1. (WO2017138936) DETERMINING PATTERN MATCH BASED ON CIRCUIT MATCH AND HASH VALUE MATCH
Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

DETERMINING PATTERN MATCH BASED ON CIRCUIT MATCH AND HASH VALUE MATCH

BACKGROUND

[0001] Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop computers, laptops, workstations, network printers, network scanners, etc. that are networked together across a local area network (LAN), wide area network (WAN), wireless networks, etc. Networks can include deep packet inspection devices, such as an intrusion prevention system (IPS) and/or an intrusion detection system (IDS) to detect unwanted activity acting on the computer network. Further, networks can be managed using a Software Defined Networking controller.

BRIEF DESCRIPTION OF THE DRAWINGS

[0002] The following detailed description references the drawings, wherein:

[0003] FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples;

[0004] FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example;

[0005] FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example;

[0006] FIG. 5 is a block diagram of a network device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example;

[0007] FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example; and

[0008] FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example.

DETAILED DESCRIPTION

[0009] Deep Packet Inspection devices can examine network packets and flows of packets to detect patterns, for example, to help defend against malware, to prioritize traffic flows, to monitor for data exfiltration, etc. However, deep packet inspection devices tend to be slow relative to current network speeds, with the performance gap widening. Increasing deep packet inspection device capacity, and/or capability, to check all network data is expensive. Examples of deep packet inspection devices include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Next Generation Firewalls (NGFW).

[0010] One option is to inspect the traffic at other network infrastructure devices, such as switches, routers, wireless access points, etc., according to rules to determine whether to perform an action (e.g., drop a packet or packet flow, send the packet or packet flow to an IDS, IPS, NGFW, log the information, etc.). The inspection can be cruder than packet inspection by an IDS, IPS, or NGFW, thus allowing for limited packet inspection that can be performed at various locations within a network environment. An application-specific integrated circuit (ASIC) can be used to perform the packet inspection in the network devices.

[0011] However, performing packet inspection at network devices (e.g., switches, access points, routers, etc.) can come at a time and/or hardware cost. For example, if a packet is processed using an ASIC, hardware would be needed to quickly identify patterns (e.g., strings) that are matched. As the number of patterns to match grows, the amount of hardware increases. As the quantity of patterns grows, it can be desirable to scale the approach to use these network infrastructure devices. Patterns can be large or small. If a pattern (e.g., a match on a string) is longer than a particular length, additional hardware may be needed.

[0012] Accordingly, various examples disclosed herein relate to using an approach where a network infrastructure device includes a circuit capable of matching patterns as well as a packet processor to match additional portions of a pattern. The circuit may be capable of matching patterns of a particular size (e.g., between 1 byte and 12 bytes, between 1 byte and 16 bytes, etc.). Circuitry can be implemented using, for example, Bloom tables in hardware.

[0013] If a string or pattern to be matched is longer than the capability of the circuit, a packet processor can be used in conjunction with the circuit. A portion of the pattern can be matched using the circuit. Another portion or portions of the pattern (e.g., an adjacent portion, a superset, a portion with a gap before or after the initial portion, etc.) can be compared based on the match using the circuit. This can be facilitated by using hashing. For example, the portion(s) of the pattern to be examined can be hashed by a management device as a precursor to the pattern search. The management device can provide that hash to the packet processor. Further, a data structure, such as a table, can be stored on the network infrastructure device so that when a match is made by the circuit, the network infrastructure device can compare the match with the data structure (e.g., a table).

[0014] In one example, the match is a complete match for a pattern or string. In that example, the match is compared in the data structure to determine what to do with the packet and/or associated packet stream. For example, if a match is made, the data structure may indicate to the network infrastructure to perform an action (e.g., drop a packet or flow, divert the packet or flow to another device (e.g., an IPS device, a data collection device, etc.), tag information to the packet and/or flow, etc.).

[0015] In another example, the match is partial. When the match is compared to the data structure, the data structure can indicate one or multiple other portions of the packet to compare. The data structure can also associate the portion(s) with a pre-determined hash value as described above. Moreover, in some examples, the data structure can provide information of where the packet processor should look for the portion (e.g., via an index) and/or a size of the portion. The packet processor can hash the portion and compare the hashed portion with the pre-determined hash value. If the pre-determined hash value matches the hash value determined by the packet processor, the pattern can be considered a match. With this approach, variable sized patterns (e.g., strings) can be searched for in packets. Further, because this approach is not limited to header fields, matches can be for any portion of the packets. As such, this can enable actions to occur based on matches of data. The hash function for the pre-hash and the hashing performed by the packet processor can be the same or compatible.

[0016] For example, the strings "CONFIDENTIAL INFORMATION" and "CONFIDENTIAL DATA" can be searched for as a pattern. In this example, the circuit may have a capability to match 10 characters. Further, in this example, the string "CONFIDENTI" can be searched for using the circuit. In this example, a match in the circuit yields the hash for "AL INFORMATION" and "AL DATA". In one example, the string "CONFIDENTIAL DATA and PRIVILEGED" is present. "CONFIDENTI" is matched using the circuit and then the packet processor processes the next 7 characters "AL DATA" and the next 14 characters "AL DATA and PR." The hash for "AL DATA" matches, however, the hash for "AL INFORMATION" does not. The match can lead to an action to be performed.

[0017] As used herein, a network infrastructure device includes a network chip and can be used to forward packets. In one example, the network infrastructure device can have a number of network ports for the device for receiving and transmitting packets therefrom, and logic that is encoded with application specific integrated circuit (ASIC) primitives to check header fields and payload content in the packets. In other examples, logic can be implemented using other electronic circuitry (e.g., field programmable gate arrays (FPGAs), complex programmable logic devices (CPLDs), etc.). Further, instructions executable by a packet processor can be used in conjunction with the circuitry. In certain examples, the logic can perform pattern matching on the header fields and the payload content according to a number of rules. As noted above, the logic can be combined with the packet processor to allow for variable length pattern matching.

[0018] FIGs. 1 and 2 are block diagrams of network infrastructure devices capable of determining a variable sized pattern match in a packet, according to various examples. Network infrastructure devices 100, 200 include components that can be utilized to determine a variable sized pattern match in a packet. In one example, network infrastructure device 100 can include a network interface 110, packet processor 112, a circuit 114, and a management engine 116. In some examples, network infrastructure device 200 can also include a pattern rule(s) 220, a pre-hash calculation 222, a processor 230, and memory 232. The respective network infrastructure devices 100, 200 may be a network device, a switch, a wireless access point, a hub, a router, or other network device capable of performing the functionality described herein.

[0019] The network interface 110 switches traffic between inputs and outputs using standard processing (e.g., a standard switch process based on source and destination addresses of the packets). Traffic includes packetized data ("packets") formatted using multiple layers of protocol, e.g., the Transmission Control Protocol (TCP) Internet Protocol (IP) ("TCP/IP") model, Open Systems Interconnection (OSI) model, or the like. A packet generally includes a header and a payload. The header implements a layer of protocol. The payload includes data, which may be related to packet(s) at another layer of protocol. In an example, the network interface 110 performs switching of the packets at a network access layer. The network access layer provides links between hosts over which packets are transmitted. The network access layer is sometimes referred to as layer 2, referring to layer 2 of the OSI model. The prevailing network access layer today includes the Ethernet family of protocols, although the network interface 110 can switch packets using other types of network access protocols. While the network interface 110 can switch traffic at the network access layer, the network interface 110 may also process packets at layers above the network access layer to implement various other functions (e.g., quality of service (QoS), such as at a network layer (e.g., IP or other OSI layer 3 protocol) and/or transport layer (e.g., TCP, User Datagram Protocol (UDP), or other OSI layer 4 protocol)).

[0020] In certain examples, the packet processor 112 and/or circuit 114 can be used to match patterns in the packets and/or packet flow according to pattern rules 220. The patterns can be byte patterns and/or packet patterns and/or regular expression patterns. Packet(s) matching pattern(s) are deemed to satisfy the rule.

[0021] In an example, the pattern rules 220 can be based on at least one Bloom filter. A Bloom filter can be used to test whether an element (e.g., a character, string of characters, a byte pattern from packet(s)) is a member of a set (e.g., interesting byte patterns). In another example, the pattern rules 220 can be based on a regular expression filter. A regular expression filter searches for byte patterns in the packets using regular expressions. As noted above, the circuit 114 can be used to implement pattern rules 220 for patterns that are up to a predetermined pattern size (e.g., K bytes). For matched patterns up to that size, the match can be communicated to the packet processor 112 and the packet processor 112 or other resource can be used to facilitate performance of an action (e.g., add a tag to the packet or packet flow and forward via the network interface 110, forward to an intrusion prevention system, forward to an intrusion detection system, forward to another device, copy to another device, drop the packet or associated flow, log the match, check a hash value as described further below, etc.).

[0022] When a pattern rule 220 is set up for a pattern that is greater than K bytes, a combination of the circuit 114 and the packet processor 112 can be used to implement search of the pattern. For descriptive purposes, the pattern size can be considered N bytes. A pattern rule 220 can be set up for use with a subset of the N bytes (e.g., the first K bytes, K bytes in the middle, K bytes in the end, a smaller subset, etc.).

[0023] Various reasons can be used to choose the subset. In one example, if the pattern was a string "Privileged and Confidential," and K was 12 bytes, one reason to use a rule to match a first portion of the string, "Confidential," in the circuit 114 could be that the 12 byte pattern of "Confidential" is already being searched for in another pattern rule 220. In the same example, another pattern "Confidential Material" may also choose "Confidential" for the pattern rule to implement in the circuit 114 though it is at the beginning of the pattern instead of the end.

[0024] The circuit 114 can be set such that the circuit 114 can provide location information of the matched term in the packet. For example, the circuit 114 can provide information (e.g., an offset) as to where the beginning of the matched rule is in the packet. The circuit 114 may also provide an index value that can be used to look up actions the packet processor 112 or other resource can take in response to a match. The index value can be used by the packet processor 112 or other resource to look up, in a data structure (e.g., a table), an action to take based on the match in the circuit 114.

[0025] As noted above, various actions can be taken. One particular action can be for the match of the rule in the circuit 114 to be considered a partial match of the first portion and the packet processor 112 hashing a second portion of the pattern to compare with a pre-hash value.

[0026] The pre-hash value can be determined before monitoring of packets for the rule. The pre-hash value can be determined for a second portion of the pattern. In one example, the second portion includes the remaining bytes of the pattern (e.g., N - K bytes). In other examples, the second portion may include a set of the N - K bytes plus another subset of the pattern. In further examples, the second portion may include the whole pattern. In some examples, the location information and/or the data structure can include information about the second portion. Moreover, as noted above, one match in the circuit 114 may lead to multiple possible hashes to be checked as further described below. Conceptually, if the pattern rule 220 does not match in the circuit 114, it is known that the larger pattern cannot match, and if the rule does match, the packet processor 112 can compare the pre-hash value with the newly hashed value to determine whether the pattern is present in the packet or packet flow.

[0027] The pre-hash value can be calculated before performing an action on the packet or packet flow. The pre-hash value can be calculated on the second portion using a hash algorithm. A management engine 116 can be used to determine the pre-hash value from the second portion and the hash algorithm. In some examples, another device, such as a software defined networking (SDN) controller or other management device may be used to determine the pre-hash value. The pre-hash value can be associated in the data structure so that when a first portion is matched in the circuit 114, the data structure points the packet processor 112 to hash the second portion and compare to the pre-hash value.

[0028] The hash algorithm can be communicated so the same or compatible algorithm is used to determine the pre-hash value and during the hashing by the packet processor 112. Examples of hash algorithms that can be used include Cyclic Redundancy Checksum (CRC32), linear feedback shift register (LFSR) hash functions, special purpose hashing functions, etc. In some examples, the data structure may include hashing parameters (e.g., the hash function to be used and/or any parameters used to set the hash function up). In some examples, a hash key can be a parameter. The hash key may be received (e.g., from an SDN controller).

[0029] In one example, the management engine 116 receives a pattern (e.g., N bytes) to be searched for (e.g., from an SDN controller, an input from a user, etc.). The management engine 116 determines that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit 114. The management engine 116 can choose a first portion of the pattern to create a rule for in the pattern rules 220 to implement using the circuit 114. The management engine 116 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor. Moreover, the management engine 116 can hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes can be the second portion). In the illustrative case, N - K bytes is the portion of the pattern that is greater than the capability of the circuit (K bytes). As noted above, in other examples, the second portion to be hashed may include the first portion. In one example, the circuit can be in the form of a Bloom table. The Bloom table may have potential for false positives. As such, the entire pattern or a greater portion of the pattern can be confirmed by the hash, thus removing false positives.

[0030] In some examples, the management engine 116 may receive the hash from another entity (e.g., an external controller). The hashed second portion can be stored in the data structure along with any hash parameters and/or information to help determine the second portion (e.g., length of the second portion, relevant location to the first portion, etc.). As noted above, the index value can point to multiple hashes that can be performed that are associated with different patterns. Moreover, an action or multiple actions can be associated with each of the patterns.

[0031] When the network infrastructure device 100 is used, the network interface 110 can be used to switch packets. The circuit 114 can be used to monitor the packets switched by the network interface 110. As noted above, the circuit 114 can include a pattern matcher that is capable of identifying flows in the packets satisfying patterns up to a predetermined pattern size (in the example above, K bytes). When a match occurs in the circuit 114, the circuit 114 can communicate that information to the packet processor 112. The communication can include, for example, an index value that can be used in a data structure to look up what pattern was matched and what actions can be taken in response.

[0032] In the example that the match is a partial match, the circuit 114 may also include location information for the matched portion (e.g., identifying an offset for the packet that locates the beginning of the matched part of the pattern). The data structure may provide the size of the second portion to be hashed and matched based on the index value. As noted above, the size can be used as a parameter in the hash function. Further, the data structure may provide information to locate the second portion (e.g., an offset from the start of the first portion that was matched). The second portion of the packet being analyzed is hashed by the packet processor 112. In some examples, the packet processor 112 may have additional hardware to help perform this functionality, for example, the packet processor 112 may include one or more of: ternary content-addressable memories (TCAMs), hashing circuitry, counters, etc. The packet processor 112 can compare the hash value to the corresponding pre-hash value from the data structure. If a match occurs, then an action can be taken. In some examples the action to be taken can be indicated by the data structure.

[0033] Further, in some examples, the index value may lead to multiple possible matches. If there are multiple possible matches, multiple hashes can be performed and checked against corresponding pre-hash values. The action to be taken can be based on which of the hash values match.
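The following Python model is an added illustration, not text or code from the application, of the two-stage match described in paragraphs [0016] and [0029] through [0033]: a management engine splits each pattern into a first portion for the circuit and a pre-hashed second portion in a table, the circuit reports index and offset, and the packet processor hashes the located second portion and compares. The capacity K = 10, CRC32 as the shared hash, the rule names and the sample packets are all constructed for the example; it also models the whole-pattern hash of [0029] and the case where the second portion runs past the end of the packet.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

K = 10  # constructed circuit capacity: the circuit can match at most 10 bytes


@dataclass
class Candidate:
    """One row of the table that the circuit's index value points to."""
    name: str             # full pattern, for reporting
    offset: int           # start of the second portion, relative to the circuit hit
    length: int           # size of the second portion (0: the circuit hit is a complete match)
    pre_hash: Optional[int]
    action: str


def pre_hash(data: bytes) -> int:
    """CRC32 stands in for the hash algorithm shared by management engine and packet processor."""
    return zlib.crc32(data) & 0xFFFFFFFF


class ManagementEngine:
    """Turns each pattern into a circuit rule (first K bytes) plus a pre-hashed second portion."""

    def __init__(self, k: int = K) -> None:
        self.k = k
        self.circuit_rules: Dict[bytes, int] = {}    # first portion -> index value
        self.table: Dict[int, List[Candidate]] = {}  # index value -> candidate second portions

    def add_pattern(self, pattern: bytes, action: str, hash_whole: bool = False) -> None:
        first = pattern[: self.k]
        # Patterns sharing a first portion reuse one circuit rule; its index fans out to several rows
        index = self.circuit_rules.setdefault(first, len(self.circuit_rules))
        if len(pattern) <= self.k:
            cand = Candidate(pattern.decode(), 0, 0, None, action)
        elif hash_whole:
            # Hash all N bytes from the hit: re-confirms the first portion too (Bloom false positives)
            cand = Candidate(pattern.decode(), 0, len(pattern), pre_hash(pattern), action)
        else:
            rest = pattern[self.k:]  # the N - K bytes beyond the circuit's capability
            cand = Candidate(pattern.decode(), self.k, len(rest), pre_hash(rest), action)
        self.table.setdefault(index, []).append(cand)


def circuit_scan(rules: Dict[bytes, int], packet: bytes) -> List[Tuple[int, int]]:
    """Models the hardware circuit: each occurrence of a first portion, as (index, offset)."""
    hits = []
    for first, index in rules.items():
        pos = packet.find(first)
        while pos != -1:
            hits.append((index, pos))
            pos = packet.find(first, pos + 1)
    return hits


def packet_processor(table: Dict[int, List[Candidate]], packet: bytes,
                     hits: List[Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Hashes every candidate's second portion at the located offset and compares to the pre-hash."""
    actions = []
    for index, start in hits:
        for cand in table[index]:
            if cand.length == 0:
                actions.append((cand.name, cand.action))  # complete match already made in circuit
                continue
            begin = start + cand.offset
            portion = packet[begin: begin + cand.length]
            if len(portion) < cand.length:
                continue  # second portion would run past the packet end: cannot match
            if pre_hash(portion) == cand.pre_hash:
                actions.append((cand.name, cand.action))
    return actions


def match_packet(engine: ManagementEngine, packet: bytes) -> List[Tuple[str, str]]:
    return packet_processor(engine.table, packet, circuit_scan(engine.circuit_rules, packet))


def build_example_rules() -> ManagementEngine:
    """Constructed rule set using the strings from the application's own example."""
    engine = ManagementEngine()
    engine.add_pattern(b"CONFIDENTIAL INFORMATION", "divert-to-IPS")
    engine.add_pattern(b"CONFIDENTIAL DATA", "tag-flow")
    engine.add_pattern(b"Privileged and Confidential", "log", hash_whole=True)
    engine.add_pattern(b"SECRET", "drop")  # fits in the circuit: no hash step needed
    return engine


if __name__ == "__main__":
    eng = build_example_rules()
    for pkt in (b"CONFIDENTIAL DATA and PRIVILEGED", b"Privileged information", b"no SECRET here"):
        print(pkt, "->", match_packet(eng, pkt))
```

For the packet "CONFIDENTIAL DATA and PRIVILEGED" the single circuit hit on "CONFIDENTI" fans out to two hash checks, of which only the 7-byte "AL DATA" matches, as in paragraph [0016].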

[0034] A match in a packet can indicate that the associated flow is matched. Thus, the action can be performed on the packet and/or the associated flow. In some examples, the matching may be stateful. For example, the first portion and/or second portion may extend across multiple packets of a flow. As noted above, example actions can include dropping a packet or multiple packets of the flow, sending the packet or flow to a location (e.g., an IPS, a logger, etc.), incrementing a counter, updating state, etc.

[0035] The management engine 116 can include hardware and/or combinations of hardware and programming to perform functions provided herein. Moreover, the modules (not shown) can include programming functions and/or combinations of programming functions to be executed by hardware as provided herein. When discussing the engines and modules, it is noted that functionality attributed to an engine can also be attributed to the corresponding module and vice versa. Moreover, functionality attributed to a particular module and/or engine may also be implemented using another module and/or engine.

[0036] A processor 230, such as a central processing unit (CPU) or a microprocessor suitable for retrieval and execution of instructions and/or electronic circuits can be configured to perform the functionality of the management engine described herein and/or various other functionality. In certain scenarios, instructions and/or other information, such as rules, patterns, pre-hash calculations 222, a data structure, etc., can be included in memory 232 or other memory. Input/output interfaces may additionally be provided by the network infrastructure device 200 (e.g., via a network interface). Input/output devices such as communication devices like network communication devices or wireless devices can also be considered devices capable of using the input/output interfaces.

[0037] FIG. 3 is a block diagram of a software defined network including network infrastructure devices capable of determining variable sized pattern matches and performing an action in response to the matches, according to an example. In certain examples, the network infrastructure devices 306a - 306m can be used to facilitate communications between computing devices, for example, computing devices 330a - 330i. Though the software defined network 310 is shown between the communication devices 330 in this example, communications may also travel through other network infrastructure devices that are both part of the network or part of other networks (e.g., via the Internet). The SDN 310 can be controlled using an SDN controller 350 and may communicate via a control plane while data communications travel through a data plane. The computing devices 330a - 330i can be implemented via a processing element, memory, and/or other components.

[0038] The network infrastructure devices 306 can include a packet processor engine 312, a deep packet inspection engine 314, and a management engine 316. The packet processor engine 312 and/or deep packet inspection engine 314 can be implemented using various technologies, for example, a programmable switch ASIC. The programmable packet processor engine 312 can include a series of resources (e.g., TCAM, hashes, counters, etc.) used to host an SDN pipeline. Further, the deep packet inspection engine 314 can be used to implement deep packet inspection functionality, for example, as circuit 114. The management engine 316 can include instructions capable of executing on a physical processing element such as a CPU. The management engine 316 can be used to manage and configure the deep packet inspection engine 314 and the packet processor engine 312. In some examples, the management engine 316 can communicate with the SDN controller 350 using a control plane; in other examples, the management engine 316 can communicate via a data plane of the SDN 310.

[0039] The management engine 316 can configure the DPI engine 314 to search for patterns, for example, string patterns. The patterns to be searched can be obtained from an external entity such as user input or message and/or the SDN controller 350.

[0040] When the packets arrive to the packet processor engine 312, regular table lookups are performed in SDN tables. If one of the SDN actions to be applied contains a go-to table where the next table is a string match table, the packet processor engine 312 can store the current packet state in a meta-data structure. The current packet state can include, for example, a next table, accumulated actions, internal register values, etc. Moreover, in some examples, the packet processor engine 312 can accumulate actions to apply and apply the actions in bulk.

[0041] The packet along with the metadata structure can be redirected to the deep packet inspection (DPI) engine 314 in order to search for the desired strings. If a string is found in the packet, the SDN actions associated with the string hit are either applied or accumulated to the packet (just as in a regular flow table lookup). In some examples, this can be a continuation of the packet processor engine 312 performing regular packet processing. If a miss is obtained from the string match table, the SDN actions associated with a string miss are applied to the packet. In some implementations, this could be to drop the packet. In other implementations, this could be to process the packet regularly. Differing applications can desire to use the DPI engine 314 to look for multiple strings and apply an SDN action if one of the strings is found in the packet. In other implementations, different SDN actions could be associated with different strings. The SDN actions that are applied to the packet can include, but are not limited to: drop, send the packet to a port(s), modify a field of the packet, encapsulate the packet and send it to a tunnel interface, increment a counter, send to a DPI device 302 (e.g., an IPS, an IDS, etc.) for more analysis, send to a logging device, etc.

[0042] The SDN 310 and/or other communication network can use wired communications, wireless communications, or combinations thereof. Further, the networks can include multiple sub communication networks such as data networks, wireless networks, telephony networks, etc. Such networks can include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber optic networks, combinations thereof, or the like. In certain examples, wireless networks may include cellular networks, satellite communications, wireless LANs, etc. Various communication structures and infrastructure can be utilized to implement the communication network(s).

[0043] By way of example, the computing devices 330 communicate with each other and other components with access to the communication networks via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the communication network interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages. Packets can include header information associated with a protocol (e.g., information on the location of the network node(s) to contact) as well as payload information.

[0044] FIG. 4 is a flowchart of a method for determining a variable sized pattern match in a packet, according to an example. FIG. 5 is a block diagram of a device including a processing element capable of determining a variable sized pattern match in a packet based on a circuit and a hash value, according to an example. The device 500 includes, for example, a processing element 510, and a machine-readable storage medium 520 including instructions 522, 524, 526, 528 for determining a variable sized pattern match on packets. Device 500 may be, for example, a network infrastructure device, a switch, a router, an access point, or other computing device with the hardware components and capabilities described herein.

[0045] Processing element 510 may include one or multiple central processing units (CPUs), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPUs), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 520, or combinations thereof. The processing element 510 can be a physical device. Moreover, in one example, the processing element 510 may include multiple cores on a chip, include multiple cores across multiple chips, or combinations thereof. Processing element 510 may fetch, decode, and execute instructions 522, 524, 526, 528 to implement matching of patterns in packets. As an alternative or in addition to retrieving and executing instructions, processing element 510 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 522, 524, 526, 528. For example, the processing element 510 can include a programmable packet processor, which may also include TCAMs, hashes, counters, etc.

[0046] Machine-readable storage medium 520 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, machine-readable storage medium 520 may be encoded with a series of executable instructions for determining whether a variable sized pattern is in a packet.

[0047] Packets can be received at the device 500. Interface instructions 522 can be executed by the processing element 510 to switch the packets (e.g., to a destination device or network infrastructure device). In one example, a packet is received at a network interface of the device 500.

[0048] As noted above, a hardware circuit 512 can receive packets and determine whether one or more patterns (e.g., strings) are found in the packet. Packets may be automatically processed by the circuit 512 or be checked by the circuit 512 in response to an action by the processing element 510. For example, the processing element 510 may check packets that have a source or destination device within the network that the device 500 is in and that go external to the network. As noted above, variable sized patterns can be matched for packets by splitting the work: part to the circuit 512, which is quick but costs hardware resources, and part to the processing element 510.

[0049] At 402, a hardware circuit 512 can determine whether a first packet portion of the packet is matched to a first pattern portion of a pattern. The pattern may include a size N and the circuit may be capable of matching a pattern of size K. The size N can be more than K. If the first portion of size K is not matched, then the processing element 510 knows that the pattern is not present in the packet. If the first portion is matched, the circuit 512 can provide information about the match to the processing element 510. For example, the circuit 512 may provide a notification to the processing element that the first packet portion is matched to the first pattern portion. The notification may include location information of the matched part of the pattern in the packet (e.g., an offset). The location information can include, for example, the beginning of the pattern in the packet. In some examples, information about the pattern can also be communicated. For example, an index value can be provided. The index value can be used to look up possible matches to complete a pattern that was partially matched by the match of the first packet portion. As noted above, more than one possible pattern can be checked based on the first match. The processing element 510 can receive the notification and execute pattern match instructions 524 to determine parameters for matching a second portion of the pattern. For example, the processing element 510 can determine a second pattern portion to compare to the packet based on the index. As noted above, the second pattern portion can be the remaining N - K portion or can be some other part (e.g., the whole N segment). For example, the second pattern portion and/or second packet portion can be a superset of the first packet portion and/or first pattern portion, be adjacent to the first portion, or sequential in an order to the first portion.

[0050] At 404, the processing element 510 can execute hashing instructions 526 to hash the second portion of the packet. The hashing can be based on the size of the pattern (size N) and the location of the first packet portion. For example, the hashed region can be of size N starting from the beginning of the location of the first packet portion, can be of size N - K starting from the end of the location of the first packet portion, etc. The end result is a hash value for the second packet portion.

[0051] At 406, the processing element 510 determines whether the hash value matches a pre-hash value corresponding to a second pattern portion of the pattern. Hash match instructions 528 can be executed by the processing element 510 to implement the determination. Determination of the second pattern portion is further described in the description of FIGs. 6 and 7.

[0052] If a match occurs, then a match of the entire pattern is confirmed. As such, an action can be performed in response to the pattern. A data structure, such as a table, can be used to look up an action to perform based on the pattern match. The action can be applied to the packet or to a flow associated with the packet (e.g., based on a session identifier in a header, other header information, etc.). In some examples, the action can include one or more of: dropping the packet, sending the packet to a location, incrementing a counter, etc.
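The match path of blocks 402 through 406 and the action lookup of paragraph [0052], as an added illustrative example in Python; this is not code from the patent, and the hardware circuit 512 is stood in for by a software search. Assumed, and not taken from the text: a circuit capacity K of 4 bytes, SHA-256 as the hash, a table keyed by the circuit's index value holding (N, pre-hash, action) entries, and the constructed patterns, packets and action names.

```python
import hashlib

K = 4  # assumed capacity of the hardware circuit, in bytes (constructed value)


def prehash(data: bytes) -> bytes:
    """Hash applied to a second pattern/packet portion (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


# Constructed circuit rules: first K bytes of a pattern -> index value reported
# with the match. The circuit only knows the first pattern portion.
CIRCUIT_RULES = {b"ABCD": 0}

# Constructed data structure as the management side would have pushed it:
# index value -> candidate patterns sharing that first portion, each as
# (pattern size N, pre-hash of bytes K..N of the pattern, action to apply).
TABLE = {
    0: [
        (10, prehash(b"EFGHIJ"), "drop"),  # full pattern b"ABCDEFGHIJ"
        (8, prehash(b"WXYZ"), "count"),    # full pattern b"ABCDWXYZ"
    ],
}


def circuit_match(packet: bytes):
    """Software stand-in for the hardware circuit 512 (block 402).

    Returns every (offset, index) at which a configured K-byte rule matches,
    because a first portion can occur more than once in one packet.
    """
    hits = []
    for rule, index in CIRCUIT_RULES.items():
        start = 0
        while (off := packet.find(rule, start)) >= 0:
            hits.append((off, index))
            start = off + 1
    return hits


def match_pattern(packet: bytes, table=TABLE):
    """Processing element side (blocks 404 and 406 plus the action lookup).

    For each circuit hit, hash the second packet portion, i.e. the N - K bytes
    that follow the first portion at that offset, and compare it with the
    pre-hash of each candidate pattern behind the index. Returns
    (action, offset, N) for the first confirmed full match, else None.
    """
    for off, index in circuit_match(packet):
        for n, expected, action in table.get(index, []):
            end = off + n
            if end > len(packet):
                # The packet is too short to hold the whole pattern from this
                # offset, so this candidate cannot match here.
                continue
            second_portion = packet[off + K:end]
            if prehash(second_portion) == expected:
                return (action, off, n)
    return None


if __name__ == "__main__":
    for pkt in (b"xxABCDEFGHIJyy", b"ABCDWXYZ", b"ABCDzzzzzz", b"ABCDxxABCDEFGHIJ"):
        print(pkt, "->", match_pattern(pkt))
```

The length check before slicing is the edge case worth keeping: a packet that carries the first portion near its end cannot contain the full pattern, and hashing a truncated second portion would only produce a spurious non-match at best and a wasted hash at worst. The last sample packet shows why the circuit must report every offset rather than only the first, since the first occurrence of the K-byte prefix is not the one that completes the pattern.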

[0053] FIG. 6 is a flowchart of a method for configuring a network infrastructure device to use a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example. FIG. 7 is a block diagram of a management device capable of configuring a hardware circuit to match a portion of a pattern and a packet processor to match a second portion of the pattern, according to an example. Management device 700 may be, for example, a part of a network infrastructure device, located at an SDN controller, a computing device with the capabilities described herein, or the like.

[0054] Processing element 710 may be one or multiple central processing units (CPUs), one or multiple semiconductor-based microprocessors, one or multiple graphics processing units (GPUs), other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 720, or combinations thereof. The processing element 710 can be a physical device. Moreover, in one example, the processing element 710 may include multiple cores on a chip, include multiple cores across multiple chips, or combinations thereof. Processing element 710 may fetch, decode, and execute instructions 722, 724, 726 to configure a hardware circuit and/or packet processor. As an alternative or in addition to retrieving and executing instructions, processing element 710 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 722, 724, 726.

[0055] Machine-readable storage medium 720 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, machine-readable storage medium 720 may be encoded with a series of executable instructions for determining whether a variable sized pattern is in a packet.

[0056] The management device 700 can be used to configure the hardware circuit and/or packet processor of a network infrastructure device. In some examples, the management device 700 can be implemented at an SDN controller. In other examples, the management device 700 can be implemented at the network infrastructure device.

[0057] Interface instructions 722 can be executed by the processing element 710 to receive a pattern for which matching is to be implemented at a network infrastructure device. The pattern can be, for example, N bytes to be searched for. The pattern can be received from a user, from an input, from an SDN controller, etc.

[0058] At 602, the processing element 710 executing the circuit configuration instructions 724 can determine whether the hardware circuit has capacity to match the pattern. As such, the processing element 710 can determine that the length of the pattern is greater than a capacity (e.g., K bytes) of the circuit. The processing element 710 can choose a first portion of the pattern, create a rule for that portion to be implemented using the circuit, and configure the circuit to implement the rule (604). The management device 700 can also provide updates to the data structure(s) used to coordinate the circuit and the packet processor on the network infrastructure device being configured.

[0059] Moreover, at 606, the processing element 710 can execute hashing instructions 726 to hash a second portion of the pattern (e.g., in a simple illustrative case the first K bytes can be the first portion and the next N - K bytes can be the second portion). In the illustrative case, the N - K bytes are the portion of the pattern that exceeds the capability of the circuit (K bytes).

[0060] The hashed second portion can be stored in the data structure along with any hash parameters and/or information to help determine the second portion (e.g., length of the second portion, location relative to the first portion, etc.). As such, the pre-hash value can be provided to the packet processor by updating the data structure. As noted above, the index value can point to multiple hashes that can be performed that are associated with different patterns. Moreover, an action or multiple actions can be associated with each of the patterns.
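The management-side procedure of blocks 602 through 606 and the data structure update of paragraph [0060], as an added illustrative example in Python; it is not the patent's code. The function splits each received pattern at the circuit capacity, derives a circuit rule from the first portion, hashes the second portion into a pre-hash value, and records the pattern size and action in a table keyed by the circuit's index value, so that patterns sharing a first portion share one index that points to several hashes. Assumed, and not from the text: SHA-256 as the hash, the table layout, the handling of patterns that fit the circuit outright, and the constructed patterns, actions and capacity K.

```python
import hashlib


def prehash(data: bytes) -> bytes:
    """Pre-hash value stored for a second pattern portion (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def configure(patterns, k):
    """Management device side (blocks 602 through 606), illustrative only.

    patterns: list of (pattern bytes, action) to install.
    k:        capacity of the hardware circuit, in bytes.

    Returns (circuit_rules, table, circuit_only):
      circuit_rules: first k bytes of a long pattern -> index value the circuit
                     reports together with the match location
      table:         index value -> list of (N, pre-hash of bytes k..N, action),
                     the data structure the packet processor consults
      circuit_only:  patterns of length <= k, which the circuit can match in
                     full without a second portion (handling assumed here)
    """
    circuit_rules = {}
    table = {}
    circuit_only = {}
    for pattern, action in patterns:
        n = len(pattern)
        if n <= k:
            # Block 602: the circuit has capacity for the whole pattern, so
            # no second portion and no pre-hash are needed.
            circuit_only[pattern] = action
            continue
        # Block 604: the first k bytes become the circuit rule. Patterns that
        # share a first portion share one index, so that index points to
        # several candidate hashes at match time.
        first_portion = pattern[:k]
        index = circuit_rules.setdefault(first_portion, len(circuit_rules))
        # Block 606: hash the remaining n - k bytes. The pattern size n is
        # stored alongside so the packet processor can locate the second
        # portion relative to the first one; the action is bound per pattern.
        second_portion = pattern[k:]
        table.setdefault(index, []).append((n, prehash(second_portion), action))
    return circuit_rules, table, circuit_only


# Constructed configuration input: two patterns share the first portion b"ABCD",
# one pattern fits the circuit outright, one has its own first portion.
SAMPLE_PATTERNS = [
    (b"ABCDEFGHIJ", "drop"),
    (b"ABCDWXYZ", "count"),
    (b"QRS", "log"),
    (b"MNOPQRSTUV", "drop"),
]

if __name__ == "__main__":
    rules, table, only = configure(SAMPLE_PATTERNS, k=4)
    print("circuit rules:", rules)
    print("circuit-only :", only)
    for index, entries in table.items():
        for n, h, action in entries:
            print(f"index {index}: N={n} action={action} prehash={h.hex()[:16]}...")
```

The table this produces is the one the packet processor needs at blocks 404 and 406: given an index and an offset from the circuit, it can read N to bound the second packet portion, hash it, and compare against each candidate's pre-hash before applying the bound action.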