1. Techniques for network protection based on subscriber-aware application proxies
    Granted patent; status: in force

    Publication number: US08844035B2

    Publication date: 2014-09-23

    Application number: US13369498

    Filing date: 2012-02-09

    IPC classification: H04L29/06

    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.


2. Techniques for network protection based on subscriber-aware application proxies
    Granted patent; status: in force

    Publication number: US08266696B2

    Publication date: 2012-09-11

    Application number: US11273112

    Filing date: 2005-11-14

    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.


3. Techniques for network protection based on subscriber-aware application proxies
    Patent application; status: in force

    Publication number: US20120137366A1

    Publication date: 2012-05-31

    Application number: US13369498

    Filing date: 2012-02-09

    IPC classification: G06F21/00

    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.


4. Parsing out of order data packets at a content gateway of a network
    Granted patent; status: in force

    Publication number: US07864771B2

    Publication date: 2011-01-04

    Application number: US11738358

    Filing date: 2007-04-20

    IPC classification: H04L12/28, H04L12/56

    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.


5. Parsing out of order data packets at a content gateway of a network
    Patent application; status: in force

    Publication number: US20080259926A1

    Publication date: 2008-10-23

    Application number: US11738358

    Filing date: 2007-04-20

    IPC classification: H04L12/56

    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.


6. Parsing out of order data packets at a content gateway of a network
    Granted patent; status: in force

    Publication number: US08194675B2

    Publication date: 2012-06-05

    Application number: US12725336

    Filing date: 2010-03-16

    IPC classification: H04L12/28

    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.


7. Techniques for load balancing subscriber-aware application proxies
    Granted patent; status: in force

    Publication number: US07738452B1

    Publication date: 2010-06-15

    Application number: US11158751

    Filing date: 2005-06-22

    IPC classification: H04L12/28, H04L12/56

    Abstract: Techniques for distributing network traffic from an access server to a service gateway include receiving, at a load balancer, sticky table data that indicates an association between a particular subscriber IP address and a particular subscriber-aware service gateway in a gateway cluster. An input data packet is received with an input source address and an input transport-layer destination. If it is determined that the input transport-layer destination indicates a type of payload that uses a service gateway, then the particular service gateway associated with the particular subscriber is determined based on the sticky table and the IP address in the input source address. An output data packet is directed to the particular service gateway using a link-layer or network-layer destination address. These techniques allow a load balancer to be located anywhere on the network and to bypass a subscriber-aware service gateway for some data traffic.

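    The steering decision the abstract above describes, as an added Python example that is not code from the patent: a sticky table learned per subscriber session, a bypass decision taken on the transport-layer destination, and an output packet whose link-layer destination is rewritten to the chosen gateway while the IP header is left as it arrived. The port set, the gateway names and link-layer addresses, the sample subscriber addresses, and the policy of dropping a packet whose source has no sticky entry are all assumptions made for the illustration.

```python
"""Sticky, subscriber-aware load balancing with bypass for traffic the service
gateway does not need to see. Added example, not code from the patent; ports,
gateway names, addresses and the no-entry policy are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Transport-layer destinations whose payload type is handled by a service gateway
# (assumed: plain HTTP and the common proxy port). Everything else bypasses the cluster.
GATEWAY_DST_PORTS = {80, 8080}


@dataclass(frozen=True)
class Packet:
    src_ip: str                          # subscriber's address (input source address)
    dst_ip: str
    dst_port: int                        # input transport-layer destination
    next_hop_mac: Optional[str] = None   # link-layer destination, rewritten to steer


class StickyLoadBalancer:
    def __init__(self, gateways: Dict[str, str]):
        self.gateways = gateways          # gateway name -> its link-layer address
        self.sticky: Dict[str, str] = {}  # subscriber IP -> gateway name

    def learn(self, subscriber_ip: str, gateway: str) -> None:
        """Sticky table entry, delivered when the subscriber's session is set up."""
        if gateway not in self.gateways:
            raise ValueError(f"unknown gateway {gateway}")
        self.sticky[subscriber_ip] = gateway

    def forget(self, subscriber_ip: str) -> None:
        """Session torn down: the address may soon belong to someone else."""
        self.sticky.pop(subscriber_ip, None)

    def steer(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (decision, output packet). The IP header is never modified;
        only the link-layer destination changes, so the gateway still sees the
        subscriber's own source address and can map the flow to the session."""
        if pkt.dst_port not in GATEWAY_DST_PORTS:
            return "bypass", pkt          # no gateway needed; forward as normally routed
        gateway = self.sticky.get(pkt.src_ip)
        if gateway is None:
            # Assumed policy: a source with no session on record is not admitted
            # to the cluster. A hashed fallback gateway would be the other choice.
            return "drop", pkt
        return "steer", replace(pkt, next_hop_mac=self.gateways[gateway])


def build_demo_balancer() -> StickyLoadBalancer:
    """Constructed sample: two gateways, two subscribers with sessions."""
    lb = StickyLoadBalancer({"gw-a": "00:11:22:33:44:0a", "gw-b": "00:11:22:33:44:0b"})
    lb.learn("10.0.0.5", "gw-a")
    lb.learn("10.0.0.6", "gw-b")
    return lb


if __name__ == "__main__":
    lb = build_demo_balancer()
    for pkt in (Packet("10.0.0.5", "203.0.113.10", 80),
                Packet("10.0.0.6", "203.0.113.10", 8080),
                Packet("10.0.0.5", "203.0.113.10", 443),
                Packet("10.0.0.99", "203.0.113.10", 80)):
        print(lb.steer(pkt))
```

    Keying the table on the source IP is only as trustworthy as the access network's source-address validation: a host that can forge another subscriber's address lands on that subscriber's gateway and inherits whatever per-subscriber policy lives there, so the NAS side has to enforce anti-spoofing for this design to hold. The `forget` path matters for the same reason; an entry left behind after a session ends maps the next holder of that address to the wrong gateway.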

8. Parsing out of order data packets at a content gateway of a network
    Patent application; status: in force

    Publication number: US20100172356A1

    Publication date: 2010-07-08

    Application number: US12725336

    Filing date: 2010-03-16

    IPC classification: H04L12/56

    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.

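    The forward-then-parse behaviour described in entries 4, 5 and 8 (one patent family), as an added Python example that is not code from the patent: every packet is forwarded the moment it arrives, an in-order packet is parsed immediately, and an out-of-order packet is stored and parsed once the gap before it is filled. Sequence numbers are byte offsets as in TCP; the HTTP request line used as the flow description, the sample request and the cap on the reorder buffer are assumptions for the illustration.

```python
"""Content-gateway flow parser that never delays a packet in order to parse it.
Added example, not code from the patent. Sequence numbers are TCP-style byte
offsets; the request-line parse, the sample request and the buffer cap are
assumptions."""
from typing import Dict, List, Optional, Tuple


class FlowParser:
    def __init__(self, initial_seq: int = 0, max_pending: int = 64):
        self.next_seq = initial_seq            # sequence number the parser expects next
        self.pending: Dict[int, bytes] = {}    # out-of-order packets held for later parsing
        self.max_pending = max_pending         # cap so a flood of gaps cannot exhaust memory
        self.forwarded: List[int] = []         # order in which packets left the gateway
        self.stream = bytearray()              # in-order payload reconstructed so far
        self.dropped_from_buffer = 0           # packets forwarded but not retained for parsing

    def receive(self, seq: int, payload: bytes) -> None:
        # Step 1: forward toward the destination immediately, whatever the order.
        self.forwarded.append(seq)
        if seq == self.next_seq:
            # Step 2a: in order. Parse now, then drain any stored successors it unblocks.
            self._parse(payload)
            while self.next_seq in self.pending:
                self._parse(self.pending.pop(self.next_seq))
        elif seq > self.next_seq:
            # Step 2b: out of order. Store for subsequent parsing; the packet is already gone.
            if len(self.pending) >= self.max_pending:
                self.dropped_from_buffer += 1  # the flow is unaffected, only our view of it is
                return
            self.pending[seq] = payload
        # seq < next_seq: retransmission of data already parsed; nothing to do.

    def _parse(self, payload: bytes) -> None:
        self.stream.extend(payload)
        self.next_seq += len(payload)

    def request_line(self) -> Optional[str]:
        """Flow description for network administration: the HTTP request line,
        available only once the in-order prefix of the stream contains it."""
        end = self.stream.find(b"\r\n")
        return None if end < 0 else self.stream[:end].decode("ascii", "replace")


# Constructed sample request, 48 bytes, delivered as three segments.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def demo() -> Tuple[List[int], bytes, Optional[str]]:
    """Deliver the sample with the middle segment arriving last."""
    segments = [(0, SAMPLE_REQUEST[:10]), (10, SAMPLE_REQUEST[10:26]), (26, SAMPLE_REQUEST[26:])]
    parser = FlowParser()
    for seq, data in (segments[0], segments[2], segments[1]):
        parser.receive(seq, data)
    return parser.forwarded, bytes(parser.stream), parser.request_line()


if __name__ == "__main__":
    forwarded, stream, line = demo()
    print("forwarded in order:", forwarded)
    print("parsed request line:", line)
```

    The forwarded order `[0, 26, 10]` shows the gateway passing the late-arriving segment through untouched, while the parsed stream comes out in sequence. Two things a production reassembler has to add: a bound on what it will hold (the cap here) because a sender who opens gaps on purpose can otherwise grow the buffer without limit, and handling of overlapping retransmissions, since a monitor that resolves an overlap differently from the receiving host is a classic IDS evasion.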

9. Techniques for load balancing over a cluster of subscriber-aware application servers
    Granted patent; status: in force

    Publication number: US07694011B2

    Publication date: 2010-04-06

    Application number: US11333573

    Filing date: 2006-01-17

    IPC classification: G06F15/173

    Abstract: Techniques for distributing control plane traffic, from an end node in a packet switched network to a cluster of service gateway nodes that host subscriber-aware application servers, include receiving a control plane message for supporting data plane traffic from a particular subscriber. A particular service gateway node is determined among the cluster of service gateway nodes based on policy-based routing (PBR) for the data plane traffic from the particular subscriber. A message based on the control plane message is sent to a control plane process on the particular service gateway node. Thereby, data plane traffic and control plane traffic from the same subscriber are directed to the same gateway node, or otherwise related gateway nodes, of the cluster of service gateway nodes. This approach allows currently-available, hardware-accelerated PBR to be used with clusters of subscriber-aware service gateways that must also monitor control plane traffic from the same subscriber.

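    The control-plane steering of the abstract above, as an added Python example that is not code from the patent: the same longest-prefix PBR policy that a router applies in hardware to a subscriber's data-plane packets is applied to the subscriber address carried inside a control-plane message, so both reach the same gateway node. The prefixes, gateway names, the shape of the message and the name of the receiving control-plane process are assumptions for the illustration.

```python
"""Sending a subscriber's control-plane message to the gateway that PBR already
selects for that subscriber's data plane. Added example, not code from the
patent; prefixes, gateway names and message fields are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class PolicyBasedRouter:
    """Longest-prefix PBR table keyed on the subscriber (source) address,
    i.e. the policy the router applies to data-plane packets."""

    def __init__(self, entries: List[Tuple[str, str]]):
        nets = [(ipaddress.ip_network(prefix), gateway) for prefix, gateway in entries]
        # Most specific prefix first, so the first hit is the longest match.
        self.entries = sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

    def gateway_for(self, subscriber_ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(subscriber_ip)
        for net, gateway in self.entries:
            if addr in net:
                return gateway
        return None


def steer_control_message(pbr: PolicyBasedRouter, msg: Dict[str, str]) -> Dict[str, str]:
    """A control-plane message (assumed here: an accounting record sent by the
    NAS on the subscriber's behalf) arrives from the NAS's address, not the
    subscriber's. The PBR lookup therefore has to use the subscriber address
    carried in the message body, never the packet's own source address."""
    subscriber_ip = msg["subscriber_ip"]
    gateway = pbr.gateway_for(subscriber_ip)
    if gateway is None:
        # No data-plane policy covers this subscriber, so no gateway owns it;
        # refusing is safer than picking one, which would split the two planes.
        raise LookupError(f"no PBR entry covers subscriber {subscriber_ip}")
    return {"deliver_to": gateway, "control_process": "session-manager", **msg}


def build_demo_pbr() -> PolicyBasedRouter:
    """Constructed sample: a /8 owned by gw-a with one /16 carved out for gw-b."""
    return PolicyBasedRouter([("10.0.0.0/8", "gw-a"), ("10.1.0.0/16", "gw-b")])


def demo() -> Tuple[Optional[str], str]:
    """Data-plane and control-plane decisions for the same subscriber."""
    pbr = build_demo_pbr()
    subscriber_ip = "10.1.2.3"
    data_plane_gateway = pbr.gateway_for(subscriber_ip)
    msg = {"type": "Accounting-Request", "from": "192.0.2.1",   # 192.0.2.1 is the NAS
           "subscriber_ip": subscriber_ip, "user": "bob@isp.example"}
    control_plane_gateway = steer_control_message(pbr, msg)["deliver_to"]
    return data_plane_gateway, control_plane_gateway


if __name__ == "__main__":
    print(demo())
```

    The trap this avoids is worth stating plainly: looking up the message's source address instead of the subscriber's would, with the sample table, match nothing (the NAS lives outside every subscriber prefix) or, with a broader table, match the NAS's own prefix and land the session state on a gateway that never sees that subscriber's packets.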

10. Techniques for network protection based on subscriber-aware application proxies
    Patent application; status: in force

    Publication number: US20070113284A1

    Publication date: 2007-05-17

    Application number: US11273112

    Filing date: 2005-11-14

    IPC classification: G06F12/14

    Abstract: Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.

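    The detection-and-response loop described in entries 1, 2 and 10 (one patent family), as an added Python example that is not code from the patent: a per-subscriber record carrying the fields the abstract names, a suspicious-activity value computed from a property of the open flows, an intrusion condition tested on that value, and a response keyed to the subscriber identifier and the NAS rather than to the network address. The scan heuristic, the threshold, the action names and the sample subscriber are assumptions for the illustration.

```python
"""Subscriber-aware intrusion response at a gateway between a NAS and content
servers. Added example, not code from the patent. Record fields follow the
abstract; the half-open-flow heuristic, the threshold, the action names and
the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    handshake_done: bool      # False while the TCP three-way handshake is incomplete


@dataclass
class UserData:
    subscriber_id: str        # unique subscriber identifier, e.g. the RADIUS User-Name
    address: str              # network address currently used by the subscriber's host
    nas_id: str               # identifier of the network access server that admitted the session
    flows: List[Flow] = field(default_factory=list)   # currently open data packet flows


def suspicious_activity(user: UserData) -> int:
    """Suspicious-activity value: a property of the open flows. Assumed heuristic:
    the number of distinct destinations contacted without completing a handshake,
    which is what a SYN scan leaves behind in the flow table."""
    return len({(f.dst_ip, f.dst_port) for f in user.flows if not f.handshake_done})


HALF_OPEN_THRESHOLD = 20      # assumed intrusion condition


def intrusion_condition(user: UserData, threshold: int = HALF_OPEN_THRESHOLD) -> bool:
    return suspicious_activity(user) >= threshold


def respond(user: UserData) -> List[Tuple[str, ...]]:
    """Respond based on user data other than the network address. Actions are
    keyed to the subscriber identifier and the NAS, not the IP: an IP block
    lapses as soon as the host re-dials and gets a fresh address, and behind a
    NAT or a DHCP pool it can hit the next subscriber who inherits the address."""
    if not intrusion_condition(user):
        return []
    return [
        # Ask the admitting NAS to tear down this subscriber's session
        # (e.g. a RADIUS Disconnect-Request sent to the NAS, identifying the user).
        ("disconnect_session", user.nas_id, user.subscriber_id),
        # Mark the subscriber so the next authentication lands in a restricted policy.
        ("quarantine_subscriber", user.subscriber_id),
        # The address still belongs in the audit record; it is just not the key.
        ("log", user.subscriber_id, user.nas_id, user.address, suspicious_activity(user)),
    ]


def make_scanner(n_half_open: int, subscriber_id: str = "alice@isp.example",
                 address: str = "10.20.30.40", nas_id: str = "nas-03") -> UserData:
    """Constructed sample: one subscriber with n half-open flows to distinct ports
    plus a single completed, legitimate flow."""
    flows = [Flow("198.51.100.7", 1 + i, handshake_done=False) for i in range(n_half_open)]
    flows.append(Flow("198.51.100.9", 443, handshake_done=True))
    return UserData(subscriber_id, address, nas_id, flows)


if __name__ == "__main__":
    for n in (3, 25):
        print(n, "half-open flows ->", respond(make_scanner(n)))
```

    The threshold is the part to tune against real traffic: a busy but legitimate host with a flaky upstream also accumulates half-open flows, so a production condition would usually combine the count with a rate and with the spread of destinations rather than fire on the raw number alone.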