Abstract:
An integrated policy enforcement system for a computer network implements several policies on the network traffic. A rule compiler compiles these policies and converts them into a rule tree-graph, which is then used to apply the desired behavior to the network traffic comprising data packets. The rule compiler comprises three sub-modules, namely a rule input module, a rule tree generator module and a rule output module. The rule input module receives the input for the rule compiler and prepares the input for the rule tree generator module. The rule tree generator module generates the rule tree-graph. The rule tree-graph is a data structure comprising a tree data structure and a graph data structure. Such a data structure combines the properties of the tree data structure and the graph data structure, and enhances the performance of the policy enforcement system by striking a balance between the memory required to store the data structure and the processing capability required to process the network traffic. The rule output module converts the rule tree-graph into policy files, which can be downloaded to the various modules of the policy enforcement system.
Abstract:
A rule engine for a computer network traverses a rule mesh having path nodes and path edges in the form of a tree part and a graph part. The rule engine evaluates data packets flowing through a network to determine the rules matched by every packet. Subsequent packets having the same expression values as an already checked packet are not rechecked against the same nodes in the rule mesh, through the use of a session entry. The rule engine performs a search on every path node of the rule mesh to determine the next path edge to traverse. A Tree-Id and a Rule Confirmation Bitmap, which indicate the path traversed and the rules matched by a packet, are generated at the end of the rule mesh traversal. These are appended to the packet extension for subsequent modules of the Policy Agent.
Abstract:
A system, method and computer program product for ensuring the quality of services being provided by a protected network of computers during an ongoing security breach is provided. The quality of the services is ensured by performing secure Quality of Service actions on data packets on the network. The sQoS actions depend on whether the data packets correspond to an attack on the computer to which they are directed, called the destination computer. If the data packet corresponds to an attack, then the actions also depend on the type of attack. In case there is no attack, the actions depend on the history of attacks by data packets that had originated from the same source computer and were directed towards the same destination computer. Supported actions include HardenFW, ControlBW and ConnectionLimit.
Abstract:
A universal application decode engine that can be programmed to decode packet streams and identify the application which is generating the packet streams is disclosed. The universal application decode engine comprises a packet receiver, a state machine execution engine for executing application decode instructions, and a session correlation lookup engine for correlating a new session to an existing session.
Abstract:
The present invention essentially comprises a Packet Receiver and a Stream Manager for a computer network. When a stream of packets passes through the present invention, they are received by the Packet Receiver. The Packet Receiver identifies the session to which the packet stream belongs, and passes the packet to the Stream Manager. The Stream Manager identifies the application generating the packet stream by scanning an Application ID Hash Table, which is a table that contains a mapping of destination ports to corresponding applications. Thereafter, it uses a State Machine Execution Engine to execute application decode instructions on the packet stream. The application decode instructions are stored in a table called Expression Action Table, and are generated based on a decode script created by the user for each application. The application decode instructions are chosen by the State Machine Execution Engine based on the current state of an Application Decode State Machine, which is a state machine that keeps track of the application decode process. The results of the State Machine Execution Engine are passed to the Stream Manager, and are stored in tables called Session Cache Table and Application Instance Table. Once the Stream Manager has decoded all the transactions and parameters of the application, the decoded information is sent with the packets in the packet stream.
Abstract:
A system and method for enforcing policies on data packets in a computer network is disclosed. The enforcement of policies is done by prioritizing and regulating the flow of data packets. The regulation of prioritized data packets includes a determination of service level agreement violations, flow control of data packets of a predefined priority, and session resets. To determine service level agreement violations, the policy engine calculates the response time and checks whether it is consistent with the response time agreed upon in the service level agreement. Flow control in case of a service level agreement violation is implemented either by reducing the server-side window size or by delaying acknowledgement packets sent by the client.
Abstract:
The present invention is a system and method for allowing an administrator of a computer network higher up in a hierarchical arrangement to define the scope of policies for the services offered, and users lower in the hierarchical arrangement to customize policies within the scope defined by the administrator. While defining policy rules, administrators classify them as scoping or non-scoping. Users lower in the hierarchical arrangement can then customize scoping rules by defining sub-rules. Policy rules have a condition part and an action part, and the sub-rules can be used to change the scope of the condition and action parts. The present invention adds all the non-scoping policy rules, all the scoping policy rules, and all the sub-rules (with their scope limited by the scoping rules) to a rules database. This rules database is then used by any policy enforcement engine to enforce policy rules.