Abstract: A system and method provides a broadband network node for a best effort network such as the Internet or intranets which supports the inexpensive and rapid deployment of services to the best efforts network. Separate data path and control path mechanisms allow high-speed data transfers with parallel processing flows for the data path that are controlled across data flows by the control path. Packets are classified, modified and shaped to enable the service on the network with an accountant to track packet traffic for control and billing purposes. A series of processing blades perform a modification function for each blade that processes packets according to classifications. The processing blades are modular and scalable for insertion in the broad band switch to rapidly adapt the broadband network node for new services.

Abstract: To assist a destination/intermediary node in authenticating a communications packet as originating from a certain source node, the source node hides a cryptographically generated first special value based on the packet in a header portion of the communications packet. Upon receipt of the communications packet, the destination/intermediary node cyptographically generates a second special value also based on the packet for comparison to the first special value extracted from hiding in the header portion. If the first and second special values match, the destination/intermediary node has authenticated the communications packet as originating from the source node. The foregoing may be implemented in a number of situations, but has special use in connection with the detection of packet communications vulnerability assessment probe traffic by an intrusion detection system.

Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

Abstract: A system and method provides for the conversion of disparate physical interfaces. The system and method includes one or more serial interfaces that interface with devices having disparate serial interfaces. One or more physical modules, associated with the serial interfaces, interface with one or more components having disparate physical interfaces but that do not support serial interfaces. The physical modules are able to interface with a variety of different components having different physical interfaces. A conversion module associated with the physical modules and the serial interfaces serializes or deserializes the data transmitted between the physical modules and the serial interfaces. A plurality of queues order the data transmissions between the components and the serial interfaces to prevent data bottlenecks. A backplane may be utilized as the facility for high speed communication allowing the components having disparate physical interfaces to interface with each other and the backplane.

Abstract: A packet filtering operation implements a hierarchical technique. Received packet traffic is first filtered with a first filtering criteria. This first filtering action generates a first pass traffic portion and a fail traffic portion from the received packet traffic. The fail traffic portion is then second filtered with a second filtering criteria. This second filtering action generates a second pass traffic portion and a reject traffic portion. The first filtering criteria provide for higher throughput, lower accuracy processing while the second filtering criteria provide for lower throughput, higher accuracy processing. Dynamic adjustments may be made to the first and second filtering criteria to achieve better overall packet filtering performance. For example, load is measured and the filtering criteria adjusted to better balance load between the hierarchical filtering actions.

Abstract: A pattern matching engine supports high speed (up to at least 2.4. Gbits per second line rate speeds) parallel pattern matching operations in an unanchored fashion. The engine is preferably implemented as a hardware device. A shift register serially receives a string of data stream bytes which are partitioned into a plurality of multi-byte overlapping adjacent stream chunks. Library patterns of bytes to be searched for are similarly partitioned into multi-byte overlapping adjacent table chunks for storage in a look-up table. The plurality of multi-byte overlapping adjacent stream chunks are applied by the register in parallel to the look-up table, with a result being returned which is indicative of whether each stream chunk matches one of the look-up table stored table chunks. The results of the parallel look-up operation are then logically combined to make a match determination.

Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

Abstract: A packet filtering operation implements a hierarchical technique. Received packet traffic is first filtered with a first filtering criteria. This first filtering action generates a first pass traffic portion and a fail traffic portion from the received packet traffic. The fail traffic portion is then second filtered with a second filtering criteria. This second filtering action generates a second pass traffic portion and a reject traffic portion. The first filtering criteria provide for higher throughput, lower accuracy processing while the second filtering criteria provide for lower throughput, higher accuracy processing. Dynamic adjustments may be made to the first and second filtering criteria to achieve better overall packet filtering performance. For example, load is measured and the filtering criteria adjusted to better balance load between the hierarchical filtering actions.

Abstract: To assist a destination/intermediary node in authenticating a communications packet as originating from a certain source node, the source node hides a cryptographically generated first special value based on the packet in a header portion of the communications packet. Upon receipt of the communications packet, the destination/intermediary node cyptographically generates a second special value also based on the packet for comparison to the first special value extracted from hiding in the header portion. If the first and second special values match, the destination/intermediary node has authenticated the communications packet as originating from the source node. The foregoing may be implemented in a number of situations, but has special use in connection with the detection of packet communications vulnerability assessment probe traffic by an intrusion detection system.

Abstract: A network discovery functionality, intrusion detector functionality and firewalling functionality are integrated together to form a network security system presenting a self-deploying and self-hardening security defense for a network.

Abstract: A system and method classifies packets with a programmably fixed network processor program and dynamically updated data structures. The network processor program selects predetermined packet field values of the packets transmitted across the network and classifies the packets by matching one or more packet field values with a data structure. New packet classifications are dynamically created by updating the data structure to associate one or more predetermined packet field values with the new packet classification. For instance, a parse tree program extracts packet header information and matches the packet header information to the data structure. A pattern tree data structure provides longest prefix matches and an ordered tree data structure provides combination matches so that classification of arbitrary Boolean combinations of extracted header fields can be formed.

Abstract: A system and method provides for the conversion of disparate physical interfaces. The system and method includes one or more serial interfaces that interface with devices having disparate serial interfaces. One or more physical modules, associated with the serial interfaces, interface with one or more components having disparate physical interfaces but that do not support serial interfaces. The physical modules are able to interface with a variety of different components having different physical interfaces. A conversion module associated with the physical modules and the serial interfaces serializes or deserializes the data transmitted between the physical modules and the serial interfaces. A plurality of queues order the data transmissions between the components and the serial interfaces to prevent data bottlenecks. A backplane may be utilized as the facility for high speed communication allowing the components having disparate physical interfaces to interface with each other and the backplane.

Abstract: Packets are classified by content across a packet flow by sequencing packets according to packet flows through a content engine. A sequencer tracks packet flows, sending and buffering out-of-order packets to have missing packets resent. A regular expression engine determines matches of regular expressions and subexpressions with regular expressions encoded as non-deterministic finite automata with field programmable gate arrays and subexpression matches computed with a hash and determined by a hash look-up table. A tag module establishes a classification tag for a packet based on the packet's content by matching the tag with the regular expression and subexpressions of the packet.

Abstract: A system and method programs network nodes of a packet-based network to provide services. A service creation tool provides an interface for defining packet processing behaviors in a domain specific programming language and package the service for deployment to the network. A service control center deploys, provisions and monitors the service on programmable nodes. Network processors associated with the programmable nodes have packet processing behaviors translated from the programming language to operation code with a network processor abstraction layer. The service control center and network nodes use a three layer architecture to represent service, execution environment and infrastructure functionality.