Abstract:
In a network including a centralized controller and a plurality of routers forming a security perimeter, a method for selectively discarding packets during a distributed denial-of-service (DDoS) attack over the network. The method includes aggregating victim destination prefix lists and attack statistics associated with incoming packets received from the plurality of routers to confirm a DDoS attack victim, and aggregating packet attribute distribution frequencies for incoming victim-related packets received from the plurality of security perimeter routers. Common scorebooks are generated from the aggregated packet attribute distribution frequencies and nominal traffic profiles, and the local cumulative distribution functions (CDFs) of the local scores derived from the plurality of security perimeter routers are aggregated. A common discarding threshold is derived from the aggregated CDF and sent to each of the plurality of security perimeter routers, where the discarding threshold defines the condition under which an incoming packet may be discarded at the security perimeter.
Abstract:
The present invention provides systems and methods for providing distributed, adaptive IP filtering techniques used in detecting and blocking IP packets involved in DDoS attacks through the use of Bloom filters and leaky-bucket concepts to identify "attack" flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The present invention examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received, and then determines when a group of stored classifications is too excessive to be considered normal for a given period of time. After the device determines the criteria that the excessive IP packets have in common, the device then determines rules to identify the packets that meet such criteria and filters or blocks the packets so identified.
Abstract:
The present invention sets forth a methodology for providing improved downlink backhaul services from a radio network controller (RNC) to a plurality of base stations via a backhaul network that provides Ethernet services. The Ethernet services are provided by a group of provider edge (PE) switches and regular label switch routers (referred to as P switches). Base stations within the network are assigned into clusters, each of the clusters having a cluster ID. The RNC transmits packets to a given switch or switches out on the network based on a cluster ID included within the transmitted packet. The communications traffic is then multicast from at least one last hop switch in the network to candidate base stations on the basis of the cluster ID and an active set within the cluster. Advantageously, the clusters act as subgroups for more easily directing the transmission of the backhaul multicast traffic. Significant advantages are realized through use of the present invention, including the ability to allow faster and smoother handoffs, as well as backhaul bandwidth savings since intelligence regarding cell switching is extended out at a point farther along the network than was previously enabled.
Abstract:
In a UMTS (universal mobile telecommunications system) Terrestrial Radio Access Network (UTRAN) based wireless system, a wireless network element (e.g., a base station) exchanges information with another wireless network element (e.g., a radio network controller) via data frames (uplink or downlink). Each data frame comprises a header portion and a payload portion, and carries a QoS class indicator field. Illustratively, the eight-bit spare extension field of a UTRAN data frame (uplink or downlink) is used to convey a four-bit payload type indicator and a four-bit QoS class indicator.
Abstract:
A Layer 2 Tunneling Protocol (L2TP) sender performs a sender initiated recovery algorithm (SIRA) upon receiving, from an L2TP receiver, a predefined number of packets including the same "next received" (Nr) sequence number. The L2TP sender transmits a payload message that includes the "Reset Sr" (R-bit) indicator, which resets the value of Nr (at the receiver) to either just beyond the first missing packet or to the current send sequence number of the sender.
Abstract:
An Internet Protocol (IP)-based network incorporates an application level switching server and a number of packet endpoints. A packet endpoint multiplexes application sessions destined for different packet endpoints into one multiplexed session that is terminated with the application level switching server. The latter extracts each application session (or packets associated therewith) and repackages, or switches, them into other multiplexed sessions such that at least two switched packets are transmitted to different packet endpoints. The multiplexed sessions utilize either RTP/UDP/IP or UDP/IP encapsulation.
Abstract:
New Attribute Value Pairs (AVPs) are defined for use in the L2TP control messages for setting up a call. In particular, an L2TP Incoming-Call-Request (ICRQ) or Outgoing-Call-Request (OCRQ) message includes a QoS_Request AVP, which includes a field defining the number of classes of service within the call. In another embodiment, a new QoS_Request extension and a new QoS_Reply extension are defined for use in Mobile IP networks.
Abstract:
A method for data transmission in a wireless communication network utilizes an on-demand multiple access method with a fair queuing service discipline for efficient utilization of the limited bandwidth available in the network by sharing bandwidth among the remote hosts. In one embodiment, the base station broadcasts the system virtual time and the assigned shares of the service classes to each of the wireless remotes. Each remote host computes its own service tag and reports it to the base station, which assigns transmit permits based on the service tag values and the available data slots. If a packet is lost or in error, the sending remote recomputes the service tag values of all its queued packets, including the packet whose transmission failed. Alternatively, the remote informs the base station of its queue size and the base station computes service tags for each remote based on the service shares of the remote and the available data slots. If a packet is lost or in error, the base station recomputes the service tag values for that remote host based on the current system virtual time. In an alternate embodiment, the access point (AP) or wireless node maintains a packet queue and a head-of-line tag. If a packet is lost, only the head-of-line tag needs to be changed. Once the head-of-line packet has been transmitted successfully, the rest of the queued packets automatically receive the correct tags: the recomputed head-of-line tag plus the appropriate increments. For half-duplex, both the uplink and downlink queues at the access points are managed as if there were only one system virtual time. For full-duplex, separate system virtual times for the uplink and the downlink traffic may be used. Remotes may also be divided into one or more separate groups, with each group having a different priority and receiving a different system virtual time. The service tags of all other remotes remain unaffected by the retransmission of a packet from any particular remote, meaning that the QoS experienced by the other remotes does not suffer.
Abstract:
An advance over the prior art is achieved through an efficient method for an admission control algorithm and a scheduling mechanism that complement each other in providing the following three classes of service. A first class of service is termed Class 1, where users specify a nominal amount of bandwidth desired. A second, lower-tier service class is termed Class 2, wherein users specify a nominal and a minimum amount of bandwidth desired when entering into a network connection. A third service class is Class 3, where Class 3 users are treated as best-effort users. For Class 1 users the methodology of the present invention provides a guaranteed nominal amount of bandwidth. The admission control procedure ensures that Class 1 users are admitted only if resources exist to satisfy the nominal bandwidth requirements of the Class 1 users. Class 2 users are admitted if resources exist to satisfy the minimum bandwidth requirements of the user. Class 2 users are served with a bandwidth of up to their nominal bandwidths if there is capacity left after serving the Class 1 users with their nominal capacities. Class 3 users are served only if the Class 2 users have received their nominal bandwidths.
Abstract:
In a UMTS network, each packet data service user requires a dedicated channel (DCH) to transmit at high data rates. However, the number of DCHs available is small due to code and power limitations. Thus many users will have to be allocated the same DCH on a time-sharing basis. Such sharing will not impact the quality of service for users whose applications are not delay sensitive and whose traffic generation pattern toggles between transmit and idle states. Such applications include web browsing, FTP sessions and e-mail. The present invention discloses four algorithms that can be used to dynamically allocate DCH channels to a contending user based on the user's need according to its traffic generation. One embodiment of the invention discloses a methodology of allocating user channels for packet data services in a wireless communications network, a first type channel having a given data rate and a second type channel having a lower data rate, including the steps of determining an estimated bandwidth requirement for the packet data services, switching a user to the second channel type from said first channel type if said estimated bandwidth requirement is below a first threshold, and switching a user to the first channel type from said second channel type if the estimated bandwidth requirement is greater than a second threshold. Another embodiment discloses a methodology of allocating user channels for packet data services in a wireless communications network, a first type channel having a given data rate and a second type channel having a lower data rate, comprising the steps of providing an inactivity timer per user, and switching from the first channel type to said second channel type depending on the state of said inactivity timer.