Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.

Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a rule database that requires less storage capacity than the malware detection rules is generated by substituting tokens for selected symbol strings within the malware detection rules. A compressed traffic stream is generated by substituting the tokens for instances of the selected symbol strings within the input traffic stream, and then compared with the rule database to determine whether the input traffic stream contains one or more symbol sequences that correspond to any of the malware detection rules.

Abstract: In a malware detection device, first characters in a network traffic flow are compared with a plurality of entries within a ternary content addressable memory (TCAM), the plurality of entries including a first entry that constitutes a first segment of a malware signature. In response to an output from the first TCAM indicating that the first characters match the first entry, a variable-character expression engine determines whether second characters in the network traffic flow match a first variable-length regular expression, the variable-length regular expression corresponding to a second segment of the malware signature. A comparand value is generated that includes third characters in the network traffic flow and an expression-match value that indicates whether the second characters match the first variable-length regular expression. The TCAM compares the first comparand value with the plurality of entries therein as part of a determination whether the network traffic flow contains the malware signature.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a sequence of state definitions are generated for each of the rules. The state definitions for each rule correspond to respective segments of the rule and specify conditions under which a state machine is to transition between search states corresponding to those segments, at least one of the segments corresponding to multiple characters within the input traffic stream. A state machine transitions between search states corresponding to one or more of the rules in accordance with contents of the input traffic stream and the conditions specified by the sequence of state definitions.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a rule database that requires less storage capacity than the malware detection rules is generated by substituting tokens for selected symbol strings within the malware detection rules. A compressed traffic stream is generated by substituting the tokens for instances of the selected symbol strings within the input traffic stream, and then compared with the rule database to determine whether the input traffic stream contains one or more symbol sequences that correspond to any of the malware detection rules.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a sequence of state definitions are generated for each of the rules. The state definitions for each rule correspond to respective segments of the rule and specify conditions under which a state machine is to transition between search states corresponding to those segments, at least one of the segments corresponding to multiple characters within the input traffic stream. A state machine transitions between search states corresponding to one or more of the rules in accordance with contents of the input traffic stream and the conditions specified by the sequence of state definitions.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a sequence of state definitions are generated for each of the rules. The state definitions for each rule correspond to respective segments of the rule and specify conditions under which a state machine is to transition between search states corresponding to those segments, at least one of the segments corresponding to multiple characters within the input traffic stream. A state machine transitions between search states corresponding to one or more of the rules in accordance with contents of the input traffic stream and the conditions specified by the sequence of state definitions.

Abstract: In a malware detection device, first characters in a network traffic flow are compared with a plurality of entries within a ternary content addressable memory (TCAM), the plurality of entries including a first entry that constitutes a first segment of a malware signature. In response to an output from the first TCAM indicating that the first characters match the first entry, a variable-character expression engine determines whether second characters in the network traffic flow match a first variable-length regular expression, the variable-length regular expression corresponding to a second segment of the malware signature. A comparand value is generated that includes third characters in the network traffic flow and an expression-match value that indicates whether the second characters match the first variable-length regular expression. The TCAM compares the first comparand value with the plurality of entries therein as part of a determination whether the network traffic flow contains the malware signature.

Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a sequence of state definitions are generated for each of the rules. The state definitions for each rule correspond to respective segments of the rule and specify conditions under which a state machine is to transition between search states corresponding to those segments, at least one of the segments corresponding to multiple characters within the input traffic stream. A state machine transitions between search states corresponding to one or more of the rules in accordance with contents of the input traffic stream and the conditions specified by the sequence of state definitions.