Abstract: Software and methods are disclosed for reducing the computational cost involved in network packet filtering The technology provides user level network packet filtering without incurring a context switch and minimizes the copying of data during packet filtering. The technology reduces or eliminates the need for expensive operating system data locks when performing network packet filtering.

Abstract: The states associated with a programmable state machine are reordered to compress the storage of transitions which define the state machine. To reorder the states, a score is computed and assigned to each of the states. Next, the states are sorted according to their computed scores. In some embodiments, to compute the score for each current state based on the received input symbol, the number of times that the input symbol causes transition to similar states is added. The sum of the scores in each row of the table is representative of the score for the associated current state associated with that row. The states are sorted according to their score and a new state transition table is generated in accordance with the reordered states.

Abstract: An accelerated network security system includes, in part, a network security engine and a processing module configured to perform network security functions. The network security engine includes an input module configured to receive input data and generate an intermediate data in response, a core engine configured to perform security function operations on the first intermediate data to generate a first output data, and an output module configured to receive the first output data and generate a processed output data in response. The processing module includes a multitude of processing cores configured to operate concurrently, a memory configured to store processing core instructions and processing core data associated with the multitude of processing cores, and a processing controller configured to periodically allocate to each processing core one or more discrete blocks of processing time. The number of processing core data is greater than the number of processing cores.

Abstract: A multicore network security system includes scheduler modules, one or more security modules and post-processing modules. Each security module may be a processing core or itself a network security system. A scheduler module routes input data to the security modules, which perform network security functions, then routes processed data to one or more post-processing modules. The post-processing modules post-process this processed data and route it back to scheduler modules. If further processing is required, the processed data is routed to the security modules; otherwise the processed data is output from the scheduler modules. Each processing core may operate independently from other processing cores, enabling parallel and simultaneous execution of network security functions.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Abstract: An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Abstract: A method for upgrading one or more security applications, e.g., anti-spam, anti-virus, intrusion detection/prevention. The method includes deriving a second hardware logic from a security knowledge base. The method includes operating a computing system including a security device. The computer system is coupled to the one or more computer networks, e.g., local area networks, wide area networks, Internet. The security device has one or more security logic processors, which include one or more respective first hardware logic. The method transfers an FPGA image representative of at least the second hardware logic through the computer network to one or more first memory devices. The method includes temporarily halting one or more of the security logic processors at a predetermined portion of the stream of information according to a specific embodiment.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A programmable finite state machine (FSM) includes, in part, a first address calculation logic block, a first lookup table, a second address calculation logic block, and a second lookup table. The first address calculation logic block generates an address for the first lookup table based on the received input symbol and the current state. The data stored in first look-up table at the generated address is used by the second address calculation logic block to compute an address for the second lookup table. Data stored in the second lookup table is the next state to which the FSM transitions. The programmable FSMs uses redundant information of the transition table to compress these transitions and thus requires a smaller memory while maintaining a high data throughput. The data in the first and second lookup tables are coded and supplied by a compiler. The FSM operation may optionally be pipelined.

Abstract: A first security processing stage performs a first multitude of tasks and a second security processing stage performs a second multitude of tasks. The first and second multitude of tasks may include common tasks. The first security processing stage is a prefilter to the second security processing stage. The input data received as a data stream is first processed by the first security processing stage, which in response, generates one or more first processed data streams. The first processed data streams may be further processed by the second security processing stage or may bypass the second security processing stage. The first security processing stage operates at a speed greater than the speed of the second security processing stage.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A pattern matching system includes, in part, a multitude of databases each configured to store and supply compressed data for matching to the received data. The system divides each data stream into a multitude of segments and optionally computes a data pattern from the data stream prior to the division into a multitude of segments. Segments of the data pattern are used to define an address for one or more memory tables. The memory tables are read such that the outputs of one or more memory tables are used to define the address of another memory table. If during any matching cycle, the data retrieved from any of the successively accessed memory tables include an identifier related to any or all previously accessed memory tables, a matched state is detected. A matched state contains information related to the memory location at which the match occurs as well as information related to the matched pattern, such as the match location in the input data stream.

Abstract: An accelerated network intrusion detection and prevention system includes, in part, first, second and third processing stages. The first processing stage receives incoming packets and generates, in response, first and second processed data streams using a first set of rules. The first processing stage optionally detects whether the received packets are suspected of attacking the network and places the received data packets in the first processed data stream. The second processing stage receives the first processed data stream and generates, in response, a third processed data stream using a second set of rules. The second processing stage optionally classifies the first processed data stream, that is suspected of launching a network attack, as either attacks or benign network traffic. A third processing stage receives and processes the second and third processed data streams.

Abstract: A data compressor performing the compression algorithm compresses an original uncompressed pattern database to form an associated compressed pattern database configured for fast retrieval and verification. For each data pattern, the data compressor stores a data in an address of a first memory table and that is defined by a first segment of a group of bits associated with the data pattern. The data compressor stores a second data in an address of a second memory table and that is defined by a second segment of the group of bits associated with the data pattern and further defined by the first data stored in the first memory.

Abstract: A data classification system identifies and processes malicious data that may be present in a received data stream. The system includes at least two stages, and a data flow module. The data flow module derives, from an input data stream, a first processed data stream that is transmitted to the first processing stage. The first processing stage derives, from the first processed data stream, a second processed data stream that is transmitted to the second processing stage. The first and second processing stages optionally derive meta data from the data they receive.

Abstract: A first security processing stage performs a first multitude of tasks and a second security processing stage performs a second multitude of tasks. The first and second multitude of tasks may include common tasks. The first security processing stage is a prefilter to the second security processing stage. The input data received as a data stream is first processed by the first security processing stage, which in response, generates one or more first processed data streams. The first processed data streams may be further processed by the second security processing stage or may bypass the second security processing stage. The first security processing stage operates at a speed greater than the speed of the second security processing stage.

Abstract: A classifier of electronic messages includes one or more pre-filters and a filter. Messages classified as spam or legitimate by one or more of the pre-filters bypass the filter. Messages classified as suspicious are further classified by the filter as either spam or legitimate. Messages classified as spam are routed to a spam quarantine storage area. Messages classified as legitimate are routed to a spam delivery area.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.