公开(公告)号：US08239945B2

公开(公告)日：2012-08-07

申请号：US12334481

申请日：2008-12-14

申请人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

发明人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G06B23/00

CPC分类号： H04L63/1416 ,  H04L63/1441

摘要： An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

摘要翻译： 入侵检测系统（IDS）包括耦合到用于存储程序和数据的存储器单元的网络处理器（NP）。 NP还耦合到一个或多个并行模式检测引擎（PPDE），其提供对输入数据流中的模式的高速并行检测。 每个PPDE包括许多处理单元（PU），每个处理单元被设计为将入侵签名存储为具有所选操作码的数据序列。 PU具有用于选择模式识别模式的配置寄存器。 每个PU在每个时钟周期比较一个字节。 如果来自输入模式的字节序列与存储的模式匹配，则用任何适用的比较数据输出检测模式的PU的识别。 通过在多个并行PU中存储入侵签名，IDS可以以NP处理速度处理网络数据。 PU可以级联以增加入侵覆盖或检测长入侵签名。

公开(公告)号：US20120210430A1

公开(公告)日：2012-08-16

申请号：US13455441

申请日：2012-04-25

申请人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

发明人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

IPC分类号： G06F21/00

CPC分类号： H04L63/1416 ,  H04L63/1441

摘要： An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

摘要翻译： 入侵检测系统（IDS）包括耦合到用于存储程序和数据的存储器单元的网络处理器（NP）。 NP还耦合到一个或多个并行模式检测引擎（PPDE），其提供对输入数据流中的模式的高速并行检测。 每个PPDE包括许多处理单元（PU），每个处理单元被设计为将入侵签名存储为具有所选操作码的数据序列。 PU具有用于选择模式识别模式的配置寄存器。 每个PU在每个时钟周期比较一个字节。 如果来自输入模式的字节序列与存储的模式匹配，则用任何适用的比较数据输出检测模式的PU的识别。 通过在多个并行PU中存储入侵签名，IDS可以以NP处理速度处理网络数据。 PU可以级联以增加入侵覆盖或检测长入侵签名。

公开(公告)号：US20090254991A1

公开(公告)日：2009-10-08

申请号：US12334481

申请日：2008-12-14

申请人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

发明人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

IPC分类号： G06F21/00

CPC分类号： H04L63/1416 ,  H04L63/1441

摘要： An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

摘要翻译： 入侵检测系统（IDS）包括耦合到用于存储程序和数据的存储器单元的网络处理器（NP）。 NP还耦合到一个或多个并行模式检测引擎（PPDE），其提供对输入数据流中的模式的高速并行检测。 每个PPDE包括许多处理单元（PU），每个处理单元被设计为将入侵签名存储为具有所选操作码的数据序列。 PU具有用于选择模式识别模式的配置寄存器。 每个PU在每个时钟周期比较一个字节。 如果来自输入模式的字节序列与存储的模式匹配，则用任何适用的比较数据输出检测模式的PU的识别。 通过在多个并行PU中存储入侵签名，IDS可以以NP处理速度处理网络数据。 PU可以级联以增加入侵覆盖或检测长入侵签名。

公开(公告)号：US07487542B2

公开(公告)日：2009-02-03

申请号：US10756904

申请日：2004-01-14

申请人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

发明人： Marc A. Boulanger ,  Clark D. Jeffries ,  C. Marcel Kinard ,  Kerry A. Kravec ,  Ravinder K. Sabhikhi ,  Ali G. Saidi ,  Jan M. Slyfield ,  Pascal R. Tannhof

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G06F15/18 ,  G08B23/00

CPC分类号： H04L63/1416 ,  H04L63/1441

摘要： An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

摘要翻译： 入侵检测系统（IDS）包括耦合到用于存储程序和数据的存储器单元的网络处理器（NP）。 NP还耦合到一个或多个并行模式检测引擎（PPDE），其提供对输入数据流中的模式的高速并行检测。 每个PPDE包括许多处理单元（PU），每个处理单元被设计为将入侵签名存储为具有所选操作码的数据序列。 PU具有用于选择模式识别模式的配置寄存器。 每个PU在每个时钟周期比较一个字节。 如果来自输入模式的字节序列与存储的模式匹配，则用任何适用的比较数据输出检测模式的PU的识别。 通过在多个并行PU中存储入侵签名，IDS可以以NP处理速度处理网络数据。 PU可以级联以增加入侵覆盖或检测长入侵签名。

公开(公告)号：US07274666B2

公开(公告)日：2007-09-25

申请号：US10405673

申请日：2003-04-01

申请人： Ganesh Balakrishnan ,  John P. Chalmers ,  Clark D. Jeffries ,  Jitesh R. Nair ,  Larry W. Nicholson ,  Ravinder K. Sabhikhi ,  Raj K. Singh

发明人： Ganesh Balakrishnan ,  John P. Chalmers ,  Clark D. Jeffries ,  Jitesh R. Nair ,  Larry W. Nicholson ,  Ravinder K. Sabhikhi ,  Raj K. Singh

IPC分类号： H04L12/26

CPC分类号： H04L47/32 ,  H04L47/10 ,  H04L47/29 ,  H04L47/30 ,  H04L49/90

摘要： A flow control method and system including an algorithm for deciding to transmit an arriving packet into a processing queue or to discard it, or, in the case of instructions or packets that must not be discarded, a similar method and system for deciding at a service event to transmit an instruction or packet into a processing queue or to skip the service event. The transmit probability is increased or decreased in consideration of minimum and maximum limits for each flow, aggregate limits for sets of flows, relative priority among flows, queue occupancy, and rate of change of queue occupancy. The effects include protection of flows below their minimum rates, correction of flows above their maximum rates, and, for flows between minimum and maximum rates, reduction of constituent flows of an aggregate that is above its aggregate maximum. Practice of the invention results in low queue occupancy during steady congestion.

摘要翻译： 一种流量控制方法和系统，包括用于决定将到达的分组发送到处理队列或丢弃它的算法，或者在不能被丢弃的指令或分组的情况下，用于在服务中决定的类似方法和系统 将指令或分组发送到处理队列或跳过服务事件的事件。 考虑到每个流量的最小和最大限制，流量集合的限制，流量之间的相对优先级，队列占用率和队列占用率的变化率，发送概率增加或减少。 这些影响包括保护流量低于其最低利率，纠正高于其最大利率的流量，以及最小和最大利率之间的流量减少总量超过其总最大值的组成流量。 本发明的实践导致在稳定拥塞期间的低队列占用。

公开(公告)号：US07738376B2

公开(公告)日：2010-06-15

申请号：US11766190

申请日：2007-06-21

申请人： Garesh Balakrishnan ,  John P. Chalmers ,  Clark D. Jeffries ,  Jitesh R. Nair ,  Larry W. Nicholson ,  Ravinder K. Sabhikhi ,  Raj K. Singh

发明人： Garesh Balakrishnan ,  John P. Chalmers ,  Clark D. Jeffries ,  Jitesh R. Nair ,  Larry W. Nicholson ,  Ravinder K. Sabhikhi ,  Raj K. Singh

IPC分类号： H04L12/26

CPC分类号： H04L47/32 ,  H04L47/10 ,  H04L47/29 ,  H04L47/30 ,  H04L49/90

摘要： A flow control method and system including an algorithm for deciding to transmit an arriving packet into a processing queue or to discard it, or, in the case of instructions or packets that must not be discarded, a similar method and system for deciding at a service event to transmit an instruction or packet into a processing queue or to skip the service event. The transmit probability is increased or decreased in consideration of minimum and maximum limits for each flow, aggregate limits for sets of flows, relative priority among flows, queue occupancy, and rate of change of queue occupancy. The effects include protection of flows below their minimum rates, correction of flows above their maximum rates, and, for flows between minimum and maximum rates, reduction of constituent flows of an aggregate that is above its aggregate maximum. Practice of the invention results in low queue occupancy during steady congestion.

摘要翻译： 一种流量控制方法和系统，包括用于决定将到达的分组发送到处理队列或丢弃它的算法，或者在不能被丢弃的指令或分组的情况下，用于在服务中决定的类似方法和系统 将指令或分组发送到处理队列或跳过服务事件的事件。 考虑到每个流量的最小和最大限制，流量集合的限制，流量之间的相对优先级，队列占用率和队列占用率的变化率，发送概率增加或减少。 这些影响包括保护流量低于其最低利率，纠正高于其最大利率的流量，以及最小和最大利率之间的流量减少总量超过其总最大值的组成流量。 本发明的实践导致在稳定拥塞期间的低队列占用。

公开(公告)号：US07710874B2

公开(公告)日：2010-05-04

申请号：US10454052

申请日：2003-06-04

申请人： Ganesh Balakrishnan ,  Everett A. Corl, Jr. ,  Clark D. Jeffries ,  Ravinder K. Sabhikhi ,  Michael S. Siegel ,  Raj K. Singh ,  Rama M. Yedavalli

发明人： Ganesh Balakrishnan ,  Everett A. Corl, Jr. ,  Clark D. Jeffries ,  Ravinder K. Sabhikhi ,  Michael S. Siegel ,  Raj K. Singh ,  Rama M. Yedavalli

IPC分类号： H04L1/00

CPC分类号： H04L41/0896

摘要： A process control method and system including partitioning transmit decisions and certain measurements into one logical entity (Data Plane) and partitioning algorithm computation to update transmit probabilities into a second logical entity (Control Plane), the two entities periodically communicating fresh measurements from Data Plane to Control Plane and adjusted transmit probabilities from Control Plane to Data Plane. The transmit probability may be used in transmit/discard decisions of packets or instructions exercised at every arrival of a packet or instruction. In an alternative embodiment, the transmit probability may be used in transmit/delay decisions of awaiting instructions or packets exercised at every service event.

摘要翻译： 一种过程控制方法和系统，包括将发送决策和某些测量划分成一个逻辑实体（数据平面）和分区算法计算，以将发送概率更新为第二逻辑实体（控制平面），所述两个实体周期性地将新的测量从数据平面传送到 控制平面和从控制平面到数据平面的调整传输概率。 发送概率可以用于在分组或指令的每个到达时所执行的分组或指令的发送/丢弃决定。 在替代实施例中，发送概率可以用于在每个服务事件处等待指令或分组执行的发送/延迟决定。

公开(公告)号：US20130121159A1

公开(公告)日：2013-05-16

申请号：US13297770

申请日：2011-11-16

申请人： Bruce O. Anthony, JR. ,  Ronald L. Billau ,  Canio Cillis ,  Vincenzo V. Di Luoffo ,  Philip E. Grady ,  Ravinder K. Sabhikhi ,  Raj K. Singh ,  George W. Van Leeuwen

发明人： Bruce O. Anthony, JR. ,  Ronald L. Billau ,  Canio Cillis ,  Vincenzo V. Di Luoffo ,  Philip E. Grady ,  Ravinder K. Sabhikhi ,  Raj K. Singh ,  George W. Van Leeuwen

IPC分类号： H04W40/00 ,  H04W24/00 ,  H04W4/00

CPC分类号： H04W40/02 ,  H04W28/08 ,  H04W76/20 ,  H04W80/04

摘要： Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A first service mechanism in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may include caching of data, data or video compression techniques, push-based services, charging, application serving, analytics, security, data filtering, and new revenue-producing services, as well as others. This architecture allows performing new mobile network services at the edge of a mobile data network within the infrastructure of an existing mobile data network.

公开(公告)号：US07653681B2

公开(公告)日：2010-01-26

申请号：US11035644

申请日：2005-01-14

申请人： Randall W. Alexander ,  Seeta Hariharan ,  David M. Perlsweig ,  Sridhar Rao ,  Ravinder K. Sabhikhi

发明人： Randall W. Alexander ,  Seeta Hariharan ,  David M. Perlsweig ,  Sridhar Rao ,  Ravinder K. Sabhikhi

IPC分类号： G06F15/16

CPC分类号： H04L67/34

摘要： A method for developing portable network processor applications and/or managing heterogeneous network processors in a network is disclosed. The network includes host processor(s) utilizing system configuration application(s) that are network processor independent. In one aspect, the method and system include using standardized interface(s) for each network processor, using a standardized transport layer compatible with the interface(s), and providing a generic message application layer. The generic message application layer defines generic payload(s) and message type(s) for configuration communications between the network and host processors. In another aspect, the method and system include providing packet processing shell(s) and generic protocol software that is coupled with the packet processing shell(s) through standard interface(s), network processor independent, and performs operations for packet processing. The method also include providing a library that includes network processor specific information for performing the operations and providing block(s) for performing other network processor specific operations.

摘要翻译： 公开了一种在网络中开发便携式网络处理器应用和/或管理异构网络处理器的方法。 该网络包括使用与网络处理器无关的系统配置应用的主机处理器。 在一个方面，该方法和系统包括：使用与该接口兼容的标准传输层，并提供通用消息应用层，为每个网络处理器使用标准接口。 通用消息应用层定义了用于网络和主机处理器之间的配置通信的通用有效载荷和消息类型。 另一方面，该方法和系统包括提供分组处理外壳和通过标准接口与网络处理器无关的与分组处理外壳相结合的通用协议软件，并执行分组处理操作。 该方法还包括提供一个库，该库包括用于执行操作的网络处理器特定信息，并提供用于执行其他网络处理器特定操作的块。

公开(公告)号：US07366728B2

公开(公告)日：2008-04-29

申请号：US10832634

申请日：2004-04-27

申请人： Everett A. Corl, Jr. ,  Gordon T. Davis ,  Marco Heddes ,  Piyush C. Patel ,  Ravinder K. Sabhikhi

发明人： Everett A. Corl, Jr. ,  Gordon T. Davis ,  Marco Heddes ,  Piyush C. Patel ,  Ravinder K. Sabhikhi

IPC分类号： G06F7/00

CPC分类号： H03M7/30 ,  Y10S707/99942

摘要： The present invention relates to a method and system for compressing a tree structure. The method of the present invention includes providing a compressed format block for representing a plurality of levels of the tree structure, where the plurality of levels comprises a set of nodes. The method also includes compressing each node in the set of nodes into the compressed format block, such that the plurality of levels is traversed in a single memory access.

摘要翻译： 本发明涉及一种用于压缩树结构的方法和系统。 本发明的方法包括提供用于表示树结构的多个级别的压缩格式块，其中多个级包括一组节点。 该方法还包括将该组节点中的每个节点压缩为压缩格式块，使得在单个存储器访问中遍历多个级别。