Signature Detection is the underlying technology behind Intrusion Detection, Intrusion Prevention (IDS/IPS), and Application Recognition systems. Signatures are patterns that, when matched, indicate that the system should apply designated security or QoS policies. There are two primary classes of security signatures:
Behavioral signatures are deviations from the actions a system normally takes. In networking systems, the signature may be a sudden onset of high-volume traffic from a Human Resources server to an external IP address. Behavioral signature methods require significant CPU performance, because maintaining a baseline of "normal" traffic and discerning malicious intent from changes to that baseline requires multiple algorithms, which may be tweaked on a regular basis. As a result, hardware accelerators and ASICs have limited utility beyond off-loading initial flow classification.
Data signatures are reducible to binary strings which can be located by scanning the data, either in software or with specialized hardware accelerators. The major complexity in detecting binary strings is dealing with strings that are deliberately spread over multiple network datagrams, contain multiple character options (capitalization), or otherwise include wildcards. The language for defining data signatures is known as Regular Expressions, and accelerators that scan data for signatures based on regular expression rules are often referred to as RegEx Engines.
Many of our QorIQ communications processors integrate a RegEx engine called the Pattern Matching Engine (PME).
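The three complications named above (a string split across datagrams, mixed capitalization, wildcards) can be seen in a small software matcher. This is an added example, not NXP code and not a model of the PME; the class and function names, the `?` single-byte wildcard syntax and the sample payload are assumptions constructed for illustration.

```python
WILDCARD = ord("?")  # assumed syntax: '?' in a signature matches any single byte

class StreamMatcher:
    """Scan a byte stream, delivered in segments, for one data signature."""

    def __init__(self, signature: bytes):
        if not signature:
            raise ValueError("empty signature")
        self.sig = signature.lower()  # case-insensitive: fold the pattern once
        self.active = set()           # pattern positions of partial matches in flight
        self.offset = 0               # stream bytes consumed so far

    def feed(self, segment: bytes) -> list:
        """Consume one segment; return stream offsets where a match starts."""
        hits = []
        for b in segment:
            if 0x41 <= b <= 0x5A:     # fold ASCII A-Z to a-z
                b += 0x20
            advanced = set()
            for pos in self.active | {0}:  # every byte may also start a new match
                if self.sig[pos] in (WILDCARD, b):
                    if pos + 1 == len(self.sig):
                        hits.append(self.offset - len(self.sig) + 1)
                    else:
                        advanced.add(pos + 1)
            self.active = advanced    # state carried over to the next byte or segment
            self.offset += 1
        return hits

def scan_per_packet(signature, segments):
    """Stateless scan: each datagram is inspected in isolation."""
    return [h for seg in segments for h in StreamMatcher(signature).feed(seg)]

def scan_per_flow(signature, segments):
    """Stateful scan: partial-match state survives datagram boundaries."""
    matcher = StreamMatcher(signature)
    return [h for seg in segments for h in matcher.feed(seg)]

# Constructed sample: one payload split across three datagrams, mixed case.
SIGNATURE = b"evil?marker"
SEGMENTS = [b"hdr=1;Ev", b"Il-Ma", b"RkEr;end"]

if __name__ == "__main__":
    print("per-packet:", scan_per_packet(SIGNATURE, SEGMENTS))
    print("per-flow:  ", scan_per_flow(SIGNATURE, SEGMENTS))
```

The per-packet scan reports nothing because no single datagram contains the whole string, while the per-flow scan reports the match at its starting offset in the reassembled stream.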
Advantages of the NXP PME include:
The PME also provides a Stateful Rule Engine (SRE) that allows the user to describe stateful relationships between patterns. This stateful rule capability provides significant additional capabilities beyond simple pattern matching.
Applications whose performance can be accelerated by leveraging the pattern matching engine include:
Performance of a deep packet inspection software stack was accelerated two-fold by using the pattern matching engine on the P2041.