Method and apparatus for identifying data patterns in a file
Abstract
A method and apparatus for identifying data patterns of a file are described herein. In one embodiment, an exemplary process includes, but is not limited to, receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream, and performing a data pattern analysis on the received data packet to determine whether the received data packet contains a predetermined data pattern, without waiting for a remainder of the data stream to arrive. Other methods and apparatuses are also described.
40 Claims
1. A method, comprising:
- a network access device receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- if the received data packet is out of order, the network access device temporarily buffering the received data packet to wait for one or more other packets that are in order; and
- a data analysis module performing a data pattern analysis on a payload of the received data packet and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A non-transitory computer-readable storage medium having executable code to cause a machine to perform a method of a network access device, the method comprising:
- receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- temporarily buffering the received data packet to wait for one or more other packets that are in order, if the received data packet is out of order; and
- performing a data pattern analysis on a payload of the received data packet and the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21
22. A network access device, comprising:
- an interface to receive a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream and, if the received data packet is out of order, to temporarily buffer the received data packet to wait for one or more other packets that are in order; and
- a data analysis module coupled to the interface to perform a data pattern analysis on a payload of the received data packet and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied.
23. A method performed by a network access device, comprising:
- the network access device receiving a data packet of a data stream containing a file segment of a file originated from an external host over an external network and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- if the received data packet is out of order, the network access device temporarily buffering the received data packet to wait for one or more other packets that are in order;
- in response to the data packet without waiting for a remainder of the data stream to arrive, the network access device determining an encoding method of the data packet and decoding the data packet to recover a decoded data packet using a decoding method associated with the determined encoding method, if the data packet is encoded;
- the network access device determining a compression method of the data packet and decompressing the data packet using a decompression method associated with the determined compression method to generate one or more decompressed data blocks, if the data packet is compressed;
- a data analysis module performing a data pattern analysis on one or more payloads of the one or more decompressed data blocks and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether any of the one or more payloads of the one or more decompressed data blocks contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied;
- the network access device preventing the data packet from reaching the protected host if the any of the one or more decompressed data blocks contains the element of the predetermined data pattern; and
- the network access device forwarding the data packet to the protected host if none of the one or more decompressed data blocks contains the element of the predetermined data pattern.
24. A method in a network access device, comprising:
- the network access device receiving a data packet of a data stream containing a file segment of a file originated from a protected host of a local area network (LAN) destined to a recipient external to the LAN, the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- if the received data packet is out of order, the network access device temporarily buffering the received data packet to wait for one or more other packets that are in order; and
- a data analysis module performing a data pattern analysis on a payload of the received data packet and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether a portion of the file received so far contains an element of a predetermined data pattern, without reassembling the multiple data packets, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied.
Dependent claims: 25, 26, 27, 28
29. A non-transitory computer-readable storage medium having executable code to cause a machine to perform a method of a network access device, the method comprising:
- receiving a data packet of a data stream containing a file segment of a file originated from a protected host of a local area network (LAN) destined to a recipient external to the LAN, the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- if the received data packet is out of order, temporarily buffering the received data packet to wait for one or more other packets that are in order; and
- performing a data pattern analysis on a payload of the received data packet and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether a portion of the file received so far contains an element of a predetermined data pattern, without reassembling the multiple data packets, wherein the predetermined data pattern includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied.
Dependent claims: 30, 31, 32, 33
34. A method, comprising:
- a network access device receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream;
- a data analysis module performing a data pattern analysis on a payload of the received data packet to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied and the predetermined data pattern has been found if a final of the sequence of states is reached;
- the data analysis module determining whether a next element of the payload of the data packet matches a next element of the predetermined data pattern;
- the data analysis module transitioning from a current state to a next state corresponding to the next element of the predetermined data pattern, if the next element of the payload of the data packet matches the next element of the predetermined data pattern;
- the data analysis module determining whether a next element of the payload of the data packet matches a previous element of the predetermined data pattern;
- the data analysis module transitioning from current state to a previous state corresponding to the previous element of the predetermined data pattern, if the next element of the payload of the data packet matches the previous element of the predetermined data pattern; and
- the data analysis module transitioning from the current state to an initial state located at a head of the sequence of states if the next element of the payload of the data packet does not match the next and the previous elements of the predetermined data pattern.
Dependent claims: 35, 36
37. A non-transitory computer-readable storage medium having executable code to cause a machine to perform a method of a network access device, the method comprising:
- receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream; and
- performing a data pattern analysis on a payload of the received data packet to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied and the predetermined data pattern has been found if a final of the sequence of states is reached;
- determining whether a next element of the payload of the data packet matches a next element of the predetermined data pattern;
- transitioning from a current state to a next state corresponding to the next element of the predetermined data pattern, if the next element of the payload of the data packet matches the next element of the predetermined data pattern;
- determining whether a next element of the payload of the data packet matches a previous element of the predetermined data pattern;
- transitioning from current state to a previous state corresponding to the previous element of the predetermined data pattern, if the next element of the payload of the data packet matches the previous element of the predetermined data pattern; and
- transitioning from the current state to an initial state located at a head of the sequence of states if the next element of the payload of the data packet does not match the next and the previous elements of the predetermined data pattern.
Dependent claims: 38, 39
40. A network access device, comprising:
- an interface to receive a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream; and
- a data analysis module coupled to the interface to perform a data pattern analysis on a payload of the received data packet and payloads of the one or more other in-order packets as a whole when the one or more other in-order packets arrive to determine whether the payload of the received data packet contains an element of a predetermined data pattern, without waiting for a remainder of the data stream to arrive, wherein the predetermined data pattern is a content data pattern and includes a plurality of elements and the predetermined data pattern is defined via a data structure having a sequence of states, wherein each of the states indicates that one of the plurality of elements of the predetermined data pattern corresponding to the respective state has been satisfied and the predetermined data pattern has been found if a final of the sequence of states is reached,
- determine whether a next element of the payload of the data packet matches a next element of the predetermined data pattern,
- transition from a current state to a next state corresponding to the next element of the predetermined data pattern, if the next element of the payload of the data packet matches the next element of the predetermined data pattern,
- determine whether a next element of the payload of the data packet matches a previous element of the predetermined data pattern,
- transition from current state to a previous state corresponding to the previous element of the predetermined data pattern, if the next element of the payload of the data packet matches the previous element of the predetermined data pattern, and
- transition from the current state to an initial state located at a head of the sequence of states if the next element of the payload of the data packet does not match the next and the previous elements of the predetermined data pattern.
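The claims above describe three things a practitioner will want to see working together: scanning each in-order segment as it arrives while parking out-of-order segments until the gap is filled (claims 1, 13, 22), inflating compressed content block by block before scanning and dropping or forwarding on the result (claim 23), and keeping a per-flow sequence of states in which state k means the first k pattern elements have been satisfied (claims 34, 37, 40). The following is an added example written for this page, not code from the patent or from any product. It keeps the claims' sequence-of-states model but computes the fallback after a mismatch with a standard KMP failure table instead of the claims' single "previous state" step, so overlapping occurrences of a pattern with repeated elements are not missed; the class names, the verdict strings, the sequence numbers, the signature and all payloads are constructed for illustration.

```python
"""Streaming content-signature matching over TCP segments.

Added example, not the patent's code. Class names, verdict strings,
sequence numbers, the signature and the payloads are all constructed."""
import gzip
import zlib
from typing import Dict, List, Optional


def build_failure(pattern: bytes) -> List[int]:
    """KMP failure table: fail[k] is the state to fall back to after a
    mismatch in state k (longest proper prefix of pattern[:k] that is
    also its suffix). Exact replacement for the claims' 'previous state'."""
    fail = [0] * (len(pattern) + 1)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i + 1] = k
    return fail


class PatternStates:
    """Sequence of states 0..len(pattern): state k means the first k
    elements are satisfied; the final state means the pattern was found.
    State persists between payloads, so a signature split across two
    segments is caught without reassembling the stream."""

    def __init__(self, pattern: bytes) -> None:
        self.pattern = pattern
        self.fail = build_failure(pattern)
        self.state = 0
        self.found = False

    def feed(self, data: bytes) -> bool:
        if self.found:
            return True
        for b in data:
            while self.state and b != self.pattern[self.state]:
                self.state = self.fail[self.state]  # fall back (maybe to initial)
            if b == self.pattern[self.state]:
                self.state += 1                     # next element satisfied
            if self.state == len(self.pattern):
                self.found = True
                return True
        return False


class FlowInspector:
    """One inspector per TCP flow: in-order segments are scanned on
    arrival, out-of-order ones are parked by sequence number and scanned
    as a whole once the gap fills; gzip/deflate bodies are inflated chunk
    by chunk first (claim 23's decompress-then-scan step)."""

    def __init__(self, pattern: bytes, first_seq: int,
                 content_encoding: Optional[str] = None) -> None:
        self.matcher = PatternStates(pattern)
        self.next_seq = first_seq            # next expected sequence number
        self.pending: Dict[int, bytes] = {}  # out-of-order payloads by seq
        if content_encoding == "gzip":
            self.inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        elif content_encoding == "deflate":
            self.inflater = zlib.decompressobj()
        else:
            self.inflater = None

    def _scan(self, payload: bytes) -> None:
        data = self.inflater.decompress(payload) if self.inflater else payload
        self.matcher.feed(data)
        self.next_seq += len(payload)

    def segment(self, seq: int, payload: bytes) -> str:
        """Verdict for one segment: 'drop', 'forward' or 'buffered'."""
        if self.matcher.found:
            return "drop"                    # flow already identified
        if seq > self.next_seq:
            self.pending[seq] = payload      # out of order: wait for the gap
            return "buffered"
        if seq < self.next_seq:
            return "forward"                 # retransmit of scanned data (simplified)
        self._scan(payload)
        while self.next_seq in self.pending:  # gap filled: scan parked data in order
            self._scan(self.pending.pop(self.next_seq))
        return "drop" if self.matcher.found else "forward"


def demo_split_signature() -> List[str]:
    """Constructed flow: the signature straddles segments and the last
    segment arrives before the middle one."""
    insp = FlowInspector(b"abcabd", first_seq=1000)
    return [insp.segment(1000, b"xxabcab"),  # forward: 5 of 6 elements satisfied
            insp.segment(1010, b"d!!"),      # buffered: seq 1007 still missing
            insp.segment(1007, b"cab")]      # drop: gap filled, 'd' completes it


def demo_gzip_body() -> List[str]:
    """Constructed flow: the same signature in a gzip-encoded body, sent
    as the 10-byte gzip header followed by 5-byte segments."""
    body = gzip.compress(b"padding ... " + b"abcabd" + b" ... padding")
    insp = FlowInspector(b"abcabd", first_seq=1, content_encoding="gzip")
    chunks = [body[:10]] + [body[i:i + 5] for i in range(10, len(body), 5)]
    seq, verdicts = 1, []
    for chunk in chunks:
        verdicts.append(insp.segment(seq, chunk))
        seq += len(chunk)
    return verdicts
```

`demo_split_signature()` returns `['forward', 'buffered', 'drop']`: the first segment leaves the flow five states in, the early segment is parked, and filling the gap lets the parked `d` reach the final state, so the verdict is reached without waiting for the rest of the stream. Two points the example deliberately simplifies: a segment with `seq < next_seq` is treated as a pure retransmission and not rescanned, whereas real inspection must apply the protected host's own handling of overlapping segments; and per-flow state (the parked segments and the inflater) needs a cap and a timeout, or an unfilled gap holds memory indefinitely.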