US9270698B2 - Filter for network intrusion and virus detection - Google Patents
Filter for network intrusion and virus detectionDownload PDFInfo
- Publication number
- US9270698B2 US9270698B2US12/346,734US34673408AUS9270698B2US 9270698 B2US9270698 B2US 9270698B2US 34673408 AUS34673408 AUS 34673408AUS 9270698 B2US9270698 B2US 9270698B2
- Authority
- US
- United States
- Prior art keywords
- slice
- hit
- logic array
- hit signals
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9014—Indexing; Data structures therefor; Storage structures hash tables
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
- G06F16/90344—Query processing by using string matching techniques
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/02—Comparing digital values
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/02—Indexing scheme relating to groups G06F7/02 - G06F7/026
- G06F2207/025—String search, i.e. pattern matching, e.g. find identical word or best match in a string
Definitions
- This disclosurerelates generally to the field of network processing.
- the disclosurerelates to a novel filter architecture to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- a Bloom filterconceived by Burton H. Bloom in 1970, is a probabilistic structure for determining whether an element is a member of a set. Hashing is performed on the element. Multiple different hash functions are used to generate multiple different hash indices into an array of bits. To add or insert an element into the set, these hash functions are used to index multiple bit locations in the array for the element and these bit locations are then set to one. To query the filter for an arbitrary element the hash functions are used to index multiple bit locations in the array for the element and these bit locations are then checked to see if they are all set to one. If they are not all set to one, the arbitrary element in question is not a member of the set.
- the Bloom filterWhenever a filter generates a positive outcome for an element, which is not actually a member of the set, the outcome is called a false positive.
- the Bloom filterwill not generate a false negative. It is a goal of any particular filter design, that the probability of false positives is “small.” For Bloom filters, after inserting n elements into a set represented by an array of m bits using k different hash functions, the probability of a false positive is (1 ⁇ (1 ⁇ 1/m) kn ) k .
- Designing a filter for a specific problemmay be tedious, and at high data rates it is difficult or impossible for state-of-the art processors to implement the design at rates even close to line-rate.
- To achieve rates close to one or more gigabits per secondspecialized field-programmable gate array solutions or custom circuits have been proposed.
- FIG. 1illustrates one embodiment of a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- FIG. 2illustrates a flow diagram for one embodiment of a process to initialize a filter apparatus for string matching in packet inspection.
- FIG. 3illustrates a flow diagram for one embodiment of a process to utilize a filter apparatus for string matching in packet inspection.
- FIG. 4illustrates one embodiment of a system employing a filter apparatus to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- a filter apparatusmay be configured as a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits.
- Each slice circuitmay include an input window storing some number of bytes of data from an input data steam.
- the input window of datamay be padded if necessary, and may be multiplied by a distinct Galois-field polynomial modulo an irreducible Galois-field polynomial to generate a hash index.
- a storage location of a memory slice corresponding to the hash indexmay be accessed to generate a slice-hit signal of a plurality of slice-hit signals.
- the slice-hit signalmay be provided to an AND-OR logic array where the plurality of slice-hit signals is logically combined into a match result.
- Embodiments of such methods and apparatusrepresent reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- FIG. 1illustrates one embodiment of a filter apparatus 101 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- Filter apparatus 101as shown includes an input data stream 120 , which may be in a system memory or may comprise an optional data stream buffer of filter apparatus 101 for storing packed data for inspection and/or a pattern database to initialize filter apparatus 101 .
- Filter apparatus 101also includes a set of H (e.g. 1-8) slice circuits 110 - 150 , each i th slice circuit of the set is configurable for providing an i th slice-hit signal to a configurable AND-OR logic array 140 as one of a set of H slice-hit signals.
- He.g. 1-8
- Slice circuits 110 - 150respectively include input windows 111 - 151 each configurable to store W i (e.g. 2-8) bytes of data from input data steam 120 , and Ghash units 112 - 152 coupled with input windows 111 - 151 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective W i bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
- W ie.g. 2-8) bytes of data from input data steam 120
- Ghash units 112 - 152coupled with input windows 111 - 151 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective W i bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
- filter apparatus 101may use the same irreducible Galois-field polynomial in each of the Ghash units 112 - 152 with H distinct polynomial multipliers selected at random (each having a good mixture of 1's and 0's) to generate H distinct hash indices, thus simplifying the task of generating distinct hash indices for each Ghash unit. It will also be appreciated that in embodiments of filter apparatus 101 where, unlike the Bloom filter, input windows 111 - 151 are independently configurable to store W i bytes of data from input data steam 120 , the filter apparatus 101 may be used to solve multiple problems of different sizes (e.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.) at the same time in parallel.
- problems of different sizese.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.
- Slice circuits 110 - 150also include memories 113 - 153 coupled with the Ghash units 112 - 152 and configurable to access respective storage locations responsive to their respective indices (e.g. at the addresses specified by some field of bits from respective indices) to each generate an i th slice-hit signal and to provide the an i th slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115 - 155 .
- Some embodiments of memories 113 - 153are configurable from a larger memory 130 to serve as individual memories 113 - 153 for slice circuits 110 - 150 respectively.
- Some alternative embodiments of memories 113 - 153may be N-entry (e.g.
- RAMsread/write random-access memories
- Slice circuits 110 - 150may also include multiplexers 114 - 154 , respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the i th slice-hit signal and to provide the i th slice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals 115 - 155 .
- AND-OR logic array 140is configurable to receive a set of H slice-hit signals 115 - 155 and to combine the set of H slice-hit signals 115 - 155 into a match result 145 , a copy of which may be stored as a match result 185 .
- Some embodiments of AND-OR logic array 140may be configurable to perform a simple AND (e.g. as in a Bloom filter) or a simple OR (e.g. as in solving multiple problems of different sizes in parallel) of the set of H slice-hit signals 115 - 155 to get a match result 145 .
- Alternative embodiments of AND-OR logic array 140may be configurable to perform a complex AND-OR of the set of H slice-hit signals 115 - 155 (e.g.
- the complex AND-OR of the set of H slice-hit signals 115 - 155may be used, for example, in embodiments of filter apparatus 101 to provide multiple Bloom filters in parallel.
- FIG. 2illustrates a flow diagram for one embodiment of a process 201 to initialize a filter apparatus for string matching in packet inspection.
- Process 201 and other processes herein disclosedare performed by processing blocks that may comprise dedicated hardware or software or firmware operation codes executable by general purpose machines or by special purpose machines or by a combination of both.
- processing block 211a set of H slice circuits are configured.
- iis set to zero (0).
- processing block 213i is incremented.
- processing block 214i is checked to see if it has exceeded H. It will be appreciated that even though initialization of the H slice circuits is shown as an iterative process 201 , in at least some preferred embodiment of process 201 , the set of H slice circuits are configured to concurrently perform initialization according to processing blocks 215 - 220 of process 201 for use in string matching during network packet inspections. Therefore, for each of the H slice circuits processing blocks 215 - 220 are executed as follows, before proceeding to processing block 222 .
- W i bytes of datais stored from an input data steam in an i th input window.
- the W i bytes of dataare padded if necessary.
- the W i bytes of dataare multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an i th hash index.
- a storage location of a memory corresponding to the i th hash indexis accessed, and in processing block 220 an i th slice-hit signal is stored (i.e. set) in the storage location of the memory corresponding to the i th hash index.
- processingproceeding to processing block 222 where a pointer in the input data stream is moved (e.g. to a new string in the database). Then from processing block 224 , if the data stream is empty processing terminates. Otherwise processing repeats in processing block 212 .
- the process 201may be iterated for hundreds to hundreds of thousands of times in order to initialize a filter apparatus for string matching patterns in packet inspection.
- substantial performance improvementsmay be realized.
- the process 201 of initializing a filter apparatus(by setting slice-hit signals) may be performed in a manner substantially similar to a process of utilizing a filter apparatus for string matching (by reading the slice-hit signals) in packet inspection.
- a pointer into the input data streammay moved for each i th slice, in such a way as to provide each i th slice with a new compete pattern, whereas in utilizing a filter apparatus for string matching a pointer into the input data stream may be simply incremented.
- FIG. 3illustrates a flow diagram for one embodiment of a process 301 to utilize a filter apparatus for string matching in packet inspection.
- a set of H slice circuitsare configured.
- iis set to zero (0).
- iis incremented.
- iis checked to see if it has exceeded H.
- the set of H slice circuitsare configured to concurrently perform string matching according to processing blocks 315 - 321 of process 301 for use during network packet inspections. Therefore, for each of the H slice circuits processing blocks 315 - 321 are executed as follows, before proceeding to processing block 323 .
- W i bytes of datais stored from an input data steam in an i th input window.
- the W i bytes of dataare padded if necessary.
- the W i bytes of dataare multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an i th hash index.
- a storage location of a memory corresponding to the i th hash indexis accessed to generate an i th slice-hit signal of a set of H slice-hit signals.
- the i th slice-hit signalis provided to an AND-OR logic array as one of the set of H slice-hit signals.
- processingproceeding to processing block 323 where the AND-OR logic array is configured to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result. Then from processing block 323 processing terminates.
- process 301may be configured in accordance with embodiments of filter apparatus 101 to substantially accelerate string matching in packet inspection.
- FIG. 4illustrates one embodiment of a system 401 employing a filter 480 to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
- System 401includes an input data stream 420 , which may be in system memory 470 as shown, or may comprise an optional data stream buffer of filter 480 for storing packed data for inspection and/or a pattern database to initialize filter 480 .
- Filter 480includes a set of H slice circuits 410 - 450 , each i th slice circuit of the set is configurable for providing an i th slice-hit signal to a configurable AND-OR logic array 440 as one of a set of H slice-hit signals.
- Slice circuits 410 - 450respectively include input windows 411 - 451 each configurable to store W i bytes of data from input data steam 420 , and Ghash units 412 - 452 coupled with input windows 411 - 451 and configurable to receive the W i bytes of data, to pad the W i bytes of data if necessary, and to multiply their respective WI bytes of data by a polynomial modulo an irreducible Galois-field polynomial to generate an index.
- Slice circuits 410 - 450also include memories 413 - 453 coupled with the Ghash units 412 - 452 and configurable to access respective storage locations responsive to their respective indices to each generate an i th slice-hit signal and to provide the an i th slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415 - 455 .
- Memories 413 - 453may be N-entry read/write RAMs of any fixed width and configurable to be combined into larger memories (e.g. memory 430 ) as necessary. Alternatively some embodiments of memories 413 - 453 may be configurable from a larger memory 430 .
- Slice circuits 410 - 450may also include multiplexers 414 - 454 , respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the i th slice-hit signal and to provide the i th slice-hit signal to AND-OR logic array 440 as one of the set of H slice-hit signals 415 - 455 .
- AND-OR logic array 440may receive the set of H slice-hit signals 415 - 455 and combine the set of H slice-hit signals 415 - 455 into a match result 445 .
- System 401also includes system processor 460 to executed a program 471 in system memory 470 to accelerate string matching in packet inspection for network applications using filter 480 , and to move or increment a pointer 461 into input data stream 420 until a match result 445 is positive (in the case of string matching for packet inspections) or until an end-of-file is reached in the input data steam 420 .
- processor 460may check a copy of match result 445 stored in system memory 470 as a match result 485 when string matching for packet inspections to determine if match result 445 was positive.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Mining & Analysis (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Computational Linguistics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
This disclosure relates generally to the field of network processing. In particular, the disclosure relates to a novel filter architecture to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
In modem networks, applications such as intrusion detection/prevention and virus detection are important for protecting the networks and/or network users from attacks. In such applications network packets are often inspected to identify problematic packets by finding matches to a known set of data patterns. Matching every byte of an incoming data stream against a large database of patterns (e.g. up to hundreds of thousands) is very compute-intensive. Programs have used techniques such as finite-state machines and filters to find matches to known sets.
A Bloom filter, conceived by Burton H. Bloom in 1970, is a probabilistic structure for determining whether an element is a member of a set. Hashing is performed on the element. Multiple different hash functions are used to generate multiple different hash indices into an array of bits. To add or insert an element into the set, these hash functions are used to index multiple bit locations in the array for the element and these bit locations are then set to one. To query the filter for an arbitrary element the hash functions are used to index multiple bit locations in the array for the element and these bit locations are then checked to see if they are all set to one. If they are not all set to one, the arbitrary element in question is not a member of the set.
Whenever a filter generates a positive outcome for an element, which is not actually a member of the set, the outcome is called a false positive. The Bloom filter will not generate a false negative. It is a goal of any particular filter design, that the probability of false positives is “small.” For Bloom filters, after inserting n elements into a set represented by an array of m bits using k different hash functions, the probability of a false positive is (1−(1−1/m)kn)k.
Designing a filter for a specific problem may be tedious, and at high data rates it is difficult or impossible for state-of-the art processors to implement the design at rates even close to line-rate. To achieve rates close to one or more gigabits per second, specialized field-programmable gate array solutions or custom circuits have been proposed.
To date, more generalized reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection have not been fully explored.
The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings.
Methods and apparatus to perform string matching for network packet inspection are disclosed below. In some embodiments, a filter apparatus may be configured as a set of string matching slice circuits, each slice circuit of the set being configured to perform string matching steps in parallel with other slice circuits. Each slice circuit may include an input window storing some number of bytes of data from an input data steam. The input window of data may be padded if necessary, and may be multiplied by a distinct Galois-field polynomial modulo an irreducible Galois-field polynomial to generate a hash index. A storage location of a memory slice corresponding to the hash index may be accessed to generate a slice-hit signal of a plurality of slice-hit signals. The slice-hit signal may be provided to an AND-OR logic array where the plurality of slice-hit signals is logically combined into a match result.
Embodiments of such methods and apparatus represent reconfigurable architectures to accelerate string matching in packet inspection for network applications such as intrusion detection/prevention and virus detection.
In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. These and other embodiments of the present invention may be realized in accordance with the following teachings and it should be evident that various modifications and changes may be made in the following teachings without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense and the invention measured only in terms of the claims and their equivalents.
It will be appreciated that some embodiments offilter apparatus 101 may use the same irreducible Galois-field polynomial in each of the Ghash units112-152 with H distinct polynomial multipliers selected at random (each having a good mixture of 1's and 0's) to generate H distinct hash indices, thus simplifying the task of generating distinct hash indices for each Ghash unit. It will also be appreciated that in embodiments offilter apparatus 101 where, unlike the Bloom filter, input windows111-151 are independently configurable to store Wibytes of data frominput data steam 120, thefilter apparatus 101 may be used to solve multiple problems of different sizes (e.g. a 2-byte match, a 3-byte match, a 6-byte match, and an 8-byte match, etc.) at the same time in parallel.
Slice circuits110-150, respectively, also include memories113-153 coupled with the Ghash units112-152 and configurable to access respective storage locations responsive to their respective indices (e.g. at the addresses specified by some field of bits from respective indices) to each generate an ithslice-hit signal and to provide the an ithslice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals115-155. Some embodiments of memories113-153 are configurable from alarger memory 130 to serve as individual memories113-153 for slice circuits110-150 respectively. Some alternative embodiments of memories113-153 may be N-entry (e.g. 1K entries) read/write random-access memories (RAMs) of fixed width (e.g. 64-bits wide) and are configurable to be combined into larger memories (e.g. memory130) as necessary (e.g. when a very large set of patterns is required). Slice circuits110-150 may also include multiplexers114-154, respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the ithslice-hit signal and to provide the ithslice-hit signal to AND-OR logic array 140 as one of the set of H slice-hit signals115-155.
AND-OR logic array 140 is configurable to receive a set of H slice-hit signals115-155 and to combine the set of H slice-hit signals115-155 into amatch result 145, a copy of which may be stored as a match result185. Some embodiments of AND-OR logic array 140 may be configurable to perform a simple AND (e.g. as in a Bloom filter) or a simple OR (e.g. as in solving multiple problems of different sizes in parallel) of the set of H slice-hit signals115-155 to get amatch result 145. Alternative embodiments of AND-ORlogic array 140 may be configurable to perform a complex AND-OR of the set of H slice-hit signals115-155 (e.g. tempk=(AND slice-hit signalifor all i in a set Sk) and then the final match result=(OR tempkfor all k) ) to get amatch result 145. The complex AND-OR of the set of H slice-hit signals115-155 may be used, for example, in embodiments offilter apparatus 101 to provide multiple Bloom filters in parallel.
It will be appreciated that when a final match result is positive, a verification process may be used to check against false positives. Such verification process may be relatively slower than usingfilter apparatus 101 and so the configuration offilter apparatus 101 should be carefully made to avoid frequent false positives.
In processing block211 a set of H slice circuits are configured. Inprocessing block 212, i is set to zero (0). Inprocessing block 213, i is incremented. Inprocessing block 214, i is checked to see if it has exceeded H. It will be appreciated that even though initialization of the H slice circuits is shown as aniterative process 201, in at least some preferred embodiment ofprocess 201, the set of H slice circuits are configured to concurrently perform initialization according to processing blocks215-220 ofprocess 201 for use in string matching during network packet inspections. Therefore, for each of the H slice circuits processing blocks215-220 are executed as follows, before proceeding to processingblock 222.
In processing block215 Wibytes of data is stored from an input data steam in an ithinput window. Inprocessing block 216 the Wibytes of data are padded if necessary. Then in processingblock 217 the Wibytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an ithhash index. In processing block218 a storage location of a memory corresponding to the ithhash index is accessed, and in processing block220 an ithslice-hit signal is stored (i.e. set) in the storage location of the memory corresponding to the ithhash index. When all of the H slice circuits have completed processing blocks215-220 ofprocess 201, processing proceeding to processing block222 where a pointer in the input data stream is moved (e.g. to a new string in the database). Then from processingblock 224, if the data stream is empty processing terminates. Otherwise processing repeats inprocessing block 212.
It will be appreciated that theprocess 201 may be iterated for hundreds to hundreds of thousands of times in order to initialize a filter apparatus for string matching patterns in packet inspection. Thus when the set of H slice circuits are configured to concurrently perform initialization substantial performance improvements may be realized. It will also be appreciated that theprocess 201 of initializing a filter apparatus (by setting slice-hit signals) may be performed in a manner substantially similar to a process of utilizing a filter apparatus for string matching (by reading the slice-hit signals) in packet inspection. In some embodiments of processing block222 a pointer into the input data stream may moved for each ithslice, in such a way as to provide each ithslice with a new compete pattern, whereas in utilizing a filter apparatus for string matching a pointer into the input data stream may be simply incremented.
In processing block315 Wibytes of data is stored from an input data steam in an ithinput window. Inprocessing block 316 the Wibytes of data are padded if necessary. Then in processingblock 317 the Wibytes of data are multiplied by a Galois-field polynomial modulo an irreducible Galois-field polynomial to generate an ithhash index. In processing block319 a storage location of a memory corresponding to the ithhash index is accessed to generate an ithslice-hit signal of a set of H slice-hit signals. Inprocessing block 321 the ithslice-hit signal is provided to an AND-OR logic array as one of the set of H slice-hit signals. When all of the H slice circuits have completed processing blocks315-321 ofprocess 301, processing proceeding to processing block323 where the AND-OR logic array is configured to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result. Then from processingblock 323 processing terminates.
It will be appreciated that iterations ofprocess 301 may be configured in accordance with embodiments offilter apparatus 101 to substantially accelerate string matching in packet inspection.
Slice circuits410-450, respectively, also include memories413-453 coupled with the Ghash units412-452 and configurable to access respective storage locations responsive to their respective indices to each generate an ithslice-hit signal and to provide the an ithslice-hit signal to AND-ORlogic array 440 as one of the set of H slice-hit signals415-455. Memories413-453 may be N-entry read/write RAMs of any fixed width and configurable to be combined into larger memories (e.g. memory430) as necessary. Alternatively some embodiments of memories413-453 may be configurable from alarger memory 430. Slice circuits410-450 may also include multiplexers414-454, respectively, configurable to access respective bit storage locations responsive to portions of their respective indices to generate the ithslice-hit signal and to provide the ithslice-hit signal to AND-ORlogic array 440 as one of the set of H slice-hit signals415-455. AND-ORlogic array 440 may receive the set of H slice-hit signals415-455 and combine the set of H slice-hit signals415-455 into amatch result 445.
The above description is intended to illustrate preferred embodiments of the present invention. From the discussion above it should also be apparent that especially in such an area of technology, where growth is fast and further advancements are not easily foreseen, the invention can may be modified in arrangement and detail by those skilled in the art without departing from the principles of the present invention within the scope of the accompanying claims and their equivalents.
Claims (24)
1. A method to perform string matching for network packet inspection, the method comprising:
configuring a set of H slice circuits, each ithslice circuit of the set of H slice circuits being configured to perform the steps of:
independently storing an ithinput window of Wibytes of data from an input data stream;
padding the Wibytes of data if necessary, and multiplying the Wibytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an ithhash index;
accessing a storage location of a memory corresponding to the ithhash index to generate an ithslice-hit signal of a set of H slice-hit signals; and
providing the ithslice-hit signal to an AND-OR logic array as one of the set of H slice-hit signals; and
configuring the AND-OR logic array to receive the set of H slice-hit signals and to combine the set of H slice-hit signals into a match result.
2. The method ofclaim 1 wherein configuring each ithslice circuit of the set of H slice circuits to perform the step of providing the ithslice-hit signal to the AND-OR logic array comprises:
storing the ithslice-hit signal in the storage location of the memory corresponding to the ithhash index.
3. The method ofclaim 2 wherein each ithinput window of Wibytes of data from the input data steam comprises a complete data pattern.
4. The method ofclaim 2 wherein providing the ithslice-hit signal to the AND-OR logic array comprises:
reading out the ithslice-hit signal, from the storage location of the memory corresponding to the ithhash index, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
5. The method ofclaim 2 wherein providing the ithslice-hit signal to the AND-OR logic array comprises:
multiplexing the ithslice-hit signal from the storage location of the memory corresponding to the ithhash index, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
6. The method ofclaim 1 , wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
7. The method ofclaim 1 , wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
8. The method ofclaim 1 , wherein the AND-OR logic array is configured to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
9. An apparatus comprising:
an AND-OR logic array configurable to receive a set of H slice-hit signals and to combine the set of H slice-hit signals into a match result; and
a set of H slice circuits, each ithslice circuit of the set comprising:
an input window configurable to independently store Wibytes of data from an input data steam;
a Ghash unit coupled with the input window and configurable to receive the Wibytes of data, pad the Wibytes of data if necessary, and multiply the Wibytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an index; and
a memory coupled with the Ghash unit and configurable to access a storage location responsive to the index to generate a slice-hit signal and to provide the slice-hit signal to said AND-OR logic array as one of the set of H slice-hit signals.
10. The apparatus ofclaim 9 wherein providing the slice-hit signal to the AND-OR logic array comprises:
reading out the slice-hit signal, from the storage location of the memory corresponding to the index of the ithslice circuit, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
11. The apparatus ofclaim 9 wherein providing the slice-hit signal to the AND-OR logic array comprises:
multiplexing the slice-hit signal, from the storage location of the memory corresponding to the index of the ithslice circuit, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
12. The apparatus ofclaim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
13. The apparatus ofclaim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
14. The apparatus ofclaim 9 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
15. The apparatus ofclaim 9 wherein the same irreducible Galois-field polynomial is used in each ithslice circuit of the set of H slice circuits.
16. The apparatus ofclaim 15 wherein each the Wibytes of data are multiplied by a different distinct Galois-field polynomial in each ithslice circuit of the set of H slice circuits.
17. A packet processing system to perform string matching for network packet inspection, the system comprising:
a system processor;
an AND-OR logic array configurable to receive a set of H slice-hit signals and to combine the set of H slice-hit signals into a match result; and
a set of H slice circuits, each ithslice circuit of the set comprising:
an input window configurable to independently store Wibytes of data from an input data steam;
a Ghash unit coupled with the input window and configurable to receive the Wibytes of data, pad the Wibytes of data if necessary, and multiply the Wibytes of data by a Galois-field polynomial modulo an irreducible Galois-field polynomial combined with a randomly generated polynomial multiplier to generate an index; and
a memory coupled with the Ghash unit and configurable to access a storage location responsive to the index to generate a slice-hit signal and to provide the slice-hit signal to said AND-OR logic array as one of the set of H slice-hit signals; and
a machine readable medium to store executable instructions, such that when said executable instructions are executed by the system processor, the system processor is caused to:
set a pointer to a first character of the input data steam to establish a starting point for the input window of each ithslice circuit, and
increment the pointer until the match result is positive or until an end-of-file is reached in the input data steam.
18. The system ofclaim 17 wherein the same irreducible Galois-field polynomial is used in each ithslice circuit of the set of H slice circuits.
19. The system ofclaim 18 wherein each the Wibytes of data are multiplied by a different distinct Galois-field polynomial in each ithslice circuit of the set of H slice circuits.
20. The system ofclaim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND the set of H slice-hit signals into a match result.
21. The system ofclaim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically OR the set of H slice-hit signals into a match result.
22. The system ofclaim 17 wherein the AND-OR logic array is configurable to receive the set of H slice-hit signals and to logically AND subsets of the set of H slice-hit signals into temporary results, and to logically OR the temporary results into a match result.
23. The system ofclaim 18 wherein providing the slice-hit signal to the AND-OR logic array comprises:
reading out the slice-hit signal, from the storage location of the memory corresponding to the index of the ithslice circuit, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
24. The system ofclaim 17 wherein providing the slice-hit signal to the AND-OR logic array comprises:
multiplexing the slice-hit signal, from the storage location of the memory corresponding to the index of the ithslice circuit, to the AND-OR logic array as the ithone of the set of H slice-hit signals.
Priority Applications (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US12/346,734US9270698B2 (en) | 2008-12-30 | 2008-12-30 | Filter for network intrusion and virus detection |
| EP09836863AEP2382739A4 (en) | 2008-12-30 | 2009-12-16 | Filter for network intrusion and virus detection |
| CN200980153566.5ACN102273137B (en) | 2008-12-30 | 2009-12-16 | Filter for network intrusion and virus detection |
| PCT/US2009/068168WO2010077904A2 (en) | 2008-12-30 | 2009-12-16 | Filter for network intrusion and virus detection |
| US15/049,519US10218739B2 (en) | 2008-12-30 | 2016-02-22 | Filter for network intrusion and virus detection |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US12/346,734US9270698B2 (en) | 2008-12-30 | 2008-12-30 | Filter for network intrusion and virus detection |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US15/049,519ContinuationUS10218739B2 (en) | 2008-12-30 | 2016-02-22 | Filter for network intrusion and virus detection |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| US20100169401A1 US20100169401A1 (en) | 2010-07-01 |
| US9270698B2true US9270698B2 (en) | 2016-02-23 |
Family
ID=42286195
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US12/346,734Expired - Fee RelatedUS9270698B2 (en) | 2008-12-30 | 2008-12-30 | Filter for network intrusion and virus detection |
| US15/049,519Active2029-05-25US10218739B2 (en) | 2008-12-30 | 2016-02-22 | Filter for network intrusion and virus detection |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US15/049,519Active2029-05-25US10218739B2 (en) | 2008-12-30 | 2016-02-22 | Filter for network intrusion and virus detection |
Country Status (4)
| Country | Link |
|---|---|
| US (2) | US9270698B2 (en) |
| EP (1) | EP2382739A4 (en) |
| CN (1) | CN102273137B (en) |
| WO (1) | WO2010077904A2 (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130239213A1 (en)* | 2011-03-08 | 2013-09-12 | Hewlett-Packard Development Company, L.P. | Methods and systems for full pattern matching in hardware |
| WO2017196428A3 (en)* | 2016-03-30 | 2018-01-11 | Intel Corporation | Pattern matching circuit |
| CN109698835A (en)* | 2019-01-19 | 2019-04-30 | 郑州轻工业学院 | A kind of encryption Trojan detecting method towards the hidden tunnel HTTPS |
| US20220240091A1 (en)* | 2019-04-29 | 2022-07-28 | Sonicwall Inc. | Elastic Security Services and Load Balancing in a Wireless Mesh Network |
| US20220368698A1 (en)* | 2014-04-28 | 2022-11-17 | Sophos Limited | Using reputation to avoid false malware detections |
| US11800598B2 (en) | 2019-04-29 | 2023-10-24 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
| US11863987B2 (en) | 2019-04-29 | 2024-01-02 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
| US11882136B2 (en) | 2014-12-18 | 2024-01-23 | Sophos Limited | Process-specific network access control based on traffic monitoring |
| US11997117B2 (en) | 2014-04-28 | 2024-05-28 | Sophos Limited | Intrusion detection using a heartbeat |
Families Citing this family (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080313708A1 (en)* | 2007-06-12 | 2008-12-18 | Alcatel Lucent | Data content matching |
| US9270698B2 (en) | 2008-12-30 | 2016-02-23 | Intel Corporation | Filter for network intrusion and virus detection |
| US20110145205A1 (en)* | 2009-12-14 | 2011-06-16 | Sanjeev Jain | Packet Boundary Spanning Pattern Matching Based At Least In Part Upon History Information |
| US9513843B2 (en)* | 2010-04-13 | 2016-12-06 | Dot Hill Systems Corporation | Method and apparatus for choosing storage components within a tier |
| WO2012010930A2 (en)* | 2010-07-21 | 2012-01-26 | Freescale Semiconductor, Inc. | Integrated circuit device, data storage array system and method therefor |
| US20130094515A1 (en)* | 2011-08-31 | 2013-04-18 | Nils Gura | Systems, apparatus, and methods for removing duplicate data packets from a traffic flow of captured data packets transmitted via a communication network |
| US9223618B2 (en) | 2011-09-20 | 2015-12-29 | Intel Corporation | Multi-threaded queuing system for pattern matching |
| US9471244B2 (en)* | 2012-01-09 | 2016-10-18 | International Business Machines Corporation | Data sharing using difference-on-write |
| US9460018B2 (en)* | 2012-05-09 | 2016-10-04 | Qualcomm Incorporated | Method and apparatus for tracking extra data permissions in an instruction cache |
| US9690703B1 (en)* | 2012-06-27 | 2017-06-27 | Netapp, Inc. | Systems and methods providing storage system write elasticity buffers |
| CN103514404A (en)* | 2012-06-29 | 2014-01-15 | 网秦无限(北京)科技有限公司 | Safety detection method and safety detection device |
| US9697111B2 (en)* | 2012-08-02 | 2017-07-04 | Samsung Electronics Co., Ltd. | Method of managing dynamic memory reallocation and device performing the method |
| WO2014077615A1 (en)* | 2012-11-19 | 2014-05-22 | Samsung Sds Co., Ltd. | Anti-malware system, method of processing packet in the same, and computing device |
| US9865350B2 (en)* | 2014-08-21 | 2018-01-09 | Meiji University | Content addressable memory, an index generator, and a registered information update method |
| US9678681B2 (en)* | 2015-06-17 | 2017-06-13 | International Business Machines Corporation | Secured multi-tenancy data in cloud-based storage environments |
| CN109729582B (en)* | 2018-12-27 | 2021-12-10 | 维沃移动通信有限公司 | Information interaction method and device and computer readable storage medium |
| CN113051569B (en)* | 2021-03-31 | 2024-05-28 | 深信服科技股份有限公司 | Virus detection method and device, electronic equipment and storage medium |
| CN113076562A (en)* | 2021-05-08 | 2021-07-06 | 北京炼石网络技术有限公司 | Database encryption field fuzzy retrieval method based on GCM encryption mode |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020006195A1 (en) | 1998-06-23 | 2002-01-17 | Ramarathnam R. Venkatesan | Lightweight word-oriented technique for generating a pseudo-random sequence for use in a keystream of a stream cipher |
| US6430184B1 (en) | 1998-04-10 | 2002-08-06 | Top Layer Networks, Inc. | System and process for GHIH-speed pattern matching for application-level switching of data packets |
| US20050086520A1 (en) | 2003-08-14 | 2005-04-21 | Sarang Dharmapurikar | Method and apparatus for detecting predefined signatures in packet payload using bloom filters |
| US20050283714A1 (en) | 2004-06-19 | 2005-12-22 | Samsung Electronics Co., Ltd. | Method and apparatus for multiplication in Galois field, apparatus for inversion in Galois field and apparatus for AES byte substitution operation |
| US7085988B1 (en) | 2002-04-08 | 2006-08-01 | Maxtor Corporation | Hashing system utilizing error correction coding techniques |
| US20070014395A1 (en) | 2005-01-06 | 2007-01-18 | Nikhil Joshi | Invariance based concurrent error detection for the advanced encryption standard |
| US20080130894A1 (en) | 2006-11-30 | 2008-06-05 | Zheng Qj | Multi-data rate security architecture for network security |
| US20080148025A1 (en) | 2006-12-19 | 2008-06-19 | Vinodh Gopal | High performance raid-6 system architecture with pattern matching |
| US20090024826A1 (en)* | 2007-07-16 | 2009-01-22 | Ming Zhang | Galois-based incremental hash module |
| WO2010077904A2 (en) | 2008-12-30 | 2010-07-08 | Intel Corporation | Filter for network intrusion and virus detection |
- 2008
- 2008-12-30USUS12/346,734patent/US9270698B2/ennot_activeExpired - Fee Related
- 2009
- 2009-12-16CNCN200980153566.5Apatent/CN102273137B/ennot_activeExpired - Fee Related
- 2009-12-16WOPCT/US2009/068168patent/WO2010077904A2/enactiveApplication Filing
- 2009-12-16EPEP09836863Apatent/EP2382739A4/ennot_activeWithdrawn
- 2016
- 2016-02-22USUS15/049,519patent/US10218739B2/enactiveActive
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6430184B1 (en) | 1998-04-10 | 2002-08-06 | Top Layer Networks, Inc. | System and process for GHIH-speed pattern matching for application-level switching of data packets |
| US20020006195A1 (en) | 1998-06-23 | 2002-01-17 | Ramarathnam R. Venkatesan | Lightweight word-oriented technique for generating a pseudo-random sequence for use in a keystream of a stream cipher |
| US7085988B1 (en) | 2002-04-08 | 2006-08-01 | Maxtor Corporation | Hashing system utilizing error correction coding techniques |
| US20050086520A1 (en) | 2003-08-14 | 2005-04-21 | Sarang Dharmapurikar | Method and apparatus for detecting predefined signatures in packet payload using bloom filters |
| US7444515B2 (en)* | 2003-08-14 | 2008-10-28 | Washington University | Method and apparatus for detecting predefined signatures in packet payload using Bloom filters |
| US20050283714A1 (en) | 2004-06-19 | 2005-12-22 | Samsung Electronics Co., Ltd. | Method and apparatus for multiplication in Galois field, apparatus for inversion in Galois field and apparatus for AES byte substitution operation |
| US20070014395A1 (en) | 2005-01-06 | 2007-01-18 | Nikhil Joshi | Invariance based concurrent error detection for the advanced encryption standard |
| US20080130894A1 (en) | 2006-11-30 | 2008-06-05 | Zheng Qj | Multi-data rate security architecture for network security |
| US20080148025A1 (en) | 2006-12-19 | 2008-06-19 | Vinodh Gopal | High performance raid-6 system architecture with pattern matching |
| US20090024826A1 (en)* | 2007-07-16 | 2009-01-22 | Ming Zhang | Galois-based incremental hash module |
| WO2010077904A2 (en) | 2008-12-30 | 2010-07-08 | Intel Corporation | Filter for network intrusion and virus detection |
| WO2010077904A3 (en) | 2008-12-30 | 2010-09-23 | Intel Corporation | Filter for network intrusion and virus detection |
Non-Patent Citations (14)
| Title |
|---|
| Aho et al., "Efficient string matching: an aid to bibliographic search" Communications of the ACM, 18(6):333-340, 1975. |
| Boyer et al., "A fast string searching algorithm" Communications of the ACM, 20(10), 1977. |
| China Office Action from related China Application 200980153566.5 mailed May 21, 2013. |
| David A. McGrew, "The Galois/Counter Mode of Operation (GCM)", Updated submission to NIST, Modes of Operation Process, May 31, 2005, pp. 1-25. Available at: ,. |
| David A. McGrew, "The Galois/Counter Mode of Operation (GCM)", Updated submission to NIST, Modes of Operation Process, May 31, 2005, pp. 1-25. Available at: <http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf>,. |
| Dharmapurikar et al., "Deep packet inspection using parallel Bloom filters" Proceedings of the 11th Symposium on High-performance interconnects, Aug. 2003. |
| EP Search Report from Related EPO Application 09836863.2 mailed May 29, 2012 (8 pages). |
| International Preliminary Report on Patentability and Written Opinion received for PCT Patent Application No. PCT/US2009/068168, mailed on Jul. 14, 2011, 6 Pages. |
| International Search Report and Written Opinion for PCT Patent Application No. PCT/US2009/068168, mailed on Jul. 29, 2010, 9 Pages. |
| Office Action received for Chinese Patent Application No. 200980153566.5, mailed on Apr. 25, 2014, 3 pages of Office Action and 3 pages of English Translation. |
| Office Action Received for Chinese Patent Application No. 200980153566.5, mailed on Dec. 19, 2013, 8 pages of Office Action including 5 pages of English Translation. |
| Ramaswamy et al, "Approximate Fingerprinting to Accelerate Pattern Matching", Proceedings of the 2006 ACM SIGCOMM Internet Measurement Conference, IMC 2006, ACM New York, USA, 6 pages. |
| Sertc et al. "Aggregated Bloom Filters for Intrusion Detection and Prevention Hardware", Proceedings of the Global Telecommunications Conference. 2007.GLOBECOM '07 IEEE Piscataway , NJ, USA, 12 pages. |
| Supplementary Search Report received for European Patent Application No. 09836863.2, mailed on Jun. 15, 2012, 1 page only. |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9602522B2 (en)* | 2011-03-08 | 2017-03-21 | Trend Micro Incorporated | Methods and systems for full pattern matching in hardware |
| US20130239213A1 (en)* | 2011-03-08 | 2013-09-12 | Hewlett-Packard Development Company, L.P. | Methods and systems for full pattern matching in hardware |
| US20230403297A1 (en)* | 2014-04-28 | 2023-12-14 | Sophos Limited | Using reputation to avoid false malware detections |
| US12348538B2 (en) | 2014-04-28 | 2025-07-01 | Sophos Limited | Intrusion detection using a heartbeat |
| US12074904B2 (en)* | 2014-04-28 | 2024-08-27 | Sophos Limited | Using reputation to avoid false malware detections |
| US20220368698A1 (en)* | 2014-04-28 | 2022-11-17 | Sophos Limited | Using reputation to avoid false malware detections |
| US11722516B2 (en)* | 2014-04-28 | 2023-08-08 | Sophos Limited | Using reputation to avoid false malware detections |
| US11997117B2 (en) | 2014-04-28 | 2024-05-28 | Sophos Limited | Intrusion detection using a heartbeat |
| US11882136B2 (en) | 2014-12-18 | 2024-01-23 | Sophos Limited | Process-specific network access control based on traffic monitoring |
| WO2017196428A3 (en)* | 2016-03-30 | 2018-01-11 | Intel Corporation | Pattern matching circuit |
| CN109698835B (en)* | 2019-01-19 | 2021-03-26 | 郑州轻工业学院 | Encrypted Trojan horse detection method facing HTTPS hidden tunnel |
| CN109698835A (en)* | 2019-01-19 | 2019-04-30 | 郑州轻工业学院 | A kind of encryption Trojan detecting method towards the hidden tunnel HTTPS |
| US11863987B2 (en) | 2019-04-29 | 2024-01-02 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
| US11800598B2 (en) | 2019-04-29 | 2023-10-24 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
| US11729621B2 (en)* | 2019-04-29 | 2023-08-15 | Sonicwall Inc. | Elastic security services and load balancing in a wireless mesh network |
| US12069480B2 (en) | 2019-04-29 | 2024-08-20 | Sonicwall Inc. | Elastic security services load balancing in a wireless mesh network |
| US20220240091A1 (en)* | 2019-04-29 | 2022-07-28 | Sonicwall Inc. | Elastic Security Services and Load Balancing in a Wireless Mesh Network |
| US12170900B2 (en) | 2019-04-29 | 2024-12-17 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
| US12238825B2 (en) | 2019-04-29 | 2025-02-25 | Sonicwall Inc. | Method for providing an elastic content filtering security service in a mesh network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102273137B (en) | 2015-02-25 |
| WO2010077904A2 (en) | 2010-07-08 |
| WO2010077904A3 (en) | 2010-09-23 |
| US10218739B2 (en) | 2019-02-26 |
| US20100169401A1 (en) | 2010-07-01 |
| US20160255100A1 (en) | 2016-09-01 |
| EP2382739A4 (en) | 2012-06-27 |
| EP2382739A2 (en) | 2011-11-02 |
| CN102273137A (en) | 2011-12-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10218739B2 (en) | Filter for network intrusion and virus detection | |
| EP3678346B1 (en) | Blockchain smart contract verification method and apparatus, and storage medium | |
| Xiao et al. | One bit flips, one cloud flops:{Cross-VM} row hammer attacks and privilege escalation | |
| US10503716B2 (en) | Systems and methods for generating bit matrices for hash functions using fast filtering | |
| Liu et al. | A fast string-matching algorithm for network processor-based intrusion detection system | |
| US9392005B2 (en) | System and method for matching pattern | |
| CN110018811B (en) | Cache data processing method and Cache | |
| US9244857B2 (en) | Systems and methods for implementing low-latency lookup circuits using multiple hash functions | |
| KR100960120B1 (en) | Optimization of Signature String Storage Memory and Its Memory Structure and Signature String Pattern Matching Method | |
| WO2012051802A1 (en) | Website scanning device and method | |
| CN105138478B (en) | A kind of memory integrity protection method of non-equilibrium Hash tree | |
| CN101853190A (en) | A Data Integrity Verification Method Applicable to Embedded Processor | |
| EP3961461B1 (en) | Method and apparatus for obtaining number for transaction-accessed variable in blockchain in parallel | |
| US11886581B1 (en) | Rapid verification of executing processes | |
| CN103198260A (en) | Automation positioning method for binary system program vulnerabilities | |
| Chhabra et al. | Engineering order‐preserving pattern matching with SIMD parallelism | |
| US7774587B2 (en) | Dynamic redundancy checker against fault injection | |
| Cui et al. | Towards privacy-preserving malware detection systems for android | |
| CN114826793B (en) | A kind of detection method, device and medium of ROP chain | |
| Ho et al. | PERG: A scalable FPGA-based pattern-matching engine with consolidated bloomier filters | |
| CN112583827A (en) | Data leakage detection method and device | |
| US20120023388A1 (en) | Parity Look-Ahead Scheme for Tag Cache Memory | |
| Wang et al. | Hardware accelerator to detect multi-segment virus patterns | |
| CN112182580A (en) | A processor chip-based memory leak detection method and electronic device | |
| Tseng et al. | A parallel automaton string matching with pre-hashing and root-indexing techniques for content filtering coprocessor |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:INTEL CORPORATION,CALIFORNIA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOPAL, VINODH;CLARK, CHRISTOPHER F.;WOLRICH, GILBERT;AND OTHERS;SIGNING DATES FROM 20090113 TO 20090313;REEL/FRAME:022800/0236 Owner name:INTEL CORPORATION, CALIFORNIA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOPAL, VINODH;CLARK, CHRISTOPHER F.;WOLRICH, GILBERT;AND OTHERS;SIGNING DATES FROM 20090113 TO 20090313;REEL/FRAME:022800/0236 | |
| FEPP | Fee payment procedure | Free format text:PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| STCF | Information on status: patent grant | Free format text:PATENTED CASE | |
| FEPP | Fee payment procedure | Free format text:MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| LAPS | Lapse for failure to pay maintenance fees | Free format text:PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| STCH | Information on status: patent discontinuation | Free format text:PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 | |
| FP | Lapsed due to failure to pay maintenance fee | Effective date:20200223 | |
| AS | Assignment | Owner name:TAHOE RESEARCH, LTD., IRELAND Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTEL CORPORATION;REEL/FRAME:061175/0176 Effective date:20220718 |