Binary state machine system and method for REGEX processing of a data stream in an intrusion detection system
Abstract
A binary state machine system and method for REGEX processing of a data stream in an intrusion detection system are disclosed. The method comprises maintaining a state table. The state table is indexed such that inputs comprising a current state and a current character yield an output of a new state. The new state is related to an indication of an attack on a computer network. The method further includes maintaining the current state. An input stream comprising a plurality of characters is received. A first character of the input stream is selected as the current character. The current character and the current state are compared to the state table to generate a new state.
20 Claims
1. A method for using a binary state machine for processing a data stream in an intrusion detection system, the method comprising:
maintaining a state table, the state table indexed such that inputs comprising a current state and a current character yield an output of a new state, the new state related to an indication of an attack on a computer network;
maintaining the current state;
receiving an input stream comprising a first plurality of characters, a second plurality of characters, and at least one variable character between the first plurality and the second plurality of characters, wherein the first plurality and the second plurality of characters together constitute a REGEX signature;
processing the first plurality of characters using the state table;
after processing the first plurality of characters, for each one of the at least one variable character:
selecting the variable character as the current character;
generating a state for the current character that is independent of the current character;
after generating the state, selecting a first character of the second plurality of characters as the current character; and
after selecting the first character, comparing the current character and the current state to the state table to generate a new state.
Dependent claims: 2, 3, 4, 5, 6, 20.
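The mechanism the abstract and claim 1 describe is a dense table indexed by (current state, current byte) that yields the next state, walked one lookup per byte of the stream, with the variable characters of a signature of the form prefix.{k}suffix advancing on any byte. The Python below is an added illustration, not code from the patent or from any product that practises it. It builds such a table by subset construction over pattern positions (position 0 is kept live so the search is unanchored in the stream), keeps the current state across calls so one TCP stream can be fed packet by packet, and reports the stream offset at which each signature match ends. The signature /bin/..sh (prefix "/bin/", two variable characters, suffix "sh"), the packet boundaries and the payloads are constructed for the example; a 256-column row per state (one byte alphabet) is an assumption.

```python
"""Dense state-table scanner for signatures of the form prefix.{k}suffix.

Added example, not the patent's implementation. Assumes an 8-bit byte
alphabet, so every state row has 256 entries.
"""
from typing import FrozenSet, List, Tuple

ANY = frozenset(range(256))  # a variable character: matches any byte


def literal(b: int) -> FrozenSet[int]:
    """A literal position of the signature: a one-byte set."""
    return frozenset({b})


def signature(prefix: bytes, wildcards: int, suffix: bytes) -> List[FrozenSet[int]]:
    """Regex prefix.{wildcards}suffix as a list of per-position byte sets."""
    return [literal(b) for b in prefix] + [ANY] * wildcards + [literal(b) for b in suffix]


def build_table(pattern: List[FrozenSet[int]]) -> Tuple[List[List[int]], List[bool]]:
    """Subset construction over pattern positions.

    Returns (table, accepting): table[state][byte] is the next state, and
    accepting[state] is True when the signature ends in that state.
    Position 0 is always live, so a new match may start at any byte.
    """
    n = len(pattern)
    start = frozenset({0})
    ids = {start: 0}          # position set -> state number
    order = [start]           # state number -> position set
    table: List[List[int]] = []
    i = 0
    while i < len(order):
        live = order[i]
        i += 1
        row = [0] * 256
        for b in range(256):
            nxt = {0}
            for p in live:
                if p < n and b in pattern[p]:   # literal match or wildcard
                    nxt.add(p + 1)
            key = frozenset(nxt)
            if key not in ids:
                ids[key] = len(order)
                order.append(key)
            row[b] = ids[key]
        table.append(row)     # row index equals the state number
    accepting = [n in live for live in order]
    return table, accepting


class Scanner:
    """Holds the current state between calls ('maintaining the current
    state'), so a reassembled stream can be fed one segment at a time."""

    def __init__(self, table: List[List[int]], accepting: List[bool]) -> None:
        self.table = table
        self.accepting = accepting
        self.state = 0
        self.offset = 0       # bytes of the stream consumed so far

    def feed(self, data: bytes) -> List[int]:
        """Return stream offsets (index of the last byte) where a match ends."""
        hits = []
        for b in data:
            self.state = self.table[self.state][b]   # one table lookup per byte
            if self.accepting[self.state]:
                hits.append(self.offset)
            self.offset += 1
        return hits


def scan_stream(packets: List[bytes], prefix: bytes, wildcards: int, suffix: bytes) -> List[int]:
    """Build the table for one signature and run it over a list of segments."""
    table, accepting = build_table(signature(prefix, wildcards, suffix))
    scanner = Scanner(table, accepting)
    hits: List[int] = []
    for pkt in packets:
        hits.extend(scanner.feed(pkt))
    return hits


if __name__ == "__main__":
    # Constructed request split across two segments; the signature /bin/..sh
    # spans the boundary.
    segments = [b"GET /cgi-bin/x?cmd=/bi", b"n/bash HTTP/1.0\r\n"]
    print("match ends at offsets:", scan_stream(segments, b"/bin/", 2, b"sh"))
    table, _ = build_table(signature(b"/bin/", 2, b"sh"))
    print("states:", len(table), "table bytes (1 byte/entry):", len(table) * 256)
```

Two properties worth noting. Because the variable characters have a fixed count, /bin/sh on its own does not match (the regex requires exactly two bytes between the prefix and "sh"), and each match is reported once at the byte that completes it, with scanning continuing for further occurrences. The table size is the cost of this approach: subset construction can multiply states for each variable character (for a.{k}b the live positions record which of the last k+1 bytes were "a"), so a production engine bounds k or keeps rows narrow, whereas the lookup itself stays at one indexed load per byte.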
7. A system for use as a binary state machine for processing a data stream in an intrusion detection system, the system comprising:
a state table indexed such that inputs comprising a current state and a current character yield an output of a new state, the new state related to an attack on a computer network; and
a state machine communicatively coupled to the state table, the state machine operable to:
maintain the current state;
receive an input stream, the input stream comprising a first plurality of characters, a second plurality of characters, and at least one variable character between the first plurality and the second plurality of characters, wherein the first plurality and the second plurality of characters together constitute a REGEX signature;
process the first plurality of characters using the state table;
after processing the first plurality of characters, for each one of the at least one variable character:
select the variable character as the current character;
generate a state for the current character that is independent of the current character;
after generating the state, select a first character of the second plurality of characters as the current character; and
after selecting the first character, compare the current character and the current state to the state table to generate a new state.
Dependent claims: 8, 9, 10, 11, 12.
13. A system for use as an intrusion detection system, the system comprising:
a computer readable medium;
a network interface for receiving an input stream comprising a first plurality of characters, a second plurality of characters, and at least one variable character between the first plurality and the second plurality of characters, wherein the first plurality and the second plurality of characters together constitute a REGEX signature;
a processor communicatively coupled to the computer readable medium and the network interface;
a state table stored upon the computer readable medium, the state table indexed such that inputs comprising a current state and a current character yield an output of a new state, the new state related to an attack on a computer network; and
a state machine comprising instructions stored upon the computer readable medium and executable by the processor, the state machine communicatively coupled to the state table, the state machine operable to:
maintain the current state;
process the first plurality of characters using the state table;
after processing the first plurality of characters, for each one of the at least one variable character:
select the variable character as the current character;
generate a state for the current character that is independent of the current character;
after generating the state, select a first character of the second plurality of characters as the current character; and
after selecting the first character, compare the current character and the current state to the state table to generate a new state.
14. A logic for using a binary state machine for processing a data stream in an intrusion detection system, the logic embodied in a computer-readable medium and operable to:
maintain a state table, the state table indexed such that inputs comprising a current state and a current character yield an output of a new state, the new state related to an indication of an attack on a computer network;
maintain the current state;
receive an input stream comprising a first plurality of characters, a second plurality of characters, and at least one variable character between the first plurality and the second plurality of characters, wherein the first plurality and the second plurality of characters together constitute a REGEX signature;
process the first plurality of characters using the state table;
after processing the first plurality of characters, for each one of the at least one variable character:
select the variable character as the current character;
generate a state for the current character that is independent of the current character;
after generating the state, select a first character of the second plurality of characters as the current character; and
after selecting the first character, compare the current character and the current state to the state table to generate a new state.
Dependent claims: 15, 16, 17, 18.
19. An intrusion detection system, comprising:
means for maintaining a state table, the state table indexed such that inputs comprising a current state and a current character yield an output of a new state, the new state related to an indication of an attack on a computer network;
means for maintaining the current state;
means for receiving an input stream comprising a first plurality of characters, a second plurality of characters, and at least one variable character between the first plurality and the second plurality of characters, wherein the first plurality and the second plurality of characters together constitute a REGEX signature;
means for processing the first plurality of characters using the state table;
means for selecting, after the first plurality of characters has been processed, each one of the at least one variable character as the current character and generating, for each selected variable character, a state for the current character that is independent of the current character;
means for selecting a first character of the second plurality of characters as the current character; and
means for comparing the current character and the current state to the state table to generate a new state; and
means for transmitting the copy of the input stream to the first network device if an attack on the computer network is not detected.