US2012210430A1PendingUtilityA1

Intrusion detection using a network processor and a parallel pattern detection engine

43
Assignee: BOULANGER MARC APriority: Jan 14, 2004Filed: Apr 25, 2012Published: Aug 16, 2012
Est. expiryJan 14, 2024(expired)· nominal 20-yr term from priority
H04L 63/1416H04L 63/1441
43
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Claims

exact text as granted — not AI-modified
1 . A method for rapid intrusion detection for network communication, the method comprising:
 receiving packets of network data in a network processor coupled to a network fabric;   forwarding routed network data to the network fabric;   analyzing the packets of network data for validity thereby generating valid packets of network data as selected data; and   coupling the selected data from the network data to a parallel pattern detection engine (PPDE), for comparing the selected data in parallel to M sequences of pattern data stored in the PPDE and generating a match output signal when at least one of the M sequences of pattern data compares to a portion of the selected data.   
     
     
         2 . The method of  claim 1  further comprising:
 storing N intrusion signatures in M PUs sequences of pattern data with corresponding identification (ID) data used to identify which of the N intrusion signatures is detected; and 
 storing action code indicating action to take in response to detecting a particular one of the N intrusion signatures. 
 
     
     
         3 . The method of  claim 2  further comprising:
 comparing the selected data to N intrusion signatures and generating, at network data speed, a pattern compare signal and a particular ID data when a particular one of the N intrusion signatures is detected; and 
 executing the action code corresponding to the particular one of the N intrusion signatures detected. 
 
     
     
         4 . A system for rapid intrusion detection for a network communication comprising:
 a network processor;   circuitry in the network processor for receiving network data from a network fabric;   circuitry in the network processor for forwarding routed network data to the network fabric;   circuitry for analyzing the packets of network data for validity thereby generating valid packets of network data as selected data; and   circuitry for coupling the network processor to a parallel pattern detection engine (PPDE) for comparing in parallel the selected data from the network data to M sequences of pattern data stored in the PPDE and generating a match output signal when at least one of the M sequences of pattern data compares to a portion of the selected data.   
     
     
         5 . The system of  claim 4  further comprising:
 circuitry for storing N intrusion signatures in M PUs sequence of pattern data with corresponding identification (ID) data used to identify which of the N intrusion signatures is detected. 
 
     
     
         6 . The system of  claim 4  further comprising:
 circuitry for storing action code indicating action to take in response to detecting a particular one of the N intrusion signatures. 
 
     
     
         7 . The system of  claim 4  further comprising:
 circuitry for receiving packets of network data from the network fabric in the network process; 
 circuitry for forwarding network data from the valid packets of network data to the PPDE, 
 circuitry for comparing the selected data to N intrusion signatures and generating, at network data speed, a pattern compare signal and a particular ID data when a particular one of the N intrusion signatures is detected; and 
 circuitry for executing an action code corresponding to the particular one of the N intrusion signatures detected. 
 
     
     
         8 . An intrusion detection system comprising:
 a network processor having an input connection to a network fabric and an output connection to the network fabric; and   a parallel pattern detection engine (PPDE) coupled to the network processor, the PPDE for comparing selected data from network data, in parallel, to M sequences of intrusion signature data corresponding to M intrusion signatures stored in the PPDE and generating a match output signal when one of the M intrusion signatures is detected within the network data, wherein the network data is analyzed for validity thereby generating valid packets of network data as the selected data, wherein the network processor receives network input data, processes the network input data for forwarding as valid network output data, and couples the valid network output data to the PPDE for real-time detection of intrusion patterns within the valid network output data.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.