To protect against malicious content, intrusion prevention systems (and similarly intrusion detection systems) use an engine to detect signatures of known malicious content. To detect such content, the various communication protocols on the network need to be understood and modeled.
Creating accurate models of protocols and of the interactions among them is a classic problem. The effectiveness of an IDS/IPS solution is directly correlated with how accurately it describes protocols. Incomplete or incorrect parsing or modeling of protocol behavior may cause attacks to go undetected (false negatives) and/or cause intrusions to be erroneously flagged on legitimate traffic (false positives).
At the same time, a parsing operation, whether for network protocols or otherwise, is generally a very expensive operation. In many situations, full or complete parsing is not necessary in order to retrieve the desired information. Designing an optimal parser for a specific usage is relatively simple; however, extending the concept of optimized parsing to generic parsing is a significant challenge. This is pertinent to optimizing protocol parsing as well as to many other applications that require parsing of possibly many different forms of information.
There are thus challenges in creating an accurate model for use in systems that deal heavily with protocols. Many of these challenges stem from having to create a model with a reasonable balance between generality and completeness. As mentioned above, performance is also a key issue due to the expensive nature of parsing. Thus, a related problem is how to describe a protocol accurately, with enough flexibility to be sufficiently general for a large class of common protocols, while still maintaining good performance across them.