VARIABLE-STRIDE STREAM SEGMENTATION AND MULTI-PATTERN MATCHING
    1.
    Patent application
    Status: in force

    Publication number: US20100266215A1

    Publication date: 2010-10-21

    Application number: US12425576

    Filing date: 2009-04-17

    IPC classification: G06K9/72

    CPC classification: G06K9/62

    Abstract: A variable-stride multi-pattern matching apparatus segments patterns and input streams into variable-size blocks according to a modified winnowing algorithm. The variable-stride pattern segments are used to determine the block-symbol alphabet for a variable-stride discrete finite automaton (VS-DFA) that is used for detecting the patterns in the input streams. Applications include network-intrusion detection and protection systems, genome matching, and forensics. The modification of the winnowing algorithm includes using special hash values to determine the position of delimiters of the patterns and input streams. The delimiters mark the beginnings and ends of the segments. In various embodiments, the patterns are segmented into head, core, and tail blocks. The approach provides for memory, memory-bandwidth, and processor-cycle efficient, deterministic, high-speed, line-rate pattern matching.

    Variable-stride stream segmentation and multi-pattern matching
    2.
    Granted patent
    Status: in force

    Publication number: US08250016B2

    Publication date: 2012-08-21

    Application number: US12425576

    Filing date: 2009-04-17

    IPC classification: G06F17/00

    CPC classification: G06K9/62

    Abstract: A variable-stride multi-pattern matching apparatus segments patterns and input streams into variable-size blocks according to a modified winnowing algorithm. The variable-stride pattern segments are used to determine the block-symbol alphabet for a variable-stride discrete finite automaton (VS-DFA) that is used for detecting the patterns in the input streams. Applications include network-intrusion detection and protection systems, genome matching, and forensics. The modification of the winnowing algorithm includes using special hash values to determine the position of delimiters of the patterns and input streams. The delimiters mark the beginnings and ends of the segments. In various embodiments, the patterns are segmented into head, core, and tail blocks. The approach provides for memory, memory-bandwidth, and processor-cycle efficient, deterministic, high-speed, line-rate pattern matching.

    Method and apparatus for transparent cloud computing with a virtualized network infrastructure
    3.
    Granted patent
    Status: in force

    Publication number: US08369333B2

    Publication date: 2013-02-05

    Application number: US12582939

    Filing date: 2009-10-21

    IPC classification: H04L12/56

    Abstract: A capability is provided for providing transparent cloud computing with a virtualized network infrastructure. A method for enabling use of a resource of a data center as an extension of a customer network includes receiving, at a forwarding element (FE), a packet intended for a virtual machine hosted at an edge domain of the data center, determining a VLAN ID of the VLAN for the customer network in the edge domain, updating the packet to include the VLAN ID of the VLAN for the customer network in the edge domain, and propagating the updated packet from the FE toward the virtual machine. The edge domain supports a plurality of VLANs for a respective plurality of customer networks. The packet includes an identifier of the customer network and a MAC address of the virtual machine. The VLAN ID of the VLAN for the customer network in the edge domain is determined using the identifier of the customer network and the MAC address of the virtual machine. The FE may be associated with the edge domain at which the virtual machine is hosted, an edge domain of the data center that is different than the edge domain at which the virtual machine is hosted, or the customer network. Depending on the location of the FE at which the packet is received, additional processing may be provided as needed.

    Apparatus and method for protection in a data center
    5.
    Granted patent
    Status: in force

    Publication number: US09066160B2

    Publication date: 2015-06-23

    Application number: US13350457

    Filing date: 2012-01-13

    IPC classification: H04B10/00 H04Q11/00

    Abstract: A manner of providing redundancy protection for a data center network that is both reliable and low-cost. In a data center network where data traffic passes between numerous access nodes and a network core layer via primary aggregation nodes, an optical network device such as an OLT (optical line terminal) is provided as a backup aggregation node for one or more of the primary aggregation nodes. When a communication path through a primary aggregation node fails, traffic is routed through the optical network device. In a preferred embodiment, a communication link is formed from a plurality of access nodes to a single port of the OLT or other optical network device via an optical splitter that combines upstream transmissions and distributes downstream transmissions. The upstream transmissions from the plurality of access nodes may occur according to an allocation schedule generated when the backup aggregation node is needed.

    Method and apparatus for generating a shape graph from a binary trie
    6.
    Granted patent
    Status: in force

    Publication number: US08631043B2

    Publication date: 2014-01-14

    Application number: US12633845

    Filing date: 2009-12-09

    IPC classification: G06F17/30

    CPC classification: G06F17/30958

    Abstract: A capability is provided for representing a set of data values using data structures, including converting a binary trie data structure representing the set of data values to a shape graph data structure representing the set of data values. The shape graph data structure is generated from the binary trie data structure based on the shapes of the sub-trees rooted at the nodes of the binary trie data structure. The shape graph includes vertices representing shapes of the sub-trees of the binary trie data structure. A shape graph data structure permits operations similar to the operations that may be performed on the binary trie data structure for performing lookups for data values from the set of data values, while at the same time reducing the structural redundancy of the binary trie data structure such that the shape graph data structure provides significant improvements in memory usage over the binary trie data structure.

    Method And Apparatus For Energy Efficient Distributed And Elastic Load Balancing
    7.
    Patent application
    Status: in force

    Publication number: US20130166943A1

    Publication date: 2013-06-27

    Application number: US13334141

    Filing date: 2011-12-22

    IPC classification: G06F15/173 G06F11/20

    Abstract: Various embodiments provide a method and apparatus of providing a load balancing configuration that adapts to the overall load and scales the power consumption with the load to improve energy efficiency and scalability. The energy efficient distributed and elastic load balancing architecture includes a collection of multi-tiered servers organized as a tree structure. The handling of incoming service requests is distributed amongst a number of the servers. Each server in the virtual load distribution tree accepts and handles incoming service requests based on its own load. Once a predetermined loading on the receiving server has been reached, the receiving server passes the incoming requests to one or more of its children servers.

    Packet processing using braided tries
    9.
    Granted patent
    Status: in force

    Publication number: US08179898B2

    Publication date: 2012-05-15

    Application number: US12482533

    Filing date: 2009-06-11

    IPC classification: H04L12/28 H04L12/56

    CPC classification: H04L45/00 H04L45/742

    Abstract: Packets are processed (e.g., routed or classified) in accordance with a braided trie, which represents the combination of two or more different original tries (e.g., representing different forwarding/classification tables). The different tries are combined by twisting the mappings for specific trie nodes to make the shapes of the different tries more similar. Each node in the braided trie contains a braiding bit for at least one original trie indicating the mapping for that trie's node. Trie braiding can significantly reduce the number of nodes used to represent the different original tries, thereby reducing memory usage and improving scalability. Braided tries can be used for such applications as virtual routers and packet classification in which different forwarding/classification tables are represented by a single braided trie stored in shared memory.

    Network address lookup based on bloom filters
    10.
    Granted patent
    Status: in force

    Publication number: US08018940B2

    Publication date: 2011-09-13

    Application number: US12190633

    Filing date: 2008-08-13

    IPC classification: H04L12/56

    Abstract: In one embodiment, IP lookup into a routing table having prefixes of different prefix lengths is performed using a Bloom filter that was programmed with the prefixes corresponding to all of the different prefix lengths without having to expand any of the prefixes programmed into the Bloom filter. Membership probes are performed into the Bloom filter using candidate prefix values of a given network address. The Bloom filter can be implemented in a distributed manner using Bloom sub-filters, where each Bloom sub-filter is hashed based on a set of hash functions, where each different hash function in the set corresponds to a different prefix length in the routing table. Each Bloom sub-filter can in turn be implemented using a plurality of practically realizable multi-port memory devices controlled by a port scheduler. False-positive matches can be detected and next-hop information for true-positive matches retrieved using an off-chip, hash-based prefix table.
