding the group DFA and individual DFA to one or more network devices after generating the group DFA and individual DFAs from the plurality of regular expressions so as to update an application identification module included within each of the network devices with the plurality of regular expressions.

26. A computing device comprising:
- a control unit that stores data defining a plurality of regular expressions,wherein the control unit includes;
  
  a classification module that determines whether each of the plurality of regular expressions causes state explosion and classifies each of the plurality of regular expressions as non-explosive or explosive depending on the determination, wherein one of the plurality of regular expression is classified as non-explosive and another one of the plurality the plurality of regular expressions is classified as an explosive regular expression;
  
  a fingerprint extraction module that, for each of the explosive regular expressions, extracts a corresponding signature fingerprint from the explosive regular expressions, wherein the signature fingerprint comprises a segment of the corresponding one of the explosive regular expressions that uniquely identifies the corresponding one of the explosive regular expressions;
  
  a Deterministic Finite Automata (DFA) construction module that generates a non-explosive DFA from each of the plurality of regular expressions classified as non-explosive, an individual DFA from each of the plurality of regular expressions classified as explosive, and a fingerprint DFA (f-DFA) from each of the signature fingerprints extracted from a corresponding one of the plurality of regular expressions classified as explosive; and
  
  a DFA merge module that merges the non-explosive DFA and the f-DFA to generate a group DFA, wherein the group DFA comprises at least one node that identifies the individual DFAs and thereby links the group DFA to the individual DFA.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The computing device of claim 26, wherein the classification module further generates a temporary DFA from one of the plurality of regular expressions, determines a first size of the temporary DFA in terms of a number of nodes included within the temporary DFA, determines a second size of a test DFA in terms of a number of nodes included within the test DFA, merges the temporary DFA with the test DFA to generate a merged DFA, determines a third size of the merged DFA in terms of a number of nodes included within the merged DFA, compares the third size determined for the merged DFA to both the first and second sizes determined for the temporary DFA and test DFA respectively, and determines that the one of the plurality of regular expressions causes state explosion based on the comparison.
  - 28. The computing device of claim 27,wherein the classification module also calculates an explosion factor, beta (β
    - ), by dividing the third size determined for the merged DFA by the addition of the first and second sizes determined respectively for the temporary and test DFAs, determines that the one of the plurality of regular expressions causes state explosion when the explosion factor, beta (β
      
      ), is greater than one (1) and determines that the one of the plurality of regular expressions does not cause state explosion when the explosion factor, beta (β
      
      ), is less than or equal to one (1).
  - 29. The computing device of claim 26, wherein the fingerprint extraction module further analyzes a starting portion of one of the plurality of regular expressions classified as explosive to determine whether the starting portion meets a first requirement to qualify as the signature fingerprint, analyzes, based on the determination that the starting portion does not qualify, an ending portion of this one of the plurality of regular expressions to determine whether the ending portion meets the first requirement to qualify as the signature fingerprint, analyzes, based on the determination that the ending portion does not qualify, a middle portion of the one of the plurality of regular expressions classified as explosive to determine whether the middle portion meets a second requirement different from the first requirement to qualify as the signature fingerprint, iteratively analyzes, based on the determination that the middle portion does not qualify, the one of the plurality of regular expressions until either the starting, ending, or middle portion of this one of the plurality of regular expression satisfies a probability requirement, and extracts either the starting, ending or middle portion of the one of the plurality of regular expressions under analysis upon determining that the respective portion satisfies the first, second or probability requirement.
  - 30. The computing device of claim 26, wherein the DFA construction module further generates a Non-deterministic Finite Automata (DFA) from the respective one of the plurality of regular expressions in accordance with either a Thompson algorithm or a Glushkov algorithm, and converts the NFA into an un-minimized version of each of the corresponding one of the non-explosive DFAs, f-DFAs and individual DFAs in accordance with a subset algorithm, and minimizes each of the un-minimized versions in accordance with a Hopcroft algorithm to generate each of the non-explosive DFAs, f-DFAs and individual DFAs.
  - 31. The computing device of claim 26, wherein the control unit further automatically forwards the group DFA and individual DFA to one or more network devices after generating the group DFA and individual DFAs from the plurality of regular expressions so as to update an application identification module included within each of the network devices with the plurality of regular expressions.

32. A computer-readable medium comprising instructions for causing a programmable processor to:
- store, with a computing device, data defining a plurality of regular expressions;
  
  determine whether each of the plurality of regular expressions causes state explosion;
  
  classify, with the computing device, each of the plurality of regular expressions as non-explosive or explosive depending on the determination, wherein one of the plurality of regular expression is classified as non-explosive and another one of the plurality the plurality of regular expressions is classified as an explosive regular expression;
  
  for each of the explosive regular expressions, extract, with the computing device, a corresponding signature fingerprint from the explosive regular expressions, wherein the signature fingerprint comprises a segment of the corresponding one of the explosive regular expressions that uniquely identifies the corresponding one of the explosive regular expressions;
  
  generate, with the computing device, a non-explosive Deterministic Finite Automata (DFA) from each of the plurality of regular expressions classified as non-explosive;
  
  generate, with the computing device, an individual DFA from each of the plurality of regular expressions classified as explosive;
  
  generate, with the computing device, a fingerprint DFA (f-DFA) from each of the signature fingerprints extracted from a corresponding one of the plurality of regular expressions classified as explosive; and
  
  merge, with the computing device, the non-explosive DFA and the f-DFA to generate a group DFA, wherein the group DFA comprises at least one node that identifies the individual DFAs and thereby links the group DFA to the individual DFA.

33. A method comprising:
- storing, with a network device, first data that defines a group deterministic finite automata (DFA), wherein the group DFA is formed by a merger of;
  
  (i) an individual non-explosive DFA generated from a corresponding non-explosive regular expression, and (ii) a fingerprint DFA (f-DFA) generated from a corresponding signature fingerprint, wherein the non-explosive regular expression comprises a regular expression determined not to cause state explosion during the merge to form the group DFA, wherein the signature fingerprint comprises a segment of an explosive regular expression that uniquely identifies the explosive regular expression, and wherein the explosive regular expression comprises a regular expression determined to cause state explosion during the merge;
  
  storing, with the network device, second data that defines, for the explosive regular expression, an individual DFA separate from the group DFA, wherein the signature fingerprint uniquely identifies the explosive regular expression from which the individual DFA is generated;
  
  receiving, with a network device, a packet;
  
  traversing, with the network device prior to traversing the individual DFA, the group DFA in order to determine whether the packet includes the segment of the explosive regular expression defined by the signature fingerprint; and
  
  traversing, with the network device, the individual DFA associated with the signature fingerprint based on the determination that the packet includes the segment of the explosive regular expression to identify a pattern identified by the explosive regular expression.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Ma, Qingming, Burns, Bryan, Oliveira, Ricardo

Application Number

US12/361,364
Publication Number

US 20100192225A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 16/90344   by using string matching te...

G06F 21/552   involving long-term monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

624 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

624 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links