Network devices, such as switches and routers, are designed to forward network traffic, in the form of packets, at high line rates. One of the most important considerations for handling network traffic is packet throughput. To accomplish this, special-purpose processors known as network processors have been developed to efficiently process very large numbers of packets per second. In order to process a packet, the network processor (and/or network equipment employing the network processor) needs to extract data from the packet header indicating the destination of the packet, class of service, etc., store the payload data in memory, perform packet classification and queuing operations, determine the next hop for the packet, select an appropriate network port via which to forward the packet, etc. These operations are generally referred to as “packet processing” operations.
In addition to the foregoing packet forwarding operations, there may be a need to search packet payloads for a given string or set of strings. For example, security applications may need to search for strings that indicate a virus or Internet worm is present in the packet payload, while other applications may search payloads for purposes such as load balancing or billing.
The ever increasing number of computers, routers and connections making up the Internet increases the number of vulnerable points from which malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch, can be compromised and configured to place malicious packets onto the network.
Searching packet payloads presents a problem with respect to line-rate packet forwarding, because string searches may be very time consuming, especially if the strings are relatively long. With network line rates increasing significantly every year, it is becoming increasingly difficult for software and hardware based solutions to keep up. Further, the bulk of the packets received by routers are forwarded rather than consumed by them, and at these line rates detection of malicious packets can become extremely difficult.
Current techniques monitor signatures in a network payload by storing a predefined signature of a predetermined length and monitoring the data stream on the network for a signature that corresponds to the predefined signature. An analyzer then determines whether the network signature actually corresponds to the predefined signature or is a false positive. These techniques are used for pattern matching applications such as network security, application specific service differentiation, QoS enhancement, and network engineering. However, such implementations can be very hardware intensive: increasing the width of the data bus to support counter fields can result in a noticeable speed reduction for a wide bit vector, and these techniques can require complicated application specific integrated circuit (ASIC) layout.
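The two-stage scheme described above (a stored signature fragment of fixed length used as a fast filter, followed by an analyzer that confirms the full string or discards the hit as a false positive) can be illustrated in software. The following Python example is added here for illustration and is not code from this application or any product it describes. The signatures, flow identifiers and packet payloads are constructed; the four-byte prefix table, the per-flow carry-over buffer and all class and function names are assumptions of the example, not anything the application specifies. It goes slightly beyond the text by carrying the last bytes of each packet into the next packet of the same flow, so that a signature split across two packets is still found and is not reported twice.

```python
"""Two-stage payload signature matching (illustrative, not the application's code):
stage 1 looks up a fixed-length prefix of every byte window in a table,
stage 2 verifies the full signature and counts rejected false positives."""
from __future__ import annotations
from dataclasses import dataclass

PREFIX_LEN = 4  # the "predetermined length" held in the fast lookup stage (assumed)


@dataclass
class Match:
    flow: str
    sig_id: str
    offset: int  # byte offset within the reassembled stream of this flow


@dataclass
class Stats:
    prefilter_hits: int = 0    # stage-1 hits that had enough bytes to verify
    false_positives: int = 0   # stage-1 hits rejected by the full compare
    matches: int = 0


class SignatureMatcher:
    def __init__(self, signatures: dict[str, bytes]):
        if any(len(s) < PREFIX_LEN for s in signatures.values()):
            raise ValueError(f"signatures must be at least {PREFIX_LEN} bytes")
        self.signatures = signatures
        # Stage-1 table: fixed-length prefix -> candidate signature ids.
        # A hardware design would replace this dict with a hash or CAM lookup.
        self.prefix_table: dict[bytes, list[str]] = {}
        for sig_id, sig in signatures.items():
            self.prefix_table.setdefault(sig[:PREFIX_LEN], []).append(sig_id)
        self.max_len = max(len(s) for s in signatures.values())
        self.stats = Stats()
        self._tail: dict[str, bytes] = {}      # per-flow bytes carried to the next packet
        self._consumed: dict[str, int] = {}    # per-flow stream bytes scanned so far

    def scan_packet(self, flow: str, payload: bytes) -> list[Match]:
        tail = self._tail.get(flow, b"")
        buf = tail + payload
        base = self._consumed.get(flow, 0) - len(tail)  # stream offset of buf[0]
        found: list[Match] = []
        for i in range(len(buf) - PREFIX_LEN + 1):
            cands = self.prefix_table.get(buf[i:i + PREFIX_LEN])
            if not cands:
                continue  # the common case: no stage-1 hit, nothing more to do
            for sig_id in cands:
                sig = self.signatures[sig_id]
                end = i + len(sig)
                if end <= len(tail):
                    continue  # lies entirely in bytes already scanned with the previous packet
                if end > len(buf):
                    continue  # may complete in the next packet; the tail carries it over
                self.stats.prefilter_hits += 1
                if buf[i:end] == sig:        # stage 2: the analyzer's full compare
                    self.stats.matches += 1
                    found.append(Match(flow, sig_id, base + i))
                else:
                    self.stats.false_positives += 1
        # Keep max_len - 1 trailing bytes so a signature straddling packets is still seen.
        keep = min(len(buf), self.max_len - 1)
        self._tail[flow] = buf[len(buf) - keep:] if keep else b""
        self._consumed[flow] = base + len(buf)
        return found


# Constructed sample data: signature strings and packet payloads for this example only.
SAMPLE_SIGNATURES = {
    "sig-exec": b"EXEC-SHELL",
    "sig-worm": b"WORM.PROBE",
    "sig-short": b"EVIL!",
}
SAMPLE_PACKETS = [
    ("a", b"GET /q=EXECUTIVE EXEC-SH"),     # "EXEC" prefix hit on EXECUTIVE is a false positive
    ("a", b"ELL HTTP/1.1"),                 # completes EXEC-SHELL across the packet boundary
    ("b", b"WORM.PROBE v2 WORMHOLE!!"),     # one true match, one false positive
]


def run_demo() -> tuple[list[Match], Stats]:
    matcher = SignatureMatcher(SAMPLE_SIGNATURES)
    matches: list[Match] = []
    for flow, payload in SAMPLE_PACKETS:
        matches.extend(matcher.scan_packet(flow, payload))
    return matches, matcher.stats


if __name__ == "__main__":
    found, stats = run_demo()
    for m in found:
        print(f"flow={m.flow} signature={m.sig_id} stream_offset={m.offset}")
    print(stats)
```

The prefix table is what the fixed-length "predefined signature" stage of the techniques above amounts to: it is cheap per byte, but a prefix hit says nothing about the remaining bytes, which is why the full compare and the false-positive count are kept separate from the match count.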
Other features of the present embodiments will be apparent from the accompanying drawings and from the detailed description that follows.