Intrusion Prevention and Active Response: Deploying Network and Host IPS

Network devices have been inspecting packets for as long as packets have existed. Traditionally, routers and firewalls look at headers and protocol information to make forwarding decisions, Intrusion Detection Systems (IDS) look at the headers and content to match them against signatures, and sniffers help watch and analyze what the packets are doing. Perimeter devices such as routers, firewalls, and IDS are combined to form a layered defense against attacks known as defense in depth. However, new attacks, such as application layer attacks, are evading traditional perimeter defenses. The application layer has become a focal point for the cyber-criminal because it holds the actual user data. It also supports numerous, often unsecured, protocols, opening up many more channels of attack. The recent increase in worm activity targeting application-level vulnerabilities, such as MyDoom, Slammer, and Blaster, has been successful largely because of deficiencies in traditional perimeter device technologies. Among these deficiencies are the packet inspection methods used to detect attacks: application-based attacks evade traditional perimeter defenses that focus mainly on packet header information, protocols, and signature matching on packet content. In addition, the abundance of zero-day attacks for which signatures and blocking methods do not yet exist (i.e., new worms) is wreaking havoc on networks and systems. To handle these new types of attacks, firewalls, IDS, and Intrusion Prevention Systems (IPS) are utilizing different methods of packet inspection and attack detection.
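The three inspection levels described above (header-only forwarding decisions, signature matching on content, and inline blocking) can be made concrete with a small simulation. The following is an added illustration written for this page, not code from the chapter or from any product; the packets, the header rule set, and the signature strings are all constructed placeholders, and the `inspect` function with its `header`/`ids`/`ips` modes is a hypothetical model, not a real device's API. It shows why an application-layer payload that is valid at the header level sails through a stateless filter, is only flagged (not stopped) by a passive IDS, is dropped by an inline IPS, and why a payload with no matching signature (the zero-day case) is missed by all three.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the fields the simulation inspects."""
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Header-only policy, the view a traditional stateless router/firewall has.
# Constructed rules: allow web and mail, deny everything else.
HEADER_RULES = [
    {"proto": "tcp", "dport": 80, "action": "allow"},
    {"proto": "tcp", "dport": 25, "action": "allow"},
]
DEFAULT_ACTION = "deny"


def header_decision(pkt: Packet) -> str:
    """Return the forwarding decision using headers only (no payload access)."""
    for rule in HEADER_RULES:
        if rule["proto"] == pkt.proto and rule["dport"] == pkt.dport:
            return rule["action"]
    return DEFAULT_ACTION


# Constructed content signatures (placeholders, not a real IDS/IPS ruleset).
SIGNATURES = {
    "SIG-TEST-001 directory traversal in URI": b"../../",
    "SIG-TEST-002 constructed overflow marker": b"X-CONSTRUCTED-OVERFLOW-MARKER",
}


def content_matches(pkt: Packet) -> list:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


def inspect(pkt: Packet, mode: str) -> dict:
    """Simulate one device class.

    mode 'header': router/firewall, header rules only.
    mode 'ids':    passive sensor, content signatures raise alerts but never block.
    mode 'ips':    inline device, a signature match drops the packet.
    """
    if header_decision(pkt) == "deny":
        return {"action": "deny", "stage": "header", "alerts": []}
    if mode == "header":
        return {"action": "allow", "stage": "header", "alerts": []}
    alerts = content_matches(pkt)
    if not alerts:
        # No signature exists for this payload: a zero-day slips past content
        # matching exactly as the text describes.
        return {"action": "allow", "stage": "content", "alerts": []}
    if mode == "ids":
        return {"action": "allow", "stage": "content", "alerts": alerts}
    return {"action": "drop", "stage": "content", "alerts": alerts}


# Constructed sample traffic (addresses and payloads are placeholders).
SAMPLE = [
    Packet("tcp", "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.6", "192.0.2.10", 80,
           b"GET /../../../constructed-target HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 23, b"login attempt"),
    Packet("tcp", "10.0.0.8", "192.0.2.10", 80,
           b"POST /api HTTP/1.1\r\n\r\n<constructed-novel-payload>"),
]


def run(mode: str) -> list:
    """Run every sample packet through one device class and collect the verdicts."""
    return [inspect(p, mode) for p in SAMPLE]


if __name__ == "__main__":
    for mode in ("header", "ids", "ips"):
        print(f"--- {mode} ---")
        for pkt, verdict in zip(SAMPLE, run(mode)):
            print(f"dport={pkt.dport:<3} {verdict['action']:<5} "
                  f"at {verdict['stage']:<7} alerts={verdict['alerts']}")
```

Running the simulation shows the point of the paragraph in one table: the traversal request on port 80 is allowed by the header-only device, allowed-with-alert by the IDS, and dropped only by the inline IPS, while the fourth packet is allowed by all three because no signature exists for it. Anything a defender wants to stop rather than merely see has to be inspected inline at the content level, and signature-based content inspection alone is still blind to what has not been seen before.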
Over the last few years, networks have grown dramatically with an exponential increase in speed. The...