Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A first service mechanism in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may include caching of data, data or video compression techniques, push-based services, charging, application serving, analytics, security, data filtering, and new revenue-producing services, as well as others. This architecture allows performing new mobile network services at the edge of a mobile data network within the infrastructure of an existing mobile data network.

Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A first service mechanism in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may include caching of data, data or video compression techniques, push-based services, charging, application serving, analytics, security, data filtering, and new revenue-producing services, as well as others. This architecture allows performing new mobile network services at the edge of a mobile data network within the infrastructure of an existing mobile data network.

Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A first service mechanism in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may include caching of data, data or video compression techniques, push-based services, charging, application serving, analytics, security, data filtering, and new revenue-producing services, as well as others. This architecture allows performing new mobile network services at the edge of a mobile data network within the infrastructure of an existing mobile data network.

Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Abstract: Method for compressing search tree structures used in rule classification is provided. The method includes classifying packets based on filter rules, compressing a tree structure comprising multiple levels of single bit test nodes and leaf nodes, storing the compressed tree structure in a first memory structure of a storage such that the multiple levels of single bit test nodes and leaf nodes can be accessed from the first memory structure through a single memory access of the storage, collecting single bit test nodes of the tree structure that are in a lowest level of the tree structure, storing only the collected single bit test nodes within a second memory structure of the storage that is contiguous to the first memory structure, collecting leaf nodes of the tree structure, and storing only the collected leaf nodes within a third memory structure of the storage that is contiguous to second memory structure.

Abstract: A method and system for developing portable network processor applications and/or managing heterogeneous network processors in a network is disclosed. The network includes host processor(s) utilizing system configuration application(s) that are network processor independent. In one aspect, the method and system include using standardized interface(s) for each network processor, using a standardized transport layer compatible with the interface(s), and providing a generic message application layer. The generic message application layer defines generic payload(s) and message type(s) for configuration communications between the network and host processors. In another aspect, the method and system include providing packet processing shell(s) and generic protocol software that is coupled with the packet processing shell(s) through standard interface(s), network processor independent, and performs operations for packet processing.

Abstract: The present invention relates to a system for managing a plurality of multi-field classification rules. The system provides a first table that includes a plurality of entries corresponding to a plurality of rules relating to an ingress context and a second table that includes a plurality of entries corresponding to a plurality of rules relating to an egress context. The system also includes a network processor for classifying packets of information, wherein the network processor is programmed to utilize the first table and the second table to identify any rules relating to the ingress context and any one rules relating to the egress context that match a search key.

Abstract: Embodiments of the present invention provide systems, articles of manufacture and methods for a telematic parametric speed metering system. In one embodiment, a system may determine a vehicle's location and speed. Once the location has been determined, corresponding geographical zone based speed limits and/or other information may be acquired via internal memory or data transmission. The speed of the vehicle may then be compared against the speed limits for the zone. If the vehicle's speed exceeds those speed limits, one or more of a plurality of actions may be performed including (but not limited to) warning the driver via a visual or audio signal, informing an authority agency via data transmission, logging the excessive speeding condition (e.g., time, date, speed, location, driver name, etc).

Abstract: The present invention relates to a system and computer-readable medium for storing a plurality of multi-field classification rules in a computer system. Each multi-field classification rule includes a rule specification that itself includes a plurality of fields and a plurality of field definitions corresponding to the fields. The method of the present invention includes providing a virtual rule table, where the table stores a plurality of field definitions, and for each of the plurality of multi-field classification rules, compressing the rule specification by replacing at least one field definition with an associated index into the virtual rule table. The method also includes storing each of the compressed rule specifications and the virtual rule table in a shared segment of memory.

Abstract: A flow control method and system including an algorithm for deciding to transmit an arriving packet into a processing queue or to discard it, or, in the case of instructions or packets that must not be discarded, a similar method and system for deciding at a service event to transmit an instruction or packet into a processing queue or to skip the service event. The transmit probability is increased or decreased in consideration of minimum and maximum limits for each flow, aggregate limits for sets of flows, relative priority among flows, queue occupancy, and rate of change of queue occupancy. The effects include protection of flows below their minimum rates, correction of flows above their maximum rates, and, for flows between minimum and maximum rates, reduction of constituent flows of an aggregate that is above its aggregate maximum. Practice of the invention results in low queue occupancy during steady congestion.

Abstract: A process control method and system including partitioning transmit decisions and certain measurements into one logical entity (Data Plane) and partitioning algorithm computation to update transmit probabilities into a second logical entity (Control Plane), the two entities periodically communicating fresh measurements from Data Plane to Control Plane and adjusted transmit probabilities from Control Plane to Data Plane. The transmit probability may be used in transmit/discard decisions of packets or instructions exercised at every arrival of a packet or instruction. In an alternative embodiment, the transmit probability may be used in transmit/delay decisions of awaiting instructions or packets exercised at every service event.

Abstract: A method and system for developing portable network processor applications and/or managing heterogeneous network processors in a network is disclosed. The network includes host processor(s) utilizing system configuration application(s) that are network processor independent. In one aspect, the method and system include using standardized interface(s) for each network processor, using a standardized transport layer compatible with the interface(s), and providing a generic message application layer. The generic message application layer defines generic payload(s) and message type(s) for configuration communications between the network and host processors. In another aspect, the method and system include providing packet processing shell(s) and generic protocol software that is coupled with the packet processing shell(s) through standard interface(s), network processor independent, and performs operations for packet processing.

Abstract: Embodiments of the present invention provide systems, articles of manufacture and methods for a telematic parametric speed metering system. In one embodiment, a system may determine a vehicle's location and speed. Once the location has been determined, corresponding geographical zone based speed limits and/or other information may be acquired via internal memory or data transmission. The speed of the vehicle may then be compared against the speed limits for the zone. If the vehicle's speed exceeds those speed limits, one or more of a plurality of actions may be performed including (but not limited to) warning the driver via a visual or audio signal, informing an authority agency via data transmission, logging the excessive speeding condition (e.g., time, date, speed, location, driver name, etc).

Abstract: A method for developing portable network processor applications and/or managing heterogeneous network processors in a network is disclosed. The network includes host processor(s) utilizing system configuration application(s) that are network processor independent. In one aspect, the method and system include using standardized interface(s) for each network processor, using a standardized transport layer compatible with the interface(s), and providing a generic message application layer. The generic message application layer defines generic payload(s) and message type(s) for configuration communications between the network and host processors. In another aspect, the method and system include providing packet processing shell(s) and generic protocol software that is coupled with the packet processing shell(s) through standard interface(s), network processor independent, and performs operations for packet processing.

Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.

Abstract: The present invention relates to a system for storing a plurality of multi-field classification rules in a computer system. Each multi-field classification rule includes a rule specification that itself includes a plurality of fields and a plurality of field definitions corresponding to the fields.

Abstract: The present invention relates to a method for storing a plurality of multi-field classification rules in a computer system. Each multi-field classification rule includes a rule specification that itself includes a plurality of fields and a plurality of field definitions corresponding to the fields. The method of the present invention includes providing a virtual rule table, where the table stores a plurality of field definitions, and for each of the plurality of multi-field classification rules, compressing the rule specification by replacing at least one field definition with an associated index into the virtual rule table. The method also includes storing each of the compressed rule specifications and the virtual rule table in a shared segment of memory.

Abstract: The present invention relates to a system for managing a plurality of multi-field classification rules. The system provides a first table that includes a plurality of entries corresponding to a plurality of rules relating to an ingress context and a second table that includes a plurality of entries corresponding to a plurality of rules relating to an egress context. The system also includes a network processor for classifying packets of information, wherein the network processor is programmed to utilize the first table and the second table to identify any rules relating to the ingress context and any one rules relating to the egress context that match a search key.