Signature Detection Technology

Signature detection is the underlying technology behind Intrusion Detection and Intrusion Prevention (IDS/IPS) systems and Application Recognition systems. Signatures are patterns which, when matched, indicate that the system should apply designated security or QoS policies. There are two primary classes of security signatures:

Behavioral Signatures

Behavioral signatures describe anomalies relative to the actions a system normally takes. In a networking system, the signature might be a sudden onset of high-volume traffic from a Human Resources server to an external IP address. Behavioral methods require significant CPU performance, because maintaining a baseline of "normal" traffic and discerning malicious intent from deviations against that baseline requires multiple algorithms that may be tuned on a regular basis. As a result, hardware accelerators and ASICs have limited utility beyond off-loading the initial flow classification.

Data Signatures

Data signatures are reducible to binary strings that can be located by scanning the data, either in software or with specialized hardware accelerators. The main complexity in detecting binary strings is handling strings that are deliberately spread across multiple network datagrams, that admit several character options at a position (for example, either capitalization), or that otherwise include wildcards. Data signatures are conventionally expressed as regular expressions, and accelerators that scan data against regular-expression rules are often referred to as RegEx engines.
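The following Python scanner is an added illustration of the cross-datagram problem described above; it is not NXP code and does not model the PME. The signature set, the packet payloads and the per-signature match-length bounds are all constructed for the example. It contrasts a naive scanner that inspects each datagram in isolation with a stateful one that carries the tail of the previous datagram forward, so a pattern split across a boundary (and written in mixed case) is still found.

```python
import re

# Constructed signature set for this example (not the PME's database format).
# Each entry is (name, compiled pattern, longest possible match in bytes).
# The length bound is what lets the stateful scanner size its carry-over
# window; a pattern with an unbounded wildcard (".*") cannot be given one and
# needs full stream reassembly instead.
SIGNATURES = [
    ("cmd-exec",   re.compile(rb"cmd\.exe", re.IGNORECASE), 7),
    ("shell-path", re.compile(rb"/bin/(ba)?sh"), 8),
    ("etc-passwd", re.compile(rb"\.\./\.\./etc/passwd"), 17),
]


def scan_per_packet(packets, signatures=SIGNATURES):
    """Naive scanner: each datagram is scanned on its own, so any pattern that
    straddles a datagram boundary is missed. Returns (name, offset) pairs with
    offset measured from the start of the stream."""
    hits = []
    offset = 0
    for payload in packets:
        for name, rx, _ in signatures:
            hits.extend((name, offset + m.start()) for m in rx.finditer(payload))
        offset += len(payload)
    return hits


class StreamScanner:
    """Stateful scanner for one flow. It keeps the last (longest_match - 1)
    bytes of the previous datagram and prepends them to the next one, so a
    pattern split across the boundary is still matched. Matches are keyed by
    absolute stream offset so a match already reported from the carried bytes
    is not reported a second time."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.window = max(n for _, _, n in signatures) - 1
        self.carry = b""       # tail of the previous datagram
        self.consumed = 0      # total payload bytes fed so far
        self.seen = set()      # (name, stream offset) already reported

    def feed(self, payload):
        buf = self.carry + payload
        base = self.consumed - len(self.carry)   # stream offset of buf[0]
        hits = []
        for name, rx, _ in self.signatures:
            for m in rx.finditer(buf):
                key = (name, base + m.start())
                if key not in self.seen:
                    self.seen.add(key)
                    hits.append(key)
        self.consumed += len(payload)
        self.carry = buf[-self.window:] if self.window else b""
        return hits


def scan_stream(packets, signatures=SIGNATURES):
    """Feed a list of datagrams, in order, through one StreamScanner."""
    scanner = StreamScanner(signatures)
    hits = []
    for payload in packets:
        hits.extend(scanner.feed(payload))
    return hits


# Constructed flow: "CMD.exe" (mixed case) and "../../etc/passwd" are each
# split across two datagrams, which is exactly what defeats the naive scanner.
PACKETS = [
    b"GET /?q=C",
    b"MD.exe HTTP/1.1\r\n",
    b"x=../../e",
    b"tc/passwd",
]

if __name__ == "__main__":
    print("per-packet:", scan_per_packet(PACKETS))
    print("stream:    ", scan_stream(PACKETS))
```

For this flow the per-packet scanner reports nothing, while the stateful scanner reports both signatures at their stream offsets (8 and 28), the same result as scanning the reassembled stream in one piece. The carry-over window only works because every pattern has a bounded match length; a pattern with an unbounded wildcard needs full stream reassembly, and that reassembly must also resolve overlapping or out-of-order segments the way the destination host does, since splitting a payload across datagrams is a classic IDS evasion.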

Pattern Matching Engine

Many NXP QorIQ communications processors integrate a RegEx engine called the Pattern Matching Engine (PME).

Advantages of the NXP PME include:

  • NFA implementation, with fast pre-scan to determine which NFAs to execute on which portions of the scanned data
  • Fast compilation of pattern database, with fast incremental additions and updates
  • Patterns stored in main DDR DRAM, no requirement for expensive specialty memories
  • On-chip hash tables for low system memory utilization, removing need for costly low-latency memory technologies

The PME also provides a Stateful Rule Engine (SRE) that allows the user to describe stateful relationships between patterns. Stateful rules extend the engine significantly beyond simple pattern matching.
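To make "stateful relationships between patterns" concrete, the following Python is an added illustration and not the SRE's rule syntax or NXP code. It assumes two kinds of relationship, ordering and proximity: a rule names a sequence of pattern identifiers that must all match, in order, within a bounded number of stream bytes. The rules and the match events are constructed for the example; the events are what a pattern scanner would emit for one flow, already sorted by stream offset.

```python
# Constructed rules (not the SRE's rule language):
# (rule name, ordered pattern names that must all match, maximum byte span)
RULES = [
    ("sql-union-dump", ("sql-union", "sql-from", "sql-comment"), 64),
    ("shell-then-url", ("shell-path", "http-url"), 256),
]


class RuleEngine:
    """Tracks, per rule, how far into its pattern sequence the flow has
    progressed and where the sequence started. A rule fires when its last
    pattern is seen; partial progress is discarded once the span limit is
    exceeded. Unrelated pattern matches in between are ignored."""

    def __init__(self, rules):
        self.rules = rules
        # rule name -> (index of the next expected pattern, start offset or None)
        self.state = {name: (0, None) for name, _, _ in rules}

    def on_match(self, pattern, offset):
        fired = []
        for name, seq, span in self.rules:
            idx, start = self.state[name]
            if start is not None and offset - start > span:
                idx, start = 0, None          # too far apart: forget progress
            if seq[idx] == pattern:
                if idx == 0:
                    start = offset            # sequence begins here
                idx += 1
                if idx == len(seq):
                    fired.append((name, start, offset))
                    idx, start = 0, None      # fired: ready for the next occurrence
            self.state[name] = (idx, start)
        return fired


def evaluate(rules, events):
    """Run one flow's (pattern, offset) events through the engine."""
    engine = RuleEngine(rules)
    fired = []
    for pattern, offset in events:
        fired.extend(engine.on_match(pattern, offset))
    return fired


# Constructed event streams for one flow each.
ATTACK = [("sql-union", 40), ("http-url", 45), ("sql-from", 52), ("sql-comment", 58)]
OUT_OF_ORDER = [("sql-comment", 10), ("sql-from", 20), ("sql-union", 30)]
TOO_FAR_APART = [("sql-union", 0), ("sql-from", 10), ("sql-comment", 200)]

if __name__ == "__main__":
    print(evaluate(RULES, ATTACK))          # fires sql-union-dump over bytes 40..58
    print(evaluate(RULES, OUT_OF_ORDER))    # same patterns, wrong order: nothing
    print(evaluate(RULES, TOO_FAR_APART))   # same order, span exceeded: nothing
```

The point of keeping this state per flow is that the individual patterns are weak on their own (a SQL keyword or a shell path occurs in plenty of legitimate traffic) and only become a signature in combination; the rule engine turns raw match events into a verdict without having to express the whole combination as one regular expression.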

Some of the applications whose performance can be accelerated by the pattern matching engine include:

  • Residential Gateway Systems
  • Unified Threat Management
  • Intrusion Prevention Systems
  • Security Network Storage

Performance of a deep packet inspection software stack was accelerated two-fold by using the pattern matching engine on the P2041.