Method and an apparatus to perform multiple packet payloads analysis
Abstract
A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described.
43 Claims
1. A method comprising:
- receiving, by a network interface of a data security system, a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern;
- determining, by a processor of the data security system, whether each of the plurality of data packets is out of order; and
- making and storing a local copy of the corresponding data packet in a storage device of the data security system if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received;
- the processor performing pattern matching on the corresponding data packet against at least a portion of an attack pattern comprising a plurality of predetermined patterns if all preceding packets of the corresponding data packet, if any, have been received;
- the processor pointing a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the plurality of predetermined patterns, the DFA representing one of the plurality of predetermined patterns that is currently being matched, and the plurality of DFAs being arranged in a tree structure; and
- the processor pointing a second pointer at a node of the tree structure, the node corresponding to the one of the plurality of predetermined patterns that is currently being matched, and the node comprising the DFA.
Dependent claims: 2-11.
12. A computer-readable storage medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern;
- determining whether each of the plurality of data packets is out of order; and
- making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received;
- performing pattern matching on the corresponding data packet against at least a portion of an attack pattern comprising a plurality of predetermined patterns if all preceding packets of the corresponding data packet, if any, have been received;
- pointing a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the plurality of predetermined patterns, the DFA representing one of the plurality of predetermined patterns that is currently being matched, and the plurality of DFAs being arranged in a tree structure; and
- pointing a second pointer at a node of the tree structure, the node corresponding to the one of the plurality of predetermined patterns that is currently being matched, and the node comprising the DFA.
Dependent claims: 13-22.
23. An apparatus comprising:
- an interface to receive data packets;
- a first storage device to store a tree structure representing an attack pattern comprising one or more predetermined patterns, the tree structure comprising one or more nodes, each of the one or more nodes representing each of the one or more predetermined patterns; and
- a processor to perform pattern matching on the data packets on a packet-by-packet basis without reassembling the data packets in order to scan for the attack pattern, to point a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the one or more predetermined patterns, the DFA representing a predetermined pattern of the attack pattern that is currently being matched, and to point a second pointer at a node of the tree structure corresponding to the predetermined pattern that is currently being matched, the node comprising the DFA.
Dependent claims: 24-30.
31. A system comprising:
- at least one client application;
- a network; and
- an intrusion detection/prevention system (IPS) communicably coupled between the at least one client application and the network, the IPS comprising:
  - an interface to receive data packets;
  - a first storage device to store a tree structure representing an attack pattern comprising one or more predetermined patterns, the tree structure comprising one or more nodes, each of the one or more nodes representing each of the one or more predetermined patterns; and
  - a processor to perform pattern matching on the data packets on a packet-by-packet basis without reassembling the data packets in order to scan for the attack pattern, to point a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the one or more predetermined patterns, the DFA representing a predetermined pattern of the attack pattern that is currently being matched, and to point a second pointer at a node of the tree structure corresponding to the predetermined pattern that is currently being matched, the node comprising the DFA.
Dependent claims: 32-41.
42. A method comprising:
- responsive to receiving each packet of a sequence of packets that may be received out of sequence order, a data security system performing the following:
  - if there are one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then a processor in the data security system buffering the current packet in a storage device in the data security system and sending the current packet on; and
  - if there are not one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then the processor performing the following:
    - the processor performing pattern matching using a plurality of Deterministic Finite Automata (DFAs) representing an attack pattern on any of the packets that precede the current packet in the sequence of packets that have been buffered and not yet processed for pattern matching and on the current packet, the attack pattern comprising a plurality of predetermined patterns, each of the plurality of predetermined patterns corresponding to a distinct one of the plurality of DFAs;
    - the processor pointing a first pointer at a DFA representing a predetermined pattern that is currently being matched;
    - the processor pointing a second pointer at a node of a tree structure representing the attack pattern, the node of the tree structure corresponding to the predetermined pattern that is currently being matched, and the node comprising the DFA;
    - if there is an attack pattern match, the processor blocking the current packet; and
    - if there is not an attack pattern match, the processor sending on the current packet.
43. A computer-readable storage medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- responsive to receiving each packet of a sequence of packets that may be received out of sequence order, performing the following:
  - if there are one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then buffering the current packet and sending the current packet on; and
  - if there are not one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then performing the following:
    - performing pattern matching using a plurality of Deterministic Finite Automata (DFAs) representing an attack pattern on any of the packets that precede the current packet in the sequence of packets that have been buffered and not yet processed for pattern matching and on the current packet, the attack pattern comprising a plurality of predetermined patterns, each of the plurality of predetermined patterns corresponding to a distinct one of the plurality of DFAs;
    - pointing a first pointer at a DFA representing a predetermined pattern that is currently being matched;
    - pointing a second pointer at a node of a tree structure representing the attack pattern, the node of the tree structure corresponding to the predetermined pattern that is currently being matched, and the node comprising the DFA;
    - if there is an attack pattern match, blocking the current packet; and
    - if there is not an attack pattern match, sending on the current packet.
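The procedure of claims 42 and 43, written out as an added example (this is not the patent's code and the patent discloses no implementation; the sub-patterns, packet payloads and sequence numbers are constructed for the demo). The attack pattern is an ordered list of literal sub-patterns; each becomes one tree node holding its own byte-level DFA, and the per-flow matcher keeps the two claimed pointers (current node, current DFA state) so that a sub-pattern split across packets is still found without reassembling the stream. The example assumes TCP-style byte sequence numbers, uses a chain as the degenerate tree (a branching tree would need one pointer pair per live branch), and adds two things the claim text does not spell out: buffered successors are run through the automaton as soon as the gap before them closes, and the sequence numbers of blocked segments are remembered so their retransmissions are blocked too.

```python
"""Cross-packet payload scanning with a chain of per-sub-pattern DFAs and
out-of-order buffering, in the shape of claim 42. Added example, not the
patent's code; the packets and sub-patterns used below are constructed."""
from dataclasses import dataclass


class DFA:
    """Byte DFA for one literal sub-pattern: state s means the longest prefix of
    the pattern that is a suffix of the input seen so far has length s."""

    def __init__(self, pattern: bytes):
        n = len(pattern)
        self.accept = n
        self.table = []  # table[s][b]: next state on byte b, for all 256 bytes
        for s in range(n + 1):
            row = []
            for b in range(256):
                seen = pattern[:s] + bytes([b])  # what the input ends with in state s, plus b
                m = min(n, s + 1)
                while m and seen[-m:] != pattern[:m]:
                    m -= 1
                row.append(m)
            self.table.append(row)


@dataclass
class Node:
    """Tree node: one sub-pattern's DFA plus the node to move to once it matches.
    A chain is used here; a branching tree needs one pointer pair per live branch."""
    dfa: DFA
    child: "Node | None" = None


def build_chain(subpatterns):
    """Attack pattern = ordered sub-patterns; one node (one DFA) per sub-pattern."""
    root = None
    for p in reversed(subpatterns):
        root = Node(DFA(p), root)
    return root


class FlowScanner:
    """Per-flow state: `node` is the second pointer (current tree node), `node.dfa`
    the first pointer, `state` that DFA's state, `buffer` the out-of-order copies."""

    def __init__(self, root: Node, next_seq: int = 0):
        self.root = self.node = root
        self.state = 0
        self.next_seq = next_seq  # sequence number the next in-order payload starts at
        self.buffer = {}          # seq -> copy of a forwarded out-of-order payload
        self.blocked = set()      # seqs already blocked, to catch retransmissions

    def _scan(self, payload: bytes) -> bool:
        """Feed payload to the current DFA, moving down the chain on each accept;
        True when the last node accepts, i.e. the whole attack pattern was seen."""
        for b in payload:
            self.state = self.node.dfa.table[self.state][b]
            if self.state == self.node.dfa.accept:
                if self.node.child is None:
                    self.node, self.state = self.root, 0
                    return True
                self.node, self.state = self.node.child, 0
        return False

    def receive(self, seq: int, payload: bytes) -> str:
        """Verdict for one packet: 'forward' or 'block'."""
        if seq in self.blocked:
            return "block"  # retransmission of a segment already blocked
        if seq < self.next_seq:
            return "forward"  # already scanned (overlap handling omitted)
        if seq > self.next_seq:
            # A preceding packet is missing: keep a copy and send the packet on,
            # as claim 42 does; once forwarded it can no longer be blocked.
            self.buffer[seq] = payload
            return "forward"
        matched = self._scan(payload)
        self.next_seq += len(payload)
        # Buffered successors are now contiguous: run them through the automaton so
        # its state stays correct. They were forwarded already, so a match completing
        # inside them blocks this gap-filling packet instead; without it the receiver
        # cannot deliver their bytes to the application.
        while self.next_seq in self.buffer:
            data = self.buffer.pop(self.next_seq)
            matched = self._scan(data) or matched
            self.next_seq += len(data)
        if matched:
            self.blocked.add(seq)
        return "block" if matched else "forward"


# Constructed sample: "EVIL" and "PAYLOAD" each straddle a packet boundary and
# the third segment (seq 18) arrives before the second (seq 11).
SAMPLE_PACKETS = [(0, b"GET /x?q=EV"), (18, b"YLOAD HTTP/1.0"), (11, b"IL&r=PA")]


def scan_packets(subpatterns, packets):
    """Run one flow's (seq, payload) packets through a fresh scanner; return verdicts."""
    scanner = FlowScanner(build_chain(subpatterns))
    return [scanner.receive(seq, payload) for seq, payload in packets]
```

`scan_packets([b"EVIL", b"PAYLOAD"], SAMPLE_PACKETS)` returns `['forward', 'forward', 'block']`: the first two segments leave the DFA parked mid-pattern, the segment that closes the gap completes "EVIL", and the already-forwarded successor completes "PAYLOAD", so the gap filler is the packet that gets blocked. Two practical limits are visible in the code: because claim 42 forwards out-of-order packets before they are scanned, the only packet the system can still withhold is the one that fills the gap, and the `seq < next_seq` branch forwards overlapping or re-segmented retransmissions unchecked, which is the classic evasion that a full reassembly engine exists to handle.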