(1) Field of Invention
The present invention relates to an intrusion detection system and, more particularly, to an intrusion detection system that is operable for performing Deep Packet Inspection (DPI) at wire speeds in software running on conventional processors.
(2) Description of Related Art
Cyber security has become an increasingly important aspect of system business security. Any information generating and accepting device (vehicles, computer systems, etc.) that utilizes many diverse networks may be targeted by malicious attacks aiming to impact both critical and non-critical systems. The backup approach of “security by obscurity” is insufficient. In addition, current trends indicate greater exposure to potential attacks. Current vehicular standards do not include defense-in-depth strategies that require detection as a core building block. V2X networks will be used as an extension of cellular networks to provide high bandwidth to the car, which further exposes vehicle systems to attacks. The use of common third-party operating systems makes vehicles vulnerable to a much larger volume of existing attacks and signatures. While the traffic volume inside, into, and out of the vehicle is lower than that on Internet routers in the backbone, the large size of the attack signature database and the need for low size, weight, and power solutions make traditional methods and hardware unacceptable for use in the vehicle.
Within the realm of cyber security, current software solutions for intrusion detection use pattern matching methods, such as Deterministic Finite Automata (DFA) with attack signatures. However, due to the high volume of traffic in Internet data streams, such systems can only operate at approximately 500 Mbps. In addition, traditional methods cannot add new attack signatures to their search in real-time without significant overhead due to rebuilding the DFA; nor can they perform partial matches against attack signatures.
Finite state machines are most widely used in systems that attempt to perform Deep Packet Inspection. For clarity, Deep Packet Inspection (DPI) is a form of computer network packet filtering that examines the data part of a packet as it passes an inspection point, searching for protocol non-compliance, such as intrusions. Finite state machines are used for DPI due to their ability to handle wildcards in the attack signature matching string (wildcards are places in the matching string that do not require a specific character from the alphabet). The widely-used open source software solution for intrusion detection is called Snort, as provided by Sourcefire, Inc., located at 9770 Patuxent Woods Drive, Columbia, Md. 21046, United States.
Snort uses a particular type of finite state machine (i.e., a DFA) that computes only one state transition per input character, so its computational complexity per input character is O(1); therefore, theoretically, the speed is independent of pattern length and alphabet size. Snort (DFA) has several disadvantages, such as:
a. It is slow for detecting attack signatures in software for large alphabets and relatively small pattern lengths;
b. Snort DFA requires additional cost for building a state-transition table (for each stored pattern that is to be matched against an input stream, a state-transition table has to be computed). As the alphabet size grows and new attack signatures must be added, it cannot be used in real-time.
c. Snort DFA cannot be parallelized easily, limiting its scalability to high traffic volumes.
d. Snort DFA cannot be used to detect partial patterns and higher order patterns (with long sequences of wildcards).
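The one-transition-per-character matching and the per-signature table cost described above, as an added Python sketch (not code from this document or from Snort): it builds a dense KMP-style DFA for each signature over the 256-value byte alphabet and scans with one table lookup per input byte. The `SignatureSet` class and its names are hypothetical, and wildcards are not handled.

```python
ALPHABET = 256  # byte alphabet: every table row has one column per byte value

def build_dfa(pattern: bytes) -> list[list[int]]:
    """Dense state-transition table for one signature (KMP automaton).

    table[s][c] is the next state after reading byte c in state s; state
    len(pattern) accepts. Build cost is (len(pattern) + 1) * ALPHABET entries.
    """
    if not pattern:
        raise ValueError("empty signature")
    m = len(pattern)
    table = [[0] * ALPHABET for _ in range(m + 1)]
    table[0][pattern[0]] = 1
    fallback = 0  # state for the longest proper border of the prefix read so far
    for state in range(1, m + 1):
        table[state] = table[fallback][:]  # on mismatch, act like the fallback state
        if state < m:
            table[state][pattern[state]] = state + 1
            fallback = table[fallback][pattern[state]]
    return table

def scan(table: list[list[int]], payload: bytes) -> list[int]:
    """End offsets of every match, using exactly one table lookup per byte."""
    accept, state, hits = len(table) - 1, 0, []
    for i, byte in enumerate(payload):
        state = table[state][byte]
        if state == accept:
            hits.append(i + 1)
    return hits

class SignatureSet:
    """Hypothetical container: one DFA per signature, built when it is added."""
    def __init__(self) -> None:
        self.tables: dict[str, list[list[int]]] = {}
        self.entries_built = 0  # running total of table entries computed

    def add(self, name: str, pattern: bytes) -> None:
        table = build_dfa(pattern)  # whole table computed before matching can start
        self.tables[name] = table
        self.entries_built += len(table) * ALPHABET

    def inspect(self, payload: bytes) -> dict[str, list[int]]:
        found = {}
        for name, table in self.tables.items():  # one full pass per signature
            hits = scan(table, payload)
            if hits:
                found[name] = hits
        return found
```

Each call to `add` computes a full table before the new signature can be matched, and `entries_built` grows by the signature length plus one, times the alphabet size, which is the build overhead item (b) refers to.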
Thus, a continuing need exists for a DPI inspection system that enables the detection of attack signatures in software at speeds that are considerably faster than DFA. Further, a continuing need exists for such a system that can efficiently search inside the payload of each packet, while being updated for new attack signatures in real-time and that can also be used to detect partial attack signatures.