Intrusion detection accelerator
Abstract
Signatures of character strings in a document which may indicate a possible intrusion into or attack on a networked computer system or node thereof or other security breach are detected at high speed using a hardware accelerator within the environment of a hardware parser accelerator. An interrupt or exception can thus be issued to a host CPU before a command which may constitute such a security breach, intrusion or attack can be made executable by parsing of a document. The CPU can initiate network control measures to prevent or limit the intrusion.
25 Claims
1. An intrusion detection system comprising:
- a character buffer to store a plurality of bytes of a document;
- a state table addressable in accordance with a byte of the document and a state to access at least one of an interrupt, an exception, or a command to store a token and next state data from said state table, wherein the command to store the token is accessed when a state in the state table is reached that indicates a valid token has been parsed;
- a register to store said next state data;
- means for combining contents of said register with a subsequent byte of the document to form a further address into said state table;
- a token buffer to store a plurality of tokens, wherein said plurality of tokens are available for further processing by a host processor; and
- a bus to communicate said interrupt or said exception to said host processor, wherein the intrusion detection system simultaneously performs a function of accessing said state table, storing said token, and combining said stored next state data with a second portion of said document in parallel.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. An intrusion detection method comprising:
- accessing a state table addressable in accordance with a byte of a document and a current state;
- retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
- retrieving a token-storing command from said state table in response to determining that no interrupt or exception is available and that a valid token has been parsed;
- storing a token in a token buffer in response to said token-storing command;
- retrieving next state data from said state table;
- storing said next state data;
- combining said stored next state data with a subsequent byte of said document to form a further address into said state table; and
- simultaneously performing the accessing said state table, storing said token, and combining said stored next state data with a second portion of said document in parallel.

Dependent claims: 11, 12, 13, 14, 15, 16

17. A computer program product for enabling a computer to accelerate the detection of intrusions comprising:
- software instructions for enabling the computer to perform predetermined operations; and
- a computer readable medium bearing the software instructions;
- the predetermined operations including;
  - accessing a state table addressable in accordance with a byte of a document and a previous state;
  - retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
  - retrieving a command to store a token from said state table, if said command is available and said token has been fully parsed, and storing said token in response to said command to store said token;
  - retrieving next state data from said state table;
  - storing said next state data;
  - combining said stored next state data with a subsequent byte of said document to form a further address into said state table;
  - making said token available for subsequent processing for a different purpose after said token has been parsed and stored; and
  - simultaneously performing the accessing said table, storing said token, and combining said stored next state data with a second portion of said document in parallel.

Dependent claims: 18, 19, 20

21. An intrusion detection system comprising:
- means for accessing a state table addressable in accordance with a first portion of a document and a current state;
- means for retrieving at least one of an interrupt or an exception from said state table, if said interrupt or said exception is available;
- means for retrieving a command from said state table, if said command is available, and storing a token in response to a command to store a token;
- means for retrieving next state data from said state table;
- means for storing said next state data;
- means for combining said stored next state data with a second portion of said document to form a further address into said state table;
- means for simultaneously performing the functions of accessing said state table, storing said token, and combining said stored next state data with said second portion of said document in parallel; and
- means for communicating said interrupt or said exception to a host processor.

Dependent claims: 22, 23, 24, 25
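
A software model of the lookup loop recited in claims 1 and 10, added here as an illustration; it is not code from the patent. The signature `BADCMD`, the delimiter set, the flag encoding and the rule that a complete signature token raises the interrupt are assumptions, and the loop runs sequentially rather than in parallel as the claimed hardware does.

```python
STORE_TOKEN, INTERRUPT = 1, 2          # action flags held in a table entry (assumed encoding)
DELIMS = b" \t\r\n<>"                  # assumed token delimiters

def build_table(signature: bytes):
    """Flat state table: address = (state << 8) | byte -> (next_state, actions)."""
    n = len(signature)                 # states 1..n: that many signature bytes matched
    other = n + 1                      # inside a token that is not the signature
    table = [(other, 0)] * ((n + 2) << 8)
    for state in range(n + 2):
        for d in DELIMS:               # a delimiter closes any open token
            table[(state << 8) | d] = (0, STORE_TOKEN if state else 0)
    for i, ch in enumerate(signature): # signature must start at a token boundary
        table[(i << 8) | ch] = (i + 1, 0)
    for d in DELIMS:                   # complete signature token: store it and interrupt
        table[(n << 8) | d] = (0, STORE_TOKEN | INTERRUPT)
    return table

def scan(document: bytes, table):
    """Return (tokens, interrupt_offset); interrupt_offset is None if none fired."""
    state, start, tokens = 0, 0, []    # `state` plays the next-state register
    for pos, byte in enumerate(document):
        # register contents combined with the next byte form the table address
        nxt, actions = table[(state << 8) | byte]
        if state == 0 and nxt != 0:
            start = pos                # first byte of a new token
        if actions & STORE_TOKEN:
            tokens.append(document[start:pos])
        if actions & INTERRUPT:
            return tokens, pos         # host is notified; later bytes are not parsed
        state = nxt
    return tokens, None

# Constructed sample documents (each ends with a delimiter so the last token is stored).
TABLE = build_table(b"BADCMD")
CLEAN = b"GET /index.html HTTP/1.1\n"
HOSTILE = b"<q> run BADCMD now </q>\n"

if __name__ == "__main__":
    print(scan(CLEAN, TABLE))
    print(scan(HOSTILE, TABLE))
```

The tokens collected before the interrupt stay in the returned list, mirroring the token buffer that the claims make available to the host processor.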
Specification