Intrusion detection state machine for finding attack signatures with reduced buffering requirements for handling out of sequence packets

Abstract

Some intrusion detection systems look for signature patterns of characters indicative of an attack in received data streams, using state machines that react to each received character. Problems arise when the data stream is segmented (e.g. into TCP packets) and the segments are not received in order (n+2 in the figure). Traditional systems would buffer the subsequent packets (n+3 to n+6) until the delayed one was received and then recommence processing. Instead, the invention stores the machine state (at n+1) and buffers the immediately subsequent segment (n+3). It then initialises the state machine and processes the subsequent packets until the late segment is received. Then it again stores the machine state (at n+6), restores the first stored state and processes the missing and buffered segments (n+2 and n+3). Finally, the second stored state is restored and normal processing resumes (at n+7). The system thereby reduces the size of the buffer required (from 4 segments to 1 in the example).
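The save/restore scheme described in the abstract, as an added Python example (not code from the patent). It assumes byte-offset sequence numbers, a single gap filled by one late segment, a signature no longer than a segment, and that the buffered segment is also scanned by the re-initialised machine so that a match running into the next segment is not lost; `Matcher`, `Detector`, `scan` and the placeholder signature `ATTACK` are constructed for illustration.

```python
class Matcher:                                  # streaming KMP; state = bytes matched so far
    def __init__(self, sig):
        self.sig, self.state, self.fail = sig, 0, [0] * len(sig)
        for i in range(1, len(sig)):            # KMP failure table
            k = self.fail[i - 1]
            while k and sig[i] != sig[k]:
                k = self.fail[k - 1]
            self.fail[i] = k + (sig[i] == sig[k])
    def feed(self, data, base, hits):
        s = self.state
        for i, b in enumerate(data):
            while s and b != self.sig[s]:
                s = self.fail[s - 1]
            s += b == self.sig[s]
            if s == len(self.sig):
                hits.add(base + i + 1)          # absolute offset just past the match
                s = self.fail[s - 1]
        self.state = s

class Detector:
    def __init__(self, sig):
        self.m, self.hits, self.next_seq, self.gap = Matcher(sig), set(), 0, None
    def receive(self, seq, data):
        if self.gap == (seq, seq + len(data)):            # late segment (n+2) arrives
            resume, self.m.state = self.m.state, self.saved   # store 2nd state, restore 1st
            self.m.feed(data, seq, self.hits)             # missing segment ...
            self.m.feed(self.buffered, self.gap[1], self.hits)  # ... then the buffered one
            self.m.state, self.gap, self.buffered = resume, None, None
            return
        if self.gap is None and seq > self.next_seq:      # gap detected
            self.saved, self.gap = self.m.state, (self.next_seq, seq)  # store state (n+1)
            self.buffered, self.m.state = data, 0         # buffer one segment, initialise
        elif seq != self.next_seq:
            raise ValueError("second gap or overlap: outside this sketch")
        self.m.feed(data, seq, self.hits)   # assumption: the buffered segment is scanned now too
        self.next_seq = seq + len(data)

def scan(sig, segments):
    d = Detector(sig)
    for seq, data in segments:
        d.receive(seq, data)
    return sorted(d.hits)                   # set-based, so replayed matches are not duplicated

SIG, stream = b"ATTACK", bytearray(b"." * 64)   # constructed sample, placeholder signature
for off in (13, 21, 29, 42, 53):                # matches crossing several segment boundaries
    stream[off:off + 6] = SIG
SEGS = [(o, bytes(stream[o:o + 8])) for o in range(0, 64, 8)]
ARRIVAL = SEGS[:2] + SEGS[3:7] + [SEGS[2], SEGS[7]]     # n+2 arrives after n+6
```

`scan(SIG, ARRIVAL)` reports the same match offsets as scanning `SEGS` in order, while holding only one segment in memory during the gap.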
