1. Field of the Invention
The present invention relates generally to computer systems, and more particularly but not exclusively to detection of computer viruses.
2. Description of the Background Art
As is well known, antivirus software may be employed to protect a computer network from computer viruses. Typical antivirus software includes a scanning engine and a pattern file, which includes patterns (also referred to as “signatures”) of known viruses. Each pattern in the pattern file identifies a particular virus. The scanning engine compares the patterns against files or other units of data being checked to determine if they include one or more viruses. The pattern file is continually updated to keep up with virus coders. Antivirus software vendors, like Trend Micro, Inc., employ a team of antivirus analysts to monitor for new viruses and develop a pattern for each newly discovered virus.
A network virus is a form of malicious code that attacks a computer network. Unlike file-based viruses, a network virus is detected at the network layer, i.e., by scanning packets of the network traffic. Conventional patterns for detecting network viruses are typically written using regular expressions. A regular expression allows for simple string matching techniques to detect viruses in network traffic. A typical regular expression is a single line of character and string matching operators. Due to their nature, regular expressions do not allow for parsing the data structure of network data stored in a buffer. For example, a typical pattern written using regular expressions only allows for byte-by-byte scanning of a data stream. Because the complexity and destructive potential of viruses continue to increase, what is needed is an improved technique for identifying particular viruses.
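The limitation described above can be seen by running a byte-pattern signature and a structure-aware check over the same buffers. The following is an added illustration, not part of the original text; the record framing (1-byte type, 2-byte length, payload), the type value, the length threshold and all sample buffers are constructed assumptions.

```python
import re
import struct

# Hypothetical framing (assumption, not from the page): each record is a
# 1-byte type, a 2-byte big-endian length, then `length` payload bytes.
SUSPECT_TYPE = 0x02   # constructed: record type the signature targets
MAX_PAYLOAD = 64      # constructed: longest payload treated as normal

def build_record(rtype: int, payload: bytes) -> bytes:
    return struct.pack(">BH", rtype, len(payload)) + payload

# Byte-by-byte pattern: "0x02, two length bytes, then 65 or more bytes".
# It cannot tell where a record starts or what the length bytes mean.
REGEX_SIG = re.compile(rb"\x02.{2}.{65,}", re.DOTALL)

def regex_detect(buf: bytes) -> bool:
    return REGEX_SIG.search(buf) is not None

def parse_records(buf: bytes):
    """Yield (type, payload) pairs by following each record's length field."""
    offset = 0
    while offset < len(buf):
        if offset + 3 > len(buf):
            raise ValueError("truncated record header")
        rtype, length = struct.unpack_from(">BH", buf, offset)
        offset += 3
        if offset + length > len(buf):
            raise ValueError("record length exceeds buffer")
        yield rtype, buf[offset:offset + length]
        offset += length

def structured_detect(buf: bytes) -> bool:
    # The type is read only at record boundaries; the length is compared as a number.
    return any(t == SUSPECT_TYPE and len(p) > MAX_PAYLOAD
               for t, p in parse_records(buf))

# Constructed sample buffers.
SUSPECT = build_record(0x02, b"B" * 80)                  # oversized type-2 record
BENIGN_EMBEDDED = build_record(0x01, b"\x02" + b"A" * 70)  # 0x02 is just payload data
BENIGN_SPLIT = build_record(0x02, b"C" * 10) + build_record(0x01, b"D" * 70)

if __name__ == "__main__":
    for name in ("SUSPECT", "BENIGN_EMBEDDED", "BENIGN_SPLIT"):
        buf = globals()[name]
        print(name, "regex:", regex_detect(buf), "structured:", structured_detect(buf))
```

The regular expression flags all three buffers, while the parser flags only the oversized type-2 record, because it reads the type at record boundaries and honors each record's length field.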