Intrusion detection accelerator

US 7,146,643 B2
Filed: 12/31/2002
Issued: 12/05/2006
Est. Priority Date: 10/29/2002
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system comprising:

a character buffer to store a plurality of bytes of a document;

a state table addressable in accordance with a byte of the document and a state to access at least one of an interrupt, an exception, or a command to store a token and next state data from said state table, wherein the command to store the token is accessed when a state in the state table is reached that indicates a valid token has been parsed;

a register to store said next state data;

means for combining contents of said register with a subsequent byte of the document to form a further address into said state table;

a token buffer to store a plurality of tokens, wherein said plurality of tokens are available for further processing by a host processor; and

a bus to communicate said interrupt or said exception to said host processor,wherein the intrusion detection system simultaneously performs a function of accessing said state table, storing said token, and combining said stored next state data with a second portion of said document in parallel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Signatures of character strings in a document which may indicate a possible intrusion into or attack on a networked computer system or node thereof or other security breach are detected at high speed using a hardware accelerator within the environment of a hardware parser accelerator. An interrupt or exception can thus be issued to a host CPU before a command which may constitute such a security breach, intrusion or attack can be made executable by parsing of a document. The CPU can initiate network control measures to prevent or limit the intrusion.

237 Citations

25 Claims

1. An intrusion detection system comprising:
- a character buffer to store a plurality of bytes of a document;
  
  a state table addressable in accordance with a byte of the document and a state to access at least one of an interrupt, an exception, or a command to store a token and next state data from said state table, wherein the command to store the token is accessed when a state in the state table is reached that indicates a valid token has been parsed;
  
  a register to store said next state data;
  
  means for combining contents of said register with a subsequent byte of the document to form a further address into said state table;
  
  a token buffer to store a plurality of tokens, wherein said plurality of tokens are available for further processing by a host processor; and
  
  a bus to communicate said interrupt or said exception to said host processor,wherein the intrusion detection system simultaneously performs a function of accessing said state table, storing said token, and combining said stored next state data with a second portion of said document in parallel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The intrusion detection system as recited in claim 1, wherein said intrusion detection system is implemented within a parser.
  - 3. The intrusion detection system as recited in claim 2, wherein said state table is implemented in an external memory.
  - 4. The intrusion detection system as recited in claim 3, further including a memory on the same chip as at least one of said register and said means for combining for storing said state table when said state table does not require implementation in said external memory.
  - 5. The intrusion detection system as recited in claim 1, wherein said state table is implemented in memory on the same chip as at least one of said register and said means for combining.
  - 6. The intrusion detection system as recited in claim 1, wherein said state table is accessed at a rate greater than a network packet transmission rate.
  - 7. The intrusion detection system as recited in claim 1, further including means for presenting a pattern matching alert to be presented to said host processor in response to detection of an occurrence of an input sequence which matches a signature of one or more sequences encoded in said state table, to increase response speed.
  - 8. The intrusion detection system as recited in claim 7, wherein an intrusion alert corresponding to said interrupt or said exception is communicated to said host processor to initiate an intrusion prevention action to prevent or limit an intrusion attempt.
  - 9. The intrusion detection system as recited in claim 1, wherein said state table is accessed at a rate substantially equal to a network data packet transmission rate.

10. An intrusion detection method comprising:
- accessing a state table addressable in accordance with a byte of a document and a current state;
  
  retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
  
  retrieving a token-storing command from said state table in response to determining that no interrupt or exception is available and that a valid token has been parsed;
  
  storing a token in a token buffer in response to said token-storing command;
  
  retrieving next state data from said state table;
  
  storing said next state data;
  
  combining said stored next state data with a subsequent byte of said document to form a further address into said state table; and
  
  simultaneously performing the accessing said state table, storing said token, and combining said stored next state data with a second portion of said document in parallel.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The intrusion detection method as recited in claim 10, wherein said intrusion detection method is implemented within a parser.
  - 12. The intrusion detection method as recited in claim 11, wherein said state table is implemented in an external memory.
  - 13. The intrusion detection method as recited in claim 10, wherein said state table is accessed at a rate greater than a network packet transmission rate.
  - 14. The intrusion detection method as recited in claim 10, further comprising:
    - presenting a pattern matching alert to be presented to said host processor in response to detection of an occurrence of an input sequence, which matches a signature of one or more sequences encoded in said state table, to increase response speed.
  - 15. The intrusion detection method as recited in claim 14, wherein an intrusion alert corresponding to said interrupt or said exception is communicated to said host processor to initiate an intrusion prevention action to prevent or limit an intrusion attempt.
  - 16. The intrusion detection method as recited in claim 10, wherein said state table is accessed at a rate substantially equal to a network data packet transmission rate.

17. A computer program product for enabling a computer to accelerate the detection of intrusions comprising:
- software instructions for enabling the computer to perform predetermined operations; and
  
  a computer readable medium bearing the software instructions;
  
  the predetermined operations including;
  
  accessing a state table addressable in accordance with a byte of a document and a previous state;
  
  retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
  
  retrieving a command to store a token from said state table, if said command is available and said token has been fully parsed, and storing said token in response to said command to store said token;
  
  retrieving next state data from said state table;
  
  storing said next state data;
  
  combining said stored next state data with a subsequent byte of said document to form a further address into said state table;
  
  making said token available for subsequent processing for a different purpose after said token has been parsed and stored; and
  
  simultaneously performing the accessing said table, storing said token, and combining said stored next state data with a second portion of said document in parallel.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein said different purpose is a contextual analysis to detect an intrusion at a document level.
  - 19. The computer program product of claim 17, wherein said different purpose is an end use of the document.
  - 20. The computer program product as recited in claim 17, wherein said different purpose is unrelated to intrusion detection.

21. An intrusion detection system comprising:
- means for accessing a state table addressable in accordance with a first portion of a document and a current state;
  
  means for retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
  
  means for retrieving a command from said state table, if said command is available, and storing a token in response to a command to store a token;
  
  means for retrieving next state data from said state table;
  
  means for storing said next state data;
  
  means for combining said stored next state data with a second portion of said document to form a further address into said state table;
  
  means for simultaneously performing the functions of accessing said state table, storing said token, and combining said stored next state data with said second portion of said document in parallel; and
  
  means for communicating said interrupt or said exception to a host processor.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The intrusion detection system of claim 21, wherein said intrusion detection system is implemented within a parser.
  - 23. The intrusion detection system of claim 21, further including means for presenting a pattern matching alert to be presented to said host processor in response to detection of an occurrence of an input sequence which matches a signature of one or more sequences encoded in said state table to increase response speed.
  - 24. The intrusion detection system of claim 21, wherein an intrusion alert corresponding to said interrupt or exception is communicated to said host processor to initiate an intrusion prevention action to prevent or limit an intrusion attempt.
  - 25. The intrusion detection system of claim 21, wherein said first portion and said second portion represent a character.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Dapp, Michael C., Lett, Eric C.
Primary Examiner(s)
Louis-Jacques, Jacques
Assistant Examiner(s)
Tran, Tongoc

Application Number

US10/331,879
Publication Number

US 20040083387A1
Time in Patent Office

1,435 Days
Field of Search

713200-201, 713/188, 713/164, 714/819, 726 23- 25
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1416 Event detection, e.g. attac...

Intrusion detection accelerator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

237 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection accelerator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links