Title of invention: Real-time network monitoring and security
Abstract: A hardware device for monitoring and intercepting packetized data traffic at full line rate is provided. In high bandwidth embodiments, full line rate corresponds to rates that exceed 100 Mbytes/s and in some cases 1000 Mbytes/s. Monitoring and intercepting software, alone, is not able to operate on such volumes of data in real-time. An exemplary embodiment comprises: a data delay buffer with multiple delay outputs; a search engine logic for implementing a set of basic search tools that operate in real-time on the data traffic; a programmable gate array; an interface for passing data quickly to software sub-systems; and control means for implementing software control of the operation of the search tools. The programmable gate array inserts the data packets into the delay buffer, extracts them for searching at the delay outputs and formats and schedules the operation of the search engine logic.
Publication number: US8977744(B2) Publication date: 2015.03.10
Application number: US201213719736 Filing date: 2012.12.19
Applicant: Bae Systems PLC Inventors: Bennett Mark Arwyn;Piggott Alexander Colin;Garfield David John Michael;Morris Philip
Classification: G06F11/30;H04L29/06 Main classification: G06F11/30
Agency: Scully, Scott, Murphy & Presser, P.C. Agent: Scully, Scott, Murphy & Presser, P.C.
Main claim: 1. An apparatus for analyzing data streams being carried over a network, wherein said data streams comprise streams of data packets formed according to one or more predetermined protocols, the apparatus comprising: a network interface for extracting data streams being conveyed over the network; a bit pattern memory array which stores one or more predetermined bit patterns; a multi-tap delay buffer, coupled to the network interface to receive an extracted data stream, the delay buffer having a plurality of outputs each arranged to output data packets of the received data stream with a different length of delay; a hardware search engine logic coupled to receive data packets of a data stream extracted by the network interface and, with access to the bit pattern memory array, configured to perform a bit-wise comparison of a bit pattern stored in the bit pattern memory array with bit sequences contained in the received data packets thereby to identify one or more actionable data packets, said one or more actionable data packets comprising at least one data packet in the extracted data stream identified as containing a bit sequence that matches the bit pattern; and a processor, coupled to the multi-tap delay buffer, arranged to perform software-implemented processing on said one or more actionable data packets when output from the delay buffer with a first level of delay and, in dependence upon the result of said processing, to trigger the hardware search engine logic to perform a further bit-wise comparison upon data packets being output from one or more of said plurality of outputs of the delay buffer, thereby to identify one or more further actionable data packets.
Address: London GB