Computer systems now operate in an environment of near-ubiquitous connectivity, whether coupled to the internet and other networks by wire or via wireless technology. While the availability of online communication has created countless new opportunities for web-based businesses and information sharing, there has also been an increase in the frequency of attempted breaches of network security, or hacker attacks, intended to access confidential information or to otherwise interfere with network communications.
Recently, a number of applications aimed at detecting and thwarting attacks in the network have emerged, including anti-virus data filtering, firewalling, intrusion detection/prevention and network protection. At the heart of almost every modern network security system is a content matching engine that scans an input data stream for specific contents known to be suspicious, threatening or dangerous. The content matching engine is also known as a pattern matching engine, and the specific contents (patterns) scanned for are usually called content (pattern) signatures and reside in a signature database. In the event a match is found between the scanned data stream and a content signature in the signature database, an alert or alarm may be issued, and furthermore the scanned data stream may be captured before any damage is done. Besides its implementation in network security applications, content matching is also used in internet protocol (IP) routing, where each data stream traversing the router is inspected to find its IP destination.
One implementation of the content matching engine utilizes a processor (CPU/NPU). In operation, the contents of the signature database are stored in an external static random access memory (SRAM) or a dynamic random access memory (DRAM). Software run by the processor compares the input data stream with the contents in the signature database to perform the content matching function. Because the processor (CPU/NPU) is not specialized to perform the content matching, the matching speed of this processor-based implementation is quite low.
Another implementation of the content matching engine utilizes content addressable memory (CAM) or ternary content addressable memory (TCAM). The CAM (TCAM) is a storage device that is particularly suitable for matching functions. However, the CAM (TCAM) is a very expensive memory component which typically costs five times as much as SRAM. Furthermore, the memory size of the CAM (TCAM) is typically small and cannot scale well with increased contents in the signature database.
Another implementation of the content matching engine utilizes a field reprogrammable gate array (FRGA). In operation, the contents of the signature database are converted into state diagrams and implemented as state machines in the FRGA. The FRGA is programmed to scan the input data stream for the contents of the signature database, which have been converted into the state diagrams in the FRGA. However, once the contents of the signature database are modified, the FRGA has to be reconfigured accordingly. Such reconfiguration generally takes a long time, which limits the flexibility of the FRGA implementation.
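As an added illustration, not part of the original text, the following Python compiles a signature database into the kind of multi-pattern state machine described above (an Aho-Corasick automaton) and scans a byte stream with it; the signatures and sample traffic are constructed for this example and do not come from any real product or capture.

```python
from collections import deque

def build_matcher(signatures):
    """Compile a signature database into an Aho-Corasick automaton (trie + failure links)."""
    goto = [{}]        # state -> {input byte: next state}
    output = [set()]   # state -> signatures whose last byte lands here
    for sig in signatures:
        state = 0
        for b in sig:
            if b not in goto[state]:
                goto[state][b] = len(goto)
                goto.append({})
                output.append(set())
            state = goto[state][b]
        output[state].add(sig)
    # Failure links: where to resume after a partial match breaks off (each byte is consumed once).
    fail = [0] * len(goto)
    queue = deque(goto[0].values())          # depth-1 states fail back to the root
    while queue:
        s = queue.popleft()
        for b, nxt in goto[s].items():
            queue.append(nxt)
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(b, 0)
            output[nxt] |= output[fail[nxt]]  # inherit shorter signatures that end here too
    return goto, fail, output

def scan_stream(matcher, stream):
    """Run a byte stream through the automaton; return sorted (offset, signature) alerts."""
    goto, fail, output = matcher
    state, alerts = 0, []
    for offset, b in enumerate(stream):
        while state and b not in goto[state]:
            state = fail[state]
        state = goto[state].get(b, 0)
        for sig in output[state]:
            alerts.append((offset - len(sig) + 1, sig))
    return sorted(alerts)

# Constructed sample database and traffic, not taken from any real product or capture.
SIGNATURES = [b"passwd", b"cmd.exe", b"<script>", b"script"]
SAMPLE_STREAM = b"GET /x<script>y?f=passwd HTTP/1.1"

if __name__ == "__main__":
    # Any change to the database means recompiling the whole automaton, the
    # same rebuild cost the text attributes to reconfiguring a state-machine design.
    matcher = build_matcher(SIGNATURES)
    for offset, sig in scan_stream(matcher, SAMPLE_STREAM):
        print(f"ALERT offset={offset} signature={sig!r}")
```

Note that the overlapping signatures `<script>` and `script` are both reported from one pass over the input, which is what the failure links buy over matching each signature separately.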
To summarize, the implementations discussed above have various drawbacks.