System security approaches using multiple processing units
First Claim
1. A method for monitoring a plurality of data units received by a computing device having a first processing unit and a second processing unit, comprising:
performing a set of tasks by said first processing unit prior to identifying a set of suspected data units out of said plurality of said data units by said second processing unit, wherein said set of said tasks includes:
identifying a plurality of patterns from the content of said plurality of said data units;
converting said plurality of patterns into a regular expression;
splitting said regular expression into a first sub-expression and a second sub-expression;
formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
constructing a dependency relationship between said first finite automaton and said second finite automaton;
inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
identifying said set of said suspected data units by said second processing unit by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
Abstract
A method and system for ensuring system security is disclosed. The method and system utilize a first processing unit to split a regular expression that corresponds to a number of patterns into sub-expressions and maintain the dependency relationships among the finite automata that correspond to the sub-expressions. Then, the method and system utilize a second processing unit to move the data units through these finite automata in a sequence that is based on the dependency relationships to identify the suspected data units. The suspected data units are the ones containing content that collectively matches one or more of the aforementioned patterns. Identification of the suspected data units is based on the merged results of the finite automata.
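The matching flow the abstract describes, as an added illustration that is not code from the patent: each sub-expression gets its own finite automaton, a dependency enables the second automaton only after the first reaches its final state, and automaton state carries across data units so that content split over several units still matches. Assumptions: sub-expressions are byte literals joined by an implicit `.*`, and the names `build_dfa`, `scan`, `SUBS` and `UNITS` are hypothetical; the claimed merge into a third automaton and the overlap-state insertion are not modelled.

```python
def build_dfa(literal: bytes):
    """Finite automaton for one literal sub-expression (state = bytes matched so far)."""
    dfa = []
    for state in range(len(literal) + 1):
        row = {}
        for byte in set(literal):
            # Next state: longest prefix of `literal` that is a suffix of
            # the already-matched prefix followed by this byte.
            seen = literal[:state] + bytes([byte])
            k = min(len(literal), len(seen))
            while k and seen[-k:] != literal[:k]:
                k -= 1
            row[byte] = k
        dfa.append(row)
    return dfa            # bytes missing from a row fall back to state 0


def scan(data_units, sub_expressions):
    """Return indices of the data units whose content collectively matches
    sub_expressions[0] .* sub_expressions[1] .* ... in order, or [] if none do."""
    if not sub_expressions or not all(sub_expressions):
        raise ValueError("need at least one non-empty sub-expression")
    dfas = [build_dfa(s) for s in sub_expressions]
    active = state = offset = 0       # enabled automaton, its state, stream position
    match_start = None
    bounds = []                       # [start, end) stream offsets of each data unit
    for payload in data_units:
        bounds.append((offset, offset + len(payload)))
        for byte in payload:          # state is NOT reset at unit boundaries
            state = dfas[active][state].get(byte, 0)
            if state == len(sub_expressions[active]):      # final state reached
                if active == 0:
                    match_start = offset - len(sub_expressions[0]) + 1
                active, state = active + 1, 0              # dependency: enable next automaton
                if active == len(dfas):
                    return [i for i, (lo, hi) in enumerate(bounds)
                            if lo < hi and lo <= offset and hi > match_start]
            offset += 1
    return []


# Constructed sample: one signature split across three of five data units.
SUBS = [b"cmd.exe", b"/c+dir"]
UNITS = [b"GET /index.html", b"...cmd.", b"exe?/c+di", b"r HTTP/1.0", b"tail"]

if __name__ == "__main__":
    print(scan(UNITS, SUBS))
```

Scanning each unit in isolation finds nothing in this sample; only the carried-over automaton state identifies the three units that jointly contain the pattern.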
24 Claims
7. A system for monitoring a plurality of data units, comprising:
a first processing means for performing a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by a second processing means, wherein said set of said tasks includes:
identifying a plurality of patterns from the content of said plurality of said data units;
splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
constructing a dependency relationship between said first finite automaton and said second finite automaton;
inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
said second processing means for identifying said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
13. A system for monitoring a plurality of data units, comprising:
a distribution engine;
a processing unit, coupled to said distribution engine;
a content inspection engine, coupled to said distribution engine and said processing unit;
a memory controller, coupled to said distribution engine, said processing unit, and said content inspection engine, wherein:
said processing unit performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes:
identifying a plurality of patterns from the content of said plurality of said data units;
splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
constructing a dependency relationship between said first finite automaton and said second finite automaton;
inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
19. A system for monitoring a plurality of data units, comprising:
a general purpose processor;
a content inspection co-processor directly or indirectly coupled to said general purpose processor, wherein said content inspection co-processor further includes:
a distribution engine;
a content inspection engine, coupled to said distribution engine;
a memory controller, coupled to said distribution engine and said content inspection engine, wherein:
said general purpose processor performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes:
identifying a plurality of patterns from the content of said plurality of said data units;
splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
constructing a dependency relationship between said first finite automaton and said second finite automaton;
inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
Specification