Method for managing of denial of service attacks using bandwidth allocation technology
    1.
    Granted invention patent
    Status: lapsed

    Publication number: US08161145B2

    Publication date: 2012-04-17

    Application number: US10375799

    Filing date: 2003-02-27

    IPC classification: G06F15/173

    CPC classification: H04L63/1458

    Abstract: A method for managing attacks in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of packets, which include a plurality of administrative packets. The method includes determining whether a congestion of the administrative packets exists. Congestion of the administrative packets indicates that a potential attack exists. The method also includes discarding a portion of the plurality of administrative packets if it is declared that the congestion of the administrative packets exists. The portion of the plurality of packets is sufficient to ensure that a remaining portion of the plurality of packets transmitted is not more than a maximum administrative packet bandwidth limit and, if the plurality of administrative packets present a sufficient offered load, not less than a minimum administrative packet bandwidth guarantee.


    Traffic metering in data networks
    2.
    Granted invention patent
    Status: lapsed

    Publication number: US07349342B2

    Publication date: 2008-03-25

    Application number: US10390385

    Filing date: 2003-03-17

    IPC classification: G01R31/08 H04L1/00

    Abstract: Methods and apparatus are provided for metering data packets having a plurality of different packet lengths in a data communications network. A token count TC is incremented at a token increment rate CIR subject to an upper limit CBS on the token count. On arrival of a packet of length L tokens, it is determined if both TC>0 and TC+n≧L, where n is a defined number of tokens. If so, the data packet is categorized as in profile and L tokens are subtracted from the token count TC. Otherwise the data packet is categorized out of profile. In some embodiments, n is set to a value in the range 0


    Method and systems for controlling ATM traffic using bandwidth allocation technology
    3.
    Granted invention patent
    Status: lapsed

    Publication number: US07317727B2

    Publication date: 2008-01-08

    Application number: US10442762

    Filing date: 2003-05-21

    IPC classification: H04L12/56 G01R31/08 H04J3/16

    Abstract: A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.


    System and method for automatic management of many computer data processing system pipes
    4.
    Granted invention patent
    Status: in force

    Publication number: US07710874B2

    Publication date: 2010-05-04

    Application number: US10454052

    Filing date: 2003-06-04

    IPC classification: H04L1/00

    CPC classification: H04L41/0896

    Abstract: A process control method and system including partitioning transmit decisions and certain measurements into one logical entity (Data Plane) and partitioning algorithm computation to update transmit probabilities into a second logical entity (Control Plane), the two entities periodically communicating fresh measurements from Data Plane to Control Plane and adjusted transmit probabilities from Control Plane to Data Plane. The transmit probability may be used in transmit/discard decisions of packets or instructions exercised at every arrival of a packet or instruction. In an alternative embodiment, the transmit probability may be used in transmit/delay decisions of awaiting instructions or packets exercised at every service event.


    Flow control in network devices
    5.
    Granted invention patent
    Status: in force

    Publication number: US07260062B2

    Publication date: 2007-08-21

    Application number: US10325324

    Filing date: 2002-12-20

    Abstract: Methods and apparatus are provided for controlling flow rates of a plurality of data packet flows into a queue 4 corresponding to a resource 3 of a network device 1. The flows comprise a set 7 of non-responsive flows, and a set 8 of other flows which may comprise responsive flows and/or flows whose responsiveness is unknown. The flow rates are managed in accordance with a queue management scheme such that adjustments are made to each flow rate in dependence on excess bandwidth in the resource, the amounts of the adjustments being dependent on one or more adjustment parameters for each flow. An error signal is generated based on the deviation from a desired allocation ratio of the ratio of the total flow rates into the queue 4 for the sets of flows 7, 8. At least one adjustment parameter for at least one flow is then varied in dependence on the error signal in such a manner as to reduce the aforementioned deviation. A closed-loop control scheme thus operates in conjunction with the underlying queue management scheme to promote fair bandwidth allocation even in the presence of a mix of responsive and non-responsive flows.


    Controlling ATM traffic using bandwidth allocation technology
    6.
    Granted invention patent
    Status: lapsed

    Publication number: US08169906B2

    Publication date: 2012-05-01

    Application number: US11946057

    Filing date: 2007-11-28

    Abstract: A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.


    MEDIUM AND SYSTEM FOR CONTROLLING ATM TRAFFIC USING BANDWIDTH ALLOCATION TECHNOLOGY
    7.
    Invention patent application
    Status: under examination, published

    Publication number: US20080285455A1

    Publication date: 2008-11-20

    Application number: US12184484

    Filing date: 2008-08-01

    IPC classification: H04L12/56 G08C15/00 H04J3/16

    Abstract: A medium and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The medium and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.


    Token-based active queue management
    8.
    Granted invention patent
    Status: lapsed

    Publication number: US07280477B2

    Publication date: 2007-10-09

    Application number: US10259153

    Filing date: 2002-09-27

    IPC classification: H04L12/28

    Abstract: Methods and apparatus are provided for managing a data packet queue corresponding to a resource of a network device. A token count TC is maintained for a predefined flow of data packets, and the transmission of packets in the flow into the queue is controlled in dependence on this token count. The token count is decremented when packets in the flow are transmitted into the queue, and the token count is incremented at a token increment rate C. A bandwidth indicator, indicative of bandwidth availability in the resource, is monitored, and the token increment rate C is varied in dependence on this bandwidth indicator. The bandwidth-dependent variation of the token increment rate C is such that, when available bandwidth is indicated, the increment rate C is increased, and when no available bandwidth is indicated the increment rate C is decreased.


    Intrusion detection using a network processor and a parallel pattern detection engine
    9.
    Granted invention patent
    Status: lapsed

    Publication number: US08239945B2

    Publication date: 2012-08-07

    Application number: US12334481

    Filing date: 2008-12-14

    CPC classification: H04L63/1416 H04L63/1441

    Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.


    Caching lookups based upon TCP traffic flow characteristics
    10.
    Granted invention patent
    Status: lapsed

    Publication number: US08005989B2

    Publication date: 2011-08-23

    Application number: US12188333

    Filing date: 2008-08-08

    IPC classification: G06F15/173

    CPC classification: H04L45/00 H04L69/22

    Abstract: The classification system of a network device includes a cache in which a mapping between predefined characteristics of TCP/IP packets and associated actions are stored in response to the first “Frequent Flyer” packet of a session. Selected characteristics from subsequent received packets of that session are correlated with the predefined characteristics and the stored actions are applied to the received packets if the selected characteristics and the predefined characteristics match, thus reducing the processing required for subsequent packets. The packets selected for caching may be data packets. For mismatched characteristics, the full packet search of the classification system is used to determine the action to apply to the received packet.
