Abstract: A method and apparatus is described for identifying content in a packet. The method may obtain data sample from the packet where the data sample is in a predetermined window at an initial offset point in the packet. For each offset point, a first stage of processing on the data sample may be performed to identify if the data sample corresponds to potentially relevant reference string. A more focused second stage of processing may then be carried out on the data sample to identify if the data sample corresponds to potentially relevant reference string. Thereafter, an even more focused third stage of processing may be carried out on the data sample to obtain a third stage result. If the data sample passes all three stages of processing, a predefined action is identified which is associated with a reference string corresponding to the data sample.

Abstract: A method and apparatus for detecting malicious attacks is described. The method may comprise obtaining routing information from a packet communicated via a network and maintaining a count of packets associated with a device associated with the routing information. For example, the routing information may a source or destination IP address, a port number, or any other routing information. The device may be classified as a potentially malicious device when the count exceeds a threshold. The count may be incremented when the TCP SYN flag is set and the TCP ACK flag is not set. An embodiment comprises obtaining a source hash of the source IP address and a destination hash of the destination IP address. Thereafter, the source hash and the destination hash may be mapped to multi stage filters. The device associated with the packet may then be selectively categorizing as a suspicious device.

Abstract: A method and apparatus is described to process packets in a network. The method may comprise receiving the packet and determining a length K of the packet. If the length of the packet is less than a reference length M then no analysis may be performed on the packet. However, if the packet length K is not less than M, the method may determine if the packet length K is at least greater than a reference window size WRef. When the packet length is greater than WRef then a window size W for the processing of the packets is set equal to WRef; and the packet length is less than WRef then a window size W for the processing of the packets is set equal to the packet size K. Thereafter, the packet is processed using the window size W.

Abstract: A combined hash table/bucket trie technique facilitates fast, deterministic, memory-efficient exact match look-ups on extremely large tables. A limited number of hash keys which collide on the same location can be stored in the hash table. If further keys collide on the same location, a bucket trie is formed, the colliding keys are stored in the trie, and trie traversal information is stored in the hash table. Regardless of the number of buckets in the trie, an input key need only be compared with the keys in one bucket to detect a stored key identical to the input key or conclude that no stored key is identical to the input key.

Abstract: Detecting attacks against computer systems by automatically detecting signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages, and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the amount of resources which are necessary to establish the commonalities. In an embodiment, signatures are created based on the data reduction hash technique. Frequent signatures are found by reducing the signatures using that hash technique. Each of the frequent signatures is analyzed for content, and content which is spreading is flagged as being a possible attack. Additional checks can also be carried out to look for code within the signal, to look for spam, backdoors, or program code.

Abstract: A network device for interconnecting computer networks, the device including a bridge having a plurality of ports through which network communications pass to and from the bridge, the bridge also including a first interface enabling a user to partition the plurality of bridge ports into a plurality of groups, wherein each group represents a different virtual network, wherein the bridge treats all ports within a given group as part of the virtual network corresponding to that group and the bridge isolates the virtual networks from each other, whereby any communications received at a first port of the bridge are directly sent by the bridge to another bridge port only if the other bridge port and the first bridge port are part of the same group.

Abstract: A new process called “crossproducting” allows level 4 switching to be performed at gigabit speeds. In crossproducting, a database of routing filters or rules is “sliced” into columns corresponding to fields. Each column represents a set of prefixes or ranges. Given a data packet P, a best matching prefix or narrowest enclosing range lookup is performed separately for each packet field. The results of the lookups on individual fields are concatenated to quickly determine the earliest matching rule. The search can be optimized further through such techniques as removing default entries, creating multiple crossproduct tables, caching crossproducts, and early stopping, the latter optimization being made possible by recognizing that it is not necessary in all cases to search all columns for a match. The inventive devices and methods are applicable to various types of networks, including, but not limited to, the Internet and related types of networks, and telephone switching networks.

Abstract: Fast, scalable methods and devices are provided for layer four switching in a router as might be found in the Internet. In a first method, a grid of tries, which are binary branching trees, is constructed from the set of routing filters. The grid includes a dest-trie and a number of source tries. To avoid memory blowup, each filter is stored in exactly one trie. The tries are traversed to find the lowest cost routing. Switch pointers are used to improve the search cost. In an extension of this method, hash tables may be constructed that point to grid-of-tries structures. The hash tables may be used to handle combinations of port fields and protocol fields. Another method is based on hashing, in which searches for lowest cost matching filters take place in bit length tuple space. Rectangle searching with precomputation and markers are used to eliminate a whole column of tuple space when a match occurs, and to eliminate the rest of a row when no match is found.

Abstract: A method and apparatus for an exponentially faster technique than is presently utilized in routers for looking-up destination addresses and matching them to a prefix in order to determine an output data link for routing of the data message to a destination. The basic algorithm includes arranging the prefix and corresponding output data link information in sub-databases arranged by prefix length and then using a multi-step prefix length binary search algorithm to sort through the sub-databases to determine a best matching prefix for routing of the data packet. Various refinements of the basic algorithm are disclosed to further enhance the search time including adding markers representative of sub-database entries having a longer prefix length and also various searching methodologies to minimize the number of searching steps including rope searching in various formats.

Abstract: Aspects of the invention include a method of conducting a reduced length search along a search path. A node which would otherwise occur between a previous and a following node in the search path is eliminated, and information is stored as to whether, had said eliminated node been present, the search would have proceeded to the following node. During the search, a search argument is compared with the stored information, and the search effectively progresses from the previous node directly to the following node if the comparison is positive. In preferred embodiments, some nodes provide result values for the search, and a node is eliminated only if its presence would not affect the result value for the search. In another aspect, the invention features a method of conducting a two mode search of reduced length. For a first mode of the search, nodes along a search path are provided, at least some of the nodes including one or more pointers pointing to other nodes.

Abstract: Many network protocols, including the Internet, have addresses that are structured hierarchically. The hierarchy is expressed by an address prefix P that represents all addresses in the given hierarchical level that starts with prefix P. The hierarchy is not strict and can be overridden by more inclusive hierarchies. This is achieved by having network routers find the longest prefix that matches a destination address in a message.The disclosed invention describes a method and apparatus for implementing controlled expansion: for expanding a set of prefixes into an equivalent (possibly larger) set of prefixes that have a smaller set of prefix lengths. The new set of prefixes can then be looked up significantly faster using any technique whose speed improves by reducing the number of prefix lengths. Our invention also incorporates fast techniques to insert and delete new prefixes, and a technique of pointer hoisting to halve the memory READs needed for trie search.

Abstract: A network device for interconnecting computer networks, the device including a bridge having a plurality of ports through which network communications pass to and from the bridge, the bridge also including a first interface enabling a user to partition the plurality of bridge ports into a plurality of groups, wherein each group represents a different virtual network, wherein the bridge treats all ports within a given group as part of the virtual network corresponding to that group and the bridge isolates said virtual networks from each other, whereby any communications received at a first port of the bridge are directly sent by the bridge to another bridge port only if the other bridge port and the first bridge port are part of the same group.

Abstract: A network interconnection device having a router connected by a plurality of links to at least one multiport switch is presented. Each of the plurality of links is connected between one port of the router and one port of the multiport switch such that each link represents a separate path between the router and the multiport switch over which data packets may be transferred. Sets of links are defined as hunt groups, which contain multiple instances of a given resource. Each port has a forwarding engine. When a packet arrives at a router port, the forwarding engine checks if the packet destination port belongs to the same hunt group as the packet sending port. If the destination port and the packet sending port belong to the same group, the packet is sent back through the same port through which it arrived without having to pass through the router backplane, thus transferring the packet efficiently.

Abstract: A mechanism for operating a configurable switch to dynamically (i) route each of the data packets in an ordered string from a particular switch input port through a selected member output port of a hunt group; and (ii) route data packets which need not be transmitted in order from the input ports to available member output ports of the hunt group, as the members become available. A controller assigns each input port a service number, and directs member output ports to handle requests for ordered data packet transmissions from input ports with particular service numbers, such that the ordered transfers from an input port are handled by a single member of each group. The input port broadcasts, through the switch, a request to send ordered data packets through a particular hunt group and includes its service number in the request. The group member assigned to handle ordered transfers from the input port responds by identifying itself.

Abstract: Aspects of the invention include a method of conducting a reduced length search along a search path. A node which would otherwise occur between a previous and a following node in the search path is eliminated, and information is stored as to whether, had said eliminated node been present, the search would have proceeded to the following node. During the search, a search argument is compared with the stored information, and the search effectively progresses from the previous node directly to the following node if the comparison is positive. In preferred embodiments, some nodes provide result values for the search, and a node is eliminated only if its presence would not affect the result value for the search. In another aspect, the invention features a method of conducting a two mode search of reduced length. For a first mode of the search, nodes along a search path are provided, at least some of the nodes including one or more pointers pointing to other nodes.

Abstract: A flow control system is disclosed, for a transmitting node and a receiving node. The transmitting node and the receiving node are linked together through multiple connections or virtual circuits over a communications link. A flow control circuit in the transmitting node limits the amount of bandwidth used over each individual connection, and over all of the connections combined. In an example embodiment, a global counter is used to maintain the total amount of bandwidth consumed overall during a predetermined time period, and a global limit register limits the maximum amount of bandwidth allowed consumed by any single connection during the time period. When the global counter exceeds an upper threshold value, the global limit register is set to a minimum value representing the minimum amount of bandwidth guaranteed to each connection during the time period.

Abstract: A packet data communication network employs a local switch, router or bridge device functioning to transfer packets between segments of a larger network. When packets enter this device, an address translation is performed to generate local source and destination addresses which are much shorter than the globally-unique addresses contained in the packet as dictated by the protocol. These local addresses are inserted in a header that is added to the packet, in addition to any header already contained in the packet. This added header travels with the packet through the local switch, router or bridge device, but then is stripped off before the packet is sent out onto another network segment. The added header may also contain other information, such as a local name for the source and destination segment (link), as well as status information that is locally useful, but not part of the packet protocol and not necessary for transmission with the packet throughout the network.

Abstract: An integrated communications link in a communications network that is provided with apparatus which allows dynamic allocability of bandwidth among a plurality of channels. At least three different types of information can be carried on these channels, and the bandwidth of these channels are dynamic so that it can be changed according to a determinable scheme. The link also sends error control information with a message that informs the receiver how the bandwidth is to be allocated, this error control information providing an extremely high level of assurance that the receiver of the information will know how the received information is to be allocated.

Abstract: A method of providing loop free and shortest path routing of data packets in a network having a plurality of switches, routing messages for communicating network topology information between the switches, a plurality of links connecting the switches and a plurality of channels connecting the switches to the links. The loop free routing of data packets is achieved through modifications to known link state packet (LSP) routing protocols and permits each switch to inform adjacent switches in the network of the information in the switch's database used to compute forwarding tables. A switch uses a received LSP to compute a forwarding table and informs neighboring switches on attached links of the routing change. The switch discards any subsequent data packets whose path would be affected by the changed routing information.

Abstract: A packet data communication network employs sequence numbers in message packets to identify the packets transmitted for a message, so that the order of packets can be checked, and so that the occurrence of lost or duplicated packets can be detected. A method of keeping track of these sequence numbers is provided. Any number below or above a bounded sequence number acceptance window is ignored (not accepted). Bit maps are established for the range of numbers within the bounded window, each bit representing a sequence number and the bit maps indexed by sequence number. One bit map is a received packet map, used to keep track of which sequence numbers have been received and thus to filter duplicate sequence numbers. An end-of-message bit map is used to record the positions of packets having end-of-message flags, and this is used with the received packet map to determine whether all packets of a message have been received, so that an end-of-message trigger can be generated.