Method for synchronizing databases in stacked network units
    1.
    Granted invention patent
    Status: No longer in force

    Publication number: US06757279B1

    Publication date: 2004-06-29

    Application number: US09662159

    Filing date: 2000-09-14

    IPC classification: H04L1250

    Abstract: In a stack of multi-port network communication units each unit has a forwarding database, the units are connected by way of a cascade, and at least some of the units are connected to links constituting a trunk. When a unicast data packet is received at a first of said units and the unicast data packet has a destination address which is not the subject of an entry in the forwarding database of the first unit, the unicast data packet is sent by way of the cascade to the other units in the stack, accompanied by a flag. When a second unit has in its forwarding database an entry, associating the destination address with forwarding data, it sends a management packet indicating said destination address and the identity of said second unit, so that the database of the first unit can be immediately updated.


    Detection of signatures in disordered message segments
    2.
    Granted invention patent
    Status: In force

    Publication number: US07957390B2

    Publication date: 2011-06-07

    Application number: US11133039

    Filing date: 2005-05-18

    IPC classification: H04L12/28 G06F11/00

    CPC classification: H04L63/1408 H04L63/166

    Abstract: A method of detecting signatures in message segments comprises employing a state machine for the detection of character strings in the message segments. The state machine executes for each input character a transition determined by a current state of the machine and a current input character. The message segments conform to TCP or other ordering transport protocol. The order of arrival of the message segments is monitored. In the event that an intermediate message segment is missing between a processed segment and an immediately subsequent message segment, the current state of said state machine at the end of the said processed segment is stored. The machine is restarted from its null or datum state for the examination of the immediately subsequent message segment, which is then temporarily stored. When the missing segment eventually arrives, it and the stored segment are successively examined for signatures by means of the state machine, beginning at the stored state. The invention allows for examination of overlapping signatures without requiring re-assembly of the segments or substantial buffering.


    Deciphering of fragmented enciphered data packets
    3.
    Granted invention patent
    Status: In force

    Publication number: US07818564B2

    Publication date: 2010-10-19

    Application number: US11121231

    Filing date: 2005-05-03

    IPC classification: H04L29/06

    CPC classification: H04L63/0485 H04L63/164

    Abstract: The deciphering of fragmented enciphered IP packets is performed without requiring reassembly of the fragmented packets. When a first frame is deciphered a characteristic poly-tuple is saved against the state of the cipher, particularly an output vector. When the next frame comes in, the cipher would continue on from that previously saved state after a look-up of the poly-tuple. Each frame would then be sent on, deciphered, but still representing a fragment of the original packet. The poly-tuple employed for the look-up includes the identity and protocol fields from the IP header and at least one of the source IP address and the destination IP address. The deciphering process may commence with the combination of input data with an initializing vector and proceed by combining input data with a vector fed back from the output of the deciphering engine. The saved cipher state is employed as the initializing vector for the next frame.


    Pattern matching using deterministic finite automata and organization of such automata
    4.
    Granted invention patent
    Status: In force

    Publication number: US07672941B2

    Publication date: 2010-03-02

    Application number: US11064257

    Filing date: 2005-02-22

    IPC classification: G06F17/30

    CPC classification: G06Q10/06

    Abstract: A deterministic finite state machine is operated to detect any one of a plurality of digital signatures each corresponding to a succession of characters and each defined by a sequence of states in the state machine. The machine is organized such that for each state after the first in any sequence there are not more than two allowed exit transitions of which one is to a default state. Input characters are examined to determine a transition from a current state of the machine to a next state. When the machine responds to an input character to perform a transition to the default state, the input character is re-examined to determine the next state of the state machine. The reduction in transitions saves considerable space in memory.


    Detection of signatures in disordered message segments
    5.
    Invention patent application
    Status: In force

    Publication number: US20060227787A1

    Publication date: 2006-10-12

    Application number: US11133039

    Filing date: 2005-05-18

    IPC classification: H04L1/00

    CPC classification: H04L63/1408 H04L63/166

    Abstract: A method of detecting signatures in message segments comprises employing a state machine for the detection of character strings in the message segments. The state machine executes for each input character a transition determined by a current state of the machine and a current input character. The message segments conform to TCP or other ordering transport protocol. The order of arrival of the message segments is monitored. In the event that an intermediate message segment is missing between a processed segment and an immediately subsequent message segment, the current state of said state machine at the end of the said processed segment is stored. The machine is restarted from its null or datum state for the examination of the immediately subsequent message segment, which is then temporarily stored. When the missing segment eventually arrives, it and the stored segment are successively examined for signatures by means of the state machine, beginning at the stored state. The invention allows for examination of overlapping signatures without requiring re-assembly of the segments or substantial buffering.


    Deciphering of fragmented enciphered data packets
    6.
    Invention patent application
    Status: In force

    Publication number: US20060218390A1

    Publication date: 2006-09-28

    Application number: US11121231

    Filing date: 2005-05-03

    IPC classification: H04L9/00

    CPC classification: H04L63/0485 H04L63/164

    Abstract: The deciphering of fragmented enciphered IP packets is performed without requiring reassembly of the fragmented packets. When a first frame is deciphered a characteristic poly-tuple is saved against the state of the cipher, particularly an output vector. When the next frame comes in, the cipher would continue on from that previously saved state after a look-up of the poly-tuple. Each frame would then be sent on, deciphered, but still representing a fragment of the original packet. The poly-tuple employed for the look-up includes the identity and protocol fields from the IP header and at least one of the source IP address and the destination IP address. The deciphering process may commence with the combination of input data with an initialising vector and proceed by combining input data with a vector fed back from the output of the deciphering engine. The saved cipher state is employed as the initialising vector for the next frame.


    Pattern matching using deterministic finite automata and organization of such automata
    7.
    Invention patent application
    Status: In force

    Publication number: US20060167915A1

    Publication date: 2006-07-27

    Application number: US11064257

    Filing date: 2005-02-22

    IPC classification: G06F17/00 G06F7/00

    CPC classification: G06Q10/06

    Abstract: A deterministic finite state machine is operated to detect any one of a plurality of digital signatures each corresponding to a succession of characters and each defined by a sequence of states in the state machine. The machine is organized such that for each state after the first in any sequence there are not more than two allowed exit transitions of which one is to a default state. Input characters are examined to determine a transition from a current state of the machine to a next state. When the machine responds to an input character to perform a transition to the default state, the input character is reexamined to determine the next state of the state machine. The reduction in transitions saves considerable space in memory.


    POSITIONALLY DEPENDENT PATTERN CHECKING IN CHARACTER STRINGS USING DETERMINISTIC FINITE AUTOMATA
    8.
    Invention patent application
    Status: In force

    Publication number: US20120084245A1

    Publication date: 2012-04-05

    Application number: US13252776

    Filing date: 2011-10-04

    IPC classification: G06N5/02

    CPC classification: H04L45/742 H04L69/22

    Abstract: An apparatus including logic to receive a data packet comprising a string of characters, said apparatus having a plurality of states and at least one state for every character position in the string of characters; logic to examine the string of characters for matches with a plurality of predefined values, beginning with an initial character; and logic to execute forward exit transitions from any of the plurality of states based upon the examination of the characters, wherein a current state of the apparatus represents a count of a number of characters from the initial character of the string of characters.


    Positionally dependent pattern checking in character strings using deterministic finite automata
    9.
    Granted invention patent
    Status: In force

    Publication number: US08060546B2

    Publication date: 2011-11-15

    Application number: US11848302

    Filing date: 2007-08-31

    IPC classification: G06F7/00

    CPC classification: H04L45/742 H04L69/22

    Abstract: A deterministic finite state machine organised for the detection of positionally significant matches of characters in a string of characters examines each character in turn to determine an exit transition for a current state of the machine to another state. The machine responds to an examination of the string of characters by executing in response to a first character at the commencement of the string a transition from an initial state to another state. The machine has at least one state for every character position, includes an exit transition from each state for each character to another state; and possesses only forward exit transitions each from any of the states whereby the current state of the machine unambiguously represents a count of the number of characters from the commencement of the string. The machine may include at least one match state which indicates that all character matches in the string required by at least one respective rule have been detected. Some but not all the states in the multiplicity of states each have a single exit transition for any value of a respective character in the string. At least some of the states in the multiplicity of states each define an exit transition to a state indicating ‘no match’. The machine may be disposed to cease its examination of the character string on attaining a ‘no match’ state.


    Reduction of false positive detection of signature matches in intrusion detection systems
    10.
    Invention patent application
    Status: In force

    Publication number: US20060174107A1

    Publication date: 2006-08-03

    Application number: US11064225

    Filing date: 2005-02-22

    IPC classification: H04L9/00

    CPC classification: H04L63/1408 H04L47/2441

    Abstract: Detection of a signature in a data packet comprises performing a pre-classification of the packet, using header information and particularly a 5-tuple access control list, into one of a multiplicity of flows and directing the payload of the packet to a respective one of a multiplicity of deterministic finite state machines each of which stores a plurality of signatures as a sequence of states and acts only on the respective flow.
