The present invention relates to the field of pattern matching and searching. In particular, the present invention discloses a parallel pattern searching system that allows one or more patterns to be located within a particular data stream.
The Internet is a worldwide interconnection of computer networks that share a common set of well-defined data communication protocols. Specifically, most computer networks coupled to the Internet communicate using the Transport Control Protocol (TCP) and the Internet Protocol (IP), commonly known as TCP/IP. These protocols provide a data connection between any two computing devices on the Internet. The TCP/IP protocols work in conjunction with higher-level network protocols including HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Network News Transmission Protocol (NNTP), Simple Mail Transport Protocol, and other application protocols to provide useful Internet services.
There is no central controlling authority in the global Internet. Individual entities coupled to the Internet are responsible for their own interactions with the Internet. To protect private networks, most private networks use a gateway that carefully controls the flow of traffic between the private network and the Internet. Examples of such gateways include firewalls and packet filtering routers.
Firewalls and packet filtering routers attempt to prevent unauthorized access by carefully examining each packet and properly routing (or dropping) each packet depending on the packet's characteristics. Most firewalls and packet filtering routers are implemented using a set of packet filtering rules. Each packet-filtering rule specifies a particular packet filtering policy. For example, all packets incoming from the Internet addressed to vulnerable server ports may be discarded in order to protect the internal servers on the local area network.
Packet filtering is normally performed on packet headers. Specifically, the Transport Control Protocol (TCP) and the Internet Protocol (IP) add a set of headers to each packet that most packet filtering routers examine to determine how to route the packet. However, it would be desirable to have even more precise methods of filtering packets.
In view of the above, it is one of the objects of the present invention to provide a system that provides even greater flexibility for packet filtering in a gateway system. The present invention provides such functionality by providing a high-speed parallel string searching system that allows the body of a data packet to be searched for one or more patterns such as a string or a series of strings. These strings can be defined by the grammar of regular expressions. Specifically, one or more patterns are loaded into one or more nanocomputers and then the packet body is fed to the participating nanocomputers such that each participating nanocomputer tests for a match. The various tests performed by the nanocomputers may be combined to perform complex searches. These searches are performed in parallel. Furthermore, several different searches may be combined together using control statements. A combination of these search engines can be supported such that data is also examined in parallel. The above search mechanism is called "Deep Packet Search".
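The search flow described above can be sketched in software; this is an added illustration, not code from the patent. The pattern set, the `policy` rule, the sample packets and all function names are assumptions, and a thread pool stands in for the nanocomputers.

```python
import re
import struct
from concurrent.futures import ThreadPoolExecutor

def build_packet(payload: bytes, dport: int = 80) -> bytes:
    """Constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp + payload

def packet_body(packet: bytes) -> bytes:
    """Use the header length fields to step over the IP and TCP headers."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or len(packet) < ihl + 20 or total_len > len(packet):
        raise ValueError("bad IP length fields")
    data_off = (packet[ihl + 12] >> 4) * 4
    if data_off < 20 or ihl + data_off > total_len:
        raise ValueError("bad TCP data offset")
    return packet[ihl + data_off:total_len]

# Hypothetical patterns, one per match unit (regular-expression grammar).
PATTERNS = {
    "is_post": re.compile(rb"^POST\s"),
    "traversal": re.compile(rb"\.\./"),
    "cmd_exe": re.compile(rb"(?i)cmd\.exe"),
}

def policy(hit: dict) -> str:
    """Hypothetical control statement combining the per-pattern results."""
    return "drop" if hit["traversal"] or (hit["is_post"] and hit["cmd_exe"]) else "pass"

def deep_packet_search(packet: bytes):
    body = packet_body(packet)
    # Every unit receives the same body; a thread pool stands in for the hardware.
    with ThreadPoolExecutor(max_workers=len(PATTERNS)) as pool:
        jobs = {name: pool.submit(rx.search, body) for name, rx in PATTERNS.items()}
        hits = {name: job.result() is not None for name, job in jobs.items()}
    return policy(hits), hits

if __name__ == "__main__":
    for body in (b"GET /index.html HTTP/1.0\r\n\r\n", b"GET /a/../../b HTTP/1.0\r\n\r\n"):
        print(body[:24], deep_packet_search(build_packet(body)))
```

Both sample packets carry identical TCP/IP headers, so a header-only filter cannot tell them apart; only the body search distinguishes them.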
Objects and advantages together with the foregoing are attained in the exercise of the invention in the following description, resulting in the embodiment illustrated in the accompanying drawings.