Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: In one embodiment, the method for inspecting packets comprises broadcasting data units of packets to a plurality of finite state machine (FSM) comparison units, where each of the FSM comparison units implements a portion of a signature. The method further includes comparing the data units of the packets to signatures, including each FSM comparison unit of the plurality of FSM comparison units independently comparing one of the data units to its associated portion of one signature. The method also includes combining results of the plurality of FSM comparison units independently processing the data units using a logic combinatorial circuit.

Abstract: A packet inspection apparatus is described. In one embodiment, the packet inspection apparatus comprises a packet inspection module to compare data from one or more packets of multiple packets with one or more signatures to identify a match, and at least one network interface modules coupled to the packet inspection module. The network interface module has two ports for forwarding full-duplex traffic therebetween, where the traffic includes packets. The one or more network interface modules forward the packets to the packet inspection module and blocks one or more packets in response to an indication from the packet inspection module.

Abstract: An apparatus to perform hardware-based lossless stateful signature matching is disclosed. In one embodiment, the apparatus comprises a memory and multiple finite state machine (FSM) comparison units operating in parallel to compare packets to signatures to identify matches, if any, between data units in the packets and the plurality of signatures. Each of the FSM comparison units include FSMs having states stored in the memory and at least one transition between pairs of states, and a transition to a new state results in a non-destructive additive operation being performed to store any previous state with the new state.

Abstract: Detecting and protecting against denial of service flooding attacks that are initiated against an end system on a computer network. In accordance with one aspect of the invention, a filter is established at a network location. The filter prevents data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location. Data packets received at the first network location are then monitored to determine whether the flow of any data packets from a network source exhibit a legitimate behavior, such as where the flow of data packets exhibits a backoff behavior. The filter is then modified to permit data packets that exhibit legitimate behavior to pass through the filter.

Abstract: Various embodiments include a method of maintaining lists of network characteristics of messages. The messages can be detected. The messages can travel near at least the first network node. The messages can comprise network characteristics. The lists of network characteristics of the messages can be updated. The lists include instances of the network characteristics, based on a frequency of occurrences of the instances.

Abstract: A packet inspection apparatus is described. In one embodiment, the packet inspection apparatus comprises a packet inspection module to compare data from one or more packets of multiple packets with one or more signatures to identify a match, and at least one network interface modules coupled to the packet inspection module. The network interface module has two ports for forwarding full-duplex traffic therebetween, where the traffic includes packets. The one or more network interface modules forward the packets to the packet inspection module and blocks one or more packets in response to an indication from the packet inspection module.

Abstract: Various embodiments include methods and apparatuses limit connection resources at one or more first network nodes. In one method embodiment, at a second network node, a handshake message is detected; a pending network connection is randomly selected; and a message to end the randomly selected pending network connection is sent from the second node. Various embodiments have one or more elements that can begin if a total of pending network connections exceeds a threshold. In one apparatus embodiment, a packet sniffer component detects a handshake message; a random selection component is coupled to the packet sniffer and randomly selects a pending network connection; and a sending component is coupled to the random selection component and sends a message to end the randomly selected pending network connection. Various embodiments have one or more elements that can begin if a total of pending network connections exceeds a threshold.

Abstract: An apparatus to perform hardware-based lossless stateful signature matching is disclosed. In one embodiment, the apparatus comprises a memory and multiple finite state machine (FSM) comparison units operating in parallel to compare packets to signatures to identify matches, if any, between data units in the packets and the plurality of signatures. Each of the FSM comparison units include FSMs having states stored in the memory and at least one transition between pairs of states, and a transition to a new state results in a non-destructive additive operation being performed to store any previous state with the new state.

Abstract: A method and apparatus for inspecting packets is disclosed. In one embodiment, the method comprises broadcasting data units of packets to a plurality of finite state machine (FSM) comparison units, where each of the FSM comparison units implements a portion of a signature. The method further includes comparing the data units of the packets to signatures, including each FSM comparison unit of the plurality of FSM comparison units independently comparing one of the data units to its associated portion of one signature. The method also includes combining results of the plurality of FSM comparison units independently processing the data units using a logic combinatorial circuit.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.

Abstract: Methods and apparatus are disclosed for dynamically discovering and utilizing an optimized network path through overlay routing for the transmission of data. A determination whether to use a default network path or to instead use an alternate data forwarding path through one or more overlay nodes is based on real-time measurement of costs associated with the alternative paths, in response to a user request for transmission of message data to a destination on the network. Cost metrics include delay, throughput, jitter, loss, and security. The system chooses the best path among the default forwarding path and the multiple alternate forwarding paths, and implements appropriate control actions to force data transmission along the chosen path. No modification of established network communication protocols is required.