Abstract: A multi-stage parallel multi-character string matching device, including: a rule circuit having multiple rule units, each of the multiple rule units embodying a transition rule based on an AC-trie; a state circuit coupled with the rule circuit for determining multiple next-state data; and an output circuit coupled with the rule circuit for determining multiple matching output data.

Abstract: A multi-stage parallel multi-character string matching device, including: a rule circuit having multiple rule units, each of the multiple rule units embodying a transition rule based on an AC-trie; a state circuit coupled with the rule circuit for determining multiple next-state data; and an output circuit coupled with the rule circuit for determining multiple matching output data.

Abstract: A regular expression pattern matching circuit based on a pipeline architecture is proposed, which is designed for integration to a data processing system, such as a computer platform, a firewall, or a network intrusion detention system (NIDS), for checking whether an input code sequence (such as a network data packet) is matched to specific patterns predefined by regular expressions. The proposed circuit architecture includes an incremental improvement on an old combination of a comparator circuit module and an NDFA (non-deterministic finite-state automata) circuit module, where the incremental improvement comprises a data signal delay circuit module installed to the comparator circuit module and an enable signal delay circuit module installed to the NDFA circuit module to thereby constitute a multi-sage pipeline architecture that allows a faster processing speed than the prior art.

Abstract: A packet inspection device and method for use with a packet-retrievable network apparatus are provided. The packet inspection method includes: converting header information of a packet received into a hashing function value in presence of handshaking underway at the Transmission Control Protocol (TCP) layer and comparing the hashing function value by a hashing function unit of the pending processing module, storing the hashing function value in a memory unit, and performing packet state comparison and packet screening and then creating by the session processing module a transmission connection according to the packet screened and selected by the pending processing module upon determination that data stored in the memory unit match the hashing function value resulting from conversion by the hashing function unit, thereby expediting packet inspection, reducing occupied memory space, and cutting costs.

Abstract: A network device builds connection with a network through a Network Interface Card (NIC). The network device includes a processor and a storage unit. The processor includes at least one transmission processing core, at least one security core, and a main core. The storage unit stores a packet receiving module and a packet output module. The main core loads the packet receiving module to receive several packets from the network, makes the at least one transmission processing core process the packets for a network transmission and makes the at least one security core check the packets for security. The main core loads the packet output module to output the packets after the at least one transmission processing core processes the packets for network transmission and the at least one security core checks the packets for security.

Abstract: An assisting method and an assisting apparatus for accessing a markup language document are provided. First, an intermediate table is established in a storage unit, wherein the intermediate table includes a length field, a depth field, a type field, a parent element field, and an offset field. Then, structure data of each element in the markup language document is transformed into the intermediate table to respectively record a string length, a hierarchy depth, an element type, a parent element index, and an absolute position of the element into the length field, the depth field, the type field, the parent element field, and the offset field. Finally, access to the markup language document is assisted according to the intermediary table.

Abstract: A data item interval identifier lookup method and system is proposed, which is designed for integration to an information processing system for finding which predefined interval the value of an input data item, such as an IP (Internet Protocol) address, belongs. The proposed method and system is characterized by the use of a multi-stage lookup-table data structure having a number of cascaded lookup tables constructed by partitioning the data format of the input data item into a number of segments, each being mapped to one stage of lookup table data structure whose key-value relationships are predefined based on a predefined interval-and-identifier definition table. In operation, the values of the partitioned segments are sequentially used as lookup keys to search through the multi-stage lookup-table data structure until the corresponding interval identifier is found. This feature allows the implementation to have low memory requirement and enhanced system performance.

Abstract: A method and system for packet classification is proposed for applications such as firewalls, intrusion detection, policy-based routing, and network service differentiations, within network systems such as Internet or intranet/extranet systems. The proposed method and system is characterized by the use of protocol-oriented rule rearrangement, the probable bit vector (PBV) based on the aggregated bit vectors (ABV) and folded bit vectors (FBV), an ABV-FBV index table dataset whose data structure is based on a featured split full-tree schema, and a DCBV (Don't-Care Bit Vector) dataset for packet classification. The combination of these features allows the packet classification to be implemented with a reduced amount of memory and access time during operation.

Abstract: For receiving an input data, a pattern data and a data clock signal and outputting a hit signal and an address signal, a content addressable memory includes a plurality of content addressable memory units connected in series, each content addressable memory unit being adapted to receive the input data and the data clock signal and to output a comparison result signal, and an encoder coupled to the comparison result signal of each content addressable memory unit and adapted for outputting a hit signal and a memory address signal subject to the comparison result signal received.

Abstract: A motion estimation device with pipeline architecture is provided, which includes a processing unit array and a motion vector generation unit. The processing unit array generates a number of match values, each of which indicates the match degree between a current block and a corresponding reference block. The processing unit array includes a number of data fetching units and processing units. The data fetching units each are for fetching a number of current data of the current block and a number of reference data of the corresponding reference block. The processing units are coupled to the data fetching unit correspondingly, and each for processing the current data and the corresponding reference data, so as to generate the match values. According to the match values, the motion vector generation unit is for generating a motion vector between the current block and a reference block which corresponds to optimum match degree.

Abstract: An assisting method and an assisting apparatus for accessing a markup language document are provided. First, an intermediate table is established in a storage unit, wherein the intermediate table includes a length field, a depth field, a type field, a parent element field, and an offset field. Then, structure data of each element in the markup language document is transformed into the intermediate table to respectively record a string length, a hierarchy depth, an element type, a parent element index, and an absolute position of the element into the length field, the depth field, the type field, the parent element field, and the offset field. Finally, access to the markup language document is assisted according to the intermediary table.

Abstract: A computer network packet classification method and system based on a nonoverlapping rule group encoding scheme is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a nonoverlapping rule group encoding scheme which organizes a database of rules into nonoverlapping rule groups and creates a number of consecutive projected intervals over the dimension of each classification-related field of the packet header, whereby a projected-interval to encoded-bit-vector lookup table and an encoded-bit-vector to rule-group lookup table can be established. During the operation of packet classification, these two lookup tables are used to find the corresponding rule for each incoming packet. This scheme allows the encoded bit vectors to have a reduced bit length, and therefore allows the packet classification to be implemented with low memory requirement and enhanced performance.

Abstract: A two-stage computer network packet classification method and system is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a two-stage operation for packet classification; wherein the first-stage operation involves the use of a decision-tree data module whose leaf nodes are used to store a bit vector that represents a cluster of rule groups that are located within a particular cut region in a multidimensional Euclidean space that is mapped to the field values of the input packet; and the second-stage operation involves the use of a bit-vector lookup table data module to retrieve a set of bit vectors which represent a set of possible rules in each rule group and which are intersected to find a matched rule for the input packet. This feature allows the packet classification to be implemented with low memory requirement and enhanced system performance.

Abstract: A packet inspection device and method for use with a packet-retrievable network apparatus are provided. The packet inspection method includes: converting header information of a packet received into a hashing function value in presence of handshaking underway at the Transmission Control Protocol (TCP) layer and comparing the hashing function value by a hashing function unit of the pending processing module, storing the hashing function value in a memory unit, and performing packet state comparison and packet screening and then creating by the session processing module a transmission connection according to the packet screened and selected by the pending processing module upon determination that data stored in the memory unit match the hashing function value resulting from conversion by the hashing function unit, thereby expediting packet inspection, reducing occupied memory space, and cutting costs.

Abstract: A packet processing device is provided, which is applied to a network equipment that transmits packets. The device includes: a control module for executing a control schedule; a capture module for capturing at least one packet according to the control schedule; and a disassembling module for disassembling the header of the packet according to the control schedule so as to obtain packet header information. The packet processing device of the present invention can be installed in any network equipment to disassemble and process packets before they are captured by CPUs or memories of back-end computers, thereby achieving rapid processing of packets and reducing usage of CPU resources and occupancy of memories.

Abstract: For receiving an input data, a pattern data and a data clock signal and outputting a hit signal and an address signal, a content addressable memory is disclosed to include a plurality of content addressable memory units connected in series, each content addressable memory unit being adapted to receive the input data and the data clock signal and to output a comparison result signal, and an encoder coupled to the comparison result signal of each content addressable memory unit and adapted for outputting a hit signal and a memory address signal subject to the comparison result signal received.

Abstract: A regular expression pattern matching circuit based on a pipeline architecture is proposed, which is designed for integration to a data processing system, such as a computer platform, a firewall, or a network intrusion detention system (NIDS), for checking whether an input code sequence (such as a network data packet) is matched to specific patterns predefined by regular expressions. The proposed circuit architecture includes an incremental improvement on an old combination of a comparator circuit module and an NDFA (non-deterministic finite-state automata) circuit module, where the incremental improvement comprises a data signal delay circuit module installed to the comparator circuit module and an enable signal delay circuit module installed to the NDFA circuit module to thereby constitute a multi-sage pipeline architecture that allows a faster processing speed than the prior art.

Abstract: A dual-stage regular expression pattern matching method and system is proposed, which is designed for integration to a data processing system, such as a computer platform, a firewall, a network intrusion detention system (NIDS), or a DNA sequence analysis system, for checking whether an input code sequence (such as a network data packet) is matched to specific patterns predefined by regular expressions. The proposed system and method includes a first-stage comparison procedure for comparison of the prefix string of each input code sequence and a second-stage comparison procedure for comparison of the postfix string of the same input code sequence. This feature can be used for processing code sequences having a special pattern without producing an enormous amount of state data that would cause the problem of insufficient memory during operation.

Abstract: A computer network packet classification method and system based on a nonoverlapping rule group encoding scheme is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a nonoverlapping rule group encoding scheme which organizes a database of rules into nonoverlapping rule groups and creates a number of consecutive projected intervals over the dimension of each classification-related field of the packet header, whereby a projected-interval to encoded-bit-vector lookup table and an encoded-bit-vector to rule-group lookup table can be established. During the operation of packet classification, these two lookup tables are used to find the corresponding rule for each incoming packet. This scheme allows the encoded bit vectors to have a reduced bit length, and therefore allows the packet classification to be implemented with low memory requirement and enhanced performance.

Abstract: A two-stage computer network packet classification method and system is proposed, which is designed for integration to a network system for classification of packets within the network system. The proposed method and system is characterized by the use of a two-stage operation for packet classification; wherein the first-stage operation involves the use of a decision-tree data module whose leaf nodes are used to store a bit vector that represents a cluster of rule groups that are located within a particular cut region in a multidimensional Euclidean space that is mapped to the field values of the input packet; and the second-stage operation involves the use of a bit-vector lookup table data module to retrieve a set of bit vectors which represent a set of possible rules in each rule group and which are intersected to find a matched rule for the input packet. This feature allows the packet classification to be implemented with low memory requirement and enhanced system performance.