Patents by Inventor Xu Zhou
Xu Zhou has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20170318031
Abstract: Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and is queued onto an I/O device queue. The packet is then transferred from the I/O device queue to a host memory of the network security device and the specified portions are concurrently copied to the cache of the corresponding CPU based on the control setting associated with the I/O device queue.
Type: Application
Filed: July 17, 2017
Publication date: November 2, 2017
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, Hongbin Lu
-
Patent number: 9773113
Abstract: Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object that is to be virus processed is stored by a general purpose processor to a system memory. Virus scan parameters for the content object are set up by the general purpose processor. Instructions from a virus signature memory of a virus co-processor are read by the virus co-processor based on the virus scan parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned to a first instruction pipe of multiple instruction pipes of the virus co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.
Type: Grant
Filed: July 28, 2015
Date of Patent: September 26, 2017
Assignee: Fortinet, Inc.
Inventors: Xu Zhou, Lin Huang, Michael Xie
-
Publication number: 20170255549
Abstract: Methods and systems for implementing improved partitioning and virtualization in a multi-host environment are provided. According to one embodiment, multiple devices, including CPUs and peripherals, coupled with a system via an interconnect matrix/bus are associated with a shared memory logically partitioned into multiple domains. A first domain is associated with a first set of the devices and a second domain is associated with a second set of the devices. A single shared virtual map module (VMM) maps a memory access request to an appropriate partitioned domain of the memory to which the originating device has been assigned based on an identifier associated with the device and further based on the type of memory access. The VMM causes a memory controller to perform memory access on behalf of the device by outputting a physical address based on the identified domain and the virtual address specified by the request.
Type: Application
Filed: May 19, 2017
Publication date: September 7, 2017
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, Zengli Duan, Ziyu Huang
-
Patent number: 9756081
Abstract: Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.
Type: Grant
Filed: August 13, 2016
Date of Patent: September 5, 2017
Assignee: Fortinet, Inc.
Inventors: Zhi Guo, Hongbin Lu, Xu Zhou, Lin Huang, Michael Xie
-
Patent number: 9727451
Abstract: Methods and systems for implementing improved partitioning and virtualization in a multi-host environment are provided. According to one embodiment, multiple devices, including CPUs and peripherals, coupled with a system via an interconnect matrix/bus are associated with a shared memory logically partitioned into multiple domains. A first domain is associated with a first set of the devices and a second domain is associated with a second set of the devices. A single shared virtual map module (VMM) maps a memory access request to an appropriate partitioned domain of the memory to which the originating device has been assigned based on an identifier associated with the device and further based on the type of memory access. The VMM causes a memory controller to perform memory access on behalf of the device by outputting a physical address based on the identified domain and the virtual address specified by the request.
Type: Grant
Filed: March 28, 2014
Date of Patent: August 8, 2017
Assignee: Fortinet, Inc.
Inventors: Xu Zhou, Zengli Duan, Ziyu Huang
-
Patent number: 9712544
Abstract: Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and is queued onto an I/O device queue. The packet is then transferred from the I/O device queue to a host memory of the network security device and the specified portions are concurrently copied to the cache of the corresponding CPU based on the control setting associated with the I/O device queue.
Type: Grant
Filed: February 16, 2017
Date of Patent: July 18, 2017
Assignee: Fortinet, Inc.
Inventors: Xu Zhou, Hongbin Lu
-
Publication number: 20170193231
Abstract: Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory for use in connection with translating virtual addresses to physical addresses. Content scanning of a content object is offloaded to a hardware accelerator coupled to the processor by storing content scanning parameters, including the content object and a type of the content object, to the memory using one or more virtual addresses and indicating to the hardware accelerator that the content object is available for content scanning.
Type: Application
Filed: September 19, 2016
Publication date: July 6, 2017
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, Lin Huang, Michael Xie
-
Publication number: 20170180315
Abstract: Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network security device through a bus. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then the received data packets are delivered or made available to the host CPU for processing. When the rate limiting mode indicator indicates rate limiting is active, then rate limiting is performed by temporarily stopping or slowing the delivery or making available of the received data packets to the host CPU for processing.
Type: Application
Filed: March 9, 2017
Publication date: June 22, 2017
Applicant: Fortinet, Inc.
Inventors: Zhiwei Dai, Xu Zhou
-
Patent number: 9679138
Abstract: Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a system includes a co-processor (CP), a first memory, a general purpose processor (GPP) and a second memory. The first memory is associated with the CP and coupled to the CP. The first memory includes a first signature compiled for execution on the CP. The GPP is coupled to the CP. The second memory is associated with the GPP and coupled to the CP and to the GPP. The second memory includes a second signature compiled for execution on the GPP. The CP is operable to retrieve the first signature stored within the first memory through an instruction cache. The CP is operable to retrieve a data segment to be scanned for undesirable content stored within the second memory through a data cache that is separate from the instruction cache.
Type: Grant
Filed: June 23, 2016
Date of Patent: June 13, 2017
Assignee: Fortinet, Inc.
Inventors: Lin Huang, Xu Zhou, Michael Xie
-
Publication number: 20170163662
Abstract: Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network interface controller (NIC) of a network security device for each of multiple I/O device queues. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the NIC. The packet is parsed to identify boundaries of portions of the packet and is queued onto an I/O device queue. The packet is then transferred from the I/O device queue to a host memory of the network security device and the specified portions are concurrently copied to the cache of the corresponding CPU based on the control setting associated with the I/O device queue.
Type: Application
Filed: February 16, 2017
Publication date: June 8, 2017
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, Hongbin Lu
-
Patent number: 9652417
Abstract: Systems and methods for limiting the rate of packet transmission from a NIC to a host CPU are provided. According to one embodiment, data packets are received from a network by the NIC. The NIC is coupled to a host central processing unit (CPU) of a network appliance through a bus system. A status of the host CPU is monitored by the NIC. A rate limiting mode indicator is set by the NIC based on the status. When the rate limiting mode indicator indicates rate limiting is inactive, then the received data packets are transmitted from the NIC to the host CPU for processing. When the rate limiting mode indicator indicates rate limiting is active, then rate limiting is performed by temporarily stopping or slowing transmission of the received data packets from the NIC to the host CPU for processing.
Type: Grant
Filed: May 19, 2014
Date of Patent: May 16, 2017
Assignee: Fortinet, Inc.
Inventors: Zhiwei Dai, Xu Zhou
-
Publication number: 20170106363
Abstract: The present disclosure relates to a method for metering a liquid into a wet chemistry analytical device wherein a specified volume of individual liquids is placed in a metering unit consisting of a metering container and at least one dose measuring device. During the filling of the metering container with the respective liquid, after the activation of the dose measuring device, an additional volume of the liquid is drawn into the metering tube beyond the position of the dose measuring device, wherein during this procedure and afterwards the status of the dose measuring device is checked, and a conclusion is drawn from this regarding the presence of an air bubble-free liquid in the metering tube.
Type: Application
Filed: October 12, 2016
Publication date: April 20, 2017
Inventors: Xu Zhou, Justyna Homa, Thomas Schipolowski, Thilo Krätschmer
-
Patent number: 9584621
Abstract: Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network I/O device of a network security device for each of multiple I/O device queues based on network security functionality performed by corresponding CPUs of a host processor. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the network I/O device. Information associated with the packet is queued onto an I/O device queue. The information is then transferred from the I/O device queue to a host memory of the network security device. Based on the control settings for the I/O device queue only those portions of the information corresponding to the one or more specified portions are copied to the cache of the corresponding CPU.
Type: Grant
Filed: July 28, 2016
Date of Patent: February 28, 2017
Assignee: Fortinet, Inc.
Inventors: Xu Zhou, Hongbin Lu
-
Publication number: 20170041348
Abstract: Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.
Type: Application
Filed: August 13, 2016
Publication date: February 9, 2017
Applicant: Fortinet, Inc.
Inventors: Zhi Guo, Hongbin Lu, Xu Zhou, Lin Huang, Michael Xie
-
Publication number: 20160352652
Abstract: Methods and systems for a more efficient transmission of network traffic are provided. According to one embodiment, presence of outbound payload data, distributed across a first and second payload buffer, within a user memory space of a network device that has been generated by a user process is determined by a bus/memory interface or a network interface unit. The payload data is fetched by performing direct virtual memory addressing of the user memory space including mapping virtual addresses of the payload buffers to corresponding physical addresses, including: (i) when the payload buffers are noncontiguous, then retrieving the outbound payload data with reference to multiple buffer descriptors having starting virtual addresses of the payload buffers and (ii) when they are contiguous, then retrieving the outbound payload data with reference to a single buffer descriptor. The outbound payload data is then segmented across one or more TCP packets.
Type: Application
Filed: June 30, 2016
Publication date: December 1, 2016
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, David Chen, Lin Huang, Guansong Zhang
-
Publication number: 20160337468
Abstract: Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network I/O device of a network security device for each of multiple I/O device queues based on network security functionality performed by corresponding CPUs of a host processor. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the network I/O device. Information associated with the packet is queued onto an I/O device queue. The information is then transferred from the I/O device queue to a host memory of the network security device. Based on the control settings for the I/O device queue only those portions of the information corresponding to the one or more specified portions are copied to the cache of the corresponding CPU.
Type: Application
Filed: July 28, 2016
Publication date: November 17, 2016
Applicant: Fortinet, Inc.
Inventors: Xu Zhou, Hongbin Lu
-
Patent number: 9491143
Abstract: Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.
Type: Grant
Filed: July 3, 2015
Date of Patent: November 8, 2016
Assignee: Fortinet, Inc.
Inventors: Zhi Guo, Hongbin Lu, Xu Zhou, Lin Huang, Michael Xie
-
Publication number: 20160300062
Abstract: Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a system includes a co-processor (CP), a first memory, a general purpose processor (GPP) and a second memory. The first memory is associated with the CP and coupled to the CP. The first memory includes a first signature compiled for execution on the CP. The GPP is coupled to the CP. The second memory is associated with the GPP and coupled to the CP and to the GPP. The second memory includes a second signature compiled for execution on the GPP. The CP is operable to retrieve the first signature stored within the first memory through an instruction cache. The CP is operable to retrieve a data segment to be scanned for undesirable content stored within the second memory through a data cache that is separate from the instruction cache.
Type: Application
Filed: June 23, 2016
Publication date: October 13, 2016
Applicant: Fortinet, Inc.
Inventors: Lin Huang, Xu Zhou, Michael Xie
-
Patent number: 9460287
Abstract: Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory that contain information for translating virtual addresses to physical addresses. Virus processing of a content object is offloaded to a hardware accelerator coupled to the processor by storing scanning parameters, including the content object and a type of the content object, to the memory using one or more virtual addresses and indicating to the hardware accelerator that the content object is available for processing. Responsive thereto, the hardware accelerator: (i) translates the virtual addresses to corresponding physical addresses based on the page directory and the page table; (ii) accesses the scanning parameters based on the physical addresses; (iii) scans the content object for viruses by applying multiple virus signatures; and (iv) returns a result of the scanning to the processor.
Type: Grant
Filed: June 9, 2015
Date of Patent: October 4, 2016
Assignee: Fortinet, Inc.
Inventors: Xu Zhou, Lin Huang, Michael Xie
-
Publication number: 20160230247
Abstract: A non quenched and tempered steel and manufacturing process thereof. The process comprises a cooling step after the finish rolling step; and the process utilizes alternate intense cooling and moderate cooling. The intense cooling can ensure the surface temperature of the steel to decrease rapidly; and the moderate cooling allows the core temperature of the steel to dissipate gradually to the surface; a further intense cooling is carried out to allow rapid heat dissipation. The intense cooling and the moderate cooling can be carried out alternately several times according to practical requirement. A water cooling mode combining intense cooling and moderate cooling allows the core temperature and the surface temperature of the steel to become the same within a short time, and thus ensures the uniformity of the mechanical properties of the steel and improves the production efficiency.
Type: Application
Filed: December 3, 2013
Publication date: August 11, 2016
Inventors: Donglin LIU, Xu ZHOU, Yifeng XU, Zhiwei ZHOU, Jie YU