Abstract: An accelerated network security system includes, in part, a network security engine and a processing module configured to perform network security functions. The network security engine includes an input module configured to receive input data and generate an intermediate data in response, a core engine configured to perform security function operations on the first intermediate data to generate a first output data, and an output module configured to receive the first output data and generate a processed output data in response. The processing module includes a multitude of processing cores configured to operate concurrently, a memory configured to store processing core instructions and processing core data associated with the multitude of processing cores, and a processing controller configured to periodically allocate to each processing core one or more discrete blocks of processing time. The number of processing core data is greater than the number of processing cores.

Abstract: An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Abstract: An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Abstract: A method for upgrading one or more security applications, e.g., anti-spam, anti-virus, intrusion detection/prevention. The method includes deriving a second hardware logic from a security knowledge base. The method includes operating a computing system including a security device. The computer system is coupled to the one or more computer networks, e.g., local area networks, wide area networks, Internet. The security device has one or more security logic processors, which include one or more respective first hardware logic. The method transfers an FPGA image representative of at least the second hardware logic through the computer network to one or more first memory devices. The method includes temporarily halting one or more of the security logic processors at a predetermined portion of the stream of information according to a specific embodiment.

Abstract: A game of chance is disclosed that looks like a multi-line gaming machine having a matrix of rows and columns of positions for displaying slot symbols or cards to a player. A player wagers to play one or more games but the actual pay lines are dynamically determined by events that occur during the course of game play, not before. In one embodiment pay lines are dynamically determined during the course of game play dependent on choices made by the player during the course of game play. The player chooses ones or all of a first, randomly dealt set of slot symbols or cards in one row of the matrix to be held and used in the game play. The symbols or cards not held are discarded and a second, final draw of slot symbols or cards is done in the matrix, including the positions in the one row where cards were discarded. Pay lines are then established through the matrix that all pass through the held cards in the one row of the matrix.

Abstract: A first security processing stage performs a first multitude of tasks and a second security processing stage performs a second multitude of tasks. The first and second multitude of tasks may include common tasks. The first security processing stage is a prefilter to the second security processing stage. The input data received as a data stream is first processed by the first security processing stage, which in response, generates one or more first processed data streams. The first processed data streams may be further processed by the second security processing stage or may bypass the second security processing stage. The first security processing stage operates at a speed greater than the speed of the second security processing stage.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A pattern matching system includes, in part, a multitude of databases each configured to store and supply compressed data for matching to the received data. The system divides each data stream into a multitude of segments and optionally computes a data pattern from the data stream prior to the division into a multitude of segments. Segments of the data pattern are used to define an address for one or more memory tables. The memory tables are read such that the outputs of one or more memory tables are used to define the address of another memory table. If during any matching cycle, the data retrieved from any of the successively accessed memory tables include an identifier related to any or all previously accessed memory tables, a matched state is detected. A matched state contains information related to the memory location at which the match occurs as well as information related to the matched pattern, such as the match location in the input data stream.

Abstract: An accelerated network intrusion detection and prevention system includes, in part, first, second and third processing stages. The first processing stage receives incoming packets and generates, in response, first and second processed data streams using a first set of rules. The first processing stage optionally detects whether the received packets are suspected of attacking the network and places the received data packets in the first processed data stream. The second processing stage receives the first processed data stream and generates, in response, a third processed data stream using a second set of rules. The second processing stage optionally classifies the first processed data stream, that is suspected of launching a network attack, as either attacks or benign network traffic. A third processing stage receives and processes the second and third processed data streams.

Abstract: A data compressor performing the compression algorithm compresses an original uncompressed pattern database to form an associated compressed pattern database configured for fast retrieval and verification. For each data pattern, the data compressor stores a data in an address of a first memory table and that is defined by a first segment of a group of bits associated with the data pattern. The data compressor stores a second data in an address of a second memory table and that is defined by a second segment of the group of bits associated with the data pattern and further defined by the first data stored in the first memory.

Abstract: A first security processing stage performs a first multitude of tasks and a second security processing stage performs a second multitude of tasks. The first and second multitude of tasks may include common tasks. The first security processing stage is a prefilter to the second security processing stage. The input data received as a data stream is first processed by the first security processing stage, which in response, generates one or more first processed data streams. The first processed data streams may be further processed by the second security processing stage or may bypass the second security processing stage. The first security processing stage operates at a speed greater than the speed of the second security processing stage.

Abstract: A data classification system identifies and processes malicious data that may be present in a received data stream. The system includes at least two stages, and a data flow module. The data flow module derives, from an input data stream, a first processed data stream that is transmitted to the first processing stage. The first processing stage derives, from the first processed data stream, a second processed data stream that is transmitted to the second processing stage. The first and second processing stages optionally derive meta data from the data they receive.

Abstract: A classifier of electronic messages includes one or more pre-filters and a filter. Messages classified as spam or legitimate by one or more of the pre-filters bypass the filter. Messages classified as suspicious are further classified by the filter as either spam or legitimate. Messages classified as spam are routed to a spam quarantine storage area. Messages classified as legitimate are routed to a spam delivery area.

Abstract: A programmable finite state machine (FSM) includes, in part, first and second memories, and a selection circuit coupled to each of the memories. Upon receiving a (k+m)-bit word representative of the k-bit input symbol and the m-bit current state, the first memory supplies one ore more matching transition rules stored therein. The selection circuit selects the most specific of the supplied rules. The transition rules are stored in the first memory in a ranking order of generality. The second memory receives the selected transition rule and supplies the next state of the FSM. The first memory may be a ternary content addressable memory and the second memory may be a static random access memory. The contents of both the content addressable memory and the static random memory is determined by an algorithm which minimizes the number of terms required to represent the next-state transition functions.

Abstract: A method and apparatus for transforming regular expressions into a less resource intensive representation is disclosed. The method and apparatus converts a collection of regular expressions into a multi-level representation in which the memory requirements of the lowest level representation is reduced when compared with a conventional finite state automaton representation. The method and apparatus converts a collection of regular expressions into a collection of segments and a higher level representation in a way that retains the semantics of the original set of regular expressions. This transformation is performed through the use of an intermediate form. The resulting representation and collection admit an implementation which avoids the potentially costly memory requirements of a traditional implementation of the original expressions.

Abstract: Incoming data streams are processed at relatively high speed for decoding, content inspection and classification. A multitude of processing channels process multiple data streams concurrently so as to allows networking based host systems to provide the data streams—as the packets carrying these data streams are received from the network—without requiring the data streams to be buffered. Moreover, host systems processing stored content, such as email messages and computer files, can process more than one stream at once and thereby make better utilization of the host system's CPU. Processing bottlenecks are alleviated by offloading the tasks of data extraction, inspection and classification from the host CPU. A content processing system which so processes the incoming data streams, is readily extensible to accommodate and perform additional data processing algorithms. The content processing system is configurable to enable additional data processing algorithms to be performed in parallel or in series.

Abstract: An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

Abstract: A network data classifier statistically classifies received data at wire-speed by examining, in part, the payloads of packets in which such data are disposed and without having a priori knowledge of the classification of the data. The network data classifier includes a feature extractor that extract features from the packets it receives. Such features include, for example, textual or binary patterns within the data or profiling of the network traffic. The network data classifier further includes a statistical classifier that classifies the received data into one or more pre-defined categories using the numerical values representing the features extracted by the feature extractor. The statistical classifier may generate a probability distribution function for each of a multitude of classes for the received data. The data so classified are subsequently be processed by a policy engine. Depending on the policies, different categories may be treated differently.

Abstract: A programmable finite state machine (FSM) includes, in part, a first address calculation logic block, a first lookup table, a second address calculation logic block, and a second lookup table. The first address calculation logic block generates an address for the first lookup table based on the received input symbol and the current state. The data stored in first look-up table at the generated address is used by the second address calculation logic block to compute an address for the second lookup table. Data stored in the second lookup table is the next state to which the FSM transitions. The programmable FSMs uses redundant information of the transition table to compress these transitions and thus requires a smaller memory while maintaining a high data throughput. The data in the first and second lookup tables are coded and supplied by a compiler. The FSM operation may optionally be pipelined.