WO2005017702A2

WO2005017702A2 - Integrated circuit apparatus and method for high throughput signature based network applications

Info

Publication number: WO2005017702A2
Application number: PCT/US2004/026335
Authority: WO
Inventors: Robert Matthew Barrie; Stephen Gould; Darren Williams; Nicholas De Jong
Original assignee: Sensory Networks, Inc.
Priority date: 2003-08-13
Filing date: 2004-08-12
Publication date: 2005-02-24
Also published as: US20070230445A1; KR20060080176A; EP1656631A2; CN1836245A; WO2005017702A3; US20070195814A1; US20050114700A1

Abstract

An architecture for an integrated circuit apparatus (Figure 3, 300) and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams (Figure 3, 302), pattern matching on header tad payload content of such streams, and action execution based upon rule-based policy for multiple network applications (Figure 3, 308), simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Description

INTEGRATED CIRCUIT APPARATUS AND METHOD FOR HIGH THROUGHPUT SIGNATURE BASED NETWORK APPLICATIONS

BACKGROUND OF THE INVENTION [0001] The invention relates to computer networking security applications. More particularly, the invention includes an integrated circuit implementation of an apparatus for signature based network applications acting upon network packets and stream data at wire- speed. According to a specific embodiment, the invention includes an apparatus and method for high throughput flow classification of packets into network streams, packet reassembly of such streams (where desired), filtering and pre-processing of such streams (including protocol decoding where desired), pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. Merely by way of example, the invention has been applied to networking devices, which are been distributed throughout local, wide area, and world wide area networks.

[0002] As the world progresses, internetworking of computers has become important for infrastructure for enterprises, communication systems, countries and the world. The data flowing between computers is increasingly more important in terms of both the content carried and the timeliness of delivery. Through the technological advances in computing and networking, large databases are now available and in use by parties on opposite sides of the globe.

[0003] Data are carried between computers across networks, such as the Internet, in small quantities usually lαiown as packets. Where an amount of data is too big to fit into a single packet (the size of which is typically defined by the characteristics of the network over which the packet will flow), a series of packets is used to carry the data from one end of the communication channel to the other. This series, or stream as it is commonly referred to, is then reassembled from the individual packets into the original data at the receiving end.

[0004] Packets are routed between computers using specially developed algorithms that allow computers and network equipment to decide along which path the packet should be sent to arrive at its final destination. These algorithms examine the packet header (typically a fixed sized portion of the packet containing information such as the source and destination address of the packet added to the payload to be transported) to make routing decisions. The algorithms need to examine the packet and make the decision very quickly to allow large numbers of packets to be sent with very small delay. As well as examining the header, the contents of the packet may be examined for information to aid in making decisions about the path and priority given to a packet; this examination of the data however adds an overhead that can limit the throughput and delay imposed by the device examining the data - typically the more data to be searched the longer the delay incurred by searching it.

[0005] Increasingly, as packets are sent from their source to their destination they are examined not just to help in routing decisions but for other purposes as well. A piece of email, which is sent across a network as a series of packets may be examined to see if it is an unwanted email message (commonly referred to as 'spam'); this examination often desires looking at the contents of the message, which is the payload portion of the packets involved in carrying the email. Similarly the email may be scanned to see if it contains a computer virus. Packets may also be examined to look for copyright infringements, illegal activity such as computer 'hacking' or corporate espionage, or simply to analyze usage to offer a better quality of service. By examining packets in a network new applications are now being offered, and it can reasonably be expected that new network applications based on the examining of packets will continue to be developed.

[0006] Specialized network equipment is able to examine packet headers (with their small total size, set protocol and fixed layout) very quickly. However, to examine a packet's data payload, which is not always well structured, is complex and can be hard to do in the small window of time available to process each packet. This problem is compounded when one must often analyze this payload in context of data structures and protocols, and even further in the face of malicious obfuscation by a sophisticated attacker. Typically appliances such as email gateways, intrusion detection systems and general content protection appliances search the network data in software which, while often flexible and highly optimized, still comes nowhere near approaching the desired speeds, in terms of total throughput or delay. Appliances may also use specialized routing hardware which is strictly limited to examining headers. Furthermore, these software and hardware appliances typically impose quite severe restrictions on what data can be searched for, and the number of different patterns that can be matched simultaneously. [0007] Network equipment also works under several constraints; the total time that a packet takes to get from an ingress interface to an egress interface needs to be kept to a minimum. The time it takes for a packet to travel through a communication device or channel is called latency. The latency introduced by a device must not only be kept to a minimum, but must also be kept relatively constant; change in latency, is known as jitter. Jitter, in particular, adversely affects multimedia streams. With current software-based network applications, jitter is difficult to control as the software is usually sharing a single CPU with many other processes, compounded by most general purpose operating systems not providing support for real-time processing. As a result, software application interactions can result in a dramatic detrimental effect on network performance. As networks run at faster and faster speeds, this effect is compounded.

[0008] The way many network protocols organize the carrying of packets across communication networks means that the packets involved in carrying a given stream may not always arrive in the correct order and, further, packets may end up being fragmented due to a variety of reasons. To handle these cases the end receiver of a stream needs to reconstruct fragmented packets using networking algorithms and reassemble the stream from the packets, irrespective of the order in which they arrive. This does however impose additional demands on appliances or applications that wish to examine the data belonging to a stream in its full context, rather than just taking it out of context as a single packet. Routing and other decisions are typically done wholly on the information provided within the single packet, but if a particular pattern is being searched for in a stream, it is desirable to find it even if it spans across the boundaries between two or more packets. Thus, to do proper searching of streams it is essential to provide some mechanism for dealing with fragmented and out of order packets.

[0009] Searching in networking and other computer disciplines can be done in a variety of ways. Typically a set of "rules" or "patterns" is used to describe the contents to be searched for, and then algorithms are used that apply these "rules" or "patterns" across the data to be searched. These are often described using a construct known as a regular language. Regular languages are most often expressed as regular expressions. Regular languages and expressions are well known prior art, but come in a variety of different types, some of which are standardized, some are not. Once an expression to be searched for has been defined as a regular expression it is typically acted upon by an algorithm to produce what is lαiown as a finite automaton. This finite automaton can be "executed" to search for patterns; this execution involves the calculation of a transition function, which defines transitions from one state of the finite automaton to another state of the finite automaton, each transition being triggered by a single piece of input, called a symbol, from the data being searched.

[0010] High speed searching of data streams given a set of constraints, including the reassembly of the streams, a large pattern database comprising thousands of patterns, at high throughput with low delay, is complex and difficult to achieve. Current methods generally require software running on general purpose CPUs and have great difficulty meeting all the constraints; some manage by sacrificing several of the goals, such as drastically limiting the size of the pattern database, and the form those patterns can take. Some current methods use specialized hardware solutions, with application specific integrated circuits to attempt to meet the competing needs. This does not provide a comprehensive general solution, and often fails to address the hard problems such as allowing large pattern databases. These and possibly other limitations of these conventional techniques can be found throughout the present specification and more particularly below.

[0011] What is needed is a way of searching computer network traffic for patterns at higher (e.g., current network speeds), without placing undue restrictions on the size, complexity or number of patterns. This can be achieved using specialized technology, and is the subject of this invention.

SUMMARY OF INVENTION [0012] According to the present invention, techniques for computer networking security applications are provided. More particularly, the invention includes an integrated circuit implementation of an apparatus for signature based network applications acting upon network packets and stream data at wire-speed. According to a specific embodiment, the invention includes an apparatus and method for high throughput (e.g., 10,000,000 bits per second and greater) flow classification of packets into network streams, packet reassembly of such streams (where desired), filtering and pre-processing of such streams (including protocol decoding where desired), pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. Merely by way of example, the invention has been applied to networking devices, which are been distributed throughout local, wide area, and world wide area networks. [0013] In a specific embodiment, the invention provides an integrated circuit apparatus for high throughput pattern matching in network applications. The apparatus comprises a rigid support member (e.g., printed circuit board, substrate, silicon substrate, integrated circuit module) comprising a connector region, which has a network connection region and a host connection region. The rigid support member has a selected width and a selected length. The selected width and selected length are adapted to couple via the connector region into a network system. Preferably, the connector region is directly connected into a common interface bus. One or more hardware modules (e.g., integrated circuits, integrated circuit modules) is disposed (e.g., solder bumps) onto and coupled to the rigid support member. Preferably, the one or more hardware modules includes a network interface module coupled to the rigid support member.

[0014] Preferably, the network interface module includes one or more network interface ports. The one or more network interface ports is coupled via the connector region to a packet based network. The one or more network interface ports contains one or more ingress network ports. A network interface bus is coupled to the rigid support member. The network interface bus is adapted to interface the network interface module to the network module. A network module is coupled to the rigid support member. The network module is coupled to the network interface bus. A network event module is coupled to the rigid support member. The network event module is coupled to the network module. A memory module is coupled to the rigid support member and the memory module is coupled to the network event module and the network module. The memory module includes a pattern memory. The pattern memory is associated with a plurality of pre-stored patterns. A host interface module is coupled to the rigid support member and is coupled to the network event module, or the network module, or both. A host interface bus is coupled to the rigid support member. The host interface bus is coupled to the host interface module and is capable of connecting to the host system via the connector region. In a specific embodiment, the invention can use one or more pre-stored patterns. The pre-stored patterns can include regular expressions, n-gram expressions (e.g., tuple of symbols), among others.

[0015] Preferably, the memory module additionally comprises a feature memory; which is associated with a plurality of pre-stored features. A rule memory is also associated with a plurality of pre-stored rules. The network module includes a feature extraction device, which is coupled to the network module and the memory module. The feature extraction device is also capable of identifying a feature association according to a feature extraction algorithm. According to a specific embodiment, the feature extraction algorithm identifies a feature association based upon examination of one or more packets according to some predetermined functionality. The feature association identifies one or more of a plurality of pre- stored features. The pre-stored features are stored in a feature memory. A policy device is coupled to the feature extraction device and the memory module. The policy device identifies a rale association based upon the feature association identified by the feature extraction device according to a policy algorithm. The policy algorithm identifies the rule association by examining the feature association according to some pre-determined functionality. The rule association identifies one or more of a plurality of pre-stored rules, which are stored in a rule memory.

[0016] According to a specific embodiment, the feature extraction algorithm can be an approximate pattern matching process for at least one or more of the predetermined patterns. Preferably, the approximate pattern matching process is performed on streams of data from text files of data, text streams of data, binary files of data, binary streams of data, audio streams of data, audio files of data, video streams of data, video files of data, multimedia streams of data, and multimedia files of data, any combination of these, and the like. In alternative embodiment, the measure of approximation in the approximate pattern matching process is an edit distance, which can be the number of insertions, deletions or substitutions desired to exactly match the pattern. The measure of approximation in the approximate pattern matching process can also be related to human perception, among other factors.

[0017] In an alternative specific embodiment, the invention provides a method for performing high throughput pattern matching. The high throughput pattern matching operation is performed using one or more of a plurality of patterns; which are defined by a Regular Language as understood in the art. The patterns are defined by a Regular Language. The Regular Language is implemented as a Finite Automaton. The Finite Automaton includes a transition table representation of the Regular Language. The transition table describes a transition function for the Finite Automaton. The transition table is adapted to be stored in a compressed form. The compressed form is adapted such that the transition function of the Finite Automaton is able to be computed from the compressed form in a maximum time that is constant with respect to the size of the compressed form. Preferably, the pattern matching is provided at wire speed in an efficient and cost effective manner. [0018] In yet an alternative specific embodiment, the invention provides an apparatus for performing high throughput pattern matching. The high throughput pattern matching operation is performed using one or more of a plurality of patterns. The patterns are represented as a single pattern database. The single pattern database comprises the patterns from one or more of a plurality of applications. The pattern matching operation is able to uniquely identify the application from the matching pattern. The Finite Automaton includes a transition table representation of the Regular Language. The transition table describes a transition function for the Finite Automaton.

[0019] In still a further alternative embodiment, the invention provides a method for converting a network system into an accelerated signature based network system. The method includes providing a network system. The network system comprises a host memory coupled to the host processor, a host interface bus coupled to the host processor, and a host connector coupled to the host interface bus. The method also includes providing an Integrated Circuit Apparatus for high throughput pattern matching for network applications. The apparatus a rigid support member comprises a connector region, which includes a network connection region and a host connection region. The rigid support member has a selected width and a selected length. The selected width and selected length are adapted to couple via the connector region into a network system.

[0020] Preferably, one or more hardware modules is disposed onto and coupled to the rigid support member. The one or more hardware modules includes a Network Interface Module coupled to the rigid support member. The Network Interface Module includes one or more network interface ports. The one or more network interface ports is coupled via the connector region to a Packet Based Network. The one or more network interface ports contains one or more ingress network ports. A Network Interface Bus is coupled to the rigid support member. The Network Interface Bus is adapted to interface the Network Interface Module to the Network Module. A Network Module is coupled to the rigid support member. The Network Module is coupled to the Network Interface Bus. A Network Event Module is coupled to the rigid support member. The Network Event Module is coupled to the Network Module. A Memory Module is coupled to the rigid support member. The Memory Module is coupled to the Network Event Module and the Network Module. The Memory Module includes a Pattern Memory. The Pattern Memory is associated with a plurality of pre-stored patterns. A Host Interface Module is coupled to the rigid support member. The Host Interface Module is coupled to the Network Event Module and/or the Network Module. A Host Interface Bus is coupled to the rigid support member. The Host Interface Bus is coupled to the Host Interface Module. The Host Interface Bus is capable of connecting to the host system via the connector region. The method includes connecting the host interface connector region of the Integrated Circuit Apparatus with the host connector on the network system to mechanically and electrically couple the host interface bus of the network system to the host interface bus of the Integrated Circuit Apparatus.

[0021] Additionally, the method includes transferring selected driver software to the network system. The driver software is configured to facilitate communication between the Integrated Circuit Apparatus and the network system via the host interface bus. The method includes initializing the Integrated Circuit Apparatus via the driver software.

[0022] In an alternative specific embodiment, the invention provides a method for signature based pattern recognition using an Integrated Circuit Apparatus. The method includes providing an Integrated Circuit Apparatus for high throughput pattern matching for network applications. The apparatus includes a rigid support member comprising a connector region. The connector region includes a network connection region and a host connection region.

The rigid support member has a selected width and a selected length. The selected width and selected length are adapted to couple via the connector region into a network system.

[0023] Preferably, one or more hardware modules is disposed onto and coupled to the rigid support member. The one or more hardware modules including A Network Interface Module coupled to the rigid support member. The Network Interface Module includes one or more network interface ports. The one or more network interface ports is coupled via the connector region to a Packet Based Network. The one or more network interface ports contains one or more ingress network ports. A Network Interface Bus is coupled to the rigid support member. The Network Interface Bus is adapted to interface the Network Interface Module to the Network Module. A Network Module is coupled to the rigid support member. The Network Module is coupled to the Network Interface Bus. A Network Event Module is coupled to the rigid support member. The Network Event Module is coupled to the Network Module. A Memory Module is coupled to the rigid support member. The Memory Module is coupled to the Network Event Module and the Network Module. The Memory Module includes a Pattern Memory. The Pattern Memory is associated with a plurality of pre-stored patterns. A Host Interface Module is coupled to the rigid support member. The Host Interface Module is coupled to the Network Event Module and/or the Network Module. A Host Interface Bus is coupled to the rigid support member. The Host Interface Bus is coupled to the Host Interface Module. The Host Interface Bus is capable of connecting to the host system via the connector region.

[0024] Additionally, the method includes transferring information from a Packet Based Network to a network interface port and transferring the information from the network interface port through a network interface bus. The method includes receiving the information from the network interface bus at a processing unit and identifying an association between one or more packets and a flow from the information using the processing unit. The one or more packets are reordered into one or more respective flows. The method also includes determining if the one or more packets for the one or more respective flows is associated with a signature based pattern stored in memory through a memory bus coupled to the processing unit, where upon the determining occurs using the memory having a random access time of less than 8 nanoseconds. A signal is initiated to a policy engine based upon the determining step.

[0025] Numerous benefits and/or advantages can be performed using the present invention over conventional techniques. According to a preferred embodiment, the invention can also perform pattern matching with high throughput. For embodiments of the invention where Finite Automata are used to implement the pattern matching as part of the Feature Extraction Device, the transition function used by the Finite Automaton should have a constant time complexity that guarantees transitions can be achieved within a fixed bound, the fixed bound being defined by the throughput to be achieved. This is achieved, in part, by using memories with low random access times, such as modern static RAMs.

[0026] In an alternative specific embodiment, the invention also conserves memory usage by the pattern database, without unduly restricting the number of patterns in the pattern database. This can be achieved using compression technologies such as those described in United States provisional patent 60/473,373 filed May 23, 2003, commonly assigned, and titled "Apparatus and Method for Large Hardware Finite State Machine with Embedded Equivalence," and United States provisional patent No. 60/454,398 filed on March 12, 2003, commonly assigned, and titled "Apparatus and Method for Memory Efficient Programmable Pattern Matching Finite State Machine Hardware." Alternatively, other similar technologies, obvious to those trained in the art, to reduce the size of the memory footprint for the transition tables can also be used. A key to these technologies is their low and constant latency overhead, which not only results in compact memory usage, but also high throughput. This lower memory usage results in either a lower cost for production of a given system, or a larger capacity of signatures for a given cost of system.

[0027] Alternatively, the present invention including the apparatus can be adapted to fit within a wide range of existing and new network systems by being of a generic form factor and connecting through a standard hardware interface requiring no hardware re-engineering of the network system in order for it to be adapted to use the apparatus. Multiple applications can run simultaneously. The multiple applications are able to have separate databases and separate rule databases yet have the hardware apparatus run all applications simultaneously at wire speed; wire speed being the maximum throughput possible for the given physical medium in use according to other embodiments. In other aspects, the invention provides pattern databases, rule sets, and hence applications that can be updated through the host or the network without manual intervention as either new signatures are provided or new applications. The architecture being designed in such a way as to provide a common format for signature based services.

[0028] Still further, the invention provides for minimizing upper bound worst case jitter and latency. This is accomplished through implementing core network functions in hardware, rather than in software such as in the kernel of a computer operating system or in a software TCP/IP stack. Furthermore combining these network functions with pattern matching functions in hardware, so that they are tightly coupled, results in a system with lower latency and jitter.

[0029] Still further, this invention allows for protocol decoding to be tightly coupled to these network and pattern matching functions so that, in hardware, packets can: be received, classified and reordered; be decoded according to protocol definitions, and have multiple application pattern matching applied. The result of this is that systems can now gain a deeper understanding of network traffic at wire speed, resulting in more accurate signature matching, while also resulting in a system with lower latency and jitter.

[0030] Additionally, the invention allows for regular expressions that can be searched for in some embodiments of the invention be further extended to include "temporal regular expressions". Temporal regular expressions being any expanded set of regular expressions that contain a temporal component. This temporal component allows searching across the data content, but with the additional benefit of being able to utilize information about relative and absolute timing information.

[0031] It is a further benefit of this invention to overcome quality of service problems with running network and pattern matching algorithms used in security applications in software according to a specific embodiment. A class of denial of service attacks exploiting algorithmic deficiencies has emerged exacerbating the existing inability to process network data byte by byte in real-time. These low-bandwidth attacks exploit the fact that many algorithms that run in software have 'average case' rarrtiing times that are much more efficient than 'worst case' running times. An attacker, carefully crafting input can deliberately cause these algorithms to have input causing them to run in the worst case running time. See, for example, "Denial of Service via Algorithmic Complexity Attacks", Scott A. Crosby, Dan S. Wallach, Department of Computer Science, Rice University. These problems may exist in many software implementations of the regular expression matching library (regexp), where input data can cause the regexp matching to process in exponential running time. See, Tim Peters, [Python-Dev] Algorithmic Complexity Attack on Python dated Saturday May 31 , 2003. Many pattern matching security systems make use of this library and are hence vulnerable to this style of algorithmic attack. Most systems that do not use regexp instead make use of variations of simplistic literal (exact) matching, and as a result can easily be fooled by an attacker crafting the attack to avoid the exact pattern being looked for. Preferably, the invention provides for wire speed pattern matching overcomes these deficiencies by pattern matching input data in real-time, while still allowing the full power of regular expressions in the pattern database. One or more of these benefits may be included in the embodiments described herein. These and other benefits are described throughout the present specification and more particularly below. BRIEF DESCRIPTION OF THE DRAWINGS

[0032] Figure 1 depicts a typical network environment including of a Packet Based Network [100], a number of network systems [101], [102], [103] and a number of hosts connected to a Local Area Network (LAN) [104] according to an embodiment of the present invention.

[0033] Figure 2 depicts an embodiment of the Integrated Circuit Apparatus of this invention on a rigid support member (such as a card) [201] according to an embodiment of the present invention. [0034] Figure 3 depicts a block diagram of an embodiment of the Integrated Circuit Apparatus [300] according to an embodiment of the present invention.

[0035] Figure 4 depicts a functional block diagram of an embodiment of the Integrated Circuit Apparatus running in a look-aside (passive) mode of operation according to an embodiment of the present invention.

[0036] Figure 5 depicts a functional diagram of the Integrated Circuit Apparatus running in a look-aside (passive) mode of operation with the inclusion of a Protocol Decoder [513] according to an embodiment of the present invention.

[0037] Figure 6 depicts a functional diagram of an embodiment of the Integrated Circuit Apparatus running in a look-aside (passive) mode of operation with the inclusion of an Update module [614] according to an embodiment of the present invention.

[0038] Figure 7 illustrates that in one embodiment of the present invention multiple sets of patterns [701, 702, 703, 704], one for each application that is executing on the Apparatus, will be present in the Memory [700] of the Apparatus according to an embodiment of the present invention.

[0039] Figure 8 is a flowchart of several of the processes running according to an embodiment of the present invention.

[0040] Figure 9 depicts a flow classification process according to an embodiment of the present invention.

[0041] Figure 10 depicts a functional block diagram of the present invention including the configurable insertion of flexible Stream Processor Blocks [1005] between each of the functional units [1000, 1001, 1002, 1003, 1004] according to an embodiment of the present invention.

[0042] Figure 11 depicts an example taxonomy of Stream Processors according to an embodiment of the present invention.

[0043] Figure 12 depicts an example representation of a plurality of patterns by a Regular Language and method for matching against compressed representation of the Regular Language according to an embodiment of the present invention. [0044] Figure 13 is a flowchart for converting an existing network system into an accelerated signature based network system according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION [0045] According to the present invention, techniques for computer networking security applications are provided. More particularly, the invention includes an integrated circuit implementation of an apparatus for signature based network applications acting upon network packets and stream data at wire-speed. According to a specific embodiment, the invention includes an apparatus and method for high throughput flow classification of packets into network streams, packet reassembly of such streams (where desired), filtering and preprocessing of such streams (including protocol decoding where desired), pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. Merely by way of example, the invention has been applied to networking devices, which are been distributed throughout local, wide area, and world wide area networks.

[0046] In a specific embodiment, the invention comprises an apparatus and method for performing pattern matching for network applications using specialized hardware. This present architecture allows the implementation of high throughput signature based network applications on packet based networks up to wire speed. The novel architecture specifically includes hardware support for pattern matching networking and security operations. This architecture is suited to high performance security systems based upon signature matching. These systems include Intrusion Detection Systems, Intrusion Prevention Systems, Antivirus Gateways, Email Scanning Gateways, Content Filtering Systems, Anti-spam Systems, Content Protection Systems, Bandwidth/Quality of Service Management, Content Monitoring Systems, Network Monitoring Systems, and many others. Another novel aspect of the invention is that the apparatus is adapted to couple to a variety of network systems including Firewalls, Network Appliances, Security Appliances, Servers and other Network Equipment, which have been described in more detail below.

[0047] Figure 1 depicts several examples of network systems which could be coupled to different embodiments of the apparatus. These examples are merely illustrative and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize many variations, alternatives, and modifications. These examples include a look-aside network system at [101], an inline network system at [102] and a network server at [103], and possibly other elements. In this example, the network systems has a Look-aside Gateway Monitoring Device (e.g. network monitor or Intrusion Detection System) [101], a Gateway System (e.g. Router, Firewall or Switch) [102] connecting the LAN to the Packet Based Network [100] and a Host System (e.g. Workstation, Fileserver or Mail Server) [103] connected to the LAN (Communication is achieved between each of the network systems and other systems on both the LAN and Packet Based Network, through a variety of network protocols). At a low level, this data is broken into a series of segments known as packets. These packets are then routed independently across the network from source to destination, and as a result may take different paths and arrive out of order. The packets are then reassembled at the destination to recreate the original data stream. Further details of the present apparatus can be found throughout the present specification and more particularly below.

[0048] The apparatus [201] is shown in Figure 2. This figure is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognizes many variations, modifications, and alternatives. This apparatus may be coupled to a network system [200] through a connector region. Embodiments of the connector region which connect to the Host System include PCI and Compact-PCI standards which define the electrical and mechanical interfaces. The rigid support member has a selected width and selected length, being adapted to couple into a network system [200] such as network appliance, server or network node. Preferably, the rigid support member is suitable to server as a substrate (e.g., printed circuit board, silicon substrate, integrated circuit package) for a number of integrated circuit devices and other hardware, which will be used to implement an embodiment of the present invention. The rigid support member also includes a common bus, which can be coupled to any conventional network appliance, server, or network node.

[0049] The apparatus includes a number of modules for performing high throughput analysis (e.g., wire speed) on network traffic as shown in Figure 3. This figure is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognizes many variations, modifications, and alternatives. Signals are received from the ingress network port within the Network Interface Module [301] according to the physical transmission medium (e.g. optical, electrical). Data is extracted from these signals in the form of bits. This data is passed to the Network Module [302] over the Network Interface Bus [301] (These bits then undergo a number of network preprocessing functions in order to extract the relevant data content). The data is packed into packets before being classified into a flow by the Flow Classification Device. The packet is then placed in Flow Memory (within the Memory Module [308]) until the Flow Assembler Device uses the packet to reconstruct a flow. The flow is then decoded according to pre-defined protocols (e.g. by the Protocol Decoder), filters and preprocessors to produce data content streams.

From these data content streams relevant features are extracted by the Network Event Module [307] (The feature extraction can be thought of, in one embodiment, as a pattern matching process with a database of signatures provided by Pattern Memory within the Memory Module). The extracted features then trigger a message to the Policy Device, which interprets these features according to policies and rules (as provided by the Rule Memory), generating events and actions which are communicated to the Host System [304] via the Host Interface Module [309] and Host Interface Bus [310].

[0050] The Host Interface Bus being a standard hardware bus (e.g. PCI) so that the Integrated Circuit Apparatus can easily be integrated with a wide range of existing network equipment. Also coupled to the apparatus is an Update Module [311], which is controlled either by the Host System or a remote device across the Packet Based Network (coupled to the Network Interface Port via the Connector Region [301]). The Update Module adapting to update any of the memories within the Memory Module, so as to provide updates to patterns, protocol definitions, rales and other device properties.

[0051] The apparatus connects to a Packet Based Network through the connector region [303]. One embodiment of this connector region is the RJ-45 connector for IEEE 802 Ethernet. Alternatively, the network can include, among others, SONET, ATM, and others. Packets are received from the Packet Based Network through this region by the Network Interface Module [301], which may include a number of ingress network ports. One embodiment of the Packet Based Network is an Internet Protocol (IP) network. The Network Interface Module handles the translation of incoming electrical or optical signals into digital bits, and assembles those bits into packets according to a predefined specification (e.g. in one embodiment the IEEE802 Ethernet specification). The Network Interface Module couples to a Network Module [302] via a Network Interface Bus [305]. The Network Interface Bus in several embodiments includes the UTOPIA, SPI-3 and CSIX bus standards.

[0052] The Network Module includes a number of devices which take these digital bits and perform network processing functions. The Network Module receives packets of data from the Network Interface Module and provides the Network Event Module [307] with decoded, contiguous streams of data. In one embodiment, the Network Module may be provided by a single Network Processing Unit (NPU), and in others by a combination of integrated circuits, such as an NPU and Classification Processor. The Network Module is coupled to a Memory Module [308], which provides memory for a variety of devices and databases as explained herein. The Network Module provides a Flow Classification Device, which is responsible for identifying an association between each incoming packet and a flow, where a flow is a predetermined sequence of packets from a source address to a destination network address. The Flow Classification device then identifies the flow queue within Flow Memory (provided by the Memory Module) on which to place the packet, according to this association. The Flow Classification Device is coupled to a Flow Assembler Device, which manages the flow queues on a per-flow basis for these incoming packets, and effectively reorders the packets, according to a predetermined specification. In one embodiment, this specification would be TCP/IP. The Flow Assembler may, in one embodiment, couple to a Protocol Decoder which in turn is coupled to Protocol Memory, provided by the Memory Module. The Protocol

Memory contains a plurality of network protocol definitions, which are used by the Protocol Decoder to identify salient protocol features from the network flow. In one embodiment, examples of such features maybe source and destination email addresses as part of an SMTP e-mail message.

[0053] An embodiment ofoperation ofthe Network Module is illustrated in Figure 9. As shown, Figure 9 depicts the flow classification process for one embodiment of the present invention, h [900] packets from multiple flows arrive serially and possibly out of order. In [901] the first step in flow classification is to determine on which flow queue to place each packet. In [902] each packet is placed in such a queue and the queue is sorted into correct sequence as determined by some pre-determined algorithm (e.g. sequence numbers in TCP/IP).

[0054] Referring back to Figure 3, the Network Event Module [307] includes a number of devices, and analyses whole network streams to extract relevant features and then apply rules (or policy) to these features in order to signal, via events, the Host Interface Module [309]. hi one embodiment, the Network Event Module is searching streams of data using pattern matching algorithms, and then analyzing these matches according to a rule set, in order to then notify the Host System of relevant network events. In one embodiment, the Network Event Module is provided by a Field Programmable Gate Array (FPGA). Incoming data streams from the Network Module are passed to the Feature Extraction Device, which identifies features of importance; a matchable representation of these features being stored within a Pattern Memory provided by the Memory Module.

[0055] In some embodiments of the invention, these patterns may be compiled representations of Regular Expressions, Deterministic Finite Automata, Berkeley Packet Filter expressions, or Approximate Signatures. In some embodiments, these databases of signatures may relate to a plurality of distinct applications executing simultaneously. Matched features are passed to a Policy Device, which analyses the features in relation to a database of rules, provided by the Rule Memory within the Memory Module. These rales are used to make higher level decisions based upon a predetermined schema, as provided by the applications related to these rules. In some embodiments, this allows aggregation of matched features (important in denial-of-service attack detection for Intrusion Detection Systems), or selective rule set enabling (e.g. enabling a rule subset based upon a network event or to provide pre-specified performance characteristics). In some embodiments, these databases of rales may relate to a plurality of separate applications executing simultaneously. The Policy Device may, as a result of a rale, identify an action that needs to be performed. In some embodiments, such actions may include signaling the Host System via the Host Interface Module, signaling the Network Module to drop or modify (in the case that the apparatus is inline) a packet or plurality of packets, or triggering a counter or timer.

[0056] The Host Interface Module may be coupled to the Network Event Module and/or the Network Module. The Host Interface Module is responsible for the interfacing of the apparatus modules with the Host System. The Host Interface Module is coupled to the Host System via the Host Interface Bus [310], via the host component of the connector region [304]. In one embodiment, this may be communications across a PCI bus, where the PCI standard defines the characteristics of the Host Interface Bus and Connector Region. In one embodiment, the Host Interface Module is provided by a separate ASIC or FPGA. Here, a example of a suitable FPGA or ASIC has interfaces to low latency RAM, at least 5,000 logic cells, multiple clocking domains, internal block RAM and a high speed data bus. As merely an example, the FPGA can be one such as the Virtex 2 Pro manufactured by Xilinx, hie, but can be others. In another embodiment it may include an NPU, where the NPU has multiple processing units (e.g. micro-engines), an interface to multiple banks of low latency RAM and a high speed data bus. As merely an example, the NPU can be an IXP 2400 manufactured by Intel Coφoration. Of course, one of ordinary skill in the art would recognize many other variations, alternatives, and modifications.

[0057] In one embodiment, the Host Interface Module will facilitate the signaling of the Host System by the Network Event Module according to triggered rales and/or actions. In one embodiment, the Host Interface Module is coupled to an Update Module [311], and facilitates communications between the Update Module and the Host System, so that the Update Module may update one or more of the databases provided within the Memory Module.

[0058] The Update Module is responsible for the management of the databases provided within the Memory Module. In embodiments of the invention, the Update Module is responsible for the updating of the patterns in the Pattern Memory, the protocol definitions in the Protocol Memory and the Rule databases in the Rule Memory. In certain embodiments, the Update Module may authenticate this process via the Authentication Device according to a pre-determined specification. The Authentication Device, in some embodiments, will do so in a cryptographically strong manner to maintain authenticity, integrity and confidentiality of the updates. In some embodiments the Authentication Device may provide hardware support for the acceleration of cryptographic primitives. In some embodiments the updates are provided by the Host System via the Host Interface Module, and in other embodiments, by a remote system on the Packet Based Network via the Network Module (possibly connected to the Apparatus on a separate Management Interface).

[0059] hi some embodiments the Integrated Circuit Apparatus may be operating in-line such that triggered rales make decisions to drop or modify packets, before passing such packets out on an egress network interface, being provided by the Network Interface Module. In such an embodiment, the Network Event Module will identify such a decision, and signal the Network Module to perform the operation in its Flow Post Processor.

[0060] In Figures [4, 5, 6], different embodiments of the Integrated Circuit Apparatus are represented, showing the data flow from the Packet Based Network, through to the Host System. Referring to Figure 4, the Integrated Circuit Apparatus executes network applications on packets arriving from the Packet Based Network [400]. The packets are first received via the Network Interface Port [401], where they are translated from physical signals (e.g. electrical, optical) into bits and arranged into packets of data. These packets of data are then passed to a Flow Classification Device [402] that associates each packet with a network flow. These packets are then assembled into flows by the Flow Assembler Device [403]. The Flow Assembler Device then passes data, in the form of reassembled flows, through to a Feature Extraction Device [404]. The Feature Extraction Device identifies patterns or signatures within these flows from a database of patterns [410] stored within a Pattern Memory [409], and signals successful matches to the Policy Device [305]. The Policy Device associates one or more matches with events according to a database of rales [412] stored in a Rule Memory [411], translating the matches into network events and associated actions. The Policy Device communicates to the Host System [406] messages about these events, actions and other state information via the Host Interface Device [407]. Depending upon the embodiment, the messages can include an access control list update message, an audit message, an event message, an alarm message, a status message, a query message, an update message, a management message, an error message, a warning message, any combination of these and the like. The Host Interface Device couples to the Host System through the Host Interface Port [407], which translates the message bits into physical signals suitable for transmission.

[0061] Referring to Figure 5, the packets are received via the Network Interface Port [501], where they are translated from physical signals (e.g. electrical, optical) into bits and arranged into packets of data. These packets of data are then passed to a Flow Classification Device [502] that associates each packet with a network flow. These packets are then assembled into flows by the Flow Assembler Device [503]. The Flow Assembler Device then passes data in the form of reassembled flows through to a Protocol Decoder, which parses the flows according to network protocol descriptions into protocol content flows. These protocol content flows are then passed to the Feature Extraction Device [504]. The Feature Extraction Device identifies patterns or signatures within these protocol content flows from a database of patterns [510] stored within a Pattern Memory [509], and signals successful matches to the Policy Device [505]. The Policy Device associates one or more matches with events according to a database of rales [512] stored in a Rule Memory [511], translating the matches into network events and associated network actions. The Policy Device communicates to the Host System [508] messages about these events, actions and other state information via the Host Interface Device [506]. The Host Interface Device couples to the Host System through the Host Interface Port [507], which translates the message bits into physical signals suitable for transmission. [0062] Figure 8 shows logical operations within the apparatus in embodiments of the invention. A high level description of these operations is as follows: in one process [800], packets are received from an ingress network interface, classified as belonging to a flow and queued in Flow Memory. In a second process [801], packets are read from the Flow Memory, reassembled into a contiguous flow. In a third process [802], these reassembled flows are then analyzed for relevant features, the identification of which, desires a decision to be made, based upon a rale database, as to whether to trigger an action, notify the host and the like. In some embodiments, the Integrated Circuit Apparatus is operating in a flow through mode of operation, hi this mode, a fourth process [803], takes packets that have been processed, and may drop them completely or modify them before they are transmitted on an egress network interface.

[0063] Diagram [800] shows the packet receipt process, which includes: waiting for a packet to become available on an ingress network interface port, receiving such packet, classifying the packet according to a flow, then placing the packet in Flow Memory. Diagram [801] shows another process that waits for such packets to be queued in Flow

Memory, then reassembles such packets into flows before placing them on one of the Pattern queues. Diagram [802] depicts a further process which checks the pattern queues for ready data; then removes such data off the queue, updating the context of the device to that of the flow of the current data, extracting the features that are found from such a flow. If no features are found, then the process waits for the next available packet, otherwise it triggers any rales that may be associated with the triggered feature. If the rule is associated with an action, the process then triggers the associated action (e.g. flagging, the notification of the Host System, to drop or modify the packet). Should the host warrant notification by the rule, a message is then passed to the Host System with any relevant information (e.g. packet data or digests of such). [803] is a process which rans for some embodiments of the invention (when the apparatus is running in the "flow-through", otherwise known as "active" or "inline", mode of operation). In this case, the process waits for packets in the Flow Memory to be flagged as processed, it then removes the packet from the queue and either drops or retransmits the packet on the egress interface depending on the action being executed.

[0064] Figure 7 illustrates that the Integrated Circuit Apparatus may have multiple procedures running simultaneously on network traffic. Likewise, each application may have its own rule definitions within rule memory. The operation of the modules within this device [600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613] are the same as for Figure 5, with the exception that the Host System [608] may, via the Host Interface Device [606], communicate to the Update Device updates of either of the pattern database, or the rale database. The Update Device controls the management of these updates within the memories [609, 611]. Alternately, the databases may be updated through a management protocol over the Packet Based Network [600] via the Network Interface Module. In such embodiments, each procedure may have its own pattern database in Pattern Memory, and rale database in Rule Memory. Such databases may not necessarily be stored within separate memory blocks in hardware form, and may instead be compact hardware representations within a single database.

[0065] Some embodiments of the invention include Stream Processor Blocks [1005], which can contain several Stream Processors [1006], as shown in Figure 10. Each Stream Processor Block may include one or more Stream Processors [1006]. The Stream Processors can be one or more in a series of algorithmic units that act upon a packet or stream of packets; several examples of the blocks that can be placed in [1006] are shown in Figure 11.

[0066] Figure 11 depicts an example taxonomy of Stream Processors including a Null Processor [1100] which copies data input directly to output with no modification, a MIME Decoder [1101] which decodes MIME encoded data, a Digest Generator [1102] which takes a data stream and outputs some subset or digest of such data (e.g. packet headers), a Unicode Decoder [1103] which decodes Unicode encoded data, an XML Parser [1104] which parses and decodes XML encoded data according to some predetermined specification, a Checksum Verifier [1105] which performs a checksum operation of input data according to some predetermined specification (e.g. CRC-32), a Decompression Processor [1106] which decompresses input data streams according to some predetermined algorithm (e.g. zip), a URL Decoder [1107] which decodes an HTTP encoded URL, a Packet Filter [1108] which filters input data according to some predetermined specification (e.g. BPF), an HTTP Cookie Handler [1109] which parses input data according to the HTML or related specification and decodes a Cookie within the stream and then performs some predetermined function, a Decryption Processor [1110] which decrypts input data according to some predetermined specification (e.g. DES, AES), and a Flood Protector [l l l l] which processes input data according to some predetermined algorithm in order to recognize and/or filter flooding attacks. [0067] As shown, these blocks allow additional computation to be done before the Feature Extraction Device acts upon the data. In one embodiment of the invention, a Decompress Processor might act upon a flow to produce a new set of flow bytes which can now be examined. Because these blocks can be serially configured between other logical modules and devices of the apparatus, a decryption block could be followed by a decompression block. Methods according to alternative embodiments of the present invention are provided throughout the present specification and more particularly below.

[0068] A method for performing high throughput pattern matching according to the present invention is outlined as follows.

[0069] 1. Provide a plurality of patterns defined by a regular language;

[0070] 2. Implement the regular language as a finite automata which includes a transition table to describe the transition function of the finite automata;

[0071] 3. Express the transition table in compressed form such the transition function of the finite automata is able to be computed from the compressed form in a predetermined (e.g., maximum) time that is constant with respect to the size of the compressed form;

[0072] 4. Store the compressed form;

[0073] 5. Match patterns by computing the transition function from the current state of the finite automata and incoming data; and

[0074] 6. Perform other process steps, as desired.

[0075] As shown, the above sequence of steps provides a method for high throughput pattern matching using a Regular language. According to a specific embodiment, the method performs high throughput pattern matching using, for example, the hardware and software described herein. That is, the pattern matching process and storage of patterns can be implemented in the hardware and software features described in one or more of the figures and descriptions. The high throughput pattern matching operation is performed using one or more of a plurality of patterns. The patterns are preferably defined by a regular language; which has been implemented as a finite automaton. The finite automaton includes a transition table representation of the regular language. The transition table describes a transition function for the finite automaton. The transition table is adapted to be stored in a compressed fonn, which is adapted such that the transition function of the finite automaton is able to be computed from the compressed form in a predetermined time (e.g., maximum time) that is constant with respect to the size of the compressed form. Further details of the present method can be found through out the present specification and more particularly below.

[0076] In one embodiment of the invention, the computation of the next state of the finite automata from the current state and incoming data is independent of the size of the compressed transition table, and is constant. In order that high throughput be achieved, this computation should take less than 40 nanoseconds. In another embodiment of the invention, the compressed transition table should occupy less than one-fifth the space of the original transition table. This can be achieved using compression technologies such as those described in United States Provisional Patent Application 60/473,373 filed May 23, 2003, commonly assigned, and titled "Apparatus and Method for Large Hardware Finite State Machine with Embedded Equivalence", and United States Provisional Patent Application 60/454,398 filed on March 12, 2003, commonly assigned, and titled "Apparatus and Method for Memory Efficient Programmable Pattern Matching Finite State Machine Hardware".

Alternatively, other similar technologies, obvious to those trained in the art, to reduce the size of the memory footprint for the transition tables can also be used.

[0077] Further details of the present method are provided according to Figure 12. Merely by way of example, [1200] shows the Regular Language for expressing two example patterns. The first pattern represents the character "a" followed zero or more "b" characters, followed by the character "c". The second pattern represents the literal string "de". The patterns are combined by the " | " symbol which indicates alternation, as familiar to those trained in the art. The ".*" at the front of the Regular Language expression indicates that it can match the patterns anywhere within given data. The finite automata for implementing the Regular Language defined by [1200] is depicted in [1210]. Only the main transitions are shown for clarity. Those trained in the art will recognize the finite automata [1210] as being an implementation of the patterns defined by the Regular Language [1200]. The transition table [1220] expression of the finite automata fully defines all transitions within the automata. This transition table should be compressed in order to conserve memory, and used for matching the patterns against incoming data. The method for performing high throughput pattern matching according to the present invention is outlined in flowchart [1230]. As shown, the flow chart includes processes of start (e.g., initiation), express patterns by regular expression, implement regular language as finite automata, compress transition table from finite automata, store (e.g., memory) transition table in compressed form, and perform patterning matching process. Depending upon the embodiment, certain steps may be combined or even separated further. Additionally, one or more steps may be inserted or even exchanged for others. Depending upon the embodiment, the functionality can be performed in software, hardware, or a combination of hardware and software without departing from the scope of the claims herein.

[0078] A method for converting a network system into an accelerated signature based network system according to the present invention is outlined as follows.

[0079] 1. Provide a network system, e.g., conventional network, IP based, network;

[0080] 2. Provide an integrated circuit apparatus for high throughput signature based network applications;

[0081] 3. Connect the integrated circuit apparatus to the network system, e.g., a firewall, a network management system, an intrusion prevention system, a router, a network switch, a logging system, a network appliance, a security system; an anti- viras system, an anti-spam system, an intrusion detection system, a content filtering system, a network monitoring system, a file server, a mail server, a web server, a proxy server, and

a storage area network system;

[0082] 4. Transfer onto the network system selected driver software which facilitates communications between the network system and the apparatus;

[0083] 5. Initialize the apparatus via a signal generated by the network system; and

[0084] 6. Perform other steps, as desired.

[0085] In one embodiment of the invention, the method involves replacing one or more existing network interface cards in the network system with the apparatus. As shown, the present invention provides a method for converting a network system into an accelerated signature based network system. Further details of the present method are provided according to Figure 13. This diagram is merely an example, which should not unduly limit the scope of the claims herein.

[0086] Preferably, the method includes providing a network system. The network system has one or more input ports. A host processor is coupled to the one or more input ports. A host memory is coupled to the host processor. A host interface bus is coupled to the host processor and a host connector is coupled to the host interface bus. The method also includes providing an integrated circuit apparatus for high throughput pattern matching for network applications. As merely an example, the present apparatus described herein can be used, as well as others. The method also includes connecting the host interface connector region of the integrated circuit apparatus with the host connector on the network system to mechanically and electrically couple the host interface bus of the network system to the host interface bus of the integrated circuit apparatus. The method also transfers selected driver software to the network system. Preferably, the driver software is configured to facilitate communication between the integrated circuit apparatus and the network system via the host interface bus. The method also initializes the integrated circuit apparatus via the driver software. Once the apparatus has been integrated into the networking system, various methods can be performed. An example of such a method is provided in more detail below and well as other portions of the present specification.

[0087] A method for signature based pattern recognition using an integrated circuit apparatus according to the present invention is outlined as follows.

[0088] 1. Provide an integrated circuit apparatus for high throughput signature based network application;

[0089] 2. Transfer information from a packet based network to a network interface port on the apparatus;

[0090] 3. Transfer the information from the network interface port across the network interface bus on the apparatus;

[0091] 4. Receive the information from the network interface bus at a processing unit;

[0092] 5. Identify an association between one or more packets and a flow from the information using the processing unit;

[0093] 6. Place the one or more packets into one or more respective flows, reordering out of order packets;

[0094] 7. Determine if the one or more packets for the one or more respective flows is associated with a pattern stored within the database of patterns, whereupon the determination is performed using a memory having a random access time of less than 8 nanoseconds;

[0095] 8. Send a signal to the policy engine if a match occurs. [0096] As shown, the present invention includes a method for signature based pattern recognition using an integrated circuit apparatus. The method includes providing an integrated circuit apparatus for high throughput pattern matching for network applications. The apparatus can be the one described herein, but can also be others depending upon the embodiment. The apparatus is integrated into a pre-existing network via common interface bus without substantial hardware modifications. Here, the apparatus is merely inserted into the connector for the common interface bus for preferred embodiments. The method then transfers information from a packet based network to a network interface port through the connector and transfers the information from the network interface port through a network interface bus also through the connector. The method receives information from the network interface bus at a processing unit and identifies an association between one or more packets and a flow from the information using the processing unit. Preferably, the method reorders the one or more packets into one or more respective flows and determines if the one or more packets for the one or more respective flows is associated with a signature based pattern stored in memory through a memory bus coupled to the processing unit. The determining occurs using the memory having a random access time of less than 8 nanoseconds in preferred embodiments. The method initiates a signal to a policy engine on the apparatus if an association occurs. Once the apparatus has been integrated into the networking system, various methods can be performed. An example of such a method is provided in more detail below as well as other portions of the present specification. In one embodiment of the invention, the method for signature based pattern recognition further requires the decoding of reordered packets according to specific protocols. The decoding is performed by the processing unit. Some protocols, such as [1104] XML Parsing are shown in Figure 11.

[0097] The previous description of the specific embodiments are provided to enable any person skilled in the art to make or use the present invention. The various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without the use of the inventive faculty. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein. For example, the functionality above may be combined or further separated, depending upon the embodiment. Certain features may also be added or removed. Additionally, the particular order of the features recited is not specifically required in certain embodiments, although may be important in others. The sequence of processes can be carried out in computer code and/or hardware depending upon the embodiment. Of course, one of ordinary skill in the art would recognize many other variations, modifications, and alternatives.

[0098] Although the foregoing invention has been described in some detail for purposes of clarity and understanding, those skilled in the art will appreciate that various adaptations and modifications of the just-described preferred embodiments can be configured without departing from the scope and spirit of the invention. For example, other pattern matching operations may be used, different network and system interfaces may be used, or modifications may be made to the packet processing procedure. Moreover, the described network processing and pattern matching features of this invention may be implemented within separate integrated circuits, or in a single integrated circuit. The present system can also be applied to a variety of applications including intrusion detection, intrusion prevention, firewalling, content filtering, access control, antivirus, network monitoring, traffic filtering, spam filtering, content classification, application-level switching, bandwidth/quality of service management, surveillance, and XML web services, among others. Therefore, the described embodiments should not be limited to the details given herein, but should be defined by the following claims and their full scope of equivalents.

Claims

WHAT IS CLAIMED IS: 1. An integrated circuit apparatus for high throughput pattern matching in network applications, the apparatus comprising: a rigid support member comprising a comiector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the connector region into a network system; one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including: a network interface module coupled to the rigid support member; the network interface module including one or more network interface ports; a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module; a network module coupled to the rigid support member, the network module being coupled to the network interface bus; a network event module coupled to the rigid support member, the network event module being coupled to the network module; a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory being associated with a plurality of pre- stored patterns; a host interface module coupled to the rigid support member, the host interface module being coupled to at least the network event module or at least the network module or both the network event module and the network module; and a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module.

2. Apparatus of claim 1 wherein the network module, the network interface module, the network event module and the host interface module are provided on a single integrated circuit.

3. Apparatus of claim 2 wherein the single integrated circuit is a network processing unit (NPU).

4. Apparatus of claim 2 wherein the single integrated circuit is a reconfigurable logic circuit.

5. Apparatus of claim 2 wherein the single integrated circuit is an application specific integrated circuit.

6. Apparatus of claim 4 wherein the reconfigurable logic circuit is a field programmable gate array (FPGA).

7. Apparatus of claim 1 wherein the network interface module comprises a media access control layer and a physical access layer.

8. Apparatus of claim 1 wherein the integrated circuit apparatus is a multi-stream integrated circuit apparatus, the multi-stream integrated circuit apparatus operates on one or more streams of data simultaneously.

9. Apparatus of claim 1 wherein the rigid support member is selected form at least a printed circuited board (PCB), a silicon substrate, and integrated circuit package.

10. Apparatus of claim 1 where in the network module comprises: a flow classification device, the flow classification device being coupled to the one or more ingress network ports; the flow classification device being capable of identifying one or more packets; the one or more packets being in a first sequence; and identifying a flow out of a plurality of flows to which the one or more packets belong; and a flow assembler device, the flow assembler device being coupled to the flow classification device; the flow assembler device being capable of reordering the one or more packets into a second sequence; the second sequence being a predetermined sequence as determined by the flow.

11. Apparatus of claim 10 wherein the network module additionally comprises a protocol decoder; the protocol decoder being coupled to the flow assembler device; the protocol decoder being adapted to identify the one or more packets in the predetermined sequence and also adapted to process the one or more of the packets in the predetermined sequence to provide payload information from the one or more packets according to one or more protocol definitions.

12. Apparatus of claim 11 wherein the network module additionally comprises a flow post-processor; the flow post-processor being coupled to the network event module; the flow post-processor identifying an association between one or more of a plurality of packets; flow post-processor being adapted to select, using this association, from one or more of a plurality of flow post-processing algorithms; the one or more flow post-processing algorithms being performed on one or more of a plurality of packets.

13. Apparatus of claim 1 wherein the packet based network is an internet protocol (JP ) network.

14. Apparatus of claim 1 wherein the packet based network is asynchronous transfer mode (ATM) network.

15. Apparatus of claim 12 further comprising an update module coupled to the rigid support member, the update module being adapted to update the plurality of pre- stored patterns and the plurality of pre-stored rales; the updated patterns and rales including at least one new pattern or at least one new rule.

16. Apparatus of claim 15 wherein the update module is operable while the pattern matching engine is operable.

17. Apparatus of claim 15 wherein the update module being adapted to update the plurality of pre-stored protocol definitions; the updated protocol definitions including at least one new protocol definition.

18. Apparatus of claim 17 wherein the update module is operable while the protocol decoder is operable.

19. Apparatus of claim 1 wherein the memory module additionally comprises: a feature memory; the feature memory being associated with a plurality of pre- stored features; a rale memory; the rale memory being associated with a plurality of pre-stored rales; the network event module comprises: a feature extraction device; the feature extraction device being coupled to the network module and the memory module; the feature extraction device being capable of identifying a feature association according to a feature extraction algorithm; the feature extraction algorithm identifying a feature association based upon examination of one or more packets according to some pre-determined functionality; the feature association identifying one or more of a plurality of pre-stored features; the pre-stored features being stored in a feature memory; a policy device, the policy device being coupled to the feature extraction device and the memory module; the policy device identifying a rule association based upon the feature association identified by the feature extraction device according to a policy algorithm, the policy algorithm identifying the rale association by examining the feature association according to some pre-determined functionality, the rale association identifying one or more of a plurality of pre-stored rales; the pre-stored rales being stored in a rule memory.

20. Apparatus of claim 19 wherein the feature extraction algorithm is a pattern matching operation; the pre-stored features are one or more of a plurality of pre-stored patterns; the pre-stored patterns are provided by a pattern memory; the pattern memory being provided by the memory module.

21. Apparatus of claim 20 wherein the pre-stored patterns include one or more regular expressions.

22. Apparatus of claim 20 wherein the pre-stored patterns include one or more n-gram expressions, the n-gram expression being a tuple of symbols.

23. Apparatus of claim 20 wherein the feature extraction algorithm is an approximate pattern matching process for at least one or more of the predetermined stored patterns.

24. Apparatus of claim 23 wherein the approximate pattern matching process is performed on a file selected from at least text files of data, text streams of data, binary files of data, binary streams of data, audio streams of data, audio files of data, video streams of data, video files of data, multimedia streams of data, and multimedia files of data.

25. Apparatus of claim 23 wherein the measure of approximation in the approximate pattern matching process is an edit distance; the edit distance is the number of insertions, deletions or substitutions desired to exactly match the pattern.

26. Apparatus of claim 23 wherein the measure of approximation in the approximate pattern matching process is related to human perception.

27. Apparatus of claim 19 wherein the identified rale association signals an action, the action changing the state of the apparatus.

28. Apparatus of claim 27 wherein the action enables one or more of a selection of pre-determined rules in rale memory, the enabling being for a pre-determined quantity of time.

29. Apparatus of claim 1 wherein an update module is coupled to the rigid support member, the update module coupled to the memory module, the update module providing a database manager, the database manager configured to be capable of updating one or more of a plurality of memories within the memory module.

30. Apparatus of claim 29 wherein the update module further comprises an authentication device; the authentication device being adapted to provide cryptographic authentication of the updates being provided to the update module.

31. Apparatus of claim 20 wherein the pre-stored patterns include one or more temporal regular expressions.

32. Apparatus of claim 19 wherein one or more of the pre-stored rules is related to a counting component; the counting component including a counter and a threshold; the threshold being compared against the value of the counter.

33. Apparatus of claim 19 wherein one or more of the pre-stored rales is related to a temporal component.

34. Apparatus of claim 33 wherein the temporal component is selected from at least a quantity of time, an absolute time, infinity, and zero.

35. Apparatus of claim 34 wherein the temporal component is related to a counting component; the counting component including a counter and a threshold; the threshold being compared to the counter; the combined temporal and counter components defining a rate of change.

36. Apparatus of claim 19 wherein the policy device is coupled to the host interface device, the policy device signaling the host interface device with the identified rule association.

37. Apparatus of claim 1 wherein memory module includes one or more memory devices selected from at least random access memories (RAM), content addressable memories (CAM), including ternary content addressable memories (TCAM), and a combination of one or more RAMs and one or more CAMs.

38. Apparatus of claim 1 wherein one or more of the egress network interface ports is a response port; the response port being used to facilitate communications to a remote network system via a signal.

39. Apparatus of claim 38 wherein the remote network system is selected from at least firewall, network management system, intrusion prevention system, router, network switch, and logging system.

40. Apparatus of claim 38 wherein the signal may include one or more of a plurality of messages.

41. Apparatus of claim 40 wherein the one or more of a plurality of messages includes one or more messages selected from at least: an access control list update message; an audit message; an event message; an alarm message; a status message; a query message; an update message; a management message; an error message; and a warning message.

42. Apparatus of claim 1 wherein one or more of the network ports is a management port.

43. Apparatus of claim 42 wherein the management port allows configuration of the device.

44. Apparatus of claim 11 wherein the flow is a bidirectional flow.

45. Apparatus of claim 1 wherein the pre-stored patterns in pattern memory include one or more Berkeley Packet Filter (BPF) patterns or BPF derivatives.

46. Apparatus of claim 1 wherein the pre-stored patterns in pattern memory include one or more Berkeley Packet Filter Plus (BPF+) patterns.

47. Apparatus of claim 1 wherein the pre-stored patterns in pattern memory include one or more subsets of pre-stored patterns; the one or more subsets of pre- stored patterns being related to one or more packet flows.

48. Apparatus of 15 wherein the update module is coupled to a management port; the management port being coupled to an network interface port.

49. Apparatus of claim 1 further comprising one or more of a plurality of stream processing blocks coupled to the rigid support member; the stream processing blocks comprising one or more of a plurality of stream processors wherein each stream processor is characterized by a predefined functionality based upon at least an input sequence of data; each of the stream processors are also characterized by providing an output sequence of data; the output sequence of data is provided according to a predetermined algorithm; and the predetermined algorithm has been provided by the predetermined functionality of each of the stream processors.

50. Apparatus of claim 49 wherein the predetermined functionality for each of the stream processors is programmable through software.

51. Apparatus of claim 49 wherein the stream processing blocks are provided within the network module.

52. Apparatus of claim 49 wherein the stream processors can be selected from one or more processes including: a null stream processor; the null stream processor having a predetermined functionality wherein the output sequence of data is identical to the input sequence of data; a decompression processor; the decompression processor having a predetermined functionality wherein the output sequence of data is typically larger than the input sequence of data and represents a sequence of data of some specific original size and condition; a decoder; the decoder having a predetermined functionality wherein the output sequence of data is determined by the input sequence of data, according to the predetermined functionality; a parser; the parser having a predetermined functionality wherein the output sequence of data is derived from the input sequence of data according to a predetermined specification; a decryption processor; the decryption processor having a predetermined functionality wherein the output sequence of data is determined by the input sequence of data, according to the predetermined functionality; a digest generator; the digest generator having a predetermined functionality wherein a summary of the input sequence of data is generated according to the predetermined functionality; a checksum processor / verifier; the checksum processor or verifier having a predetermined functionality wherein the input sequence of data is checked for correctness; a cyclic redundancy checksum (CRC)'processor / verifier; the CRC processor or Verifier having a predetermined functionality wherein the input sequence of data is checked for corrected according to the cyclic redundancy checksum algorithm; and a filter, the filter having a predetermined functionality wherein the output sequence of data is a reduced set of the input sequence of data.

53. Apparatus of claim 1 wherein the network applications comprise one or more security applications.

54. Apparatus of claim 1 wherein the applications are provided in one or more applications selected from: intrusion detection; intrusion prevention; firewalling; content filtering; access control; antivirus; network monitoring; traffic filtering; spam filtering; content classification; application-level switching; bandwidth/quality of service management; surveillance; and XML web services.

55. Apparatus of claim 1 wherein the network system is one or more network devices, the one or more network devices being selected from: a firewall; a network management system; an intrusion prevention system; a router; a network switch; a logging system; a network appliance; a security system; an anti- virus system; an anti-spam system; an intrusion detection system; a content filtering system; a network monitoring system; a file server; a mail server; a web server; a proxy server; and a storage area network system.

56. Apparatus of claim 1 wherein the host interface bus is selected from: a peripheral components interface bus (PCI); a compact peripheral components interface bus (compact PCI); a peripheral components interface x bus (PCI-X); a peripheral components interface express bus (PCI-express); a universal serial bus (USB); a small computer systems interface (SCSI); and an ISA bus.

57. Apparatus of claim 12 further comprising a defragmentation device coupled to the rigid support member; the defragmentation device being provided by the network module, the defragmentation device being coupled to one or more ingress network ports; the flow classification device being coupled to the defragmentation engine; the defragmentation engine assembling one or more fragmented input packets into a whole unfragmented output packet according to some predetermined specification; the defragmentation engine passing such whole unfragmented output packet to the input of the protocol decoder.

58. Apparatus of claim 57 wherein the predetermined specification is the internet protocol specification.

59. Apparatus of claim 1 wherein the signature based pattern is selected from one or more of a plurality of patterns, the patterns being defined according to a language selected from: a regular language; a temporal regular language; a Berkeley packet filter language; a Linux packet filter language; an approximate pattern language; and a Perl compatible regular expression language.

60. A method for performing high throughput pattern matching wherein the high throughput pattern matching operation is performed using one or more of a plurality of patterns; the patterns being defined by a regular language; the regular language being implemented as a finite automaton; the finite automaton including a transition table representation of the regular language, the transition table describing a transition function for the finite automaton; the transition table being adapted to be stored in a compressed form; the compressed form being adapted such that the transition function of the finite automaton is able to be computed from the compressed form in a maximum time that is constant with respect to the size of the compressed form.

61. Apparatus of claim 1 wherein the pre-stored patterns are defined by a regular language; the regular language being implemented by a finite automaton; the finite automaton including a transition table representation of the regular language, the transition table describing a transition function for the finite automaton; the transition table being adapted to be stored in a compressed form; the compressed form being adapted such that the transition function of the finite automaton is computed from the compressed form in a maximum time that is constant with respect to the size of the compressed form.

62. An apparatus for performing high throughput pattern matching wherein the high throughput pattern matching operation is performed using one or more of a plurality of patterns; the patterns being defined by a regular language; the regular language being implemented as a finite automaton; the finite automaton including a transition table representation of the regular language, the transition table describing a transition function for the finite automaton; wherein the patterns are represented as a single pattern database; the single pattern database comprising the patterns from one or more of a plurality of applications; the pattern matching operation being able to uniquely identify the application from the matching pattern.

63. Apparatus of claim 1 wherein the pre-stored patterns are represented as a single pattern database; the single pattern database comprising the patterns from one or more of a plurality of applications; the pattern matching operation being able to uniquely identify the application from the matching pattern.

64. A method for converting a network system into an accelerated signature based network system, the method comprising: providing a network system, the network system comprising: one or more input ports; a host processor coupled to the one or more input ports; a host memory coupled to the host processor; a host interface bus coupled to the host processor; and a host connector coupled to the host interface bus; providing an integrated circuit apparatus for high throughput pattern matching for network applications, the apparatus comprising: a rigid support member comprising a connector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the comiector region into a network system; one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including: a network interface module coupled to the rigid support member, the network interface module including one or more network interface ports, the one or more network interface ports being coupled via the connector region to a packet based network; a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module to the network module; a network module coupled to the rigid support member, the network module being coupled to the network interface bus; a network event module coupled to the rigid support member, the network event module being coupled to the network module; a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory associated with a plurality of pre-stored patterns; a host interface module coupled to the rigid support member, the host interface module being coupled to the network event module and/or the network module; a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module, the host interface bus being capable of connecting to the host system via the connector region; connecting the host interface comiector region of the integrated circuit apparatus with the host connector on the network system to mechanically and electrically couple the host interface bus of the network system to the host interface bus of the integrated circuit apparatus; transferring selected driver software to the network system, the driver software being configured to facilitate communication between the integrated circuit apparatus and the network system via the host interface bus; and initializing the integrated circuit apparatus via the driver software.

65. The method of claim 64 wherein the initialization of the integrated circuit apparatus includes the transfer of one or more of a plurality of pre-stored patterns from the network system to the integrated circuit apparatus.

66. Apparatus of claim 65 wherein the initialization of the integrated circuit apparatus also includes the transfer of one or more of a plurality of pre-stored protocol definitions from the network system to the integrated circuit apparatus.

67. Apparatus of claim 65 wherein the initialization of the integrated circuit apparatus also includes the transfer of one or more of a plurality of pre-stored rales from the network system to the integrated circuit apparatus.

68. A method for signature based pattern recognition using an integrated circuit apparatus, the method comprising: providing an integrated circuit apparatus for high throughput pattern matching for network applications, the apparatus comprising: a rigid support member comprising a connector region, the connector region including a network connection region and a host connection region, the rigid support member having a selected width and a selected length, the selected width and selected length being adapted to couple via the connector region into a network system; one or more hardware modules disposed onto and coupled to the rigid support member, the one or more hardware modules including: a network interface module coupled to the rigid support member, the network interface module including one or more network interface ports, the one or more network interface ports being coupled via the connector region to a packet based network; a network interface bus coupled to the rigid support member, the network interface bus being adapted to interface the network interface module to the network module; a network module coupled to the rigid support member, the network module being coupled to the network interface bus; a network event module coupled to the rigid support member, the network event module being coupled to the network module; a memory module coupled to the rigid support member, the memory module being coupled to the network event module and the network module, the memory module including a pattern memory, the pattern memory associated with a plurality of pre-stored patterns; a host interface module coupled to the rigid support member, the host interface module being coupled to the network event module and/or the network module; a host interface bus coupled to the rigid support member, the host interface bus being coupled to the host interface module, the host interface bus being capable of connecting to the host system via the connector region; transferring information from a packet based network to a network interface port; transferring the information from the network interface port through a network interface bus; receiving the information from the network interface bus at a processing unit; identifying an association between one or more packets and a flow from the information using the processing unit; reordering the one or more packets into one or more respective flows; determining if the one or more packets for the one or more respective flows is associated with a signature based pattern stored in memory through a memory bus coupled to the processing unit, where upon the determining occurs using the memory having a random access time of less than 8 nanoseconds; and initiating a signal to a policy engine if an association occurs.

69. The method of claim 68 further comprising decoding of the reordered flow from the processing unit according to one or more of a plurality of pre-determined protocol definitions, the pre-determined protocol definitions, the decoding process being adapted to extract salient features of interest from the reordered flow.