System, apparatus and methods to implement high-speed network analyzers

摘要

Systems, apparatus and methods for the implementation of high-speed network analyzers are provided. A set of high-level specifications is used to define the behavior of the network analyzer emitted by a compiler. An optimized inline workflow to process regular expressions is presented without sacrificing the semantic capabilities of the processing engine. An optimized packet dispatcher implements a subset of the functions implemented by the network analyzer, providing a fast and slow path workflow used to accelerate specific processing units. Such dispatcher facility can also be used as a cache of policies, wherein if a policy is found, then packet manipulations associated with the policy can be quickly performed. An optimized method of generating DFA specifications for network signatures is also presented. The method accepts several optimization criteria, such as min-max allocations or optimal allocations based on the probability of occurrence of each signature input bit.

主权项

1. A method of analyzing data in a communication device comprising:
receiving, at a protocol input interface, a protocol specification comprising human readable grammar; receiving, at an event interface, an event specification; deriving, in a network analyzer compiler module configured for translating the protocol and event specifications into executable code for a hardware platform, a data plane specification from the protocol specification and the event specification; and outputting the data plane specification to a data plane module, wherein:
the data plane specification comprises a plurality of target events and the data plane module groups the target events into a fast path and a slow path and wherein the fast path implements a logical OR of at least two of the plurality of target events and the slow path implements each of the plurality of target events individually, each target event comprising at least one signature and the logical OR comprises a logical OR of at least two different signatures;the data plane module comprises a Discrete Finite Automata engine; andderiving the data plane specification comprising:
(a) translating a Boolean signature into its conjunctive normal form expression;(b) partitioning, according to a first optimization criterion, the conjunctive normal form expression into a multiplicity of conjunctive normal form sub-expressions;(c) converting the multiplicity of conjunctive normal form sub-expressions into binary decision diagrams; and(d) representing the binary decision diagrams as Discrete Finite Automata specifications.