Patent application number | Description | Published |
20090119768 | Using Application Gateways to Protect Unauthorized Transmission of Confidential Data Via Web Applications - A security gateway receives messages transmitted between a server and a client device on a network and parses the messages into a plurality of data objects, such as strings and name-value pairs. The data objects may represent user personal identification information, such as user name, social security number, credit card number, patient code, driver's license number, and other personal identification information. The security gateway uses rules to recognize data objects and validate the data objects to determine whether the recognized data objects are appropriately included within the context. The security gateway may also perform an action on the data objects. Data objects that are not appropriately included in the context may be transformed, suppressed or disallowed. | 05-07-2009 |
20100017869 | Inferencing Data Types Of Message Components - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components. | 01-21-2010 |
20100132029 | USING STATISTICAL ANALYSIS TO GENERATE EXCEPTION RULES THAT ALLOW LEGITIMATE MESSAGES TO PASS THROUGH APPLICATION PROXIES AND GATEWAYS - A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway. | 05-27-2010 |
20100269170 | RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING - A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway. | 10-21-2010 |
20110041053 | SCALABLE DERIVATIVE SERVICES - An efficient method for parsing HTML pages identifies pages containing a mix of static and dynamic content. The pages are parsed to form abstract syntax trees (ASTs), which are then cached along with the pages. When a later version of a page is retrieved, it is compared against the cached version, and only those portions of the AST that contain different content are reparsed. | 02-17-2011 |
20120017010 | INFERRING SERVER STATE IN A STATELESS COMMUNICATION PROTOCOL - Server state objects are identified by an intermediate server among packets transmitted between an application server and a client device on a network based upon a stateless communication protocol, by monitoring and analyzing the packets transmitted between the application server and the client device. The packets are parsed into a plurality of name-value pairs. The entropy of the name-value pairs having a same name field is computed, and candidate data objects that are likely to be server state objects are selected based upon the computed entropy. Candidate data objects that were transmitted bi-directionally between the application server and the client device are identified as server state objects. | 01-19-2012 |
20120216274 | INFERENCING DATA TYPES OF MESSAGE COMPONENTS - A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components. | 08-23-2012 |
Patent application number | Description | Published |
20100262650 | SYSTEMS AND METHODS FOR CONNECTION MANAGEMENT FOR ASYNCHRONOUS MESSAGING OVER HTTP - Described are methods and systems for managing the connections between a client, an intermediary appliance and a server, so that asynchronous messages can be transmitted over HTTP from the server to a client. When a connection is established between a client and an intermediary, and between the intermediary and a server, to establish a logical client-server connection, that logical client-server connection is labeled and not maintained, while the connection between the client and the intermediary is maintained. Messages generated by the server and destined for the client are transmitted to the intermediary along with the connection label. The intermediary can then use the connection label to determine which client should receive the message. | 10-14-2010 |
20100284411 | SYSTEMS AND METHODS FOR PROVIDING A MULTI-CORE ARCHITECTURE FOR AN ACCELERATION APPLIANCE - The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core. | 11-11-2010 |
20100325371 | SYSTEMS AND METHODS FOR WEB LOGGING OF TRACE DATA IN A MULTI-CORE SYSTEM - A method and system for generating a web log that includes transaction entries from transaction queues of one or more cores of a multi-core system. A transaction queue is maintained for each core so that either a packet engine or web logging client executing on the core can write transaction entries to the transaction queue. In some embodiments, a timestamp value obtained from a synchronized timestamp variable can be assigned to the transaction entries. When a new transaction entry is added to the transaction queue, the earliest transaction entry is removed from the transaction queue and added to a heap. Periodically the earliest entry in the heap is removed from the heap and written to a web log. When an entry is removed from the heap, the earliest entry in a transaction queue corresponding to the removed entry is removed from the transaction queue and added to the heap. | 12-23-2010 |
20100332617 | SYSTEMS AND METHODS FOR PROVIDING A VIRTUAL APPLIANCE IN AN APPLICATION DELIVERY FABRIC - The present disclosure is directed to systems and methods for providing a virtual appliance. One or more application delivery controller appliances intermediary to a plurality of clients and a plurality of servers perform a plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. A virtual application delivery controller is deployed on a device intermediary to the plurality of clients and the plurality of servers. The virtual application delivery controller executing on the device performs one or more of the plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. | 12-30-2010 |
20110153861 | SYSTEMS AND METHODS FOR DETERMINING A GOOD RSS KEY - The present application is directed towards systems and methods for ensuring equal distribution of packet flows among a plurality of cores in a multi-core system by identifying a rank of a matrix created from a hash key. If the rank of the matrix is equal to or greater than a divisor of a modulo operation applied to the results of the hash function, then the hash key may be used to ensure equal distribution of packet flows. | 06-23-2011 |
20110153953 | SYSTEMS AND METHODS FOR MANAGING LARGE CACHE SERVICES IN A MULTI-CORE SYSTEM - A multi-core system that includes a 64-bit cache storage and a 32-bit memory storage that stores a 32-bit cache object directory. One or more cache engines execute on cores of the multi-core system to retrieve objects from the 64-bit cache, create cache directory objects, insert the created cache directory object into the cache object directory, and search for cache directory objects in the cache object directory. When an object is stored in the 64-bit cache, a cache engine can create a cache directory object that corresponds to the cached object and can insert the created cache directory object into an instance of a cache object directory. A second cache engine can receive a request to access the cached object and can identify a cache directory object in the instance of the cache object directory, using a hash key calculated based on one or more attributes of the cached object. | 06-23-2011 |
20110154461 | SYSTEMS AND METHODS FOR MANAGEMENT OF COMMON APPLICATION FIREWALL SESSION DATA IN A MULTIPLE CORE SYSTEM - The present invention is directed towards systems and methods for an intermediary device efficiently processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among a plurality of user sessions. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a web page of a session of a user is eligible to be shared among the plurality of user sessions. The device determines that a copy of the received string is stored in an allocation arena using a hash generated from the received string. The device uses the copy of the received string stored in the allocation arena in place of the string in the web page of the session of the user to process the web page. | 06-23-2011 |
20110154471 | SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM - The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a first core of a multi-core intermediary device, which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request to the first core. The second application firewall module receives and processes the security check results and instructions from the first core. | 06-23-2011 |
20110277027 | Systems and Methods for Providing a Single Click Access to Enterprise, SAAS and Cloud Hosted Application - The present disclosure is directed to methods and systems of providing a user-selectable list of disparately hosted applications. A device intermediary to a client and one or more servers may receive a user request to access a list of applications published to the user. The device may communicate to the client the list of published applications available to the user, the list comprising graphical icons corresponding to disparately hosted applications, at least one graphical icon corresponding to a third-party hosted application of the disparately hosted applications, the third party hosted application served by a remote third-party server. The device may receive a selection from the user of the at least one graphical icon. The device may communicate, from the remote third party server to the client of the user, execution of the third party hosted application responsive to the selection by the user. | 11-10-2011 |
20120281708 | SYSTEMS AND METHODS FOR CLOUD BRIDGING BETWEEN PUBLIC AND PRIVATE CLOUDS - The cloud bridge may comprise a tunnel between a datacenter network via a WAN to a cloud network. The cloud bridge makes cloud-hosted applications appear as though they are running on one contiguous enterprise network. With a cloud bridge in place, administrators, tools and the applications believe that the application resides on the enterprise network. | 11-08-2012 |
20130336329 | SYSTEMS AND METHODS FOR DISTRIBUTING TRAFFIC ACROSS CLUSTER NODES - The present application is directed towards systems and methods for distributing traffic across nodes of a cluster of intermediary devices through distributed flow distribution (DFD). Upon receipt of network traffic, a cluster node, such as an intermediary computing device or appliance, may internally steer a portion of the traffic via an inter-node communications backplane to one or more other nodes in the cluster so that the load is equally handled by all of the nodes in the cluster. A cluster node may determine whether to process the traffic steered via the backplane by computing a hash of packet parameters of the network traffic. Hash keys may be selected such that uniformity is assured, and the key used in hash computation may be synchronized across all of the nodes so that only one node determines that it should process the particular packets or traffic flow. | 12-19-2013 |
20130336337 | SYSTEMS AND METHODS FOR SHARING L2 INFORMATION & MAC BASED FORWARDING - The present application is directed towards sharing data link layer information of network traffic distributed across a cluster of intermediary devices. A method for sharing data link layer information across a cluster includes receiving a request packet at a first intermediary device. The first intermediary device identifies a first set of data link layer information from a data link layer of the request packet. The first intermediary device modifies the request packet for transmission on a common data backplane of the cluster to include the first set of data link layer information in the request packet. The modified request packet includes a second set of data link layer information that differs from the first set of data link layer information at the data link layer. The first intermediary device transmits the modified request packet on the common data backplane of the cluster to other devices of the cluster. | 12-19-2013 |
20130339516 | SYSTEMS AND METHODS FOR FORWARDING TRAFFIC IN A CLUSTER NETWORK - The present invention is directed towards forwarding network packets in a cluster network. A predetermined identifier may be inserted into a Media Access Control (MAC) ID field of an Ethernet header of a packet to distinguish various types of traffic. Newly received packets may be identified due to the absence of the identifier. The identifier may be added to the source MAC ID field of the Ethernet header of the packet, and the packet may be distributed to cluster nodes for processing via an inter-node communication bus. Thus, received packets with the identifier in the source MAC ID field may be identified as steered for processing by an internal node of the cluster. After processing the packet, the internal node may transmit the processed packets via the inter-node bus with a destination MAC ID including the identifier. | 12-19-2013 |
20130339547 | SYSTEMS AND METHODS FOR ARP RESOLUTION OVER A CLUSTER CHANNEL - In the present solution, when a cluster node sends an ARP request for an external IP, the node sends a message to all the other nodes which are part of the CLAG to expect an ARP reply for the IP. When a node in the cluster receives the ARP reply, the node informs the other nodes which are part of the same CLAG to update the MAC address. Also, when an ARP entry is learned/updated over a CLAG link as part of an ARP request/Gratuitous ARP, the node learning/updating the ARP entry will inform other nodes which are part of the same CLAG about the learned/updated ARP entry. Nodes in a cluster may communicate with each other over a dedicated backplane, which may be a separate physical medium. | 12-19-2013 |
20130339548 | SYSTEMS AND METHODS FOR ARP RESOLUTION OVER AN ASYNCHRONOUS CLUSTER NETWORK - In the present solution, when a cluster node sends an ARP request for an external IP, the node sends a message to all the other nodes which are part of the CLAG to expect an ARP reply for the IP. When a node in the cluster receives the ARP reply, the node informs the other nodes which are part of the same CLAG to update the MAC address. Also, when an ARP entry is learned/updated over a CLAG link as part of an ARP request/Gratuitous ARP, the node learning/updating the ARP entry will inform other nodes which are part of the same CLAG about the learned/updated ARP entry. Nodes in a cluster may communicate with each other over a dedicated backplane, which may be a separate physical medium. | 12-19-2013 |
20130339549 | SYSTEMS AND METHODS FOR SUPPORTING IP OWNERSHIP IN A CLUSTER - When each node in a cluster of nodes sources connections from the same IP, and each node allocates a port on this IP independently, there may be port clashes. Also, the return traffic is not guaranteed to hit the originating node. These issues are addressed by allocating a port in such a way that the response traffic hashes back to the originating node. A good hash is chosen such that the ports are equally divided among the nodes. When a node leaves, the other nodes take over the port range used by this node. When a node joins, the node takes back its share of ports. | 12-19-2013 |
Patent application number | Description | Published |
20100284404 | SYSTEMS AND METHODS FOR PACKET STEERING IN A MULTI-CORE ARCHITECTURE - Described herein is a method and system for distributing whole and fragmented requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets and data packet fragments allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains each element of the tuple and forwards the request to the selected core. The packet engine can also process data packet fragments by assembling the fragments prior to transmitting them to the selected core, or by transmitting the data packet fragments to the selected core. | 11-11-2010 |
20100322071 | SYSTEMS AND METHODS FOR PLATFORM RATE LIMITING - The present disclosure presents systems and methods for controlling network traffic traversing an intermediary device based on a license or a permit granted for the intermediary device. The systems and methods control a rate of a traffic of a device in accordance with a rate limit identified by a rate limiting license. A rate limiting manager of an intermediary device that processes network traffic between a plurality of clients and a plurality of servers, may identify presence of a rate limiting license that further identifies a performance level. The rate limiting manager may establish a rate limit based on the performance level of the rate limiting license. A throttler of the intermediary may control a rate of receiving network packets in accordance with the rate limit. | 12-23-2010 |
20100325495 | SYSTEMS AND METHOD FOR TRANSACTION STALL DETECTION AND PROPAGATING THE RESULT IN A MULTI-CORE ARCHITECTURE - The present invention is directed towards systems and methods for determining failure in and controlling access to a shared resource in a multi-core system. In some embodiments of a multi-core system, individual cores may share the same resource. Additionally, the resource may occasionally fail or need to be reset, and the period during which the resource is being reset may be non-instantaneous. In an embodiment without coordination between the cores, one core experiencing a failure may reset the resource. During the period in which the resource is resetting, another core may interpret the reset as a failure and reset the resource. As more cores interpret the resets as failures, they will trigger resets, quickly resulting in the resource being constantly reset and unavailable. Thus, in some embodiments, a coordination system may be utilized to determine failure of a shared resource and control resets and access to the shared resource. | 12-23-2010 |
20110280244 | SYSTEMS AND METHODS FOR PACKET STEERING IN A MULTI-CORE ARCHITECTURE - Described herein is a method and system for distributing whole and fragmented requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets and data packet fragments allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains each element of the tuple and forwards the request to the selected core. The packet engine can also process data packet fragments by assembling the fragments prior to transmitting them to the selected core, or by transmitting the data packet fragments to the selected core. | 11-17-2011 |
20140304231 | SYSTEMS AND METHODS FOR APPLICATION-STATE DISTRIBUTED REPLICATION TABLE HUNTING - The present application is directed towards systems and methods of hunting for a hash table entry in a hash table distributed over a multi-node system. More specifically, when entries are created in an ASDR table, the owner node of the entry may replicate the entry onto a non-owner node. The replica can act as a backup of the ASDR table entry in the event the node leaves the multi-node system. When the node returns to the multi-node system, the node may no longer have the most up-to-date ASDR table entries, and may hunt to find the existence of the value associated with the entry. Responsive to receiving a request for an entry that may be outdated on the node, the node sends a request down a replication chain for an updated copy of the ASDR table entry from one of the replicas. Responsive to receiving the replica copy of the entry, the node responds to the client's request for the entry. | 10-09-2014 |
20140304354 | SYSTEMS AND METHODS FOR RELIABLE REPLICATION OF AN APPLICATION-STATE, DISTRIBUTED REPLICATION TABLE - The present application is directed towards using a distributed hash table to track the use of resources and/or maintain the persistency of resources across the plurality of nodes in the multi-node system. More specifically, the systems and methods can maintain the persistency of resources across the plurality of nodes by the use of a global table. A global table may be maintained on each node. Each node's global table enables efficient storage and retrieval of distributed hash table entries. Each global table may contain a linked list of the cached distributed hash table entries that are currently stored on a node. | 10-09-2014 |
20140304361 | SYSTEMS AND METHODS FOR DISTRIBUTED HASH TABLE CONTRACT RENEWAL - The present application is directed towards ASDR table contract renewal. In some embodiments, a core may cache an ASDR table entry received from an owner core such that when the entry is needed again the core does not need to re-request the entry from the owner core. As storing a cached copy of the entry allows the non-owner core to use an ASDR table entry without requesting the entry from the owner core, the owner core may be unaware of an ASDR table entry's use by a non-owner core. To ensure the owner core keeps the ASDR table entry alive, which the non-owner core has cached, the non-owner core may perform contract renewal for each of its recently used cached entries. The contract renewal method may include sending a message to the owner core that indicates which cached ASDR table entries the non-owner core has recently used or accessed. Responsive to receiving the message the owner core may reset a timeout period associated with the ASDR table entry. | 10-09-2014 |
Patent application number | Description | Published |
20080225719 | SYSTEMS AND METHODS FOR USING OBJECT ORIENTED EXPRESSIONS TO CONFIGURE APPLICATION SECURITY POLICIES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching. | 09-18-2008 |
20080229381 | SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching. | 09-18-2008 |
20130286839 | SYSTEMS AND METHODS FOR PROVIDING A MULTI-CORE ARCHITECTURE FOR AN ACCELERATION APPLIANCE - The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core. | 10-31-2013 |
20130298190 | SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching. | 11-07-2013 |