1. Field of the Invention
The present invention relates to a method of using memories in a hardware pattern matching apparatus, and more particularly, to a method of storing a string value pattern matching policy and a method of controlling an alert message which can provide a considerable number of traffic patterns to hardware memories with limited storage capacities.
2. Description of the Related Art
As high-speed network infrastructure becomes widespread, the scale of damage to networks caused by malicious attacks has increasingly widened, leading to tremendous loss of time and economic resources. Now that a high-speed network environment such as a gigabit Ethernet environment has become a reality, the demand for security analysis techniques capable of processing large amounts of data has grown steadily. In order to meet this demand, various efforts have been made to implement high-speed pattern matching techniques in hardware devices. However, existing pattern matching-based hardware security systems can apply only a limited number of traffic patterns to pattern matching because of their limited storage capacities.
In the meantime, a variety of security systems focusing on network attacks have been developed. With the advent of high-speed networks and an ever-increasing number of transmissions of large amounts of data over networks, the demand for improving conventional low-speed security analysis techniques has increased. In other words, in order to effectively respond to today's network environment which constantly changes in terms of speed and the amount of data transmitted over networks and which suffers a variety of network attacks, security analysis techniques capable of analyzing a considerable amount of data within a short period of time are needed. Improved security systems adopting such security analysis techniques must also be developed.
The performance of conventional security systems is generally low in terms of packet loss rate and attack detection rate. In order to address this problem, high-speed hardware pattern matching techniques which can provide a high-speed attack detection function, a firewall function, and a virus detection function have been developed. Most of the existing security systems, based on high-speed hardware pattern matching techniques, perform a rule-based pattern inspection and require a mechanism that makes it easy to instantly add or remove traffic patterns as required.
Also, the existing security systems based on high-speed hardware pattern matching techniques need methods of preventing their performance from being adversely affected by the number of traffic patterns applied to pattern matching and by the length of the strings in those traffic patterns. However, many thousands of attack detection rules are currently available, and the length of their strings varies considerably from one attack detection rule to another. For example, the length of the strings of attack detection rules ranges from a minimum of 1 byte to a maximum of over 100 bytes. Therefore, it is difficult to apply a considerable number of attack detection rules to pattern matching without deteriorating the performance of security systems.
For example, attack detection rules consist of a header combination and a string, and strings generally occupy a larger memory space than header combinations. Attack detection rules that have the same string but different header combinations are highly likely to be classified as different rules and are thus allocated to different memory zones, so the same string is stored more than once.
Hardware security systems, unlike software security systems, have limited memory capacities. Therefore, hardware security systems are required to apply a considerable number of traffic patterns efficiently within their limited memory capacities. To work around their limited memory capacities, hardware security systems can use external memories, in which case, however, deterioration of the performance of hardware security systems is inevitable. Therefore, it is necessary to develop a method of efficiently arranging a considerable number of traffic patterns in a memory with a limited storage capacity.
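The memory accounting behind the problem described above, as an added illustration that is not part of the patent text and does not claim to be the patent's method: a constructed rule set in which several rules share one string, compared under three storage layouts. The header entry width, reference width and fixed slot size are assumptions chosen for the illustration.

```python
# Constructed illustration of how header-combination + string rules consume
# a hardware memory under different layouts. Widths are assumed, not from
# any real device or from the patent.
from dataclasses import dataclass

HEADER_BYTES = 8   # assumed fixed-width header-combination entry
REF_BYTES = 2      # assumed width of an index into a shared string table


@dataclass(frozen=True)
class Rule:
    header: tuple   # constructed header combination, e.g. (proto, dst_port)
    pattern: bytes  # string value the rule matches


# Constructed sample rules: three share the same string, two do not.
RULES = [
    Rule(("tcp", 80), b"GET /cgi-bin/"),
    Rule(("tcp", 8080), b"GET /cgi-bin/"),
    Rule(("tcp", 443), b"GET /cgi-bin/"),
    Rule(("udp", 53), b"\x00\x01"),
    Rule(("tcp", 21), b"USER anonymous"),
]


def distinct_strings(rules):
    """Map each distinct string to a table index, first-seen order."""
    table = {}
    for r in rules:
        table.setdefault(r.pattern, len(table))
    return table


def per_rule_layout(rules):
    """Each rule is its own zone: header plus a private copy of its string."""
    return sum(HEADER_BYTES + len(r.pattern) for r in rules)


def fixed_slot_layout(rules, slot_bytes):
    """Each rule gets a fixed-width string slot sized for the longest string.
    Short strings (down to 1 byte) waste almost the whole slot."""
    return sum(HEADER_BYTES + slot_bytes for _ in rules)


def shared_string_layout(rules):
    """Store each distinct string once; header entries carry a reference."""
    table = distinct_strings(rules)
    string_bytes = sum(len(s) for s in table)
    return len(rules) * (HEADER_BYTES + REF_BYTES) + string_bytes
```

With the constructed rules the per-rule layout needs 95 bytes, the shared-string layout 79 bytes, and a 128-byte fixed slot per rule 680 bytes.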