Detection of signatures in disordered message segments
Abstract
A method of detecting signatures in message segments comprises employing a state machine for the detection of character strings in the message segments. The state machine executes for each input character a transition determined by a current state of the machine and a current input character. The message segments conform to TCP or other ordering transport protocol. The order of arrival of the message segments is monitored. In the event that an intermediate message segment is missing between a processed segment and an immediately subsequent message segment, the current state of said state machine at the end of the said processed segment is stored. The machine is restarted from its null or datum state for the examination of the immediately subsequent message segment, which is then temporarily stored. When the missing segment eventually arrives, it and the stored segment are successively examined for signatures by means of the state machine, beginning at the stored state. The invention allows for examination of overlapping signatures without requiring re-assembly of the segments or substantial buffering.
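An added, self-contained Python illustration of the mechanism the abstract describes; it is not the patent's own code. It assumes an Aho-Corasick style DFA as the signature state machine, segments identified by their byte offset in the stream (seq), and alerts keyed by (end offset, signature) so that a held segment rescanned after its gap is filled does not report the same match twice.

```python
def build_dfa(signatures):
    """Aho-Corasick style DFA over bytes; state 0 is the null state, out[s] = signatures ending at s."""
    goto, fail, out = [{}], [0], [set()]
    for sig in signatures:
        s = 0
        for ch in sig:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(sig)
    queue = list(goto[0].values())          # depth-1 states fall back to state 0
    for r in queue:                         # appending inside the loop gives BFS order
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]          # a suffix of s may complete a shorter signature
            queue.append(s)
    return goto, fail, out

def scan(dfa, state, data, base):
    """Run the DFA over data from `state`; return (final state, {(end offset, signature)})."""
    goto, fail, out = dfa
    hits = set()
    for i, ch in enumerate(data):
        while state and ch not in goto[state]:
            state = fail[state]
        state = goto[state].get(ch, 0)
        hits.update((base + i, sig) for sig in out[state])
    return state, hits

class SegmentScanner:
    """Segments are (seq, payload), seq = byte offset in the stream; in-order data resumes from
    the stored DFA state, a segment past a gap is scanned from the null state, held, and rescanned."""
    def __init__(self, dfa):
        self.dfa, self.state, self.expected, self.held, self.alerts = dfa, 0, 0, {}, set()

    def receive(self, seq, data):
        if seq > self.expected:             # gap ahead of this segment
            self.alerts |= scan(self.dfa, 0, data, seq)[1]
            self.held[seq] = data
        elif seq == self.expected:          # in order: continue from the stored state
            self.state, hits = scan(self.dfa, self.state, data, seq)
            self.alerts |= hits
            self.expected = seq + len(data)
            if self.expected in self.held:  # gap now filled: rescan the held segment
                self.receive(self.expected, self.held.pop(self.expected))
        return self.alerts                  # seq < expected is a retransmit: ignored
```

With constructed signatures `attack`, `evil`, `done` and the stream `xx att|ack ev|il done` delivered as segments 1, 3, 2, the null-state scan of segment 3 finds only `done`; `attack` (spanning 1 and 2) and `evil` (spanning 2 and 3) are found only once segment 2 arrives and the stored state is resumed.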
17 Claims
1. A method of detecting digital signatures in messages transmitted over a packet based network, said messages being composed of message segments having a predefined order, said method comprising:
processing a first received message segment using a deterministic finite state automaton (DFA) operating on a network unit, said DFA defining each of a plurality of digital signatures associated with unwanted intrusion as a respective succession of states;
storing a first state of the DFA after processing the first received message segment and forwarding the first received message segment;
receiving a third message segment out of the predefined order;
processing the third message segment using the DFA starting at a null state;
receiving a second message segment following processing of the third message segment, wherein the second message segment is a next message segment in the predefined order following the first received message, wherein the third message segment is a next message segment in the predefined order following the second received message; and
processing the second message segment using the DFA starting at the stored first state.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9.)
10. A network unit for detecting digital signatures in messages transmitted over a packet based network, said messages being composed of message segments having predefined order, said network unit comprising:
a deterministic finite state automaton (DFA) operating on the network unit, said DFA defining each of a plurality of digital signatures associated with unwanted intrusion as a respective succession of states; and
a controller configured to process a first received message segment using the DFA, to store a first state of the DFA after the first received message segment has been processed, wherein the controller is further configured to receive a third message segment out of the predefined order, to process the third message segment using the DFA at a null state, to receive a second message segment following processing of the third message segment, wherein the second message segment is a next message segment in the predefined order following the first received message, wherein the third message segment is a next message segment in the predefined order following the second received message, and to process the second message segment using the DFA starting at the stored first state.
(Dependent claims 11, 12, 13, 14, 15, 16, 17.)