1. Field
The following description relates to a network apparatus, and more particularly, to a network apparatus for classifying received packets based on a predetermined standard.
2. Description of the Related Art
With the recent introduction and development of new protocols and applications, the variety and scope of the Internet and network environments have grown enormously. Because of the rapid worldwide expansion of network access, network environments are exposed to various internal and external security threats, and violations of and attacks on information systems have become more sophisticated and harder to deal with. Such malicious access to a system is attempted in order to manipulate, alter, and leak data, causing a variety of legal problems.
The targets of attack have shifted from particular, special information systems to many unspecified information systems; the range of attack has expanded to the entire network, with the aim of neutralizing the network and cutting off network service; and more intelligent techniques are involved in such violations. Moreover, since anyone who accesses the Internet can share information published on the Internet on a global scale, and there is an enormous number of uncensored bulletin board systems and data exchange methods on the Internet, new hacking tools and methods spread easily, which helps mass-produce similar types of hackers.
To protect networks from evolving violations and attacks, a variety of studies have been conducted and a number of attempts have been made to develop security solutions. Primary examples of the security systems developed include a firewall, an intrusion detection system (IDS), an intrusion prevention system (IPS), etc. Such a security system monitors transmitted and received traffic according to security standards; blocks inappropriate access or traffic; detects, analyzes, and processes harmful traffic, such as attack attempts or unauthorized actions, by use of traffic monitoring and attack pattern analysis; and then notifies an administrator of the processing result.
Such a security system can be implemented in software running on a powerful processor, and can cope with changes in various intelligent attacks. However, network speed increases with the development and expansion of network environments, and hence security systems are also required to have high-speed performance and accuracy.
It has been difficult to improve the speed and accuracy of software-based security methods, which cannot keep up with the pace of network development. To overcome such problems, it has been discussed that security tasks performed in software can be offloaded to hardware, which substantially affects security performance and accuracy.
A security system is required to analyze and process packets in real time when under attack, so as to improve its performance and the precision of violation detection. Many network security systems use a signature-based packet detection method. In this method, previously known attacks are analyzed, signatures for identifying attack packets are generated based on the analysis result, and the generated signatures are compared against all packets input to a network so as to detect attacks and violations.
The primary function of the signature-based attack detection method is to search a packet payload for a signature. In signature search, all packets are compared to a plurality of previously stored signatures, and thus a significant amount of system resources is used and overall system performance is affected by the number and size of the signatures. To overcome such drawbacks, new research and methods for the signature search function are necessary.
Conventional hardware-based methods for signature search include a one-to-one comparison method, which compares every input payload with each signature in a signature table; a comparison method utilizing a hash; and a comparison method that divides a signature into parts of a particular length. A combination of these methods may also be used.
However, the one-to-one comparison method takes too much time for comparison and suffers performance degradation if the signature is long. The hash-based method may encounter a hash collision problem. Furthermore, in the method that divides the signature into parts of a given length, the comparison result may be erroneous: even when the comparison shows that all divided parts match parts of a payload, the divided parts may not come from the same signature, and thus accuracy cannot be guaranteed. In addition, since the comparison data of a specific divided part may apply to several signatures, further search and comparison of signatures is required, which complicates the procedure. Moreover, as the length of the signature increases, the amount of data to be compared increases, thereby degrading performance.
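The divided-signature error described above can be reproduced in a few lines. The following is an added example, not part of the original description: the 4-byte fragment length, the signatures SIG_A and SIG_B, the payloads and all function names are constructed for illustration. It shows an alert raised by fragments from two different signatures, and the further per-signature search needed to reject it.

```python
from collections import defaultdict

CHUNK = 4  # fragment length in bytes (assumed for this example)

# Constructed sample signatures, not real attack signatures.
SIGNATURES = {"SIG_A": b"ABCDEFGH", "SIG_B": b"EFGHIJKL"}

def split(sig):
    """Divide a signature into fixed-length fragments."""
    return [sig[i:i + CHUNK] for i in range(0, len(sig), CHUNK)]

def build_table(signatures):
    """Map each fragment to every (signature id, fragment index) using it."""
    table = defaultdict(set)
    for sig_id, sig in signatures.items():
        for idx, frag in enumerate(split(sig)):
            table[frag].add((sig_id, idx))
    return dict(table)

def fragment_hits(payload, table):
    """Return {offset: fragment} for every payload window found in the table."""
    windows = ((o, payload[o:o + CHUNK]) for o in range(len(payload) - CHUNK + 1))
    return {o: w for o, w in windows if w in table}

def naive_alert(payload, table, parts=2):
    """Alert when `parts` adjacent windows all hit the table, without
    checking which signature each hit came from."""
    hits = fragment_hits(payload, table)
    return any(all(o + k * CHUNK in hits for k in range(parts)) for o in hits)

def resolved_matches(payload, table, signatures):
    """Further search: accept a run of hits only if fragment k of one and
    the same signature sits at offset + k * CHUNK."""
    hits, found = fragment_hits(payload, table), set()
    for off, frag in hits.items():
        for sig_id, idx in table[frag]:
            parts = split(signatures[sig_id])
            if idx == 0 and all(hits.get(off + k * CHUNK) == p
                                for k, p in enumerate(parts)):
                found.add(sig_id)
    return sorted(found)

TABLE = build_table(SIGNATURES)
MIXED = b"..ABCDIJKL.."  # constructed: first half of SIG_A, second half of SIG_B
REAL = b"..ABCDEFGH.."   # constructed: contains SIG_A in full

if __name__ == "__main__":
    for name, p in (("MIXED", MIXED), ("REAL", REAL)):
        print(name, naive_alert(p, TABLE), resolved_matches(p, TABLE, SIGNATURES))
```

The fragment `EFGH` maps to both signatures in the table, which is the shared-fragment case that forces the extra lookup.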