This invention relates to a method of filtering high data rate traffic based on its content, in particular in firewalls or for lawful intercept.
There are a number of circumstances in which it is permissible and desirable for a third party to review data traffic before it reaches its final destination. One reason for this is to determine whether there is any improper or damaging content, which the reviewer wishes to exclude from their system, for example, as part of a firewall for a corporate or private network, typically using content based searching or email or internet protocol addresses. Another is in the field of lawful intercept i.e. when law enforcement agencies conduct electronic surveillance of communications, usually approved by the government of the day.
Typically, the data under review is being transmitted over a high bandwidth communication link and the data rates are such that a conventional server or personal computer (pc) cannot search the content at these rates. For example, a pc might have difficulty in operating at more than 1 Gbit per second, whereas the communication link may be operating at 10 Gbit/s or more.
In accordance with the present invention, a method of filtering high data rate traffic based on its content comprises identifying candidate fixed size partial strings within the traffic; comparing characters within the candidate partial string with a content addressable memory containing wanted partial string values and identifying matching traffic; wherein the partial string content includes at least one anchor character; wherein the partial string size is set to a predetermined number of characters adjacent to the anchor character; and, wherein partial strings ending in an anchor character are compared with wanted partial string values in the content addressable memory.
The present invention cuts down the processing requirement in that only those sections of the data stream for which a specific partial string match, containing a wanted set of partial keywords, is found are forwarded for further processing. The partial strings have a fixed size which is predetermined as part of system analysis, being a trade-off between speed (smaller is better) and false hit probability (larger size leads to less false hits).
The anchor character is typically an essential character, such as an @ in an email address, or a final character in a keyword.
Preferably, a hash function is applied to the partial string to reduce the length of the partial string to be less than or equal to a width of the content addressable memory.
Preferably, padding characters are inserted at either end of the partial string, when the number of characters in the partial string is less than the number of character spaces available in a width of the content addressable memory.
The partial string may be a keyword in a block of text, but preferably, the partial string comprises one of a partial email address, an internet protocol address, a source or destination port number, or other numeric code.
Preferably, matching traffic is forwarded to a secondary processor and store for further processing.
This simplifies the high speed equipment required, as all storage and further processing is done at a lower than real-time data rate, so is less resource intensive. Typically, the secondary processor is a personal computer.
An example of a method of filtering high data rate traffic based on its content in accordance with the present invention will now be described with reference to the accompany drawings in which:
One approach to the problem of lack of processing speed is to filter the traffic of interest based on IP address, for example those of particular email servers, and/or based on port number, to reduce the traffic volume to a level that can be handled by software processes running on a conventional processing platform. The problem with this approach is that line rate filtering is currently relatively simple, so that port numbers, such as for SMTP email protocol, or IP addresses of, for instance, e-mail servers, need to be known in advance. If certain traffic does not use well known ports, or a more generic capability is required, such as searching for a specific word in a particular context in all traffic, rather than searching for a specific email server, then all packets must be inspected at a line rate which cannot be achieved with software on a general purpose processor. Another problem with needing to know the addresses, or port numbers, is updating that information if the server to which they relate is changed.
The present invention addresses these problems by introducing an algorithm that is split between a programmable front line processor, such as a network processor (NP), at line rate to filter packets and/or sessions that may be of interest and a second line processor, so that the data rate handled by the second line processor is reduced to one slow enough to manage, despite the high data rate of the incoming traffic. Other solutions to this problem either require custom hardware which is expensive and inflexible, or the use of multiple processing platforms to handle the line rate packet processing, which is also expensive.
In the present invention, a high-speed partial string match algorithm is run on the NP in order that the second line processor does not need to handle the same data rates. The NP provides very fast micro-engines that can process packet data, but with limited code and data space, so the algorithm running on the NP needs to be fast and relatively simple.
In a first example of the present invention, as shown in
If a character 7 matches an anchor character, such as the last character of any potential keyword, a look-up of the previous X characters is performed directly using the TCAM functionality of the network search engine NSE. This approach is feasible if the value of X is relatively small so that look-up width can be handled by the TCAM with the resulting table being of sufficient size to hold the dictionary. A hit from the TCAM is then used to filter the packet, or session to an appropriate stream handler on the second line processor 6.
Any keyword can be added to the dictionary including binary sequences. Skip tables based on diagrams (two consecutive characters) can also be used to increase skipping efficiency provided that the look-up table can be encoded in the data space available for each micro-engine. For instance it is possible to encode a 2 character skip table as a shorter hierarchical data structure by limiting the number of first characters allowed for the diagrams.
Another advantage of partial keyword matching is that any substring of the keyword can be chosen for matching, thus less common character sequences can be chosen to reduce false look-up probability and increase performance.
A second example of the present invention, shown in
The example of
Although this example is described with a hash function, the characters can also be presented to the TCAM functionality in the NSE without needing to hash this value, but hashing here has the advantage that the address space can be reduced and therefore the width of table that needs to be stored in the NSE.
For the email example, a large number of hits may occur for particular domains, so at least some portion of the local-part of the e-mail address is usually required, with a target address database stored in the NSE.
It is possible that the local-portion of the e-mail address could be only one character long. If target e-mail addresses contain less than X characters in the local-portion of the address, then special handling is provided. By keeping a check of the last delimiter found whilst searching for the ‘@’ character, the NP code can know the size of the potential local-part of the e-mail address. If this is less than X characters long, the extra characters are padded with a known value and a hash look-up can be performed to check for this address. As local-part identifiers less than 4 characters long are not common this does not add significant processing overhead.
A further option is that the scan to the right of the @ character is modified to scan until an invalid character, end-of-packet or maximum Y value is encountered. The resultant packet or the whole transmission control protocol (TCP) session to which it belongs is then filtered to a process on the second line processor.
The present invention provides a method for string searching and subsequent filtering within packet data for identifiers of interest, such as e-mail addresses, at multi-gigabit/s line rates using a partial string search technique. A partial string match in a front line processor, such as a network processor or general purpose hardware unit, filters traffic down to a rate that can be handled by software running on a conventional computing platform such as a general purpose server. The filtering can pass through matches deemed to be safe, such as in firewall applications, or those deemed of concern, for lawful intercept. There may be some cases where a match picks up data which is not actually what is being searched for, but by filtering out those which are definitely of no interest, the data rate is brought down to something manageable by the slower, second line processor which can then carry out a finer selection.
The CAM generally only indicates the presence or absence of a match, but in some cases it can store data which is output if a match occurs, such as an index as to which protocol the packet relates to or which process on the second line processor should be used for further processing.
Number | Date | Country | Kind |
---|---|---|---|
0601832.9 | Jan 2006 | GB | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/GB07/50027 | 1/18/2007 | WO | 00 | 7/30/2008 |