Method and apparatus for processing of finite automata
First Claim
1. A security appliance operatively coupled to a network, the security appliance comprising:
- at least one memory configured to store at least one finite automaton including a plurality of nodes generated from at least one regular expression pattern;
at least one processor operatively coupled to the at least one memory and configured to walk the at least one finite automaton, with segments of an input stream received via the network, to match the at least one regular expression pattern in the input stream, the walk including;
walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a given offset within a payload, of a packet in the input stream, to optimize performance of run time processing of the at least one processor for identifying an existence of the at least one regular expression pattern in the input stream;
determining a match result for the segment, at the given offset within the payload, at each node of the at least two nodes; and
determining at least one subsequent action for walking the given finite automaton, based on an aggregation of each match result determined.
7 Assignments
0 Petitions
Accused Products
Abstract
A method, and corresponding apparatus and system are provided for optimizing matching at least one regular expression pattern in an input stream by walking at least one finite automaton in a speculative manner. The speculative manner may include walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a given offset within a payload of a packet in the input stream. The walking may include determining a match result for the segment, at the given offset within the payload, at each node of the at least two nodes. The walking may further include determining at least one subsequent action for walking the given finite automaton, based on an aggregation of each match result determined.
-
Citations
51 Claims
-
1. A security appliance operatively coupled to a network, the security appliance comprising:
-
at least one memory configured to store at least one finite automaton including a plurality of nodes generated from at least one regular expression pattern; at least one processor operatively coupled to the at least one memory and configured to walk the at least one finite automaton, with segments of an input stream received via the network, to match the at least one regular expression pattern in the input stream, the walk including; walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a given offset within a payload, of a packet in the input stream, to optimize performance of run time processing of the at least one processor for identifying an existence of the at least one regular expression pattern in the input stream; determining a match result for the segment, at the given offset within the payload, at each node of the at least two nodes; and determining at least one subsequent action for walking the given finite automaton, based on an aggregation of each match result determined. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A method comprising:
-
storing at least one finite automaton including a plurality of nodes generated from at least one regular expression pattern in at least one memory; and operatively coupling the at least one memory to at least one processor, the at least one processor configured to walk the at least one finite automaton, with segments of an input stream received via a hardware network interface operatively coupled to the network, to match for the at least one regular expression pattern in the input stream, the walk including; walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a given offset within a payload, of a packet in the input stream, to optimize performance of run time processing of the at least one processor for identifying an existence of the at least one regular expression pattern in the input stream; determining a match result for the segment, at the given offset within the payload, at each node of the at least two nodes; and determining at least one subsequent action for walking the given finite automaton, based on an aggregation of each match result determined. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
-
-
51. A non-transitory computer-readable medium having encoded thereon a sequence of instructions which, when executed by at least one processor, causes the at least one processor to:
walk at least one finite automaton, including a plurality of nodes generated from at least one regular expression pattern, with segments of an input stream, to match for the at least one regular expression pattern in the input stream, the walk including; walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a given offset within a payload, of a packet in the input stream, to optimize performance of run time processing of the at least one processor for identifying an existence of the at least one regular expression pattern in the input stream; determining a match result for the segment, at the given offset within the payload, at each node of the at least two nodes; and determining at least one subsequent action for walking the given finite automaton, based on an aggregation of each match result determined.
Specification