Abstract: A system-on-a-chip (SoC) and corresponding method implement an intrusion detection system. The SoC comprises a plurality of hardware engines. The SoC employs the plurality of hardware engines to implement the intrusion detection system. The intrusion detection system is capable of detecting malware traffic in (i) a non-encrypted traffic stream, (ii) an encrypted traffic stream that can be decrypted by the SoC, and (iii) an encrypted traffic stream that cannot be decrypted by the SoC. The intrusion detection system performs an action responsive to detecting the malware traffic. The action is performed toward preventing malicious activity otherwise caused by the malware traffic.

Abstract: A system-on-a-chip (SoC) and corresponding method implement an intrusion detection system. The SoC comprises a traffic scanner that produces feature information associated with non-payload content of encrypted packets in a received traffic stream that cannot be decrypted by the SoC. The SoC further comprises a machine learning (ML) engine that (i) assigns a classification to the received traffic stream based on the feature information produced and (ii) based on the classification assigned, provides notification to the traffic scanner that malware traffic has been detected in the traffic stream. The traffic scanner further performs, based on the notification provided, an action toward preventing malicious activity otherwise caused by malware traffic.

Abstract: In an apparatus for receiving and forwarding data packets on a network, a network device includes a plurality of ports for coupling to the network and for transmitting packets to devices disposed in or coupled to the network. At least one processor configured to process packets received via the network processes packets by selectively forwarding processed packets to one or more of the ports. A plurality of queues are defined in a memory, each configured to store packets to be transmitted by ports in the plurality of ports. A queue manager is configured to selectively assign a subset of the plurality of queues to a subset of the plurality of ports.

Abstract: Aspects of the disclosure provide an apparatus that includes a key generator, a first memory, a second memory, and a controller. The key generator is configured to generate a first search key, and one or more second search keys in response to a pattern. The first memory is configured to compare the first search key to a plurality of entries populated in the first memory, and determine an index of a matching entry to the first search key. The second memory is configured to respectively retrieve one or more exact match indexes of the one or more second search keys from one or more exact match pattern groups populated in the second memory. The controller is configured to select a search result for the pattern from among the index output from the first memory and the one or more exact match indexes output from the second memory.

Abstract: A network device includes a packet ingress configured to receive packets from a network, and a packet processor. The packet processor is configured to identify a first packet of the received packets as a double VLAN tagged packet including a first priority field associated with a first VLAN tag and a second priority field associated with a second VLAN tag. The packet processor is also configured to assign an extended priority profile to the first packet based on one or more bits of the first priority field and one or more bits of the second priority field, the extended priority profile being among a group of possible extended priority profiles that is larger than any group of possible priority profiles associated with a single VLAN tag of the first packet. The packet processor is further configured to process the first packet according to the assigned extended priority profile.

Abstract: A network device includes a packet ingress configured to receive packets from a network, and a packet processor configured to identify a first packet of the received packets as a double VLAN tagged packet with an extended priority profile. The packet processor is also configured to determine, based on P bits distributed among M bits of a first priority field associated with a first VLAN tag and N bits of a second priority field associated with a second VLAN tag, the extended priority profile of the first packet from among a group of possible extended priority profiles that is larger than a first group of possible priority profiles associated with the first priority field and larger than a second group of possible priority profiles associated with the second priority field. The packet processor is also configured to process the first packet according to the determined extended priority profile.

Abstract: In an apparatus for receiving and forwarding data packets on a network, a network device includes a plurality of ports for coupling to the network and for transmitting packets to devices disposed in or coupled to the network. At least one processor configured to process packets received via the network processes packets by selectively forwarding processed packets to one or more of the ports. A plurality of queues are defined in a memory, each configured to store packets to be transmitted by ports in the plurality of ports. A queue manager is configured to selectively assign a subset of the plurality of queues to a subset of the plurality of ports.

Abstract: A network device includes a packet ingress configured to receive packets from a network, and a packet processor configured to identify a first packet of the received packets as a double VLAN tagged packet with an extended priority profile. The packet processor is also configured to determine, based on P bits distributed among M bits of a first priority field associated with a first VLAN tag and N bits of a second priority field associated with a second VLAN tag, the extended priority profile of the first packet from among a group of possible extended priority profiles that is larger than a first group of possible priority profiles associated with the first priority field and larger than a second group of possible priority profiles associated with the second priority field. The packet processor is also configured to process the first packet according to the determined extended priority profile.

Abstract: In an apparatus for receiving and forwarding data packets on a network, a network device includes a plurality of ports for coupling to the network and for transmitting packets to devices disposed in or coupled to the network. At least one processor configured to process packets received via the network processes packets by selectively forwarding processed packets to one or more of the ports. A plurality of queues are defined in a memory, each configured to store packets to be transmitted by ports in the plurality of ports. A queue manager is configured to selectively assign a subset of the plurality of queues to a subset of the plurality of ports.

Abstract: A network device includes a packet ingress configured to receive packets from a network, and a packet processor. The packet processor is configured to identify a first packet of the received packets as a double VLAN tagged packet including a first priority field associated with a first VLAN tag and a second priority field associated with a second VLAN tag. The packet processor is also configured to assign an extended priority profile to the first packet based on one or more bits of the first priority field and one or more bits of the second priority field, the extended priority profile being among a group of possible extended priority profiles that is larger than any group of possible priority profiles associated with a single VLAN tag of the first packet. The packet processor is further configured to process the first packet according to the assigned extended priority profile.

Abstract: Formal verification of models using concurrent model-reduction and model-checking. For example, a system for formal verification of models includes: one or more model reducers to reduce a model; one or more model checkers to check the model, wherein at least one of the model reducers is to run concurrently with at least one of the model checkers; and a model synchronizer to synchronize information between at least one of the model reducers and at least one of the model checkers.

Abstract: Formal verification of models using concurrent model-reduction and model-checking. For example, a system for formal verification of models includes: one or more model reducers to reduce a model; one or more model checkers to check the model, wherein at least one of the model reducers is to run concurrently with at least one of the model checkers; and a model synchronizer to synchronize information between at least one of the model reducers and at least one of the model checkers.

Abstract: Formal verification of models using concurrent model-reduction and model-checking. For example, a system for formal verification of models includes: one or more model reducers to reduce a model; one or more model checkers to check the model, wherein at least one of the model reducers is to run concurrently with at least one of the model checkers; and a model synchronizer to synchronize information between at least one of the model reducers and at least one of the model checkers.

Abstract: A network apparatus comprises a plurality of ports, and a forwarding engine coupled to the plurality of ports. The forwarding engine is configured to transfer data units received via at least some of the plurality of ports to one or more appropriate ports in the plurality of ports. The forwarding engine comprises a content addressable memory (CAM) device to store a plurality of data patterns organized in a plurality of groups, wherein the CAM device is configured to, responsive to input data, output in a single cycle a plurality of match indications corresponding to the plurality of groups. The forwarding engine also comprises a logic device coupled to the CAM device and configured to generate an action value based on the plurality of match indications, wherein the action value indicates an action to be taken by the forwarding engine.

Abstract: Formal verification of models using concurrent model-reduction and model-checking. For example, a system for formal verification of models includes: one or more model reducers to reduce a model; one or more model checkers to check the model, wherein at least one of the model reducers is to run concurrently with at least one of the model checkers; and a model synchronizer to synchronize information between at least one of the model reducers and at least one of the model checkers.