1. Field of the Invention
The present invention relates to computer networks. More specifically, the present invention relates to a method and apparatus for monitoring and detecting strings of interest to effect intrusion detection, packet filtering, load balancing, routing, and other network-related operations as disclosed below.
2. Description of the Related Art
Network packets, e.g., those involved in TCP/IP or UDP communications, are routinely split into network datagrams for transmission on a network medium. Standard methods for performing intrusion detection, packet filtering, load balancing, routing, and other network-related operations involve the reassembly of network datagrams into network packets in order to make decisions based on the contents of the packet. Because the splitting of packets can occur whenever a higher layer in the network stack passes its data to a lower layer, such reconstruction may be applied at any such layer boundary, for example: IP packets being split into network datagrams, TCP packets being split into IP packets, HTTP packets being split into TCP packets, and others as will be clear to those skilled in the art.
Many such decisions involve searching for particular strings that occur in the monitored network packets. To perform network monitoring, it is often necessary to completely reassemble higher layer (e.g., TCP/IP) packets from the monitored network datagrams in order to effectively match the strings of interest. Such reassembly is necessary to counteract deliberate evasion of the monitoring system by splitting the strings of interest between packets, and to handle the out-of-order arrival of packets belonging to a particular network activity. However, reassembly of packets requires significant processing and storage, such that traditional methods are unable to scale cost-effectively to modern high-speed networks. Further, an attacker may deliberately force the monitoring system to retain large amounts of reassembly state, resulting in a denial of service.
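The following added illustration is not the method disclosed by this patent; it shows only the problem described above. A matcher that inspects each datagram in isolation misses a string of interest split across a datagram boundary, whereas a matcher that carries a bounded per-flow automaton state (here, a KMP matcher keeping one integer per flow) detects the split string without buffering the reassembled stream. It also shows that such state-carrying alone does not cope with out-of-order arrival, which is why full reassembly is traditionally used. The pattern and datagram contents are constructed sample data.

```python
# Added example (not the patent's disclosed method): per-flow string matching
# that carries only KMP automaton state across datagram boundaries.

def build_failure(pattern: bytes) -> list:
    """KMP failure table: fail[i] is the length of the longest proper prefix
    of pattern[:i+1] that is also a suffix of it."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail

class StreamMatcher:
    """Matches one pattern across a sequence of in-order byte chunks.
    Per-flow state is a single integer (bytes of the pattern matched so
    far), so the state stays bounded however the sender splits the stream."""
    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.fail = build_failure(pattern)
        self.state = 0

    def feed(self, chunk: bytes) -> bool:
        """Consume one datagram payload; return True if the pattern completed."""
        found = False
        for b in chunk:
            while self.state and b != self.pattern[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.pattern[self.state]:
                self.state += 1
            if self.state == len(self.pattern):
                found = True
                self.state = self.fail[self.state - 1]  # allow overlapping matches
        return found

def per_datagram_match(pattern: bytes, chunks: list) -> bool:
    """Naive matcher that inspects each datagram by itself (evadable by splitting)."""
    return any(pattern in c for c in chunks)

def stream_match(pattern: bytes, chunks: list) -> bool:
    """Matcher that carries KMP state from one datagram to the next."""
    m = StreamMatcher(pattern)
    return any(m.feed(c) for c in chunks)

# Constructed sample: the string of interest straddles a datagram boundary.
PATTERN = b"GET /cgi-bin/"
IN_ORDER = [b"GET /cg", b"i-bin/x HTTP/1.0"]
OUT_OF_ORDER = [IN_ORDER[1], IN_ORDER[0]]  # same bytes, second datagram first
```

Feeding IN_ORDER to stream_match finds the pattern while per_datagram_match does not; feeding OUT_OF_ORDER to stream_match finds nothing, showing that out-of-order delivery still requires sequence tracking or buffering.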
Thus, there is a need for a method and apparatus for monitoring and detecting strings of interest to effect intrusion detection, packet filtering, load balancing, routing, and other network-related operations without the need to completely reassemble higher layer packets.