System security approaches using multiple processing units

US 7,596,809 B2
Filed: 03/11/2005
Issued: 09/29/2009
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring a plurality of data units received by a computing device having a first processing unit and a second processing unit, comprising:

performing a set of tasks by said first processing unit prior to identifying a set of suspected data units out of said plurality of said data units by said second processing unit, wherein said set of said tasks includes;

identifying a plurality of patterns from the content of said plurality of said data units;

converting said plurality of patterns into a regular expression splitting said regular expression into a first sub-expression and a second sub-expression;

formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;

formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;

constructing a dependency relationship between said first finite automaton and said second finite automaton;

inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;

formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and

identifying said set of said suspected data units by said second processing unit by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for ensuring system security is disclosed. The method and system utilize a first processing unit to split a regular expression that corresponds to a number of patterns into sub-expressions and maintain the dependency relationships among the finite automata that correspond to the sub-expressions. Then, the method and system utilize a second processing unit to move the data units through these finite automata in a sequence that is based on the dependency relationships to identify the suspected data units. The suspected data units are the ones containing content that collectively matches one or more of the aforementioned patterns. Identification of the suspected data units is based on the merged results of the finite automata.

23 Citations

View as Search Results

24 Claims

1. A method for monitoring a plurality of data units received by a computing device having a first processing unit and a second processing unit, comprising:
- performing a set of tasks by said first processing unit prior to identifying a set of suspected data units out of said plurality of said data units by said second processing unit, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  converting said plurality of patterns into a regular expression splitting said regular expression into a first sub-expression and a second sub-expression;
  
  formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
  
  formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
  
  constructing a dependency relationship between said first finite automaton and said second finite automaton;
  
  inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
  
  formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
  
  identifying said set of said suspected data units by said second processing unit by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising:
    - distributing said plurality of said data units to said first processing unit and said second processing unit according to the types of said data units and the data contained in said data units.
  - 3. The method as recited in claim 2, further comprising:
    - decompressing the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 4. The method as recited in claim 2, further comprising:
    - responding to an anomaly associated with said plurality of said data units according to an anomaly policy, whereinsaid anomaly policy tracks characteristics of said plurality ofsaid data units other than said plurality of said patterns.
  - 5. The method as recited in claim 4, wherein said anomaly policy is configurable.
  - 6. The method as recited in claim 4, further comprising rectifying said set of said suspected data units or said anomaly.

7. A system for monitoring a plurality of data units, comprising:
- a first processing means for performing a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by a second processing means, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
  
  formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
  
  formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
  
  constructing a dependency relationship between said first finite automaton and said second finite automaton;
  
  inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
  
  formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
  
  said second processing means for identifying said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system as recited in claim 7, further comprising:
    - means for distributing said plurality of said data units to said first processing means and said second processing means according to the types of said data units and the data contained in said data units.
  - 9. The system as recited in claim 8, wherein said first processing means further:
    - decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 10. The system as recited in claim 8, wherein said first processing means further:
    - responds to an anomaly associated with said plurality of said data units according to an anomaly policy, whereinsaid anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 11. The system as recited in claim 10, wherein said anomaly policy is configurable.
  - 12. The system as recited in claim 10, wherein said first processing unit further rectifies said set of said suspected data units or said anomaly.

13. A system for monitoring a plurality of data units, comprising:
- a distribution engine;
  
  a processing unit, coupled to said distribution engine;
  
  a content inspection engine, coupled to said distribution engine and said processing unit;
  
  a memory controller, coupled to said distribution engine, said processing unit, and said content inspection engine, wherein;
  
  said processing unit performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
  
  formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
  
  formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
  
  constructing a dependency relationship between said first finite automaton and said second finite automaton;
  
  inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
  
  formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
  
  said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system as recited in claim 13, wherein said distribution engine distributes said plurality of said data units to said processing unit, said content inspection engine, and said memory controller according to the types of said data units and the data contained in said data units.
  - 15. The system as recited in claim 14, wherein said processing unit further decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 16. The system as recited in claim 14, wherein said processing unit further responds to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein:
    - said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 17. The system as recited in claim 16, wherein said anomaly policy is configurable.
  - 18. The system as recited in claim 16, wherein said processing unit further rectifies said set of said suspected data units or said anomaly.

19. A system for monitoring a plurality of data units, comprising:
- a general purpose processor;
  
  a content inspection co-processor directly or indirectly coupled to said general purpose processor, wherein said content inspection co-processor further includes;
  
  a distribution engine;
  
  a content inspection engine, coupled to said distribution engine;
  
  a memory controller, coupled to said distribution engine and saidcontent inspection engine, wherein;
  
  said general purpose processor performs a set of tasks prior to identifying a set of suspected data units out of said plurality of said data units by said content inspection engine, wherein said set of said tasks includes;
  
  identifying a plurality of patterns from the content of said plurality of said data units;
  
  splitting a regular expression that corresponds to said patterns into a first sub-expression and a second sub-expression;
  
  formulating a first finite automaton from said first sub-expression with a first initial state and a first final state;
  
  formulating a second finite automaton from said second sub-expression with a second initial state and a second final state;
  
  constructing a dependency relationship between said first finite automaton and said second finite automaton;
  
  inserting a state in between said first finite automaton and said second finite automaton in response to identifying an overlapped portion between said first finite automaton and said second finite automaton;
  
  formulating a third finite automaton by merging said first finite automaton, said second finite automaton, and optionally said state while maintaining status of one or more of said first final state and said second final state; and
  
  said content inspection engine identifies said set of said suspected data units by moving said plurality of said data units through said third finite automaton, wherein the content of said set of said suspected data units collectively matches any of said plurality of patterns.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system as recited in claim 19, wherein said distribution engine distributes said plurality of said data units to said general purpose processor, said content inspection engine, and said memory controller according to the types of said data units and the data contained in said data units.
  - 21. The system as recited in claim 20, wherein said general purpose processor further decompresses the compressed data contained in said plurality of said data units according to the instructions contained in said data units prior to identifying said set of said suspected data units.
  - 22. The system as recited in claim 20, wherein said general purpose processor further responds to an anomaly associated with said plurality of said data units according to an anomaly policy, wherein:
    - said anomaly policy tracks characteristics of said plurality of said data units other than said plurality of said patterns.
  - 23. The system as recited in claim 22, wherein said anomaly policy is configurable.
  - 24. The system as recited in claim 22, wherein said general purpose processor further rectifies said set of said suspected data units or said anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lionic Corp.
Original Assignee
Lionic Corp.
Inventors
Zhao, Shi-Ming, Chien, Shih-Wei
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Lemma; Samson B

Application Number

US11/078,010
Publication Number

US 20050278783A1
Time in Patent Office

1,663 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/563   by source code analysis

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

System security approaches using multiple processing units

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System security approaches using multiple processing units

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links