Patents by Inventor Yehuda Afek
Yehuda Afek has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8909813
Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.
Type: Grant
Filed: March 20, 2012
Date of Patent: December 9, 2014
Assignees: Ramot at Tel-Aviv University Ltd., Interdisciplinary Center Herzliya
Inventors: Yehuda Afek, Anat Bremler-Barr, Yaron Koral
-
Publication number: 20120243551
Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.
Type: Application
Filed: March 20, 2012
Publication date: September 27, 2012
Applicants: INTERDISCIPLINARY CENTER HERZLIYA, RAMOT AT TEL AVIV UNIVERSITY LTD.
Inventors: Yehuda Afek, Anat Bremler-Barr, Yaron Koral
-
Patent number: 7707305
Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.
Type: Grant
Filed: August 14, 2001
Date of Patent: April 27, 2010
Assignee: Cisco Technology, Inc.
Inventors: Yehuda Afek, Anat Bremler-Barr, Dan Touitou
-
Patent number: 7342929
Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.
Type: Grant
Filed: April 26, 2002
Date of Patent: March 11, 2008
Assignee: Cisco Technology, Inc.
Inventors: Anat Bremler-Barr, Dan Touitou, Keren Horvitz, Rephael Tzadikario, Yehuda Afek
-
Patent number: 7313815
Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
Type: Grant
Filed: September 17, 2004
Date of Patent: December 25, 2007
Assignee: Cisco Technology, Inc.
Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
-
Publication number: 20060212572
Abstract: A method for screening packet-based communication traffic. At least a first data packet, sent over a network from a source address to a destination address, is received. A determination is made, by analyzing the first data packet, that the first data packet was generated by a worm. In response to the determination, a second data packet sent over the network from the source address is blocked.
Type: Application
Filed: July 14, 2005
Publication date: September 21, 2006
Inventors: Yehuda Afek, Rafi Zadikario, Dan Touitou, Anat Bremler Bar
-
Patent number: 6907525
Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
Type: Grant
Filed: September 20, 2002
Date of Patent: June 14, 2005
Assignee: Riverhead Networks Inc.
Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
-
Patent number: 6876655
Abstract: A method of routing a data packet from a forwarding router to a downstream router. The data packet header includes an address that includes a bit string. The forwarding router looks up, in a forwarding database, a prefix that best matches the bit string. The forwarding router then attaches to the data packet a clue that is related to the best matching prefix, and forwards the data packet to the downstream router. The downstream router looks up, in a downstream database, and with reference to the clue, another prefix that best matches the bit string. Because the databases of neighboring routers are similar, the clue either directly determines the best matching prefix at the downstream router or provides the downstream router with a good starting point for its lookup.
Type: Grant
Filed: April 20, 2000
Date of Patent: April 5, 2005
Assignee: Ramot at Tel Aviv University Ltd.
Inventors: Yehuda Afek, Anat Bremler-Barr, Sariel Har-Peled
-
Publication number: 20050044352
Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
Type: Application
Filed: September 17, 2004
Publication date: February 24, 2005
Applicant: Riverhead Networks, Inc.
Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
-
Patent number: 6633860
Abstract: A simple and fast algorithm for multi-dimensional packet classification by solving the best matching filter problem. The substantial part of the algorithm includes the search of filters being concurrently stabbed by the packet using a KD-tree data structure. Another aspect of the present invention includes the classification of the packet according to its destination address using a second data-structure which preferably consists of a one dimensional segment tree. In a preferred embodiment of the present invention, the packet is first classified according to its protocol type, then the packet is classified according to its destination address using a one dimensional segment tree data structure, and finally, a 6 dimension KD-tree is used to find the filters being stabbed by the remaining 3 parameters of the packet. Among the filters, which comply with the packet, the filter which applies to the packet is the filter with the highest pre-determined priority.
Type: Grant
Filed: April 14, 2000
Date of Patent: October 14, 2003
Assignee: Ramot At Tel Aviv University Ltd.
Inventors: Yehuda Afek, Anat Bremler, Sariel Har-Peled
-
Publication number: 20030076848
Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.
Type: Application
Filed: April 26, 2002
Publication date: April 24, 2003
Inventors: Anat Bremler-Barr, Dan Touitou, Keren Horvitz, Rephael Tzadikario, Yehuda Afek
-
Publication number: 20030070096
Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
Type: Application
Filed: September 20, 2002
Publication date: April 10, 2003
Applicant: Riverhead Networks Inc.
Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
-
Publication number: 20020083175
Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.
Type: Application
Filed: August 14, 2001
Publication date: June 27, 2002
Applicant: WANWALL, INC. (a Delaware Corporation)
Inventors: Yehuda Afek, Anat Bremler-Barr, Dan Touitou
-
Patent number: 5956340
Abstract: A method for multiplexing the buffer space used to store messages of backlogged flows at the output port of a switch. The buffer space is partitioned among queues of variable length, with the first queue long enough to accommodate the largest expected backlog, the second queue long enough to accommodate the second-largest expected backlog, etc. Messages are dequeued from the queues for transmission in Round-Robin order. Incoming messages are enqueued in a manner that guarantees that messages of heavily backlogged flows tend to be enqueued in the longer queues, while preserving FIFO message order. If the messages are all of the same length, then the queues are partitioned into locations, of the same length as the messages, each location having an ordinal index in its queue, and the messages are enqueued so that each message of a particular flow is enqueued in a location with a different ordinal index.
Type: Grant
Filed: August 5, 1997
Date of Patent: September 21, 1999
Assignee: Ramot University Authority for Applied Research and Industrial Development Ltd.
Inventors: Yehuda Afek, Yishay Mansour, Zvi Ostfeld
-
Patent number: 5748901
Abstract: A constant space algorithm for rate based flow control in large computer networks. The switches in the network dynamically measure their unused link capacity, and signal sessions with higher rates to reduce their rates to that unused link capacity. Sessions with lower rates are allowed to increase their rates. This algorithm is suitable for both ATM networks and suitably modified TCP networks.
Type: Grant
Filed: May 21, 1996
Date of Patent: May 5, 1998
Assignee: Ramot University Authority Ltd.
Inventors: Yehuda Afek, Yishay Mansour, Zvi Ostfeld
-
Patent number: 5430868
Abstract: Memories which have new benign failure modes. The new failure modes are the omission-crash mode and the eventual-crash mode. Memories having either of these modes fail more benignly than memories having the omission failure mode, but unlike memories having the crash failure mode, memories with the novel failure modes may be used to construct gracefully-degrading fault tolerant objects. Implementations of memories with the new failure modes are disclosed, along with implementations of fault-tolerant objects made from memories with the new failure modes.
Type: Grant
Filed: September 23, 1993
Date of Patent: July 4, 1995
Assignee: AT&T Corp.
Inventors: Yehuda Afek, Michael J. Merritt, Gadi Taubenfeld