Patents by Inventor Alexander I. Tomlinson

Alexander I. Tomlinson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9386103
    Abstract: Systems and methods are disclosed for application identification and dynamic signature generation for managing network communication systems. Communication sessions and related packet flows are monitored within a network communication system. Application level information is extracted from session packets by unpacking one or more communication protocols associated with the network packets to obtain application level information encapsulated within the network packets. The extracted application level information is compared to a database of known application signatures in order to identify known applications. For unknown applications, the application level information is used to generate new dynamic application signatures. The application level information can also be used to identify and access external network-accessible resources to obtain additional identification information for the unknown application.
    Type: Grant
    Filed: October 4, 2013
    Date of Patent: July 5, 2016
    Assignee: BreakingPoint Systems, Inc.
    Inventors: Ryan S. Clifton, Alexander I. Tomlinson, Deep Datta, Jeremy B. Moss, Dennis J. Cox
  • Patent number: 9270641
    Abstract: Methods and systems are provided for using keyword preprocessing, Boyer-Moore analysis, and hybrids thereof, in intrusion-prevention systems. In one embodiment, a state-transition table representative of a data pattern is provided. The table has a plurality of states, each having egress events that define transitions to other states. The data pattern is parsed to identify character strings. A subject is received for evaluation, and preprocessed to find any instances of those character strings. A keyword table is populated with the character strings found during preprocessing. While using the table to evaluate the subject, a first state having a first one of the character strings as an egress event is transitioned into. The keyword table is checked for the first character string, and, responsive to finding the first character string in the keyword table, a transition is taken from the first state to the second state.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: February 23, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Jason D. Preston, Alexander I. Tomlinson
  • Patent number: 9270686
    Abstract: Packets in an intrusion prevention system are inspected by a deep packet inspection engine. A packet may be queued for transmission onto an output queue and transmitted over a network while deep packet inspection is still being performed on the packet. Such simultaneous inspection processing and transmission may be implemented using two ownership bits for the packet, one to indicate “ownership to process” and one to indicate “ownership to send,” instead of the single ownership bit that is used in conventional systems. Furthermore, the packet may be inspected, queued onto the output queue, and transmitted without making a copy of the packet within the deep packet inspection engine. These techniques enable the inspection latency, and therefore the overall transmission latency, of packets to decrease, thereby improving the overall performance of the intrusion prevention system.
    Type: Grant
    Filed: July 31, 2008
    Date of Patent: February 23, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rodney S. Canion, Alexander I. Tomlinson
  • Patent number: 9075735
    Abstract: A computer-implemented method of accessing data comprises resetting the value of a register of a first processing core of a multi-core processor, copying the bits of a compressed pointer into the lowest order bits of the register, left shifting the register a predetermined number of bits, and executing on the first processing core a first instruction referencing memory at a virtual address specified by the register.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: July 7, 2015
    Assignee: Breakingpoint Systems, Inc.
    Inventors: Alexander I. Tomlinson, Brent Aaron Cook, Rodney S. Canion
  • Publication number: 20150101043
    Abstract: Systems and methods are disclosed for application identification and dynamic signature generation for managing network communication systems. Communication sessions and related packet flows are monitored within a network communication system. Application level information is extracted from session packets by unpacking one or more communication protocols associated with the network packets to obtain application level information encapsulated within the network packets. The extracted application level information is compared to a database of known application signatures in order to identify known applications. For unknown applications, the application level information is used to generate new dynamic application signatures. The application level information can also be used to identify and access external network-accessible resources to obtain additional identification information for the unknown application.
    Type: Application
    Filed: October 4, 2013
    Publication date: April 9, 2015
    Applicant: BreakingPoint Systems, Inc.
    Inventors: Ryan S. Clifton, Alexander I. Tomlinson, Deep Datta, Jeremy B. Moss, Dennis J. Cox
  • Patent number: 8996533
    Abstract: A computer-implemented method of storing data for fast lookup comprises forming a first and a second array of pointers, forming a record to store, the record comprising fields for a first list pointer, a second list pointer, which is not the first field in the record, a first key, and a second key. The method further comprises determining a first index based at least in part on the first key, setting the value of the pointer at the first index in the first array to the location of the first pointer field of the record, determining a second index based at least in part on the second key, and setting the value of the pointer at the second index in the second array to the location of the second pointer field of the record.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: March 31, 2015
    Assignee: BreakingPoint Systems, Inc.
    Inventors: Alexander I. Tomlinson, Brent Aaron Cook
  • Patent number: 8756337
    Abstract: Deep packet inspection is performed on packets in a network intrusion prevention system. A processing priority may be assigned to a packet based on characteristics such as the protocol type of the packet. Higher-priority packets may be processed before lower-priority packets or otherwise given preferential processing treatment. Deep packet inspection may be performed on the packet, and the processing priority of the packet may be changed based on the amount of time required to complete inspection of the packet. For example, the processing priority of the packet may be lowered if inspection of the packet takes longer than a predetermined time threshold. Furthermore, inspection of such packets may be suspended and either terminated or resumed at a subsequent time.
    Type: Grant
    Filed: July 31, 2008
    Date of Patent: June 17, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Rodney S. Canion, Alexander I. Tomlinson
  • Publication number: 20130346415
    Abstract: A computer-implemented method of storing data for fast lookup comprises forming a first and a second array of pointers, forming a record to store, the record comprising fields for a first list pointer, a second list pointer, which is not the first field in the record, a first key, and a second key. The method further comprises determining a first index based at least in part on the first key, setting the value of the pointer at the first index in the first array to the location of the first pointer field of the record, determining a second index based at least in part on the second key, and setting the value of the pointer at the second index in the second array to the location of the second pointer field of the record.
    Type: Application
    Filed: July 3, 2012
    Publication date: December 26, 2013
    Inventors: Alexander I. Tomlinson, Brent Aaron Cook
  • Publication number: 20130346700
    Abstract: A method of accessing data in a shared-memory, parallel-processing computing system, comprises, on a first processing unit, receiving a reference for a data structure stored in a memory and a first value of a generation attribute associated with the data structure, waiting to receive an exclusive lock on the data structure, obtaining an exclusive lock on the data structure, receiving a second value of a second generation attribute associated with the data structure; and accessing the data structure only if the first generation attribute value and the second generation attribute value are identical.
    Type: Application
    Filed: August 28, 2012
    Publication date: December 26, 2013
    Inventors: Alexander I. Tomlinson, Brent Aaron Cook, Rodney S. Canion
  • Publication number: 20130346719
    Abstract: A computer-implemented method of accessing data comprises resetting the value of a register of a first processing core of a multi-core processor, copying the bits of a compressed pointer into the lowest order bits of the register, left shifting the register a predetermined number of bits, and executing on the first processing core a first instruction referencing memory at a virtual address specified by the register.
    Type: Application
    Filed: August 27, 2012
    Publication date: December 26, 2013
    Inventors: Alexander I. Tomlinson, Brent Aaron Cook, Rodney S. Canion
  • Patent number: 8000244
    Abstract: Traffic flow rate limits are enforced in an Intrusion Prevention System (IPS) having a plurality of deep packet inspection (DPI) engines by using a floating token bucket scheme. The IPS includes a plurality of rate limiters which are associated with different classes (e.g., protocols) of traffic. A floating token bucket is associated with each rate limiter. The token bucket associated with a rate limiter is passed from DPI engine to DPI engine. Only the DPI engine currently in possession of the token bucket for a particular rate limiter is allowed to process traffic of the class associated with that rate limiter. A DPI engine is only allowed to process traffic associated with a token bucket in its possession if that token bucket is not empty. Use of such floating token buckets enforces rate limits for each traffic class across the multiple DPI engines.
    Type: Grant
    Filed: July 31, 2008
    Date of Patent: August 16, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Rodney S. Canion, Alexander I. Tomlinson
  • Patent number: 7239639
    Abstract: A system and method classifies packets with a programmably fixed network processor program and dynamically updated data structures. The network processor program selects predetermined packet field values of the packets transmitted across the network and classifies the packets by matching one or more packet field values with a data structure. New packet classifications are dynamically created by updating the data structure to associate one or more predetermined packet field values with the new packet classification. For instance, a parse tree program extracts packet header information and matches the packet header information to the data structure. A pattern tree data structure provides longest prefix matches and an ordered tree data structure provides combination matches so that classification of arbitrary Boolean combinations of extracted header fields can be formed.
    Type: Grant
    Filed: December 27, 2001
    Date of Patent: July 3, 2007
    Assignee: 3Com Corporation
    Inventors: Dennis J. Cox, Alexander I. Tomlinson, Joseph Dempsey, Matthew C. Laswell, Scott Strentzsch, Stephen Egbert, Terry G. Ahnstedt, Brian C. Smith
  • Publication number: 20030123452
    Abstract: A system and method classifies packets with a programmably fixed network processor program and dynamically updated data structures. The network processor program selects predetermined packet field values of the packets transmitted across the network and classifies the packets by matching one or more packet field values with a data structure. New packet classifications are dynamically created by updating the data structure to associate one or more predetermined packet field values with the new packet classification. For instance, a parse tree program extracts packet header information and matches the packet header information to the data structure. A pattern tree data structure provides longest prefix matches and an ordered tree data structure provides combination matches so that classification of arbitrary Boolean combinations of extracted header fields can be formed.
    Type: Application
    Filed: December 27, 2001
    Publication date: July 3, 2003
    Applicant: TippingPoint Technologies, Inc.
    Inventors: Dennis J. Cox, Alexander I. Tomlinson, Joseph F. Dempsey, Matthew C. Laswell, Scott Strentzsch, Stephen Egbert, Terry G. Ahnstedt, Brian C. Smith