Methods and systems for full pattern matching in hardware
First Claim
1. A method of examining a subject data word, the subject data word comprising a plurality of subject-data blocks, and identifying a full match between the subject data word and a signature data pattern, the signature data pattern comprising a plurality of signature-data blocks, wherein each of the subject-data blocks and each of the signature-data blocks has (i) a respective value and (ii) a respective position, the method carried out by an intrusion-prevention system (IPS) comprising at least one processor, at least one network interface, partial-match hardware having at least part of the signature data pattern stored therein, and full-match hardware having the signature data pattern stored therein, the method comprising:
- the IPS receiving the subject data word via the at least one network interface;
- the IPS making a partial-match determination comprising a determination that a partial-match number of the subject-data blocks respectively match the same partial-match number of the signature-data blocks stored in the partial-match hardware with respect to both value and position, wherein the partial-match number is (i) greater than or equal to two and (ii) less than a total number of the subject-data blocks;
- subsequent to making the partial-match determination, the IPS making a full-match determination comprising a determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the full-match hardware with respect to both value and position; and
- the IPS storing a full-match indicator, the full-match indicator indicating that the full-match determination has been made.
Abstract
Methods and systems are provided for hardware-based pattern matching. In an embodiment, an intrusion-prevention system (IPS) identifies a full match between a subject data word comprising subject-data blocks and a signature data pattern comprising signature-data blocks. The IPS receives the subject data word via a network interface, and thereafter makes a partial-match determination that two or more but less than all of the subject-data blocks respectively match the same number of the signature-data blocks stored in partial-match hardware with respect to both value and position. Thereafter, the IPS makes a full-match determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the IPS's full-match hardware with respect to both value and position. The IPS then stores an indicator that the full-match determination has been made, and may carry out one or more additional intrusion-prevention responses as well.
60 Claims
30. An intrusion-prevention system (IPS) for examining a subject data word, the subject data word comprising a plurality of subject-data blocks, and for identifying a full match between the subject data word and a signature data pattern, the signature data pattern comprising a plurality of signature-data blocks, wherein each of the subject-data blocks and each of the signature-data blocks has (i) a respective value and (ii) a respective position, the IPS comprising:
- at least one network interface;
- at least one processor;
- partial-match hardware having at least part of the signature data pattern stored therein;
- full-match hardware having the signature data pattern stored therein; and
- data storage containing instructions executable by the at least one processor for causing the IPS to carry out a set of functions, the set of functions comprising:
  - receiving the subject data word via the at least one network interface;
  - making a partial-match determination comprising a determination that a partial-match number of the subject-data blocks respectively match the same partial-match number of the signature-data blocks stored in the partial-match hardware with respect to both value and position, wherein the partial-match number is (i) greater than or equal to two and (ii) less than a total number of the subject-data blocks;
  - subsequent to making the partial-match determination, making a full-match determination comprising a determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the full-match hardware with respect to both value and position; and
  - storing a full-match indicator, the full-match indicator indicating that the full-match determination has been made.
39. A method of examining a subject data word, the subject data word comprising a plurality of subject-data blocks, and identifying a full match between the subject data word and a signature data pattern, the signature data pattern comprising a plurality of signature-data blocks, wherein each of the subject-data blocks and each of the signature-data blocks has (i) a respective value and (ii) a respective position, the method carried out by an intrusion prevention system (IPS) comprising at least one processor, at least one network interface, partial-match hardware having at least part of the signature data pattern stored therein, and full-match hardware having the signature data pattern stored therein, the method comprising:
- the IPS receiving the subject data word via the at least one network interface;
- the IPS making a partial-match determination comprising:
  - an identification of a partial-match address based at least in part on at least part of the subject data word, and
  - a determination that at least one of the following is stored in the partial-match hardware in association with the partial-match address: (i) a set overflow indicator and (ii) a partial-match number of the signature-data blocks that respectively match the same partial-match number of the subject-data blocks with respect to both value and position, wherein the partial-match number is (i) greater than or equal to two and (ii) less than a total number of the subject-data blocks;
- subsequent to making the partial-match determination, the IPS making a full-match determination comprising:
  - an identification of a full-match address based at least in part on at least part of the subject data word, and
  - a determination that the signature data pattern is stored in the full-match hardware in association with the full-match address; and
- the IPS storing a full-match indicator, the full-match indicator indicating that the full-match determination has been made.
52. An intrusion-prevention system (IPS) for examining a subject data word, the subject data word comprising a plurality of subject-data blocks, and for identifying a full match between the subject data word and a signature data pattern, the signature data pattern comprising a plurality of signature-data blocks, wherein each of the subject-data blocks and each of the signature-data blocks has (i) a respective value and (ii) a respective position, the IPS comprising:
- at least one network interface;
- at least one processor;
- partial-match hardware having at least part of the signature data pattern stored therein;
- full-match hardware having the signature data pattern stored therein; and
- data storage containing instructions executable by the at least one processor for causing the IPS to carry out a set of functions, the set of functions comprising:
  - receiving the subject data word via the at least one network interface;
  - making a partial-match determination comprising:
    - an identification of a partial-match address based at least in part on at least part of the subject data word, and
    - a determination that at least one of the following is stored in the partial-match hardware in association with the partial-match address: (i) a set overflow indicator and (ii) a partial-match number of the signature-data blocks that respectively match the same partial-match number of the subject-data blocks with respect to both value and position, wherein the partial-match number is (i) greater than or equal to two and (ii) less than a total number of the subject-data blocks;
  - subsequent to making the partial-match determination, making a full-match determination comprising:
    - an identification of a full-match address based at least in part on at least part of the subject data word; and
    - a determination that the signature data pattern is stored in the full-match hardware in association with the full-match address; and
  - storing a full-match indicator, the full-match indicator indicating that the full-match determination has been made.
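The two-stage lookup described in the abstract and in claims 39 and 52, modelled in software as an added example that is not code from the patent. The word length, block positions, table sizes, both address functions and the reading of the set overflow indicator (an address shared by more signatures than it can hold) are assumptions made for illustration.

```python
# Added example (not from the patent): software model of the two-stage lookup.
# Table sizes, address functions and block positions are illustrative assumptions.
import zlib

WORD_LEN = 8           # subject data word = 8 one-byte blocks (assumed)
PM_POSITIONS = (2, 3)  # blocks kept in the partial-match table: >= 2, < WORD_LEN
PM_WAYS = 2            # fragments one partial-match address can hold (assumed)
OVERFLOW = object()    # set overflow indicator

def pm_address(word):
    """Partial-match address, derived from part of the word (blocks 0 and 1)."""
    return (word[0] * 31 + word[1]) % 251

def fm_address(word):
    """Full-match address, derived here from the whole word."""
    return zlib.crc32(word) % 4096

def fragment(word):
    """(position, value) pairs for the blocks checked at the partial stage."""
    return tuple((p, word[p]) for p in PM_POSITIONS)

class TwoStageMatcher:
    def __init__(self, signatures):
        self.partial, self.full = {}, {}
        self.full_lookups = 0   # how often the second stage was consulted
        self.indicators = []    # stored full-match indicators
        for sig in signatures:
            addr = pm_address(sig)
            entry = self.partial.setdefault(addr, [])
            if entry is not OVERFLOW:
                if len(entry) < PM_WAYS:
                    entry.append(fragment(sig))
                else:               # too many signatures share this address
                    self.partial[addr] = OVERFLOW
            self.full.setdefault(fm_address(sig), set()).add(sig)

    def examine(self, word):
        if len(word) != WORD_LEN:
            return False
        entry = self.partial.get(pm_address(word))
        if entry is None:
            return False            # nothing stored at this address
        if entry is not OVERFLOW and fragment(word) not in entry:
            return False            # value/position mismatch: filtered out early
        self.full_lookups += 1      # partial match or overflow: confirm in stage two
        if word in self.full.get(fm_address(word), ()):
            self.indicators.append(word)
            return True
        return False

# Constructed sample signatures; the three "AB..." entries overflow one address.
SIGNATURES = [b"ABCDEFGH", b"ABxxEFGH", b"ABzzzzzz", b"QRSTUVWX"]
```

Only words that pass the partial stage, or that land on an overflowed address, reach the full-match table; `full_lookups` shows how much traffic the first stage filters out.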
Specification