Abstract:
A system includes a storage device and a processor. The storage device is configured to store a first set of values of TCP options for a first group of servers. The processor is configured to: transmit first requests to the first group of servers; receive first replies, in response to the first requests, from the first group of servers; determine the first set of values of the TCP options for the first group based on values in the first replies; store the first set of values in the storage device; receive a first message from a client to establish a connection between the client and a server in the first group of servers, and transmit, in response to the first message, a second message to the client.
Abstract:
A fair weighted-hashing technique may be used in load balancing among a group of modules. In one implementation, a device may maintain a table that relates how incoming client resource requests are to be distributed among the modules. The device may update the table, in response to an indication that an additional module, associated with a module identifier, is to be included in the group of modules. The updating may include determining a number of entries to add to the table for the additional module, calculating a first hash value for each of the number of entries, and modifying the table by writing the module identifier to one or more sequential entries of the table, beginning at an index into the table corresponding to the first hash value.
Abstract:
This disclosure relates to a secure network device for multi-homed devices. An example network device includes a state table, an association establishment module, and an inspection module. The state table is configured to store information for communication associations between devices. The association establishment module is configured to process a request to establish a communication association between a first device and a second device and to store state information for the communication association in the state table. The first device and the second device each comprise a multi-homed device associated with a plurality of Internet Protocol (IP) addresses, and the state information includes the IP addresses associated with the first device and the IP addresses associated with the second device. The inspection module is configured to secure the communication association between the first device and the second device by using the state information that is stored in the state table.
Abstract:
An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this way, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications for data transport to produce a packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.
Abstract:
A method may include receiving a first communication from a first client device and identifying a port number, a protocol and a destination associated with the first communication. The method may also include identifying a first application being executed by the first client device based on the port number, the protocol and the destination associated with the first communication.
Abstract:
A data prefetching technique uses predefined prefetching criteria and prefetching models to identify and retrieve prefetched data. A prefetching model that defines data to be prefetched via a network may be stored. It may be determined whether prefetching initiation criteria have been satisfied. Data for prefetching may be identified based on the prefetching model when the prefetching initiation criteria have been satisfied. The identified data may be prefetched, via the network, based on the prefetching model.
Abstract:
A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceed a client-transaction threshold.
Abstract:
This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
Abstract:
A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.