Patents by Inventor Yehuda Afek

Yehuda Afek has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8909813
    Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.
    Type: Grant
    Filed: March 20, 2012
    Date of Patent: December 9, 2014
    Assignees: Ramot at Tel-Aviv University Ltd., Interdisciplinary Center Herzliya
    Inventors: Yehuda Afek, Anat Bremler-Barr, Yaron Koral
  • Publication number: 20120243551
    Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.
    Type: Application
    Filed: March 20, 2012
    Publication date: September 27, 2012
    Applicants: INTERDISCIPLINARY CENTER HERZLIYA, RAMOT AT TEL AVIV UNIVERSITY LTD.
    Inventors: Yehuda Afek, Anat Bremler-Barr, Yaron Koral
  • Patent number: 7707305
    Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.
    Type: Grant
    Filed: August 14, 2001
    Date of Patent: April 27, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Yehuda Afek, Anat Bremler-Barr, Dan Touitou
  • Patent number: 7342929
    Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.
    Type: Grant
    Filed: April 26, 2002
    Date of Patent: March 11, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Anat Bremler-Barr, Dan Touitou, Keren Horvitz, Rephael Tzadikario, Yehuda Afek
  • Patent number: 7313815
    Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
    Type: Grant
    Filed: September 17, 2004
    Date of Patent: December 25, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
  • Publication number: 20060212572
    Abstract: A method for screening packet-based communication traffic. At least a first data packet, sent over a network from a source address to a destination address, is received. A determination is made, by analyzing the first data packet, that the first data packet was generated by a worm. In response to the determination, a second data packet sent over the network from the source address is blocked.
    Type: Application
    Filed: July 14, 2005
    Publication date: September 21, 2006
    Inventors: Yehuda Afek, Rafi Zadikario, Dan Touitou, Anat Bremler Bar
  • Patent number: 6907525
    Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: June 14, 2005
    Assignee: Riverhead Networks Inc.
    Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
  • Patent number: 6876655
    Abstract: A method of routing a data packet from a forwarding router to a downstream router. The data packet header includes an address that includes a bit string. The forwarding router looks up, in a forwarding database, a prefix that best matches the bit string. The forwarding router then attaches to the data packet a clue that is related to the best matching prefix, and forwards the data packet to the downstream router. The downstream router looks up, in a downstream database, and with reference to the clue, another prefix that best matches the bit string. Because the databases of neighboring routers are similar, the clue either directly determines the best matching prefix at the downstream router or provides the downstream router with a good starting point for its lookup.
    Type: Grant
    Filed: April 20, 2000
    Date of Patent: April 5, 2005
    Assignee: Ramot at Tel Aviv University Ltd.
    Inventors: Yehuda Afek, Anat Bremler-Barr, Sariel Har-Peled
  • Publication number: 20050044352
    Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
    Type: Application
    Filed: September 17, 2004
    Publication date: February 24, 2005
    Applicant: Riverhead Networks, Inc.
    Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
  • Patent number: 6633860
    Abstract: A simple and fast algorithm for multi-dimensional packet classification by solving the best matching filter problem. The substantial part of the algorithm includes the search of filters being concurrently stabbed by the packet using a KD-tree data structure. Another aspect of the present invention includes the classification of the packet according to its destination address using a second data-structure which preferably consists of a one dimensional segment tree. In a preferred embodiment of the present invention, the packet is first classified according to its protocol type, then the packet is classified according to its destination address using a one dimensional segment tree data structure, and finally, a 6 dimension KD-tree is used to find the filters being stabbed by the remaining 3 parameters of the packet. Among the filters, which comply with the packet, the filter which applies to the packet is the filter with the highest pre-determined priority.
    Type: Grant
    Filed: April 14, 2000
    Date of Patent: October 14, 2003
    Assignee: Ramot At Tel Aviv University Ltd.
    Inventors: Yehuda Afek, Anat Bremler, Sariel Har-Peled
  • Publication number: 20030076848
    Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.
    Type: Application
    Filed: April 26, 2002
    Publication date: April 24, 2003
    Inventors: Anat Bremler-Barr, Dan Touitou, Keren Horvitz, Rephael Tzadikario, Yehuda Afek
  • Publication number: 20030070096
    Abstract: A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is received from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
    Type: Application
    Filed: September 20, 2002
    Publication date: April 10, 2003
    Applicant: Riverhead Networks Inc.
    Inventors: Guy Pazi, Dan Touitou, Alon Golan, Yehuda Afek
  • Publication number: 20020083175
    Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.
    Type: Application
    Filed: August 14, 2001
    Publication date: June 27, 2002
    Applicant: WANWALL, INC. (a Delaware Corporation)
    Inventors: Yehuda Afek, Anat Bremler-Barr, Dan Touitou
  • Patent number: 5956340
    Abstract: A method for multiplexing the buffer space used to store messages of backlogged flows at the output port of a switch. The buffer space is partitioned among queues of variable length, with the first queue long enough to accommodate the largest expected backlog, the second queue long enough to accommodate the second-largest expected backlog, etc. Messages are dequeued from the queues for transmission in Round-Robin order. Incoming messages are enqueued in a manner that guarantees that messages of heavily backlogged flows tend to be enqueued in the longer queues, while preserving FIFO message order. If the messages are all of the same length, then the queues are partitioned into locations, of the same length as the messages, each location having an ordinal index in its queue, and the messages are enqueued so that each message of a particular flow is enqueued in a location with a different ordinal index.
    Type: Grant
    Filed: August 5, 1997
    Date of Patent: September 21, 1999
    Assignee: Ramot University Authority for Applied Research and Industrial Development Ltd.
    Inventors: Yehuda Afek, Yishay Mansour, Zvi Ostfeld
  • Patent number: 5748901
    Abstract: A constant space algorithm for rate based flow control in large computer networks. The switches in the network dynamically measure their unused link capacity, and signal sessions with higher rates to reduce their rates to that unused link capacity. Sessions with lower rates are allowed to increase their rates. This algorithm is suitable for both ATM networks and suitably modified TCP networks.
    Type: Grant
    Filed: May 21, 1996
    Date of Patent: May 5, 1998
    Assignee: Ramot University Authority Ltd.
    Inventors: Yehuda Afek, Yishay Mansour, Zvi Ostfeld
  • Patent number: 5430868
    Abstract: Memories which have new benign failure modes. The new failure modes are the omission-crash mode and the eventual-crash mode. Memories having either of these modes fail more benignly than memories having the omission failure mode, but unlike memories having the crash failure mode, memories with the novel failure modes may be used to construct gracefully-degrading fault tolerant objects. Implementations of memories with the new failure modes are disclosed, along with implementations of fault-tolerant objects made from memories with the new failure modes.
    Type: Grant
    Filed: September 23, 1993
    Date of Patent: July 4, 1995
    Assignee: AT&T Corp.
    Inventors: Yehuda Afek, Michael J. Merritt, Gadi Taubenfeld