System security approaches using sub-expression automata
First Claim
1. A method of inspecting a plurality of data units received by a computing device, comprising:
- configuring a processing unit of said computing device toconvert a plurality of patterns into a regular expression;
split said regular expression into a first sub-expression and a second sub-expression;
formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state;
formulate a second DFA from said second sub-expression with a second initial state and a second final state;
construct a dependency relationship between said first DFA and said second DFA;
identify a first suspected data unit and a second suspected data unit out of said plurality of said data units, wherein a first content of said first suspected data unit and a second content of said second suspected data unit collectively match any of said plurality of said patterns represented by said first DFA and said second DFA that are arranged in a sequence based on said dependency relationship; and
perform an action based on a result of said identifying a first suspected data unit and a second suspected data unit.
2 Assignments
0 Petitions
Accused Products
Abstract
A method and system for ensuring system security is disclosed. The method and system split a regular expression that corresponds to a number of patterns into sub-expressions. The dependency relationships among the finite automata that correspond to the sub-expressions are maintained. Then, as data units are put through these finite automata in a sequence that is based on the dependency relationships, suspected data units are identified. The suspected data units are the ones containing content that collectively matches one or more of the aforementioned patterns. Identification of the suspected data units is based on the merged results of the finite automata. Depending on the result of identifying the suspected data units, different actions are performed.
32 Citations
46 Claims
-
1. A method of inspecting a plurality of data units received by a computing device, comprising:
-
configuring a processing unit of said computing device to convert a plurality of patterns into a regular expression; split said regular expression into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; identify a first suspected data unit and a second suspected data unit out of said plurality of said data units, wherein a first content of said first suspected data unit and a second content of said second suspected data unit collectively match any of said plurality of said patterns represented by said first DFA and said second DFA that are arranged in a sequence based on said dependency relationship; and perform an action based on a result of said identifying a first suspected data unit and a second suspected data unit. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A computer-readable medium containing one or more sequences of instructions configured to ensure system security, which instructions, when executed by one or more processors, cause the one or more processors to:
-
split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second plurality of sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; insert a state in between said first DFA and said second DFA upon identifying an overlapped portion between said first DFA and said second DFA; formulate a third DFA by merging said first DFA, said second DFA, and optionally said state; identify a set of suspected data units out of said plurality of said data units, wherein the content of said set of said suspected data units collectively matches any of said plurality of said patterns represented by said third DFA; and perform an action based on a result of said identifying of a set of suspected data units. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A method of ensuring system security of a computing device, comprising:
-
configuring a processing unit of said computing device to split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state-and a second final state; construct a dependency relationship between said first DFA and said second DFA; insert a state in between said first DFA and said second DFA upon identifying an overlapped portion between said first DFA and said second DFA; formulate a third DFA by merging said first DFA, said second DFA, and optionally said state; identify a set of suspected data units out of said plurality of said data units, wherein the content of said set of said suspected data units collectively matches any of said plurality of said patterns represented by said third DFA; and perform an action based on a result of said identifying of a set of suspected data units. - View Dependent Claims (18, 19, 20, 21, 22)
-
-
23. A system configured to ensure system security, comprising:
-
a processing means for splitting a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulating a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulating a second DFA from said second sub-expression with a second initial state and a second final state; constructing a dependency relationship between said first DFA and said second DFA; inserting a state in between said first DFA and said second DFA upon identifying an overlapped portion between said first DFA and said second DFA; formulating a third DFA by merging said first DFA, said second DFA, and optionally said state; identifying a set of suspected data units out of said plurality of said data units, wherein the content of said set of said suspected data units collectively matches any of said plurality of said patterns represented by said third DFA; and performing an action based on a result of said identifying of a set of suspected data units. - View Dependent Claims (24, 25, 26)
-
-
27. A system configured to detect and prevent intrusion, comprising:
-
a processing means for splitting a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulating a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulating a second DFA from said second sub-expression with a second initial state and a second final state; constructing a dependency relationship between said first DFA and said second DFA; identifying a first suspected data unit and a second suspected data unit out of said plurality of said data units, wherein a first content of said first suspected data unit and a second content of said second suspected data unit collectively match any of said plurality of said patterns represented by said first DFA and said second DFA that are arranged in a sequence based on said dependency relationship; and performing an action based on a result of said identifying a first suspected data unit and a second suspected data unit. - View Dependent Claims (28, 29, 30)
-
-
31. A system configured to ensure system security, comprising:
-
a processor, a bus, coupled to said processor, a communication interface, coupled to said bus, wherein said communication interface receives a plurality of data units, a main memory, coupled to the bus, wherein said memory includes instructions when executed by said processor, causes said processor to; split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; insert a state in between said first DFA and said second DFA upon identifying an overlapped portion between said first DFA and said second DFA; formulate a third DFA by merging said first DFA, said second DFA, and optionally said state; identify a set of suspected data units out of said plurality of said data units, wherein the content of said set of said suspected data units collectively matches any of said plurality of said patterns represented by said third DFA; and perform an action based on a result of said identifying of a set of suspected data units. - View Dependent Claims (32, 33, 34)
-
-
35. A system configured to detect and prevent intrusion, comprising:
-
a processor, a bus, coupled to said processor, a communication interface, coupled to said bus, wherein said communication interface receives a plurality of data units, a main memory, coupled to the bus, wherein said memory includes instructions that when executed by said processor, cause said processor to; split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; identify a first suspected data unit and a second suspected data unit out of said plurality of said data units, wherein a first content of said first suspected data unit and a second content of said second suspected data unit collectively match any of said plurality of said patterns represented by said first DFA and said second DFA that are arranged in a sequence based on said dependency relationship; and perform an action based on a result of said identifying a first suspected data unit and a second suspected data unit. - View Dependent Claims (36, 37, 38)
-
-
39. A system, comprising:
-
a processor, and a co-processor unit, electrically coupled to said processor, wherein said co-processor unit is configured to; split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; insert a state in between said first DFA and said second DFA upon identifying an overlapped portion between said first DFA and said second DFA; formulate a third DFA by merging said first DFA, said second DFA, and optionally said state; identify a set of suspected data units out of said plurality of said data units, wherein the content of said set of said suspected data units collectively matches any of said plurality of said patterns represented by said DFA; and perform an action based on a result of said identifying of a set of suspected data units. - View Dependent Claims (40, 41, 42)
-
-
43. A system, comprising:
-
a processor, and a co-processor unit, electrically coupled to said processor, wherein said co-processor unit is configured to; split a regular expression that corresponds to a plurality of patterns into a first sub-expression and a second sub-expression; formulate a first deterministic finite automaton (DFA) from said first sub-expression with a first initial state and a first final state; formulate a second DFA from said second sub-expression with a second initial state and a second final state; construct a dependency relationship between said first DFA and said second DFA; identify a first suspected data unit and a second suspected data unit out of said plurality of said data units, wherein a first content of said first suspected data unit and a second content of said second suspected data unit collectively match any of said plurality of said patterns represented by said first DFA and said second DFA that are arranged in a sequence based on said dependency relationship; and perform an action based on a result of said identifying a first suspected data unit and a second suspected data unit. - View Dependent Claims (44, 45, 46)
-
Specification