Intrusion detection using a network processor and a parallel pattern detection engine
First Claim
1. A method for rapid intrusion detection for network communication comprising the steps of:
receiving packets of network data in a network processor coupled to a network fabric;
forwarding routed network data to the network fabric;
coupling selected data from the network data to a parallel pattern detection engine (PPDE), for comparing the selected data in parallel to M sequences of pattern data stored in the PPDE and generating a match output signal when at least one of the M sequences of pattern data compares to a portion of the selected data;
storing N intrusion signatures in the M PUs sequences of pattern data with corresponding identification (ID) data used to identify which of the N intrusion signatures is detected;
storing action code indicating action to take in response to detecting a particular one of the N intrusion signatures;
analyzing the packets of network data for validity thereby generating valid packets of network data as the selected data;
comparing the selected data to the stored N intrusion signatures and generating, at network data speed, a pattern compare signal and particular ID data when a particular one of the N intrusion signatures is detected; and
executing the action code corresponding to the particular one of the N intrusion signatures detected;
wherein the PPDE comprises:
an input/output (I/O) interface for coupling data into and out of the PPDE;
M processing units (PUs), each of the M PUs having compare circuitry for comparing each of the sequence of input data to pattern data stored in each of the M PUs and generating a compare output, wherein an address pointer selecting the pattern data in each of the M PUs is modified in response to a logic state of the compare output and an operation code stored with the pattern data;
an input bus for coupling the sequence of input data to each of the M PUs in parallel;
an output bus coupled to the I/O interface for sending output data to the I/O interface;
control circuitry coupled to the I/O interface and coupling control data on a control data bus and identification (ID) on an ID bus to each of the M processing units; and
ID selection circuitry for selecting a match ID from ID data identifying the M PUs in response to a pattern match signal and match mode data, wherein the match ID and match data corresponding to the match ID are saved in a temporary register as the output data.
Abstract
An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs), each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern matches a stored pattern, the identification of the PU detecting the pattern is output with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.
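As an added example that is not part of the patent, the following Python model exercises the behaviour the abstract and claim describe: M processing units each holding one signature as bytes paired with an operation code, all fed the same input byte per clock, an address pointer that advances on a compare hit, and an ID selection step that reports which PU matched together with its action code. The opcode values, the lowest-ID priority rule, and the sample signatures and payload are assumptions made for this model.

```python
"""Behavioural model of the claimed PPDE (added example, assumed encoding): each
PU holds one signature as (byte, opcode) pairs, all PUs see the same input byte
per clock, and ID selection reports the matching PU's ID with its action code."""
from dataclasses import dataclass

OP_NEXT, OP_LAST = 0, 1  # assumed opcodes: advance pointer / raise match signal

@dataclass
class ProcessingUnit:
    pu_id: int
    pattern: list  # stored pattern data: [(byte, opcode), ...]
    action: str    # action code the network processor executes on a match
    ptr: int = 0   # address pointer into the stored pattern

    def clock(self, byte: int) -> bool:
        """Compare one byte; True once the whole signature matched. A miss restarts
        at byte 0, so self-overlapping signatures (b'aab' in b'aaab') are missed."""
        for _ in range(2):  # at most one restart per clock cycle
            stored, op = self.pattern[self.ptr]
            if stored == byte:
                if op == OP_LAST:
                    self.ptr = 0
                    return True
                self.ptr += 1
                return False
            if self.ptr == 0:
                return False
            self.ptr = 0
        return False

class PPDE:
    def __init__(self, signatures):  # [(signature bytes, action code), ...]
        self.pus = [ProcessingUnit(i, [(b, OP_NEXT) for b in s[:-1]] + [(s[-1], OP_LAST)], a)
                    for i, (s, a) in enumerate(signatures)]

    def scan(self, data: bytes) -> list:
        """Broadcast each byte to all PUs in parallel; return (offset, ID, action)."""
        hits = []
        for offset, byte in enumerate(data):
            matched = [pu for pu in self.pus if pu.clock(byte)]
            if matched:  # ID selection: lowest PU ID wins when several match at once
                best = min(matched, key=lambda pu: pu.pu_id)
                hits.append((offset, best.pu_id, best.action))
        return hits

def build_engine() -> PPDE:
    """Constructed sample signatures (not from the patent) with action codes."""
    return PPDE([(b"/etc/passwd", "alert"), (b"cmd.exe", "drop")])

SAMPLE_PAYLOAD = b"GET /cgi-bin/x?f=../../etc/passwd&run=cmd.exe HTTP/1.0"  # constructed
```

Each hit records the offset of the final matching byte, so the network processor can act on the packet as soon as the last byte of a signature arrives rather than after buffering the whole payload.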
166 Citations
2 Claims