Abstract: Solid-state storage devices (SSD) are combined with larger capacity magnetic disk-based RAID arrays for storing write data to ensure data consistency across multiple RAID disks. Write operations are stored in a sequential write buffer in at least one SSD to guarantee their storage and then copied from the sequential write buffer to the destination address in RAID array. The sequential write buffer stores write data in locations corresponding to the order of receipt of write operations. Write data from the sequential write buffer is transferred to the RAID array in the same order and a checkpoint index is frequently updated to indicate the completion of some transfers. During system initialization, a copy of the sequential write buffer and its associated checkpoint index are retrieved and used as a starting location for transferring write data from the sequential write buffer to the magnetic disk storage devices in the RAID array.

Abstract: Relatively small capacity solid-state storage devices (SSD) are combined with larger capacity magnetic disk storage devices for storing storage block write data to ensure data consistency. Write operations are stored in a sequential write buffer in an SSD to guarantee the storage of write data and then copied from the sequential write buffer to the destination address in a magnetic disk storage device. The sequential write buffer store write data in locations corresponding to the order of receipt of write operations. Write data from the sequential write buffer is transferred to the magnetic disk storage device in the same order and a checkpoint index is frequently updated to indicate the completion of some transfers. During system initialization, the most recent value of the checkpoint index is retrieved and used as a starting location for transferring write data from the sequential write buffer to the magnetic disk storage device.

Abstract: A system, method, and computer program product for identifying a worm are disclosed. The system, method, and computer product are configured to generate a signature for a computer worm by identifying a set of bits representing the signature, generate a first worm signature based on the signature, and generate a second worm signature based on the signature. The first worm signature is formatted for a first device and the second worm signature is formatted for a second, different device. The first worm signature and the second worm signature are different.

Abstract: Network devices include hosted virtual machines and virtual machine applications. Hosted virtual machines and their applications implement additional functions and services in network devices. Network devices include data taps for directing network traffic to hosted virtual machines and allowing hosted virtual machines to inject network traffic. Network devices include unidirectional data flow specifications, referred to as hyperswitches. Each hyperswitch is associated with a hosted virtual machine and receives network traffic received by the network device from a single direction. Each hyperswitch processes network traffic according to rules and rule criteria. A hosted virtual machine can be associated with multiple hyperswitches, thereby independently specifying the data flow of network traffic to and from the hosted virtual machine from multiple networks.

Abstract: A method for protecting a Web application running on a first local Web Server bases from hacker attacks, said Web Server being connectable to at least one client, the method comprising the following steps: —providing a plurality of preset rules on said Server, which correspond to specific characteristics of HTTP requests; —receiving an HTTP request on said server from the client, said HTTP request comprising a plurality of characteristics; —analyzing said characteristics of said received HTTP request in accordance with said rules provided on said server; —rejecting said HTTP request, if said rules identify said HTTP request as harmful request; —accepting said HTTP request, if said rules identify said HTTP request as trustable request; —classifying said HTTP request as doubtful request, if said rules identify said request neither as harmful request nor as trustable request; —evaluating the characteristics of said doubtful local request; —generating a learned rule on basis of the edge base evaluation.

Abstract: Access to compound data over a wide-area network is optimized by analyzing metadata within compound data to identify internal and external data streams to be prefetched. Upon receiving or intercepting a network packet including an access request for a data resource, metadata in this data resource is analyzed to identify associated data streams and their storage locations within and/or outside of the data resource. Data streams may be proactively or reactively prefetched. Proactive prefetching identifies and retrieves data streams or portions thereof likely to be accessed by a client based on attributes associated with the data resource. Reactive prefetching identifies portions of data streams associated with received access requests and retrieves additional portions of these data streams. Prefetched data streams or portions thereof are stored in a data storage on the same local network or near to the local network including the client.

Abstract: Self-discovering transaction accelerators improve communications between a client and a server. A client directs a message to a server. A client-side transaction accelerator intercepts the message, terminates the connection with the client, and accelerates the request by replacing segments of data with references. The accelerated request is forwarded to a server-side transaction accelerator through a new connection. The server-side transaction accelerator reconstructs the message by replacing the reference with segment data in a persistent segment store accessible to the server-side transaction accelerator. The reconstructed request is then provided to the server. Accelerations may occur in any direction of communication. Persistent segment stores can be pre-populated with segment data from other transaction accelerators and anticipated transactions.

Abstract: Association information is used to build association trees to associate base pages and embedded objects at a proxy. An association tree has a root node containing a URL for a base page, and zero or more leaf nodes each containing a URL for an embedded object. In most cases, an association tree will maintain the invariant that all leaves contain distinct URLs. However, it is also possible to have an association tree in which the same URL appears in multiple nodes. An association tree may optionally contain one or more internal nodes, each of which contains a URL that is an embedded object for some other base page, but which may also be fetched as a base page itself. Given a number of association trees and a base-page URL, a prefetch system finds the root or interior node corresponding to that URL (if any) and traverses the tree from that node, prefetching URLs until the URL of the last leaf node is prefetched.

Abstract: Virtual storage arrays consolidate data storage from branch locations at data centers. The virtual storage array appears to storage clients as a local data storage; however, the virtual storage array data is actually stored at a data center. To overcome the bandwidth and latency limitations of wide area networks between branch locations and the data center, systems and methods predict, prefetch, and cache at the branch location storage blocks that are likely to be requested in the future by storage clients. When this prediction is successful, storage block requests are fulfilled from branch locations' storage block caches. Predictions may leverage an understanding of the semantics and structure of the high-level data structures associated with the storage blocks. Prefetching agents on storage clients monitor storage requests to determine the associations between requested storage blocks and the corresponding high-level data structures as well as other attributes useful for prediction.

Abstract: A method and apparatus are provided for distributing or redistributing licenses from a failed or unavailable license controller to one or more backup license controllers. Each controller has an initial count of licenses it can serve or allocate to clients desiring access to licensed electronic content. Each controller maintains a set of data that identifies the initial license counts and that also identifies backup relationships between controllers. Each such relationship for a given controller identifies which controllers will inherit licenses if the given controller becomes unavailable, and how many (e.g., a percentage) of the given controller's license that will be inherited. A redistribution plan for a given controller may have multiple levels, wherein a subsequent level may be applied only if all controllers designated as backups in the preceding level are also unavailable.

Abstract: WAN optimization devices and content delivery networks together optimize network traffic on both private networks and public WANs such as the internet. A WAN optimization device intercepts and optimizes network traffic from clients within a private network. The WAN optimization device communicates this first optimized network traffic to the nearest edge computer in the content delivery network via a public WAN, such as the internet. This edge computer further optimizes the network traffic and communicates the doubly optimized network traffic via the content delivery network to a second edge computer nearest to the network traffic destination. The second edge computer converts the doubly optimized network traffic back to its original format and communicates the reconstructed network traffic from the second edge computer to the destination via a public WAN.

Abstract: A method for configuring service curves for managing the output port of a networking device includes the following steps. A multitude of traffic classes is defined, each traffic class being characterized by a bandwidth and a delay priority. A multitude of traffic service curves is computed, each of the plurality of traffic service curves is associated with a different one of the multitude of traffic classes. At least one of the multitude of traffic classes service curves is characterized by a shifted two-piece linear function shifted such that the service curve limits service to during a nonzero time period prior to the start of the two-piece linear function.

Abstract: In a coding system, input data within a system is encoded. The input data might include sequences of symbols that repeat in the input data or occur in other input data encoded in the system. The encoding includes determining a target segment size, determining a window size, identifying a fingerprint within a window of symbols at an offset in the input data, determining whether the offset is to be designated as a cut point and segmenting the input data as indicated by the set of cut points. For each segment so identified, the encoder determines whether the segment is to be a referenced segment or an unreferenced segment, replacing the segment data of each referenced segment with a reference label and storing a reference binding in a persistent segment store for each referenced segment, if needed.

Abstract: Virtual storage arrays consolidate branch data storage at data centers connected via wide area networks. Virtual storage arrays appear to storage clients as local data storage, but actually store data at the data center. Virtual storage arrays may prioritize storage client and prefetching requests for communication over the WAN and/or SAN based on their associated clients, servers, storage clients, and/or applications. A virtual storage array may transfer large data sets from a data center to a branch location while providing branch location users with immediate access to the data set stored at the data center. Virtual storage arrays may be migrated by disabling a virtual storage array interface at a first branch location and then configuring another branch virtual storage array interface at a second branch location to provide its storage clients with access to storage array data stored at the data center.

Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Abstract: In a network that includes intermediary nodes, such as WAN accelerators, that transform messages between nodes, an end-to-end path of the messages is determined. The determined end-to-end path is used in subsequent analysis of message traces, to identify timing and other factors related to the performance of the network relative to the propagation of these messages, including the propagation of the transformed messages. A variety of techniques are presented for determining the path of the messages, depending upon the characteristics of the collected trace data. Upon determining the message path, the traces are synchronized in time and correlations between the connections along the path are determined, including causal relationships. In a preferred embodiment, a user identifies an application process between or among particular nodes of a network, and the system provides a variety of formats for viewing statistics related to the performance of the application on the network.

Abstract: An application monitoring system autonomously selects routines for performance monitoring based on characteristics of the content of the routines. These characteristics are preferably related to aspects of routines that are likely candidates for performance improvement, such as repetitive loops, event waits, synchronized blocks, and on. Routines that appear to be relatively un-improvable are excluded from initial monitoring, and routines that are subsequently determined to be relatively un-improvable, based on performance analysis and/or user feedback, are excluded from future monitoring. The determination of each routine's candidacy for monitoring is maintained over time, so that each subsequent monitoring session need not repeat the determinations. Changed routines are routinely re-monitored and/or re-assessed to affirm or modify the routine's candidacy for subsequent monitoring.

Abstract: A contextual and semantic analysis of network entities facilitates a mapping and comparison of the entities between network models. The system includes a plurality of refine handler and match handler pairs that use rules that are specific to the type of network entities being analyzed. The refine handler analyzes the network model to identify the entities for which its rules apply, and the match handler processes these identified entities to establish a pairing between corresponding entities in each model. A sequence of refine-match processes are applied to the network models, typically in accordance with a hierarchy of rules until each entity is identified as a matched, added, or removed entity. A difference handler processes the identified pairings to provide a difference analysis that facilitates a meaningful interpretation of the configuration changes, and a user interface provides an interactive environment to view the differences from different perspectives.

Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Abstract: A method is provided for establishing a split-terminated secure communication connection between a client and a server. A first network intermediary intercepts a secure communication connection request directed from the client to the server. A second intermediary having a digital certificate in the name of the server (and a corresponding private key) acts in place of the server to establish a first secure communication session with the client, during which it receives a secret from the client for generating the session key. The second intermediary supplies the secret and/or the session key to the first intermediary, which allows the first intermediary to establish follow-on secure communication sessions in which the secret is reused. The second intermediary may also supply the first intermediary with a copy of its certificate so that it can respond to new secure communication requests and, yet further, may also supply a copy of the private key.