Title of invention REAL-TIME NETWORK MONITORING AND SECURITY
Abstract A hardware device for monitoring and intercepting packetized data traffic at full line rate is provided. In high bandwidth embodiments, full line rate corresponds to rates that exceed 100 Mbytes/s and in some cases 1000 Mbytes/s. Monitoring and intercepting software, alone, is not able to operate on such volumes of data in real-time. An exemplary embodiment comprises: a data delay buffer with multiple delay outputs; a search engine logic for implementing a set of basic search tools that operate in real-time on the data traffic; a programmable gate array; an interface for passing data quickly to software sub-systems; and control means for implementing software control of the operation of the search tools. The programmable gate array inserts the data packets into the delay buffer, extracts them for searching at the delay outputs and formats and schedules the operation of the search engine logic.
Publication number US2015163319(A1) Publication date 2015.06.11
Application number US201514624010 Filing date 2015.02.17
Applicant BAE SYSTEMS plc Inventors BENNETT Mark Arwyn;PIGGOTT Alexander Colin;GARFIELD David John Michael;MORRIS Philip
Classification H04L29/08;G06F17/30 Main classification H04L29/08
Agency Agent
Main claim 1. An apparatus for analyzing data streams comprising data packets formed according to a predetermined data transfer protocol, the apparatus comprising: a network transceiver which receives one or more data streams being conveyed over a network; a bit sequence storage memory array which stores one or more predetermined bit sequences to be recognized in a received data stream; a hardware search engine logic coupled to the network transceiver and with access to the bit sequence storage memory array, configured to perform a bit-wise comparison of a bit sequence stored in the bit sequence storage memory array with data in the received data stream; a delay buffer, coupled to the network transceiver, having a plurality of outputs for outputting the received data stream with different respective lengths of delay; and a software application coupled to the delay buffer and configured to receive data packets in the received data stream from one or more of said plurality of outputs, wherein the software application is triggered, in the event that the hardware search engine logic recognizes a stored bit sequence in one or more data packets of a given received data stream, to perform further processing on data packets of the given data stream being output from the delay buffer with a first level of delay, and wherein the software application is further triggered, in dependence upon a result of said further processing, to perform one or more further stages of processing on data packets of the given data stream being output from the delay buffer at one or more of said plurality of outputs.
Address London GB