Field
Embodiments of the present invention generally relate to adaptive or trainable data-pattern matching performed in the context of network security devices. In particular, embodiments of the present invention relate to rating of signature patterns that are used for pattern matching by selecting one or more rated signature patterns for populating a pre-match list that can be used to reduce the number of patterns required to be processed by a full-match module of an Intrusion Prevention System (IPS), for example.
Description of the Related Art
Packet-data communication, such as that conducted over the Internet, is extremely popular, and is becoming more so every day. People, companies, educational institutions, etc. routinely use Internet-connected computers and networks to conduct their affairs. Myriad types of data are transmitted over the Internet, such as correspondence, medical information, financial information, business plans, etc. Unfortunately, not all uses of the Internet are benign; on the contrary, a significant percentage of the data that is transmitted over the Internet every day is malicious. Examples of this type of data are viruses, spyware, malware, worms, etc.
Not unexpectedly, an industry has developed to combat these attempts to disrupt and harm not only these Internet-based communications, but also the networks and computers used to conduct them. This industry, and the effort to fight these threats generally, is often and herein referred to as “intrusion prevention,” as very commonly such efforts are focused at points of access to private (e.g., corporate) networks. One important aspect of intrusion prevention involves identifying known threats (e.g., files that are or contain viruses, worms, spyware, malware, etc.) by particular data patterns contained therein. These patterns are often and herein referred to as “signatures” of these security threats, and are also often and at times herein referred to as “triggers” and by other names.
As such, data (e.g., Internet Protocol (IP)) packets flowing through, towards, or from a network segment, such as a particular router, switch, or network generally, are often screened—perhaps by an intermediate device, functional component, or other entity—for the presence of these signature data patterns. When particular packets, or sequences of packets, are identified as containing at least one of these signatures, those packets (or, again, sequences of packets) may be “quarantined,” such that those packets cannot cause harm to any more networks and/or computers. These packets, removed from the normal flow of data traffic, can then be further examined without holding up that traffic generally.
In particular, systems that carry out intrusion prevention (i.e., intrusion-prevention systems (IPSs)) use pattern-matching techniques to attempt to detect malicious data, and to prevent that data from entering a given network segment. Typically, IPSs check both packet headers and packet payloads in order to detect content-based security threats. Standard detection methods use pattern-matching or string-matching algorithms to search for malicious packets containing predefined signatures that characterize a threat. Typically, IPSs are deployed in-line with the network segment to be protected, such that all data that flows into and out of the protected network segment must pass through the IPS.
Pattern matching therefore plays a key role in signature-based IPSs. There are usually thousands of signatures in modern IPSs, and such pattern databases are growing fast as additional security holes and attacks are discovered on a daily basis. Most signatures contain a few characteristic patterns at fixed or floating locations, but existing network security systems do not evaluate or compute the importance of these patterns relative to other patterns or signatures. As such, when a defined and much smaller number of patterns must be selected or shortlisted for a pre-matching implementation, it becomes difficult to identify which subset of patterns should be chosen; this is the case, for example, in a high-performance IPS in which memory limitations restrict the number of patterns that can be used for pre-matching.
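The two-stage arrangement described above (a small pre-match list scanned against every packet, with the full signature match run only for the signatures that the pre-match list flags) is illustrated below in Python. This is an added example, not part of this document and not the invention's rating method: the sample signature database, the rating heuristic (pattern length, fixed versus floating location, and how many signatures share the pattern) and the memory budget are all constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# A pattern is (bytes, fixed payload offset or None for floating); a signature is a named pattern list.
Pattern = Tuple[bytes, Optional[int]]
SIGS: Dict[str, List[Pattern]] = {          # constructed sample database, not real IPS content
    "sig-A": [(b"GET /", 0), (b"../..", None)],
    "sig-B": [(b"GET /", 0), (b"cmd.exe", None)],
    "sig-C": [(b"\x90\x90\x90\x90", None), (b"\xeb", None)],
    "sig-D": [(b"POST /", 0), (b"<script", None)],
}

def rate(p: Pattern, usage: int) -> float:
    """Assumed rating heuristic (not the patent's): longer patterns are more selective,
    fixed-offset patterns are cheaper to test, and a pattern shared by several
    signatures gates more of the database per pre-match slot."""
    data, offset = p
    return len(data) * (2.0 if offset is not None else 1.0) * usage

def build_prematch(sigs: Dict[str, List[Pattern]], budget: int) -> Dict[Pattern, List[str]]:
    """Keep the `budget` best-rated patterns; map each to the signatures it gates."""
    owners: Dict[Pattern, List[str]] = {}
    for name, pats in sigs.items():
        for p in pats:
            owners.setdefault(p, []).append(name)
    ranked = sorted(owners, key=lambda p: rate(p, len(owners[p])), reverse=True)
    return {p: owners[p] for p in ranked[:budget]}

def hits(p: Pattern, payload: bytes) -> bool:
    data, offset = p
    return data in payload if offset is None else payload[offset:offset + len(data)] == data

def inspect(payload: bytes, sigs: Dict[str, List[Pattern]],
            prematch: Dict[Pattern, List[str]]) -> Tuple[List[str], int]:
    """Two-stage check. Returns (matched signature names, number of signatures full-matched)."""
    # Stage 1: scan only the small pre-match list against the packet.
    candidates = {n for p, names in prematch.items() if hits(p, payload) for n in names}
    # Signatures with no pattern on the list cannot be pre-filtered and always go to stage 2.
    gated = {n for names in prematch.values() for n in names}
    candidates |= set(sigs) - gated
    # Stage 2: full match evaluates every pattern, but only for the candidate signatures.
    matched = [n for n in sorted(candidates) if all(hits(p, payload) for p in sigs[n])]
    return matched, len(candidates)

if __name__ == "__main__":
    pre = build_prematch(SIGS, budget=2)
    print(inspect(b"GET /a/../../etc/passwd HTTP/1.0", SIGS, pre))
```

With a budget of two slots the list holds the two fixed-offset request prefixes, so a packet that starts with neither is full-matched against one signature instead of four; sig-C, having no pattern on the list, is the one that can never be skipped.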
Therefore, there exists a need for systems and methods for rating of signature patterns that are used for pattern matching, and selecting one or more rated signature patterns for populating a pre-match list.