Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
  • Patent number: 11489916
    Abstract: Systems and methods are provided for submitting data in a computer network. An exemplary method includes: receiving a first request to process a first data at one or more data servers; determining whether the first data includes a plurality of first set of properties; generating a second data having a plurality of second set of properties; providing a plurality of rule sets for submitting the second data; analyzing the second data to determine which of the rule sets is applicable; selecting one or more applicable rules from the rule sets; generating a plurality of third data by applying the one or more applicable rules to the second data; identifying the one or more external sources to distribute the third data; and sending the third data to the one or more external sources.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: November 1, 2022
    Assignee: VEEVA SYSTEMS INC.
    Inventors: Marius K. Mortensen, Asaf Roll, Zhen Tan
  • Patent number: 11463417
    Abstract: There is provided an encryption processing method performed by an encryption processing apparatus. The encryption processing method comprises compressing data to obtain compressed data, determining, within the compressed data, a section to be encrypted and encrypting the section to obtain partially encrypted data.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: October 4, 2022
    Assignee: SAMSUNG SDS CO., LTD.
    Inventor: In Seon Yoo
  • Patent number: 11456997
    Abstract: A wireless input device includes an information receiving terminal and an information outputting terminal. The information receiving terminal generates a first-portion key. The information outputting terminal receives the first-portion key and generates a second-portion key. An original information is converted into an encrypted information by the information outputting terminal according to the first-portion key, the second-portion key and an encryption algorithm. The encrypted information and the second-portion key are transmitted from the information outputting terminal to the information receiving terminal. The encrypted information is restored to the original information by the information receiving terminal according to the first-portion key, the second-portion key and an encryption algorithm.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: September 27, 2022
    Assignee: PRIMAX ELECTRONICS LTD.
    Inventors: Huan-Hsun Cheng, Chih-Feng Chien
  • Patent number: 11443048
    Abstract: A system and method for generating content for an encrypted package is provided. A package may be received that includes one or more anti-tamper hash portions and encrypted data, where the encrypted data includes one or more procedural content generation instructions. A portion of the encrypted data including the one or more procedural content generation instructions may be decrypted and a data based on the execution of the one or more procedural content generation instructions and a corpus of data may be generated. The generated data may be encrypted and anti-tamper hashes may be generated based on the encrypted generated data. The generated anti-tamper hashes may be compared to the one or more anti-tamper hashes in the anti-tamper hash portion of the received package.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: September 13, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Simon Lee Cooke, Xin Huang
  • Patent number: 11429583
    Abstract: A system, that when operated, creates a database arrangement in a structured manner, wherein the database arrangement stores documents from at least one source, the system including a server arrangement and the database arrangement wherein the server arrangement: retrieves the documents from the at least one source; pre-processes the documents from the at least one source, wherein a given document is pre-processed based on source of the given document; associates a document identifier with each of the documents; extracts keywords from the documents; stores the documents in the database arrangement corresponding to the document identifiers associated therewith; and creates an index for the database arrangement, wherein the index includes document identifier listed corresponding to the extracted keywords.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: August 30, 2022
    Assignee: Innoplexus AG
    Inventor: Abhijit Keskar
  • Patent number: 11431476
    Abstract: A system for transmitting data is disclosed that includes a file distribution system operating on a processor that is configured to identify one or more files for distribution to a device, forward error correction data for the one or more files, and a cryptographic key associated with the device. A Merkle tree system operating on the processor is configured to receive the forward error correction data and to generate an encrypted root hash. A data transmission system operating on the processor is configured to transmit the one or more files and the encrypted root hash to a predetermined device.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: August 30, 2022
    Assignee: DELL PRODUCTS L.P.
    Inventors: Michael Emery Brown, Nagendra Varma Totakura, Marshal F. Savage
  • Patent number: 11425147
    Abstract: A method of executing in-session encryption verification includes receiving a plurality of client data packets for transmission through a network; receiving one or more test data packets for verifying an encryption device; merging the client data packets and the one or more test packets into a data stream; selecting security parameters for each packet in the data stream based on a corresponding packet type; encrypting each packet in the data stream using the encryption device and the corresponding security parameters; and transmitting the data stream comprising encrypted packets through the network. The method also includes decrypting the encrypted packets at a receiving system using congruent techniques.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: August 23, 2022
    Assignees: Oracle International Corporation, Infinera Corporation
    Inventors: Kannan Raj, Jagwinder Singh Brar, Abhinava Sadasivarao, Radhakrishna Valiveti, Sharfuddin Syed, Loukas Paraschis
  • Patent number: 11416624
    Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: August 16, 2022
    Assignee: Intel Corporation
    Inventors: David M. Durham, Michael LeMay, Ramya Jayaram Masti, Gilbert Neiger, Jason W. Brandt
  • Patent number: 11392368
    Abstract: The present invention makes it possible to reduce the volume of communication data necessary for updating the configuration of a circuit unit of a reconfigurable circuit device. In a vehicle control system 10 including an FPGA 3, the FPGA 3 includes a circuit unit including a reconfigurable circuit and a circuit SRAM that stores configuration information of the circuit unit. A transfer check unit that acquires a difference command regarding a change part of a circuit element in the circuit unit, and a data conversion unit 4 that updates the configuration information based on the difference command are provided. Further, in the vehicle control system 10, a non-volatile memory 6 that stores the configuration information to be stored in the circuit SRAM is further provided. The data conversion unit 4 may update the configuration information stored in the non-volatile memory 6 based on the difference command acquired by the transfer check unit.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: July 19, 2022
    Assignee: HITACHI ASTEMO, LTD.
    Inventors: Tetsuya Yamada, Tomohito Ebina, Kazuyoshi Serizawa, Hiromichi Ito, Hidetoshi Teraoka, Kohei Sakurai
  • Patent number: 11395329
    Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may identify a communication configuration for a bearer including a first link and a second link. The UE may identify packets for transmission, and each of the packets may be associated with a sequence number. The UE may receive a first grant of first uplink resources and a second grant of second uplink resources, and the UE may determine an association of the packets to the first uplink resources or the second uplink resources based on the sequence numbers of the packets and respective completion times of decoding processes associated with the first uplink resources and the second uplink resources. The UE may transmit the packets over the first uplink resources or the second uplink resources in accordance with the determined association of the packets to the first uplink resources or the second uplink resources.
    Type: Grant
    Filed: June 19, 2020
    Date of Patent: July 19, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Aditya Namjoshi, Chaehun Park, Harish Bhandiwad, Rajendra Chiguluri, Snehal Sanjeev Sonvane, Timothy Kong, Amogh Kashyap, Srivastav Reddy Atla, Bhanik Shah, Sitaramanjaneyulu Kanamarlapudi, Arnaud Meylan, Xinchen Zhang
  • Patent number: 11388597
    Abstract: Disclosed are systems and methods for authenticating a wireless module. A method comprises the steps of: (i) generating (1332), by the wireless module (112A), a first encryption value, and retrieving a unique identifier of the wireless module from memory; (ii) verifying (1334), by the wireless module, the generated first encryption value and retrieved unique identifier; (iii) sending (1336), by the wireless module, the retrieved unique identifier and a second encryption value to the gateway (110A); (iv) verifying (1338), by the gateway, the received unique identifier and second encryption value, wherein verifying the second encryption value authenticates the wireless module; (v) sending (1340), by the gateway, a third encryption value to the wireless module; and (vi) verifying (1342), by the wireless module, the received third encryption value, wherein verifying the third encryption value authenticates the gateway.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: July 12, 2022
    Assignee: SIGNIFY HOLDING B.V.
    Inventors: Zhizhong Zhang, Howard Que, Shuming Huang, Linchun Du, Junjun Zhang, Mark Henricus Verberkt
  • Patent number: 11388146
    Abstract: A proxy system is installed on a computing device that is in the network path between the device and the Internet. The proxy system, residing on the computing device, decrypts and inspects all traffic going in and out of the computing device.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: July 12, 2022
    Assignee: Bitglass, LLC
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik, Siva Saran Kumar Kollipara
  • Patent number: 11349945
    Abstract: Sender Policy Framework (SPF) is one of the most widely used methods of distinguishing electronic mail that is authorized by the purported sending domain from unauthorized mail. SPF policies are published into a domain's DNS and then looked up and evaluated by mail receivers. Due to the complexity and limitations of the SPF specification, implementation mistakes are widespread. This problem is compounded by the common practice of nesting SPF policies which introduces hidden risks, particularly exceeding DNS lookup limits. To address these issues, inline service provider designation may be configured to capture the benefits of existing techniques without their associated costs. Additionally, the domain owner may enjoy simplified SPF service provider onboarding and policy failover redundancy to protect against SPF service provider disruptions, thus improving policy availability uptime.
    Type: Grant
    Filed: October 18, 2021
    Date of Patent: May 31, 2022
    Assignee: Fraudmarc Inc.
    Inventors: Keith Wayne Coleman, Richard Duncan
  • Patent number: 11349699
    Abstract: Techniques are disclosed for improving user experience of multimedia streaming over computer networks. For example, a method for presenting multimedia content may generally include receiving a request to stream a media title. In response to the request, unencrypted content for the media title is streamed to a client. While streaming the unencrypted content, a digital rights management (DRM) license to access encrypted content for the media title is requested. After receiving the DRM license, the client switches from streaming the unencrypted content for the media title to streaming encrypted content for the media title. The switching from streaming the unencrypted content to streaming the encrypted content does not interrupt playback of the media title.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 31, 2022
    Assignee: NETFLIX, INC.
    Inventors: Mark Watson, Anthony Neal Park, Wei Wei
  • Patent number: 11343285
    Abstract: Techniques for providing multi-access edge computing (MEC) services security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) by parsing Application Programming Interfaces (APIs) are disclosed. In some embodiments, a system/process/computer program product for MEC services security in mobile networks by parsing APIs in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an API message associated with a new session, wherein the mobile network includes a 5G network or a converged 5G network that includes a multi-access edge computing (MEC) service; extracting mobile network identifier information from the API message at the security platform; and determining a security policy to apply at the security platform to the new session based on the mobile network identifier information.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: May 24, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11336456
    Abstract: A first apparatus comprises an error correction coding part that receives a message M to be transmitted to a second apparatus, performs coding using a predetermined error correction code, and outputs a codeword C; a message authentication tag generation part that receives the message M and outputs a predetermined message authentication tag T; and a transmission part that transmits the codeword C and the tag T as transmission information S to the second apparatus. The second apparatus receives a message M* to be verified and a tag T?, which are obtained from the transmission information S, and determines that the message M* to be verified has not been tampered with when a tag T* obtained from the message M* to be verified and the tag T? satisfy a predetermined identity criterion.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: May 17, 2022
    Assignee: NEC CORPORATION
    Inventor: Kazuhiko Minematsu
  • Patent number: 11303453
    Abstract: A method for communication between at least two communicating entities, a first communicating entity generating at least one data message comprising a payload and an authentication heading, the method including generating a context parameter including at least one datum representing the material configuration of the first entity; generating a security profile in the authentication heading, which defines the conditions of encoding the payload of the message and of generating a signature by an algorithm applied at least to the payload of the message; including the signature in the generated message; inserting a stored identifier of the first communication entity into the authentication heading; and inserting the safety profile into the payload or into the authentication heading.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: April 12, 2022
    Assignee: AIRBUS CYBERSECURITY SAS
    Inventor: Paul-Emmanuel Brun
  • Patent number: 11281777
    Abstract: A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, the browser engine is speaking to an analysis engine of the protection module.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: March 22, 2022
    Assignee: WEBROOT INC.
    Inventors: Joe Jaroch, Harry Murphey McCloy, III, Robert Edward Adams
  • Patent number: 11283958
    Abstract: An image forming apparatus includes an operation device coupled to the image forming apparatus and configured to accept an operation to the image forming apparatus. The image forming apparatus includes a memory including a first memory area configured to store a set value to be used by the image forming apparatus or the operation device. The image forming apparatus further includes circuitry configured to: accept an operation of writing or reading the set value; determine a type of a process to be performed on the set value; and perform the process in accordance with a determination result by the circuitry, to encrypt the set value and store the encrypted set value in the first memory area of the memory, write the set value to a second memory area in the memory, or read the set value from the second memory area.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: March 22, 2022
    Assignee: RICOH COMPANY, LTD.
    Inventor: Tatsuma Hirokawa
  • Patent number: 11258801
    Abstract: A smart hybrid acceleration method includes receiving a handshake request from a client terminal, and determining whether the handshake request contains a self-defined resource extension field. If not, a target domain name with which the client terminal is to connect is acquired from the handshake request, and whether to use a hardware acceleration or a software acceleration is determined according to a level of the target domain name. If so, a resource level of a resource accessed by the client terminal is determined according to content in the self-defined resource extension field, and whether to use the hardware acceleration or the software acceleration is determined according to the resource level.
    Type: Grant
    Filed: February 5, 2018
    Date of Patent: February 22, 2022
    Assignee: GUIZHOU BAISHANCLOUD TECHNOLOGY CO., LTD.
    Inventors: Yang Yang, Hui Miao
  • Patent number: 11240291
    Abstract: To share snips of content, content access rules of a content file can be parsed to identify an accessible range of the content file and an inaccessible range of the content file. In one example, content sharing includes receiving an identifier of a recipient for a content file, parsing content access rules for the recipient, to identify an accessible range of the content file, and presenting an indicator of the accessible range and an inaccessible range of the content file for the recipient. A user can then identify a selection of a snip of the accessible range of the content file in a user interface. In some cases, a copy of the snip of the content file, a link to the snip of the content file, or both can be generated and forwarded after the selection is identified.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: February 1, 2022
    Inventors: Pratik Jagad, Avanti Kenjalkar
  • Patent number: 11228642
    Abstract: Systems and methods are provided for submitting data in a computer network. An exemplary method includes: receiving a first request to process a first data at one or more data servers; determining whether the first data includes a plurality of first set of properties; generating a second data having a plurality of second set of properties; providing a plurality of rule sets for submitting the second data; analyzing the second data to determine which of the rule sets is applicable; selecting one or more applicable rules from the rule sets; generating a plurality of third data by applying the one or more applicable rules to the second data; identifying the one or more external sources to distribute the third data; and sending the third data to the one or more external sources.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: January 18, 2022
    Assignee: Veeva Systems Inc.
    Inventors: Marius K. Mortensen, Asaf Roll, Zhen Tan
  • Patent number: 11206244
    Abstract: A method and video decoder system using the method are provided for identifying video frames in an encoded or encrypted video stream without performing decoding or decryption. The method includes: receiving a video data stream comprised of a plurality of transport stream (TS) packets; detecting a first video frame in the video data stream, wherein detection of the first video frame includes registering a last checked position at the start of the video data stream, examining bytes in a next TS packet to identify a predetermined pattern indicating a network abstraction layer (NAL) unit, repeating the examining step until two TS packets have been identified that include an NAL unit, wherein the last checked position is updated after each examining step, and identifying a video frame based on a position of the NAL unit identified in the two TS packets; and repeating the detecting step for a plurality of additional video frames in the video data stream.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: December 21, 2021
    Assignee: ARRIS Enterprise LLC
    Inventors: Rafie Shamsaasef, Polly Tang, Kuang Ming Chen, William S. Watson
  • Patent number: 11171929
    Abstract: A computer system message generated by an application programming interface (API) or addressed to the API can be received. A first data sensitivity score for at least a first of a plurality of data elements in a payload of the computer system message and at least a second data sensitivity score for at least a second of the plurality of data elements in the payload of the computer system message can be determined. Based on the first data sensitivity score and at least the second data sensitivity score, a differential security can be applied to the computer system message. Applying the differential security can include masking the first of the plurality of data elements and not masking the second of the plurality of data elements. The computer system message can be electronically communicated to a destination to which the message is addressed.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: November 9, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anand Pikle, Amol Dhondse, Abhay Patra, Harish Bharti, Rajesh Kumar Saxena
  • Patent number: 11171995
    Abstract: A method includes monitoring an enterprise system to identify cryptographic techniques utilized by one or more components of the enterprise system, the one or more components comprising at least one of physical and virtual computing resources. The method also includes generating one or more profiles characterizing usage of at least a given one of the identified cryptographic techniques by at least a given one of the one or more components of the enterprise system and determining an effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system utilizing the generated one or more profiles. The method further includes identifying one or more remedial actions for mitigating the effect of cryptographic obsolescence of the given identified cryptographic technique on the enterprise system and initiating one or more of the identified remedial actions to modify a configuration of one or more components of the enterprise system.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: November 9, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Eric Young, Zulfikar A. Ramzan
  • Patent number: 11153286
    Abstract: An example method performed by one or more processing devices includes: generating encrypted content at a sender device using one or more first keys that are available from a key provider; and outputting the encrypted content to a recipient device over one or more channels; where the key provider enables access, following authorization, by the recipient device to one or more second keys for decrypting the encrypted content; and where an entity that enables the channel is unaffiliated with the key provider.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: October 19, 2021
    Assignee: BLUERISC, INC.
    Inventor: Csaba Andras Moritz
  • Patent number: 11121761
    Abstract: An origination device (e.g., a base station) combines and encodes first user data and second user data, having similar QoS requirements, to generate a multiuser packet. In some cases, the origination device dual-encodes the multiuser packet. The multiuser packet is transmitted to one or more signal forwarding devices that each serve at least one of the users associated with the data contained in the multiuser packet. The signal forwarding device decodes the multiuser packet to obtain the first and second user data. The signal forwarding device transmits at least one portion of the multiuser packet, as single-encoded signals, to one or more appropriate destination devices (e.g., UE devices).
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: September 14, 2021
    Assignee: Kyocera Corporation
    Inventor: Amit Kalhan
  • Patent number: 11070562
    Abstract: Techniques for implementing fine-grained access control in an IoT (Internet of Things) deployment are provided. In one set of embodiments, a gateway of the IoT deployment can create/maintain a device proxy pertaining to an IoT device and a persona in the IoT deployment, where the device proxy includes one or more access methods for accessing the IoT device, and where the one or more access methods reflect access rights that are deemed appropriate for the persona with respect to the IoT device. An application instance of the IoT deployment can receive a request from the persona to access the IoT device. Networking equipment interconnecting the application instance with the gateway can then automatically route, via one or more SDN micro-segmentation rules, the request to the device proxy for processing via the proxy's access methods.
    Type: Grant
    Filed: April 25, 2018
    Date of Patent: July 20, 2021
    Assignee: VMware, Inc.
    Inventors: Salim AbiEzzi, Greg Bollela
  • Patent number: 11057489
    Abstract: Embodiments of this disclosure provide a content deployment method and a delivery controller. The content deployment method includes: receiving, by a delivery controller, a content deployment request from an application server controller, where the content deployment request includes identification information of requested content and address information of an application server storing the requested content; and sending, by the delivery controller, a first deployment cache request to a first cache server, where the first deployment cache request includes the identification information of the requested content and the address information of the application server, and the first deployment cache request is used to request the first cache server to obtain the requested content from the application server and cache the requested content. With the content deployment method and the delivery controller in the embodiments of this disclosure, content deployment under control of a content provider can be implemented.
    Type: Grant
    Filed: October 11, 2019
    Date of Patent: July 6, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Renchao Xie, Junfeng Xie, Hualin Zhu, Tao Huang
  • Patent number: 11019044
    Abstract: A network appliance stores a session identifier that uniquely identifies a network communication session between a first device and the network appliance. A first communication is received from the first device over the network communication session. The network appliance also receives from a proxy tool, a second communication that includes a header specifying the session identifier and that includes data generated by the proxy in response to the first communication. The network appliance associates the first communication with the second communication using the session identifier. An encrypted representation of the data generated by the proxy is transmitted to a second device based on the association between the first communication and the second communication.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: May 25, 2021
    Assignee: Gigamon Inc.
    Inventors: Manish Pathak, Kishor Joshi, Murali Bommana
  • Patent number: 11005866
    Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.
    Type: Grant
    Filed: January 3, 2018
    Date of Patent: May 11, 2021
    Assignee: Vigilant IP Holdings LLC
    Inventors: Christopher M. Nyhuis, Michael Pananen
  • Patent number: 10999371
    Abstract: The embodiments provide request multiplexing whereby a server receiving a first request for content clones and issues the cloned request to an origin to initiate retrieval of the content. The first request and subsequent requests for the same content are placed in a queue. The server empties a receive buffer that is populated with packets of the requested content as the packets arrive from the origin by writing the packets directly to local storage without directly distributing packets from the receive buffer to any user. The rate at which the server empties the receive buffer is therefore independent of the rate at which any user receives the packets. A first set of packets written to local storage can then be simultaneously distributed to one or more queued requests as the server continues emptying the receive buffer and writing a second set of packets to local storage.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: May 4, 2021
    Assignee: Verizon Digital Media Services Inc.
    Inventors: Sergio Leonardo Ruiz, Derek Shiell
  • Patent number: 10963581
    Abstract: Disclosed are systems and methods to encrypt an image for secure image transmission and parallel decryption using resources from a networked environment. Upon reception of encrypted data from the mobile user, the data can be decrypted by transforming the data, decrypting the transformed data, and inverting the transformation. The decrypted data can be sent for storage in a cloud storage.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: March 30, 2021
    Assignee: Board of Regents, The University of Texas System
    Inventors: Peyman Najafirad, Mohan Muppidi, Sos Agaian, Mo Jamshidi
  • Patent number: 10904007
    Abstract: A method of providing a login to a website requested from a computing device, by a biometric information based authentication device which interworks with a control server, is provided. The method includes detecting a login request message transmitted from the computing device to a website server providing the website, extracting login session information from the login request message, outputting an authentication result with respect to received biometric information, and transmitting authentication information comprising the login session information and the authentication result to the control server. The login session information is transmitted from the control server to the website server to determine, by the website server, the login allowance of the website.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: January 26, 2021
    Assignee: KT Corporation
    Inventors: Tae-Gyun Kim, Daesung Cho, In-Soo Lee, Deok-Moon Chang
  • Patent number: 10897457
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing of data in an intermediary server. Data is received from an Internet of Things (IoT) enabled device. The data includes a readable header and an encrypted payload. An opaque algorithm is selected to process the payload, based on information contained in the header of the data. The selected opaque algorithm processes the encrypted payload of the data, wherein the opaque algorithm is invisible to the intermediary server. The processing includes: decrypting the encrypted payload, applying the opaque algorithm to the decrypted payload, and encrypting the results from processing the decrypted payload by the opaque algorithm. A new readable header is added to the encrypted results. The data, including the new readable header and the encrypted results, is forwarded to a different server, based on the information in the new readable header.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: January 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Hari H. Madduri
  • Patent number: 10891391
    Abstract: Disclosed embodiments provide techniques for accessing a document from a cloud storage system and controlling the display of sensitive data within the document based on user permissions. One or more restricted information segments are identified within a document to be stored on the cloud storage system. Restricted information segments can include anything within an electronic file for which it is desired to provide multiple levels of access. In some embodiments, the restricted information segments are automatically identified via computer-implemented natural language processing (NLP) techniques. For each restricted information segment, one or more alternative data sequences are generated. The alternative data sequences are encrypted using various keys residing on a client device associated with a user. The keys can be used to decrypt data stored within a multiple-value encrypted field structure.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: January 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Itai Gordon, Miriam Nizri, Ilan D. Prager
  • Patent number: 10892912
    Abstract: Methods and apparatus are provided for transmitting data over a network through a tunnel. In one embodiment, a method comprises obtaining data for transfer over a network from a sender to a receiver. At an operating system level, at least one packet is intercepted from the data that satisfies one or more configurable criteria. A tunnel is established from the sender to the receiver, wherein the tunnel selectively performs one or more of encryption, compression, and data deduplication of the intercepted packet. The intercepted packet is transmitted through the tunnel from the sender to the receiver. A handshake protocol optionally determines the presence of agents at the sender and receiver. The handshake protocol fails if agents are not present at both the sender and receiver, and the transfer is then carried out over a standard communication channel.
    Type: Grant
    Filed: July 13, 2016
    Date of Patent: January 12, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Andrey Pakhomov, Ivan Andreyev
  • Patent number: 10893030
    Abstract: Methods, systems, and computer readable media for implementing bandwidth limitations on specific application traffic at a proxy element are disclosed. One exemplary method includes receiving, at a proxy element, a packet flow from at least one source client, identifying encrypted packets associated with a specific application traffic type from among the packet flow, and directing the identified encrypted packets to a bandwidth limiter in the proxy element. The method further includes applying a bandwidth limitation operation to the identified encrypted packets and decrypting the identified encrypted packets if an accumulated amount of payload bytes of the identified encrypted packets complies with the parameters of the bandwidth limitation operation.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: January 12, 2021
    Assignee: KEYSIGHT TECHNOLOGIES, INC.
    Inventors: Gabriel Oprisan, Michael Paul Galime, Scott Walker Register
  • Patent number: 10783270
    Abstract: The technology disclosed teaches protecting sensitive data in the cloud via indexable databases. The method includes identifying sensitive fields of metadata for encryption and for hashing. The method also includes hashing at least partial values in the indexable sensitive fields to non-reversible hash values, concatenating the non-reversible hash values with the metadata for the network events, and encrypting the sensitive fields of metadata. Also included is sending the metadata for the network events, with the non-reversible hash values and the encrypted sensitive fields, to a remote database server that does not have a decryption key for the encrypted sensitive fields and that indexes the non-reversible hash values for indexed retrieval against the indexable sensitive fields.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: September 22, 2020
    Assignee: Netskope, Inc.
    Inventors: Ravi Ithal, Shaila Vasudev, Khurram Saqlain, Mahesh Gupta, Karan Mendiratta, Krishna Narayanaswamy
  • Patent number: 10778699
    Abstract: Localized and global detection and mitigation of network attacks in a distributed platform are provided. The localized detection identifies attacks occurring at individual nodes of the distributed platform based on packet analysis conducted by each individual node. The global detection identifies attacks occurring across the distributed platform based on packet analysis conducted on traffic aggregated from across the distributed platform. Either detection involves inspecting headers of the sampled packets. Each header property is scored based on an amount of deviation from threshold values. The sum of scores identifies the header properties that form an attack signature. Attack protections are implemented against subsequently arriving packets with header properties matching the attack signature.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: September 15, 2020
    Assignee: Verizon Digital Media Services Inc.
    Inventors: Christopher Bradley, Jayson G. Sakata
  • Patent number: 10776837
    Abstract: A taximeter for a vehicle, comprising a data interface for obtaining a signal indicative of the vehicle speed and/or distance traveled, preferably a speed pulse signal; a memory for storing tariff data linking taxi fare with vehicle speed, distance traveled and/or time elapsed; a processing unit for dynamically determining, utilizing the obtained signal and tariff data, stroke characteristics for the current situation in terms of dynamically determined stroke value and of dynamically determined stroke interval, and updating the accrued fare after each stroke utilizing the determined stroke characteristics; and a display for visualizing the accrued fare. A corresponding method is presented.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: September 15, 2020
    Assignee: Semel Oy
    Inventor: Tuomo Roivainen
  • Patent number: 10771843
    Abstract: A media distribution system and method with sample variants for normalized encryption involves encrypting a main track of a media content asset using a first encryption scheme and encrypting a sample variant track of the media content asset using a second encryption scheme, and performing at least one of: storing the encrypted main track and encrypted sample variant track of the media content asset packaged in a storage format, and transmitting the encrypted main track and the encrypted sample variant track in a distribution container format to an edge media router (EMR) device configured to repackage the media content asset into a delivery container format without reencrypting the media content asset.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: September 8, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Raj Nair, Prabhudev Navali, Mikhail Mikhailov, David Alexander, Pablo Argon
  • Patent number: 10764176
    Abstract: A method of configuring a forwarding element that includes several message processing stages. The method identifies a first processing stage that starts processing a first header field of a message and a second processing stage that is the last message processing stage that processes the first header field. The method configures a field of a packet header container to store the first header field from the beginning of the first message processing stage. The method identifies a second header field used in a third processing stage after the second processing stage. The method configures a set of circuitries in the data plane to initialize the container field after the end of the second processing stage. The method configures the field of the container to store the second header field of the message after the end of the second processing stage and before the start of the third processing stage.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: September 1, 2020
    Assignee: Barefoot Networks, Inc.
    Inventors: Michael E. Attig, Patrick Bosshart, Jay Evan Scott Peterson, Michael Gregory Ferrara
  • Patent number: 10757074
    Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: August 25, 2020
    Assignee: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Marc Joseph Benoit
  • Patent number: 10726147
    Abstract: Native file encryption support is integrated into an existing file system that does not provide such support, such as the FAT family of file systems, while maintaining backwards compatibility with previous implementations of these file systems.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: July 28, 2020
    Assignee: Microsoft Technology Licensing, LLC.
    Inventors: Darwin Ou-Yang, Peter Novotney, Ravinder Thind
  • Patent number: 10715451
    Abstract: Data processing apparatus includes a host processor and a network interface controller (NIC), which is configured to couple the host processor to a packet data network. A memory holds a flow state table containing context information with respect to computational operations to be performed on multiple packet flows conveyed between the host processor and the network. Acceleration logic is coupled to perform the computational operations on payloads of packets in the multiple packet flows using the context information in the flow state table.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: July 14, 2020
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Shachar Raindel, Shlomo Raikin, Liran Liss
  • Patent number: 10701049
    Abstract: Techniques for time-based network authentication challenges are disclosed. In some embodiments, a system, process, and/or computer program product for time-based network authentication challenges includes monitoring a session at a firewall to identify a user associated with the session, generating a timestamp for an authentication factor associated with the user after the user successfully authenticates for access to a resource based on an authentication profile, intercepting another request from the user for access to the resource at the firewall, and determining whether the timestamp for the authentication factor is expired based on the authentication profile.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: June 30, 2020
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ashwath Sreenivasa Murthy, Prabhakar M V B R Mangam, Shriram S. Jandhyala, Qiuming Li, Yongjie Yin
  • Patent number: 10678930
    Abstract: A computer-implemented method is provided herein of generating a file having a column-oriented layout and having a file header and a data block. The method includes a step of inserting length information of an encryption vector into the data block; a step of inserting the encryption vector into the data block; and a step of inserting data array of the encrypted column after referring to the encryption vector.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: June 9, 2020
    Assignee: LOGPRESO INC.
    Inventor: Bongyeol Yang
  • Patent number: 10635829
    Abstract: Artificial intelligence, big data, and crowd sourcing techniques are utilized to efficiently and effectively determine permissions that should be granted to a party within an organization. In one example, the permissions granted to a party within an organization are determined using one or more algorithms to identify, weight, and correlate historical and current permissions to party attributes for parties within the organization and/or for similar parties in similar organizations. In one example, the activity of the party within the organization is then monitored and the permissions granted the party are automatically modified as needed to allow the party to perform their tasks in the organization as the party's responsibilities within the organization evolve.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: April 28, 2020
    Assignee: Intuit Inc.
    Inventors: Xiaoyan Cindy Barker, Yi Zhang, Shankar A. Chittoor
  • Patent number: 10622071
    Abstract: Examples disclosed herein relate, in one aspect, to a method for searching an array of content addressable memory (CAM) devices, where each device stores a plurality of entries. The method may obtain a search key from a processor; search a first set of CAM devices in the array to determine whether the first set of CAM devices includes a matching entry corresponding to the search key; upon a determination that the first set of CAM devices does not include the matching entry, search a second set of CAM devices in the array to determine whether the second set of CAM devices includes the matching entry; and upon a determination that the first set of CAM devices includes the matching entry, output an address of the matching entry, without searching the second set of CAM devices.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: April 14, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: John A. Wickeraad