Detecting malware on SPDY connections

US10992702B2 · US · B2

Patent metadata
Publication number: US-10992702-B2
Application number: US-201616072978-A
Country: US
Kind code: B2
Filing date: Jan 27, 2016
Priority date: Jan 27, 2016
Publication date: Apr 27, 2021
Grant date: Apr 27, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In example implementations, a method is provided that is executed by a processor. A multiplexed data stream is received over a single transmission control protocol (TCP) connection that uses a SPDY protocol. The multiplexed data stream contains data packets associated with a plurality of different data streams. A plurality of sub-contexts are generated. Each one of the sub-contexts is associated with a different one of the plurality of different data streams. The data packets are demultiplexed from the multiplexed data stream into a respective one of the plurality of sub-contexts. The plurality of different data streams in the respective one of the plurality of sub-contexts are examined to detect a malware.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method, comprising: receiving, by a processor, a multiplexed data stream from a server over a single transmission control protocol (TCP) connection that uses a SPDY protocol, wherein the multiplexed data stream contains data packets associated with a plurality of different data streams addressed to a client; generating, by the processor, a plurality of sub-contexts, wherein each one of the plurality of sub-contexts is associated with a different one of the plurality of different data streams, each of the plurality of sub-contexts comprising a temporary buffer in memory used to re-assemble the data packets into respective data streams of the plurality of different data streams; demultiplexing, by the processor, the data packets from the multiplexed data stream into a respective one of the plurality of sub-contexts; and examining, by the processor, the plurality of different data streams in the respective one of the plurality of sub-contexts to detect a malware.

2. The method of claim 1, comprising: dropping, by the processor, the single TCP connection to stop transmission of the multiplexed data stream when the malware is detected.

3. The method of claim 1, wherein the examining is performed on each one of the data packets in the multiplexed data stream.

4. The method of claim 1, wherein the examining is performed on a completed sub-context that contains an assembled one of the plurality of different data streams.

5. The method of claim 1, wherein the examining comprises performing a hash computation on the data packets to generate a hash value and comparing the hash value to hash values associated with signatures of malware stored in a database.

6. The method of claim 1, comprising: receiving, by the processor, a new request for a new data stream that has a priority level that is higher than a priority level of the plurality of different data streams; determining, by the processor, that a memory storing the plurality of sub-contexts is full; and changing, by the processor, the priority level of the new data stream to be equal to the priority level of the plurality of different streams.

7. An apparatus, comprising: a connection processor for passing transmission control protocol (TCP) messages to establish a TCP connection that uses a SPDY protocol; a sub-context generator, in communication with the connection processor, that generates a plurality of sub-contexts, wherein each one of the plurality of sub-contexts is associated with a different one of a plurality of different data streams comprising data packets received from a server via a multiplexed data stream over the TCP connection and addressed to a client, and wherein, each of the plurality of sub-contexts comprises a temporary buffer in memory used to re-assemble the data packets into respective data streams of the plurality of different data streams; and a malware detector that examines the plurality of different data streams in the respective one of the plurality of sub-contexts to detect a malware.

8. The apparatus of claim 7, wherein the connection processor drops the TCP connection when the malware is detected.

9. The apparatus of claim 7, wherein the malware detector examines each one of the data packets in the multiplexed data stream.

10. The apparatus of claim 7, wherein the malware detector examines a completed sub-context that contains an assembled one of the plurality of different data streams.

11. The apparatus of claim 7, wherein the sub-context generator performs a hash computation on the data packets to generate a hash value and the malware detector compares the hash value to hash values associated with signatures of malware stored in a database.

12. The apparatus of claim 7, wherein connection processor receives a new request for a new data stream that has a priority level that is higher than a priority level of the plurality of different data streams, determines that a memory that stores the plurality of sub-contexts generated by the sub-context generator is full and changes the priority level of the new data stream to be equal to the priority level of the plurality of different streams.

13. A non-transitory computer readable storage medium encoded with instructions executable by a processor, the non-transitory computer-readable storage medium comprising: instructions to receive a plurality of data packets in a multiplexed data stream from a server over a single connection, wherein the plurality of data packets are associated with a plurality of different data streams of the multiplexed data stream addressed to a client; instructions to analyze each one of the plurality of data packets to determine whether a malware is present in at least one of the plurality of data packets; instructions to sort the each one of the plurality of data packets into a respective one of a plurality of sub-contexts based on the instructions to analyze, each of the plurality of sub-contexts comprising a temporary buffer in memory used to assemble the data packets into respective data streams of the plurality of different data streams; and instructions to analyze each one of the plurality of sub-contexts after respective data packets of the plurality of data packets are assembled in the each one of the plurality of sub-contexts to determine whether the malware is present.

14. The non-transitory computer readable storage medium of claim 13, comprising: instructions to drop the single connection when the malware is determined to be present.

15. The non-transitory computer readable storage medium of claim 13, comprising: instructions to receive a new request for a new data stream that has a priority level that is higher than a priority level of the plurality of different data streams; instructions to determine that a memory storing the plurality of sub-contexts is full; and instructions to change the priority level of the new data stream to be equal to the priority level of the plurality of different streams.

16. The method of claim 3, further comprising: holding each of the data packets associated with each of the plurality of different data streams until an entirety of the data packets associated with a data stream of the plurality of different data streams has been examined; and forwarding a complete file associated with the data stream to the client in response to detecting no malware.

17. The apparatus of claim 11, wherein the sub-context generator comprises a cache lookup temporarily storing each of the data packets until the malware detector examines an entirety of the data stream to which the data packets belong.

18. The non-transitory computer readable storage medium of claim 13, comprising instructions to perform a hash computation on the data packets to generate a hash value and compare the hash value to hash values associated with signatures of malware stored in a database.
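The abstract and claims 1, 4 and 5 describe one inspection pipeline: demultiplex SPDY data frames into per-stream sub-context buffers, hash each fully reassembled stream, compare against a signature database, and drop the connection on a match. The following is an added illustration of that pipeline, not code from the patent or its assignee. It assumes SPDY v3 data-frame layout (control bit 0, 31-bit stream id, 8-bit flags with FLAG_FIN = 0x01, 24-bit length), ignores control frames, and uses a constructed two-stream sample and a constructed SHA-256 signature set.

```python
import hashlib
import struct

FLAG_FIN = 0x01  # SPDY flag marking the last data frame of a stream


def build_data_frame(stream_id, payload, fin=False):
    """Encode one SPDY data frame: C bit 0 + 31-bit stream id, 8-bit flags, 24-bit length."""
    word2 = ((FLAG_FIN if fin else 0) << 24) | (len(payload) & 0xFFFFFF)
    return struct.pack(">II", stream_id & 0x7FFFFFFF, word2) + payload


def demux(multiplexed):
    """Demultiplex data frames into per-stream sub-contexts (temporary reassembly buffers).

    Returns ({stream_id: bytearray}, set of stream ids whose FIN flag was seen)."""
    subcontexts, completed, pos = {}, set(), 0
    while pos + 8 <= len(multiplexed):
        word1, word2 = struct.unpack(">II", multiplexed[pos:pos + 8])
        if word1 & 0x80000000:  # control frame; this example assumes data frames only
            raise ValueError("control frames are not handled in this example")
        stream_id, flags, length = word1 & 0x7FFFFFFF, word2 >> 24, word2 & 0xFFFFFF
        payload = multiplexed[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated data frame")
        subcontexts.setdefault(stream_id, bytearray()).extend(payload)
        if flags & FLAG_FIN:
            completed.add(stream_id)
        pos += 8 + length
    return subcontexts, completed


def examine(subcontexts, completed, signature_hashes):
    """Hash each fully reassembled sub-context and look it up in the signature database (claims 4, 5).

    Returns {stream_id: bool}; True means the stream's hash matched a known-malware signature."""
    return {sid: hashlib.sha256(bytes(subcontexts[sid])).hexdigest() in signature_hashes
            for sid in completed}


def inspect_connection(multiplexed, signature_hashes):
    """Full pipeline: demux, examine, and decide whether the TCP connection should be dropped."""
    subcontexts, completed = demux(multiplexed)
    verdicts = examine(subcontexts, completed, signature_hashes)
    return verdicts, any(verdicts.values())


# Constructed sample: two interleaved streams; stream 3 carries a constructed marker payload
BENIGN = b"<html>hello</html>"
SUSPECT = b"CONSTRUCTED-MALWARE-SAMPLE"
SIGNATURE_DB = {hashlib.sha256(SUSPECT).hexdigest()}  # constructed signature database
SAMPLE = (build_data_frame(1, BENIGN[:6]) + build_data_frame(3, SUSPECT[:10])
          + build_data_frame(1, BENIGN[6:], fin=True) + build_data_frame(3, SUSPECT[10:], fin=True))

if __name__ == "__main__":
    verdicts, drop = inspect_connection(SAMPLE, SIGNATURE_DB)
    print(verdicts, "drop connection:", drop)
```

Streams without a FIN frame stay buffered and unexamined, which is the claim-4 "completed sub-context" behaviour and also why claim 6 has to manage memory when those buffers fill up.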

Assignees

Inventors

Classifications

  • Filtering by information in the payload · CPC title

  • Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • H04L63/145 (Primary)

    the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10992702B2 cover?
In example implementations, a method is provided that is executed by a processor. A multiplexed data stream is received over a single transmission control protocol (TCP) connection that uses a SPDY protocol. The multiplexed data stream contains data packets associated with a plurality of different data streams. A plurality of sub-contexts are generated. Each one of the sub-contexts is associate…
Who is the assignee on this patent?
Hewlett Packard Entpr Dev Lp
What technology area does this patent fall under?
Primary CPC classification H04L63/145. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 27, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).