The successful transmission of messages over a packet-based network is dependent on a multiplicity of different protocols which prescribe formats for message segments, datagrams and packets in successive layers of encapsulation. For present purposes it is necessary to mention only the link layer, the network layer and the transport layer.
The link layer, or media access control layer, governs the transmission of a packet from one device to another in accordance with the link layer addressing of the devices or network cards that a packet will encounter on its route between source and destination.
A network layer protocol, of which the most common example is IP (internet protocol), provides for proper addressing of source and destination hosts for message segments that travel between different networks. It does not provide any delivery mechanism or guarantee of delivery.
A ‘transport layer’ protocol provides logical communication between processes running on different hosts (i.e. source host and destination host). A common transport layer protocol such as TCP (Transmission Control Protocol) provides for such logical communication and a reliable data transfer service in the sense that it ensures ultimately that successive segments of a message are assembled at a destination host in a complete and correct order. The invention will be described in terms of TCP but the invention may be applied to message segments conforming to any other protocol, herein called ‘ordering transport protocol’, that enables identification and correction of the order in which message segments have been received.
A desirable feature in network communication is the prevention or detection of unwanted intrusion by means of the detection of digital signatures. Such signatures may consist of a succession of characters (e.g. ASCII characters) varying from a few tens of characters to many hundreds of characters. A common technique for the detection of a digital signature is the use of a state machine, e.g. a DFA (deterministic finite-state automaton), which defines each of a multiplicity of signatures as a respective succession of states. The states may each be represented by one or more locations in memory, and a transition may be represented by a pointer which is accessed using the current state and a respective input character; each state may therefore comprise a plurality of locations, each including a respective character and a respective pointer.
In current practice, it is necessary to reassemble the TCP segments in a correct order to ensure that the DFA can check for signatures that transcend boundaries between segments.
Currently therefore, if a TCP segment is missing from a sequence, the DFA is halted and the state thereof is stored. Subsequent segments that arrive in the same traffic flow have to be buffered until the missing segment arrives. Then the DFA is reloaded with the stored state and processing of the traffic flow continues. Such buffering, which may need to accommodate a large number of message segments that may be received while a segment is missing, is inconvenient and provision for it represents an undesirable overhead.
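As an added illustration (not code from the patent), the following Python builds a signature DFA of the kind described above, carries its state across segment boundaries so that a signature split over two segments is still found, and reproduces the current practice of halting the DFA at a missing segment, retaining its state and buffering later segments until the gap is filled. The signatures, sequence numbers and payloads are constructed for the example.

```python
from collections import deque

def build_dfa(signatures):
    # Aho-Corasick automaton: goto[s] maps a character to the next state, fail[s] is the fallback state, out[s] the signatures completed at s.
    goto, out, fail = [{}], [set()], [0]
    for sig in signatures:
        s = 0
        for ch in sig:
            if ch not in goto[s]:
                goto.append({}); out.append(set()); fail.append(0)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(sig)
    queue = deque(goto[0].values())          # depth-1 states keep fail = 0
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]
            queue.append(s)
    return goto, out, fail

def scan(dfa, state, data):
    # Run the DFA over one segment's payload, starting from a saved state.
    goto, out, fail = dfa
    hits = []
    for ch in data:
        while state and ch not in goto[state]:
            state = fail[state]
        state = goto[state].get(ch, 0)
        hits.extend(sorted(out[state]))
    return state, hits

class FlowInspector:
    # Feeds the segments of one TCP flow to the DFA in sequence-number order.
    def __init__(self, dfa, initial_seq):
        self.dfa, self.state, self.hits = dfa, 0, []
        self.expected = initial_seq   # sequence number of the next in-order byte
        self.pending = {}             # seq -> payload buffered while a segment is missing

    def segment(self, seq, data):
        self.pending[seq] = data
        # Drain everything now in order; at a gap the DFA halts with its state kept in self.state and later segments wait in self.pending.
        while self.expected in self.pending:
            chunk = self.pending.pop(self.expected)
            self.state, found = scan(self.dfa, self.state, chunk)
            self.hits.extend(found)
            self.expected += len(chunk)   # ASCII payloads: one byte per character
        return len(self.pending)          # segments still buffered
```

The value returned by `segment` is the number of segments held back by a gap, which is the buffering overhead the text refers to.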