专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US07349335B2 Packet metering in high-speed network units 有权
标题翻译：在高速网络单元中进行数据包测量
公开(公告)号：US07349335B2
公开(公告)日：2008-03-25
申请号：US11032762
申请日：2005-01-11
申请人： Daniel Martin O'Keeffe , Michael Joseph Gleeson , Kevin Loughran , Christopher Alan Walker
发明人： Daniel Martin O'Keeffe , Michael Joseph Gleeson , Kevin Loughran , Christopher Alan Walker
IPC分类号： G01R31/08
CPC分类号： H04L47/32 , H04L47/10 , H04L47/11 , H04L47/20 , H04L47/28
摘要： For each metered flow in a network unit there is a memory entry which defines a time stamp and a rate parameter. When a packet in the respective flow arrives, the time of arrival is compared with the time stamp. If the time of arrival is before the time stamp the packet is discarded. If the packet arrives after the date stamp, it is allowed to proceed and a new time stamp is computed in accordance with the rate parameter. One exemplary computation adds to the time stamp a time interval obtained by dividing the size of the packet by the rate parameter and preferably subtracting from the quotient the time interval between the arrival time and the previous time stamp.
摘要翻译：对于网络单元中的每个计量流，存在定义时间戳和速率参数的存储器条目。当相应流程中的分组到达时，将到达时间与时间戳进行比较。如果到达时间在时间戳之前丢包。如果分组在日期戳之后到达，则允许继续进行，并根据速率参数计算新的时间戳。一个示例性计算将通过将分组的大小除以速率参数而获得的时间间隔增加时间戳，并且优选地从商减去到达时间和先前时间戳之间的时间间隔。

2. 发明授权

US07480300B2 Content addressable memory organized to share entries between different entities such as ports of a network unit 有权
标题翻译：内容可寻址存储器被组织以在诸如网络单元的端口的不同实体之间共享条目
公开(公告)号：US07480300B2
公开(公告)日：2009-01-20
申请号：US11064258
申请日：2005-02-22
申请人： Daniel Martin O'Keeffe , Eugene O'Neill , Edele O'Malley , Eoin O'Brien
发明人： Daniel Martin O'Keeffe , Eugene O'Neill , Edele O'Malley , Eoin O'Brien
IPC分类号： H04L12/28 , G06F7/04
CPC分类号： G06F17/30982 , H04L45/7453 , H04L49/90
摘要： A content addressable memory stores entries each comprising a rule and as part of the entry a mask identifying all the entities to which the rule is applicable. A search pattern of data and a bit mask identifying the actual entity (or entities) associated with the data is applied as a search word along with a comparison mask that excludes all the other entities from the comparison of the search word with the entry. The CAM can thereby store efficiently in a single entry a rule that may be applicable to some but not all of a multiplicity of entities such as possible ingress ports of a network unit.
摘要翻译：内容可寻址存储器存储每个包括规则的条目，并且作为该条目的一部分，掩码标识规则所适用的所有实体。将与数据相关联的实际实体（或实体）的搜索模式和位掩码应用为搜索词，以及将搜索词与条目的比较排除所有其他实体的比较掩码。因此，CAM可以在单个条目中有效地存储可适用于多个实体中的一些而不是全部的规则，例如网络单元的可能入口端口。

3. 发明授权

US08331404B2 Signature checking using deterministic finite state machines 有权
标题翻译：使用确定性有限状态机进行签名检查
公开(公告)号：US08331404B2
公开(公告)日：2012-12-11
申请号：US11923869
申请日：2007-10-25
申请人： David Law , Edele O'Malley , Daniel Martin O'Keeffe , Eugene O'Neill
发明人： David Law , Edele O'Malley , Daniel Martin O'Keeffe , Eugene O'Neill
IPC分类号： H04J1/02
CPC分类号： H04L69/16 , H04L63/0236 , H04L63/0245 , H04L63/0263 , H04L63/1416 , H04L69/161 , H04L69/22
摘要： The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria.
摘要翻译：通过组合基于位置的模式匹配，例如，通过组合基于位置的模式匹配来减少误报的发生和经过用于字符串的确定性有限状态机检查的数字流的后处理。分组报头和基于内容的模式匹配，例如，在包的有效载荷上。一种方案允许从头匹配状态自动转换到内容匹配机器的初始状态。另一种方案是基于定义匹配状态串的规则图，并且例如通过标题匹配和内容匹配来检查先前确定的匹配状态（而不是字符）的列表。后者还能够将与匹配状态相关联的偏移和深度值与偏移和深度标准进行比较。

4. 发明授权

US07957390B2 Detection of signatures in disordered message segments 有权
标题翻译：检测无序消息段中的签名
公开(公告)号：US07957390B2
公开(公告)日：2011-06-07
申请号：US11133039
申请日：2005-05-18
申请人： Peter Furlong , Daniel Martin O'Keeffe , Eoghan Stack , Kevin Loughran
发明人： Peter Furlong , Daniel Martin O'Keeffe , Eoghan Stack , Kevin Loughran
IPC分类号： H04L12/28 , G06F11/00
CPC分类号： H04L63/1408 , H04L63/166
摘要： A method of detecting signatures in message segments comprises employing a state machine for the detection of character strings in the message segments. The state machine executes for each input character a transition determined by a current state of the machine and a current input character. The message segments conform to TCP or other ordering transport protocol. The order of arrival of the message segments is monitored. In the event that an intermediate message segment is missing between a processed segment and an immediately subsequent message segment, the current state of said state machine at the end of the said processed segment is stored. The machine is restarted from its null or datum state for the examination of the immediately subsequent message segment, which is then temporarily stored. When the missing segment eventually arrives, it and the stored segment are successively examined for signatures by means of the state machine, beginning at the stored state. The invention allows for examination of overlapping signatures without requiring re-assembly of the segments or substantial buffering.
摘要翻译：检测消息段中的签名的方法包括采用状态机来检测消息段中的字符串。状态机对于每个输入字符执行由机器的当前状态和当前输入字符确定的转变。消息段符合TCP或其他排序传输协议。监视消息段的到达顺序。在经处理段和紧随其后的消息段之间缺少中间消息段的情况下，存储所述处理段的末尾处的所述状态机的当前状态。机器从其零或基准状态重新开始，以便检查紧随其后的消息段，然后临时存储。当丢失段最终到达时，从存储状态开始，通过状态机连续检查存储的段和签名。本发明允许检查重叠签名，而不需要重新组装段或基本缓冲。

5. 发明授权

US08081630B2 Packet diversion in switching fabrics and multiple forwarding instructions for packets 有权
标题翻译：交换结构中的数据包转移和数据包的多个转发指令
公开(公告)号：US08081630B2
公开(公告)日：2011-12-20
申请号：US11121192
申请日：2005-05-03
申请人： Edele O'Malley , Eugene O'Neill , Kam Choi , Daniel Martin O'Keeffe
发明人： Edele O'Malley , Eugene O'Neill , Kam Choi , Daniel Martin O'Keeffe
IPC分类号： H04L12/56
CPC分类号： H04L63/1408 , H04L49/3009 , H04L49/354 , H04L49/355 , H04L2012/5687
摘要： A cascade system of network units includes forwarding units which have external ports, a communication fabric connecting the units and at least one processing unit which needs no forwarding database. The processing unit may perform a security operation such as intrusion prevention or encryption. Each forwarding unit on receipt of a packet performs a look-up to determine an egress port, to determine whether the packet must be diverted to a processing unit, to provide the packet with a first forwarding instruction identifying the egress port uniquely within the system and a second forwarding instruction identifying a diversion port by which the packet can reach the processing unit and to set an order field which determines which of the forwarding instructions shall be performed first. The processing unit is operative on receipt of the packet by way of the diversion port to change the order field to specify that the packet should now be sent to the egress port.
摘要翻译：网络单元的级联系统包括具有外部端口的转发单元，连接单元的通信结构以及不需要转发数据库的至少一个处理单元。处理单元可以执行诸如入侵防御或加密的安全操作。每个转发单元在接收到分组时执行查找以确定出口端口，以确定分组是否必须被转移到处理单元，以向分组提供识别系统内唯一的出口端口的第一转发指令，以及识别分组可以到达处理单元的转移端口的第二转发指令，以及设置首先执行哪个转发指令的顺序字段。处理单元通过转移端口接收到分组，以改变订单字段以指定该分组现在应该被发送到出口端口。

6. 发明授权

US07480299B2 Rules engine for access control lists in network units 有权
标题翻译：以网络为单位的访问控制列表的规则引擎
公开(公告)号：US07480299B2
公开(公告)日：2009-01-20
申请号：US11064227
申请日：2005-02-22
申请人： Daniel Martin O'Keeffe , Eugene O'Neill , Edele O'Malley , Kam Choi
发明人： Daniel Martin O'Keeffe , Eugene O'Neill , Edele O'Malley , Kam Choi
IPC分类号： H04L12/28 , G06F7/04
CPC分类号： H04L45/00 , H04L45/60 , H04L45/7453 , H04L47/20
摘要： A rules engine for the examination of selected fields in an addressed data packet has an access control list table of which the entries each define an access control list rule, an action and a chain identifier. The access control list rule may be a basic rule which refers to network addresses and transport layer port numbers. The rules engine also has an extension rule table of which the entries each define an extension rule, a respective action and a respective rule identifier. The extension rule may refer to a particular TCP flag. When a packet arrives, the engine searches both tables. This search is made independently of the ordinary network layer or link layer address lookup. If there is a match in both tables, and the chain identifier matches the extension rule identifier, the rules engine prescribes the action associated with the extension rule. If the chain identifier of a matched access control list rule does not match a rule identifier of a matched extension rule the rules engine prescribes the action associated with the basic rule. In the absence of a match with any access control list rule the action on a packet is based on the result from the ordinary address lookup.
摘要翻译：用于检查寻址数据分组中的所选字段的规则引擎具有访问控制列表，其中条目各自定义访问控制列表规则，动作和链标识符。访问控制列表规则可以是参考网络地址和传输层端口号的基本规则。规则引擎还具有扩展规则表，其中条目各自定义扩展规则，相应的动作和相应的规则标识符。扩展规则可以指特定的TCP标志。当数据包到达时，引擎将搜索两个表。该搜索独立于普通网络层或链路层地址查找。如果两个表中都有匹配，并且链标识符与扩展规则标识符匹配，则规则引擎规定与扩展规则相关联的操作。如果匹配的访问控制列表规则的链标识符与匹配的扩展规则的规则标识符不匹配，则规则引擎规定与基本规则相关联的动作。在没有与任何访问控制列表规则匹配的情况下，数据包上的操作基于普通地址查找的结果。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式