UCLA Technology Available For Licensing
BACKGROUND: Many internet and other network users are extremely vulnerable to malware such as computer viruses and worms. With the increasing sophistication of malware, new techniques are needed to prevent intrusion and damage. Typical protective measures usually include filtering based on header information such as port numbers or origination address. However, these measures cannot stop packets that have seemingly harmless headers but carry malware embedded within the payload. Deep packet inspection attempts to remedy this by examining incoming packets' payloads, and not just their headers.
There are a few obstacles to achieving fast and effective deep packet inspection. First, continuous updates are needed as new malware is released, and these updates must be continuously applied to the filters to keep them up to date. Time is usually of the essence, due to the speed at which new computer viruses spread.
Second, deep packet inspection at today's network speeds requires greater processing power than most general processors can deliver. High performance filters have been developed to work in parallel with reconfigurable devices to alleviate the demands on these general processors.
However, these devices must be reconfigured every time a new update is issued (e.g., a new virus definition). Maintaining high performance after each subsequent reconfiguration is often a very time-consuming task.
INNOVATION: UCLA researchers have designed a novel architecture that allows for fast reconfiguration of deep packet filters. A programmable coprocessor is coupled with the reconfigurable filter, thereby allowing for fast reconfigurations (i.e., updates). This "hybrid" system, consisting of a scalable coprocessor and a high performance filter, allows for efficient deep packet inspection as well as fast reconfiguration for new rules.
Unlike typical software-based updates, which are easily added to existing rules, optimized reconfiguration of a field programmable gate array (FPGA) can sometimes take hours. Given the speed at which viruses and worms spread, this delay could be very problematic. A coprocessor that can immediately store and detect new updates while the filter is reconfigured allows for immediate updates. This hybrid system can efficiently perform deep packet inspection at required network speeds and be quickly updated to search for recent malware even before the filter is reconfigured.
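The update flow described above can be modelled in software. The following is an added illustration, not UCLA's design or code: the class name, method names, and the `SIG-*` byte strings are hypothetical, and plain substring matching stands in for the hardware filter.

```python
class HybridFilter:
    """Software model: slow-to-rebuild filter plus instantly updatable coprocessor."""

    def __init__(self, compiled_signatures):
        self.filter_sigs = frozenset(compiled_signatures)  # stands in for the FPGA filter
        self.coprocessor_sigs = []   # stands in for the programmable coprocessor
        self._building = None        # rules being compiled into the next filter image

    def add_signature(self, sig):
        """A new rule takes effect at once by being stored in the coprocessor."""
        if sig not in self.filter_sigs and sig not in self.coprocessor_sigs:
            self.coprocessor_sigs.append(sig)

    def start_reconfiguration(self):
        """Begin the slow rebuild from the rules known at this moment."""
        self._building = tuple(self.coprocessor_sigs)

    def finish_reconfiguration(self):
        """Swap in the rebuilt filter; rules that arrived mid-rebuild stay put."""
        if self._building is None:
            raise RuntimeError("no reconfiguration in progress")
        self.filter_sigs |= frozenset(self._building)
        self.coprocessor_sigs = [s for s in self.coprocessor_sigs
                                 if s not in self.filter_sigs]
        self._building = None

    def inspect(self, payload):
        """Return (tier, signature) for the first match, or None if nothing matches."""
        tiers = (("filter", self.filter_sigs), ("coprocessor", self.coprocessor_sigs))
        for tier, sigs in tiers:
            for sig in sigs:
                if sig in payload:
                    return (tier, sig)
        return None


def demo():
    # Constructed placeholder signatures and payloads, not real malware patterns.
    hf = HybridFilter([b"SIG-OLD"])
    pkt_a, pkt_b = b"GET /x SIG-NEW-A", b"POST /y SIG-NEW-B"
    seen = [hf.inspect(pkt_a)]          # rule not yet issued: passes
    hf.add_signature(b"SIG-NEW-A")
    hf.start_reconfiguration()
    hf.add_signature(b"SIG-NEW-B")      # issued while the rebuild is running
    seen.append(hf.inspect(pkt_a))      # caught by the coprocessor meanwhile
    hf.finish_reconfiguration()
    seen.append(hf.inspect(pkt_a))      # now matched by the rebuilt filter
    seen.append(hf.inspect(pkt_b))      # still held by the coprocessor
    return seen
```

The case worth noting is the rule issued during a rebuild: it must remain in the coprocessor after the swap, otherwise coverage for it would lapse until the next reconfiguration.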
POTENTIAL APPLICATIONS
ABOUT THE LAB: This innovation was created by the researchers from UCLA's Compiler and Architecture Research for Embedded Systems lab which is focused on improving the performance of embedded systems.
Reference: UCLA Case No 2004-676
Copyright © 2005 The Regents of the University of California.