There is a class of packet processing applications which need to inspect packets on the link deeper than protocol headers and to analyze its payload. For instance, network security applications require that the packets containing certain malicious strings (i.e., internet worms, computer viruses) be dropped. Further, filtering of SPAM and detection of unauthorized transfer of copyrighted material is necessary. See for example, U.S. Patent Publication No. 20030110229 to Kulig et al., which generally describes a system which scans content.
Content-based billing techniques analyze media files and bill the receiver based on the material transferred over the network. Content forwarding applications look at the HTTP headers and direct the requests to predetermined servers for load balancing.
Most payload applications have a common requirement for string matching—see U.S. Pat. No. 6,377,942 to Hinsley et al. and U.S. Pat. No. 6,169,969 to Cohen. Some randomized string matching techniques use Bloom filters (see B. Bloom, in “Space/time trade-offs in hash coding with allowable errors”, ACM, 13(7):422-426, May 1970). One such technique has been implemented using a unique platform called Splash 2 (Pryor, D., Thistle, M., & Shirazi, N., “Text Searching On Splash 2”, Proceedings of the IEEE Workshop on PRGAs for Custom Computing Machines, Los Alamitos, Calif., IEEE Computer Soc. Press, 1993, pp. 172-177.).
A file can be characterized by the presence of a string of bytes (a string is synonymous with a signature herein), and its transmission across a link can be monitored by looking out for the presence of this string on the network. Since the location of such strings in the packet payload is not deterministic, such applications need the ability to detect strings of different lengths starting at arbitrary locations in the packet payload.
Such packet inspection applications, when deployed at router ports, must be able to operate at wire speeds. With the network speeds doubling every year, it is becoming increasingly difficult for software-based packet monitors to keep up with the line rates. This has underscored the needs for specialized hardware-based solutions which are portable and operate at wire speeds.