Title of invention: Context-aware pattern matching accelerator
Abstract: Methods and systems for improving the accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a context-aware pattern matching and parsing (CPMP) hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or overflow pattern associated with Intrusion Prevention System (IPS) or Application Delivery Controller (ADC) rules. A candidate rule is identified based on a correlation of the results of the pre-matching process. The candidate packet is tokenized to produce matching tokens and their corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching, based on contextual information, the matching tokens and the corresponding locations.
Publication number: US9491143 (B2)    Publication date: 2016.11.08
Application number: US201514791363    Filing date: 2015.07.03
Applicant: Fortinet, Inc.    Inventors: Guo Zhi; Lu Hongbin; Zhou Xu; Huang Lin; Xie Michael
Classification: H04L12/28; H04L29/06; H04L12/727; H04L12/801; G06F21/56; G06F21/71    Main classification: H04L12/28
Agent firm: Hamilton, DeSanctis & Cha LLP    Agent: Hamilton, DeSanctis & Cha LLP
Independent claim: 1. A method comprising:
    receiving, by a first stage of a context-aware pattern matching and parsing (CPMP) hardware accelerator of a network device, a packet stream;
    performing, by the first stage, a pre-matching process, including string matching and overflow pattern matching, on packets within the packet stream to identify a candidate packet within the packet stream that matches one or more strings or overflow patterns associated with a set of Intrusion Prevention System (IPS) or Application Delivery Controller (ADC) rules;
    identifying, by the first stage, a candidate rule from the set of IPS or ADC rules based on a correlation of results of the pre-matching process;
    tokenizing, by the first stage, packet data of the candidate packet to produce matching tokens and corresponding locations of the matching tokens within the candidate packet;
    performing, by a second stage of the CPMP hardware accelerator including a plurality of CPMP processors, a full-match process on the candidate packet to determine whether the candidate packet satisfies the candidate rule by fetching and executing special purpose CPMP instructions to perform one or more of (i) context-aware pattern matching on one or more packet field values of the candidate packet, (ii) context-aware string matching on packet data of the candidate packet and (iii) regular expression matching on the packet data based on a plurality of predefined conditions associated with the candidate rule, corresponding contextual information provided by the candidate rule, the matching tokens and the corresponding locations; and
    providing, by the second stage, results of the full-match process to a general purpose processor of the network device.
Address: Sunnyvale, CA, US