Abstract:
A data structure is provided for storing network contact information based on an array of physical memory locations. Virtual vectors are constructed for each source, wherein each element in each virtual vector is assigned to a corresponding physical memory location within the array. The physical memory locations are shared between the virtual vectors uniformly at random so that the noise introduced by sharing can be predicted and removed. A method for storing network contact information is also provided in which a hash function is performed using the address of a source host to find a virtual vector for holding information about the source host. A second hash function is performed using the address of a destination host to find a virtual memory location, within the virtual vector, for holding information about the destination host. Finally, information is stored at a physical memory location assigned to the virtual memory location. Estimation range enhancement is further provided by performing multiple estimations with different sampling probabilities and selecting a best estimation based on a maximum likelihood method.
Abstract:
A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.
Abstract:
A method is disclosed for removing redundancies from a list of data structures. The list of data structures is sorted by a first attribute into sub-lists whose members share a common first attribute. Each of these sub-lists is then sorted by a second attribute into sub-lists whose members share both a common first attribute and a common second attribute. Each of these sub-lists is combined into a single combined data structure that includes a third attribute set. Each third attribute set holds the third attributes of the data structures in the sub-list from which that combined data structure was formed.
Abstract:
A device is provided for mitigating data flooding in a data communication network. The device can include a first module and a second module. The first module can identify flooding data transmitted from at least one offending host and intended for at least one threatened host. The second module can generate a data rate limit that is communicated to at least one of a plurality of edge nodes, this node defining an entry node. The data rate limit can be based upon an observed rate of transmission of flooding data from the offending host to the entry node and a desired rate of transmission of flooding data to the threatened host from at least one other of the plurality of edge nodes, that node defining an exit node.
Abstract:
A method and apparatus for implementing network management policies is provided. A communication path is determined that passes through a first domain of a network. The communication path characterizes the first domain as a single node but does not lose information. A management policy is then implemented using the communication path. Another aspect of the invention provides a method for implementing a management policy using topology reduction. A network is abstracted into domains, and each domain may be cloudified if that domain is determined to have a cloudification characteristic. Domains that are cloudified are subsequently represented as having reduced topology and internal connectivity, but this representation does not incur information loss when management policies are implemented using the cloudified domains. In other aspects, the invention provides a computer-readable medium and a system configured to carry out the foregoing.
Abstract:
A plurality of logical nodes are identified from a plurality of elements on a network, where the plurality of elements include security devices. One or more path entries may be determined for at least some of the logical nodes. Each path entry is associated with one of the logical nodes and specifies a set of communication packets, as well as a next node to receive the communication packets from the associated node. The path entries are used to characterize at least a substantial portion of a network path that is to carry communication packets in the set of communication packets.
Abstract:
Enforcement firewalls and other security devices are located on a network for a given source node and destination node. Nodes in the network topology are programmatically identified as being part of a non-looping communication path between the source node and the destination node. These nodes may be part of a path closure set. Security devices that are part of the path closure set are identified as the enforcement security devices for the given source and destination node.
Abstract:
Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.