1. Field of the Invention
The present invention relates generally to computer networks, and more particularly but not exclusively to network security apparatus.
2. Description of the Background Art
Computer viruses, worms, Trojans, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, malicious codes are collectively referred to herein as “viruses” for ease of illustration and compliance with common usage.
The Internet and similar public networks enable viruses to spread quickly and infect a large number of computers. As a precautionary measure against viruses, private computer networks may deploy a virus scanner between their computers and the Internet. Currently available in-line virus scanners perform either store-scan-forward scanning or stream scanning. Store-scan-forward scanning is typically implemented in software using a complex file-based scanner. A complex file-based scanner stores received incoming data, waits to receive all of the data comprising a file, scans the file for viruses once all of its data are received, and forwards the data to its destination assuming no viruses are found in the file. Being implemented in software, store-scan-forward scanning provides great flexibility, is easily extensible, and allows for a high virus detection rate with relatively low false positives (i.e., erroneous detection of a virus) and low false negatives (i.e., failure to identify a virus). However, relying on a software implementation yields relatively slow performance, resulting in excessive, sometimes unacceptable, processing delays.
Stream scanning, also referred to as “cut-through” scanning, receives, scans, and forwards data in non-file data units, typically at the packet level. Scanning commences as soon as a number of data units become available, and scanned data units are immediately forwarded to their destination assuming no viruses are found. This way, data receiving, scanning, and forwarding occur concurrently, allowing for faster throughput compared to store-scan-forward scanning. Stream scanning, whether implemented in hardware or software, provides a performance advantage that is noticeable by the end-user. However, stream scanning has relatively low virus detection capability because only forward scanning is possible, and it has higher rates of false positives and false negatives. In addition, hardware-based implementations often rely on less sophisticated scanning algorithms that open up the network to virus attacks.
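The following sketch is an added illustration, not code from this document. It contrasts the two scanning modes on the same sequence of data units. The pattern, the 8-byte unit size, the function names, the substring match standing in for a real scanner, and the carried-over tail in the stream scanner are all assumptions.

```python
# Constructed placeholder pattern; not a real virus signature.
SIGNATURE = b"EXAMPLE-TEST-PATTERN"

def split_units(data, size=8):
    """Cut a file into fixed-size data units (stand-in for packets)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def store_scan_forward(units):
    """Buffer every unit, scan the whole file, then forward all or nothing."""
    data = b"".join(units)
    if SIGNATURE in data:
        return [], True            # nothing has left the scanner
    return list(units), False

def stream_scan(units):
    """Scan and forward unit by unit, moving forward only.

    A tail of len(SIGNATURE) - 1 already-seen bytes is kept so a pattern
    split across two units is still matched (assumption of this sketch).
    """
    forwarded, tail = [], b""
    for unit in units:
        window = tail + unit
        if SIGNATURE in window:
            return forwarded, True  # earlier units were already delivered
        forwarded.append(unit)
        tail = window[-(len(SIGNATURE) - 1):]
    return forwarded, False

# Constructed sample files.
INFECTED = b"header-bytes-" + SIGNATURE + b"-trailer"
CLEAN = b"header-bytes-and-ordinary-payload"

if __name__ == "__main__":
    for name, blob in (("infected", INFECTED), ("clean", CLEAN)):
        units = split_units(blob)
        for scan in (store_scan_forward, stream_scan):
            out, hit = scan(units)
            sent = sum(len(u) for u in out)
            print(f"{name:8} {scan.__name__:18} detected={hit} "
                  f"bytes_forwarded={sent}/{len(blob)}")
```

On the infected sample both scanners detect the pattern, but the stream scanner has already forwarded the units that preceded the match, while the store-scan-forward scanner has forwarded nothing.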