Multidimensional data comprises multiple types of information upon which particular processing sequences may be performed to arrive at a given outcome. Portions of such processing sequences may be dependent upon the characteristics of constituent information within the multidimensional data itself. Examples of multidimensional data include vectors, informational databases, and mathematical matrices.
One type of multidimensional data is a networking datagram or packet. A packet comprises a self-contained messaging unit having fields specified or defined in accordance with one or more network transport protocols, for example, Transmission Control Protocol in conjunction with the Internet Protocol (TCP/IP). Particular fields may be reserved for source and/or destination routing information, while other fields may be reserved for data content. The routing information is sufficient to enable elements within a transporting network to deliver the packet to a target destination.
Packets flowing upon a computer network, and/or flowing from one computer network to another, may contain information directed toward compromising network security and/or performing malicious or destructive operations upon one or more computer systems. Such packets are typically associated with an attempted hacker intrusion.
An Intrusion Detection System (IDS) comprises software that performs packet filtering operations. During packet filtering operations, the IDS examines packets flowing upon a computer network, and determines whether any given packet exhibits characteristics associated with known types of network intrusions and/or hacker attacks. The packet filtering operations may include header filtering operations directed toward examining packet headers, and string filtering operations directed toward examining packet data content.
In header filtering operations, an IDS compares various field values within a protocol header with values associated with known hacker attacks, commonly referred to as attack signatures. Unfortunately, hacker attacks may span multiple fields, where field values may be combined as Boolean expressions, thereby complicating header filtering operations. Furthermore, hundreds of known hacker attacks exist, and thus an IDS may need to examine thousands of field value combinations to accurately determine whether a given packet or packet sequence corresponds to an attack signature.
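The header filtering described above can be illustrated with the following added example, which is not part of the original text. It parses IPv4/TCP header fields and tests them against signatures written as Boolean expressions over several fields; the signature names, the two signatures chosen, and the sample packets (documentation addresses, zeroed checksums) are assumptions constructed for illustration. Each signature is tested in turn, so the work per packet grows with the number of signatures.

```python
import socket
import struct

# TCP flag bits from the flags byte of the TCP header
FIN, SYN = 0x01, 0x02

def parse_headers(pkt: bytes) -> dict:
    """Extract the IPv4 and TCP header fields that the signatures test."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:
        raise ValueError("truncated packet or not TCP")
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": pkt[ihl + 13],
    }

# Each signature is a Boolean expression spanning several header fields.
# Names and selection are illustrative assumptions, not from the original text.
SIGNATURES = {
    "land": lambda h: h["src"] == h["dst"] and h["sport"] == h["dport"]
                      and bool(h["flags"] & SYN),
    "syn_fin": lambda h: bool(h["flags"] & SYN) and bool(h["flags"] & FIN),
}

def match_signatures(pkt: bytes) -> list:
    """Test the packet against every signature, one after another."""
    hdr = parse_headers(pkt)
    return [name for name, test in SIGNATURES.items() if test(hdr)]

def build_packet(src, dst, sport, dport, flags) -> bytes:
    """Construct a minimal IPv4+TCP header pair (sample input, checksums 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(match_signatures(build_packet("192.0.2.10", "192.0.2.10", 139, 139, SYN)))
    print(match_signatures(build_packet("192.0.2.1", "198.51.100.7", 40000, 80, SYN | FIN)))
```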
Traditional packet filtering systems and methods typically rely upon tree search algorithms, in which a result of a given field value test narrows a number of possible attack signatures for subsequent consideration. However, such tree search algorithms are performed serially, and are therefore significantly slower than desired. Moreover, their performance degrades as additional attack signatures are discovered.
An additional problem arises because modern networks continue to evolve toward ever-higher data transfer rates. For example, high speed Local Area Networks (LANs) may operate at 1000 Megabits per second (Mbits/sec). Similarly, internet access points commonly operate at 155 Mbits/sec and 622 Mbits/sec; higher operating speeds are likely in the future. Present-day systems and methods for packet filtering and/or network intrusion detection are capable of examining only a fraction of the packets traversing such networks, thereby significantly limiting their usefulness. No present-day IDS capable of providing adequate packet filtering in high-speed network environments exists.