Flourishing network viruses indicate that traditional firewalls that inspect the network packet header alone may not be sufficient to protect computers from intrusion. Many of the new attacks are hidden in a payload portion of the packet in various dynamic locations, and not in the static header portion. For example, many recent worms found in the Internet are application-level attacks that are embedded in the packet payload at an unknown location. The packet header for such attacks may not indicate that the packet is illegitimate, and in fact, may appear as a legitimate packet. It is therefore desirable to have a security system that incorporates a deep packet inspection unit, also referred to as a multi-layer inspection unit, that not only examines the static packet header, but also looks through the entire payload to search for pre-defined patterns.
FIG. 1 is a block diagram of a typical multi-layer inspection system. The system includes a multi-layer inspection unit 10 that tales an incoming packet 20 and inspects layers 3-7 of the packet against all packet filter patterns 30. If any one of the patterns 30 match the information in layers 3-7, the packet is not allowed to pass. Otherwise, the packet is allowed to pass.
The multilayer inspection unit 20 may be embodied as one or more general purpose processors running a rule-based packet filtering software. However, due to an exhaustive pattern detection algorithm used by the software system, it is often difficult for the software to filter high speed network traffic of 1 Gbps or more. Specifically, because the location of the pattern is not predetermined, the patterns must be compared starting from every byte alignment of the payload during the search process. Thus, rule-based packet filtering software is not practical for use with such high speed networks.
There exists in the prior art custom hardware chips that support a faster network. Although these are efficient for use as packet classifiers based on searches of the static fields of a packet, they are poor candidates for dynamic pattern searches required for a deep packet filter. This is mainly due to the underlying sequential algorithm running on a Von Neuman architecture which eventually leads to performance bottleneck as the number of necessary pattern checks increase.
Accordingly, what is desired is an improved deep packet filter system for high speed networks.