Patent application number | Description | Published |
20090185568 | METHOD AND SYSTEM FOR PACKET CLASSIFICATION WITH REDUCED MEMORY SPACE AND ENHANCED ACCESS SPEED - A method and system for packet classification is proposed for applications such as firewalls, intrusion detection, policy-based routing, and network service differentiations, within network systems such as Internet or intranet/extranet systems. The proposed method and system is characterized by the use of protocol-oriented rule rearrangement, the probable bit vector (PBV) based on the aggregated bit vectors (ABV) and folded bit vectors (FBV), an ABV-FBV index table dataset whose data structure is based on a featured split full-tree schema, and a DCBV (Don't-Care Bit Vector) dataset for packet classification. The combination of these features allows the packet classification to be implemented with a reduced amount of memory and access time during operation. | 07-23-2009 |
20090190592 | TWO-STAGE COMPUTER NETWORK PACKET CLASSIFICATION METHOD AND SYSTEM - A two-stage computer network packet classification method and system is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a two-stage operation for packet classification; wherein the first-stage operation involves the use of a decision-tree data module whose leaf nodes are used to store a bit vector that represents a cluster of rule groups that are located within a particular cut region in a multidimensional Euclidean space that is mapped to the field values of the input packet; and the second-stage operation involves the use of a bit-vector lookup table data module to retrieve a set of bit vectors which represent a set of possible rules in each rule group and which are intersected to find a matched rule for the input packet. This feature allows the packet classification to be implemented with low memory requirement and enhanced system performance. | 07-30-2009 |
20090190597 | DATA ITEM INTERVAL IDENTIFIER LOOKUP METHOD AND SYSTEM - A data item interval identifier lookup method and system is proposed, which is designed for integration to an information processing system for finding which predefined interval the value of an input data item, such as an IP (Internet Protocol) address, belongs. The proposed method and system is characterized by the use of a multi-stage lookup-table data structure having a number of cascaded lookup tables constructed by partitioning the data format of the input data item into a number of segments, each being mapped to one stage of lookup table data structure whose key-value relationships are predefined based on a predefined interval-and-identifier definition table. In operation, the values of the partitioned segments are sequentially used as lookup keys to search through the multi-stage lookup-table data structure until the corresponding interval identifier is found. This feature allows the implementation to have low memory requirement and enhanced system performance. | 07-30-2009 |
20090196291 | COMPUTER NETWORK PACKET CLASSIFICATION METHOD AND SYSTEM BASED ON A NONOVERLAPPING RULE GROUP ENCODING SCHEME - A computer network packet classification method and system based on a nonoverlapping rule group encoding scheme is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a nonoverlapping rule group encoding scheme which organizes a database of rules into nonoverlapping rule groups and creates a number of consecutive projected intervals over the dimension of each classification-related field of the packet header, whereby a projected-interval to encoded-bit-vector lookup table and an encoded-bit-vector to rule-group lookup table can be established. During the operation of packet classification, these two lookup tables are used to find the corresponding rule for each incoming packet. This scheme allows the encoded bit vectors to have a reduced bit length, and therefore allows the packet classification to be implemented with low memory requirement and enhanced performance. | 08-06-2009 |
20100153420 | DUAL-STAGE REGULAR EXPRESSION PATTERN MATCHING METHOD AND SYSTEM - A dual-stage regular expression pattern matching method and system is proposed, which is designed for integration to a data processing system, such as a computer platform, a firewall, a network intrusion detection system (NIDS), or a DNA sequence analysis system, for checking whether an input code sequence (such as a network data packet) is matched to specific patterns predefined by regular expressions. The proposed system and method includes a first-stage comparison procedure for comparison of the prefix string of each input code sequence and a second-stage comparison procedure for comparison of the postfix string of the same input code sequence. This feature can be used for processing code sequences having a special pattern without producing an enormous amount of state data that would cause the problem of insufficient memory during operation. | 06-17-2010 |
20100158394 | REGULAR EXPRESSION PATTERN MATCHING CIRCUIT BASED ON A PIPELINE ARCHITECTURE - A regular expression pattern matching circuit based on a pipeline architecture is proposed, which is designed for integration to a data processing system, such as a computer platform, a firewall, or a network intrusion detection system (NIDS), for checking whether an input code sequence (such as a network data packet) is matched to specific patterns predefined by regular expressions. The proposed circuit architecture includes an incremental improvement on an old combination of a comparator circuit module and an NDFA (non-deterministic finite-state automata) circuit module, where the incremental improvement comprises a data signal delay circuit module installed to the comparator circuit module and an enable signal delay circuit module installed to the NDFA circuit module to thereby constitute a multi-stage pipeline architecture that allows a faster processing speed than the prior art. | 06-24-2010 |
20100183013 | PACKET PROCESSING DEVICE AND METHOD - A packet processing device is provided, which is applied to a network equipment that transmits packets. The device includes: a control module for executing a control schedule; a capture module for capturing at least one packet according to the control schedule; and a disassembling module for disassembling the header of the packet according to the control schedule so as to obtain packet header information. The packet processing device of the present invention can be installed in any network equipment to disassemble and process packets before they are captured by CPUs or memories of back-end computers, thereby achieving rapid processing of packets and reducing usage of CPU resources and occupancy of memories. | 07-22-2010 |
20100195513 | PACKET INSPECTION DEVICE AND METHOD - A packet inspection device and method for use with a packet-retrievable network apparatus are provided. The packet inspection method includes: converting header information of a packet received into a hashing function value in presence of handshaking underway at the Transmission Control Protocol (TCP) layer and comparing the hashing function value by a hashing function unit of the pending processing module, storing the hashing function value in a memory unit, and performing packet state comparison and packet screening and then creating by the session processing module a transmission connection according to the packet screened and selected by the pending processing module upon determination that data stored in the memory unit match the hashing function value resulting from conversion by the hashing function unit, thereby expediting packet inspection, reducing occupied memory space, and cutting costs. | 08-05-2010 |
20140317134 | MULTI-STAGE PARALLEL MULTI-CHARACTER STRING MATCHING DEVICE - A multi-stage parallel multi-character string matching device, including: a rule circuit having multiple rule units, each of the multiple rule units embodying a transition rule based on an AC-trie; a state circuit coupled with the rule circuit for determining multiple next-state data; and an output circuit coupled with the rule circuit for determining multiple matching output data. | 10-23-2014 |