Rule swapping in a packet network

US 10,681,009 B2
Filed: 01/16/2020
Issued: 06/09/2020
Est. Priority Date: 01/11/2013
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

preprocessing, by a network protection device, a first rule set by performing operations on the first rule set, prior to the first rule set being implemented on the network protection device, to optimize performance of the network protection device;

configuring the network protection device to process packets in accordance with the preprocessed first rule set after preprocessing the first rule set;

receiving, a plurality of packets after configuring the network protection device to process packets in accordance with the preprocessed first rule set;

processing, by the network protection device, a first portion of the plurality of packets in accordance with the preprocessed first rule set;

preprocessing, by the network protection device, a second rule set by performing operations on the second rule set, prior to the second rule set being implemented on the network protection device, to optimize performance of the network protection device;

signaling the network protection device to process packets in accordance with the second rule set; and

responsive to the signaling;

ceasing processing of one or more packets by the network protection device;

caching the one or more packets;

reconfiguring the network protection device to process packets in accordance with the preprocessed second rule set;

signaling completion of reconfiguration to process packets in accordance with the preprocessed second rule set; and

responsive to signaling the completion of the reconfiguration, processing the one or more cached packets by the network protection device in accordance with the preprocessed second rule set,wherein the operations performed on the first rule set and the second rule set include at least one of;

merging two or more rules within the first rule set or the second rule set into one rule;

separating one or more rules within the first rule set or the second rule set into two or more rules;

orreordering one or more rules within the first rule set or the second rule set.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.

Citations

30 Claims

1. A method comprising:
- preprocessing, by a network protection device, a first rule set by performing operations on the first rule set, prior to the first rule set being implemented on the network protection device, to optimize performance of the network protection device;
  
  configuring the network protection device to process packets in accordance with the preprocessed first rule set after preprocessing the first rule set;
  
  receiving, a plurality of packets after configuring the network protection device to process packets in accordance with the preprocessed first rule set;
  
  processing, by the network protection device, a first portion of the plurality of packets in accordance with the preprocessed first rule set;
  
  preprocessing, by the network protection device, a second rule set by performing operations on the second rule set, prior to the second rule set being implemented on the network protection device, to optimize performance of the network protection device;
  
  signaling the network protection device to process packets in accordance with the second rule set; and
  
  responsive to the signaling;
  
  ceasing processing of one or more packets by the network protection device;
  
  caching the one or more packets;
  
  reconfiguring the network protection device to process packets in accordance with the preprocessed second rule set;
  
  signaling completion of reconfiguration to process packets in accordance with the preprocessed second rule set; and
  
  responsive to signaling the completion of the reconfiguration, processing the one or more cached packets by the network protection device in accordance with the preprocessed second rule set,wherein the operations performed on the first rule set and the second rule set include at least one of;
  
  merging two or more rules within the first rule set or the second rule set into one rule;
  
  separating one or more rules within the first rule set or the second rule set into two or more rules;
  
  orreordering one or more rules within the first rule set or the second rule set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - receiving the second rule set after configuring the network protection device to process packets in accordance with the preprocessed first rule set and after processing the first portion of the plurality of packets in accordance with the preprocessed first rule set.
  - 3. The method of claim 1, wherein the first rule set is preprocessed prior to the network protection device processing any packets in accordance with the first rule set.
  - 4. The method of claim 3, wherein the second rule set is preprocessed prior to the network protection device processing any packets in accordance with the second rule set.
  - 5. The method of claim 1, further comprising:
    - storing, by the network protection device, configuration information for processing packets in accordance with the preprocessed first rule set;
      
      reconfiguring, after processing the one or more cached packets in accordance with the preprocessed second rule set, the network protection device to process packets in accordance with the preprocessed first rule set based on the stored configuration information; and
      
      processing, by the network protection device and after the reconfiguring of the network protection device to process packets in accordance with the preprocessed first rule set, a second portion of the plurality of packets in accordance with the preprocessed first rule set.
  - 6. The method of claim 1, further comprising:
    - storing, by the network protection device, the preprocessed first rule set in a memory buffer; and
      
      dynamically adjusting, by the network protection device, a size of the memory buffer based on a size of the preprocessed first rule set.
  - 7. The method of claim 6, further comprising:
    - storing, by the network protection device, the preprocessed second rule set in the memory buffer; and
      
      dynamically adjusting, by the network protection device, the size of the memory buffer based on at least one of a size of the preprocessed first rule set and a size of the preprocessed second rule set.
  - 8. The method of claim 1, wherein signaling the network protection device to process packets in accordance with the second rule set further comprises:
    - receiving, by the network protection device, a message invoking the preprocessed second rule set.
  - 9. The method of claim 1, wherein signaling the network protection device to process packets in accordance with the second rule set is based on one or more detected network conditions indicating a network attack.
  - 10. The method of claim 1, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - forwarding the first portion of the plurality of packets associated with a first set of network addresses.
  - 11. The method of claim 1, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - dropping the first portion of the plurality of packets associated with a first set of network addresses.
  - 12. The method of claim 1, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - transforming the first portion of the plurality of packets.
  - 13. The method of claim 1, wherein the operations performed on the first rule set and the second rule set comprise reordering one or more rules within the first rule set or the second rule set.

14. A network protection device comprising:
- at least one processor; and
  
  memory comprising instructions that, when executed by the at least one processor, cause the network protection device to;
  
  preprocess a first rule set by performing operations on the first rule set, prior to the first rule set being implemented on the network protection device, to optimize performance of the network protection device;
  
  configure the at least one processor to process packets in accordance with the preprocessed first rule set after preprocessing the first rule set;
  
  receive a plurality of packets after configuring of the at least one processor to process packets in accordance with the preprocessed first rule set;
  
  process a first portion of the plurality of packets in accordance with the preprocessed first rule set;
  
  preprocess a second rule set by performing operations on the second rule set, prior to the second rule set being implemented on the network protection device, to optimize performance of the network protection device;
  
  signal the at least one processor to process packets in accordance with the second rule set; and
  
  responsive to the signaling;
  
  cease processing of one or more packets;
  
  cache the one or more packets;
  
  reconfigure the at least one processor to process packets in accordance with the preprocessed second rule set; and
  
  process the one or more cached packets in accordance with the preprocessed second rule setwherein the operations performed on the first rule set and the second rule set include at least one of;
  
  merging two or more rules within the first rule set or the second rule set into one rule;
  
  separating one or more rules within the first rule set or the second rule set into two or more rules;
  
  orreordering one or more rules within the first rule set or the second rule set.
- View Dependent Claims (15, 16, 17)
- - 15. The network protection device of claim 14, further comprising instructions to cause the network device to:
    - receive the second rule set after configuring the at least one processor to process packets in accordance with the preprocessed first rule set and after processing the first portion of the plurality of packets in accordance with the preprocessed first rule set.
  - 16. The network protection device of claim 14, wherein the first rule set is preprocessed prior to the network protection device processing any packets in accordance with the first rule set.
  - 17. The network protection device of claim 16, wherein the second rule set is preprocessed prior to the network protection device processing any packets in accordance with the second rule set.

18. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to:
- preprocess a first rule set by performing operations on the first rule set, prior to the first rule set being implemented on a network protection device, to optimize performance of the network protection device;
  
  configure the one or more processors to process packets in accordance with the preprocessed first rule set;
  
  receive a plurality of packets after configuring of the at least one processor to process packets in accordance with the preprocessed first rule set;
  
  process a first portion of the plurality of packets in accordance with the preprocessed first rule set;
  
  preprocess a second rule set by performing operations on the second rule set, prior to the second rule set being implemented on the network protection device, to optimize performance of the network protection device;
  
  signal the one or more processors to process packets in accordance with the second rule set;
  
  cease processing of one or more packets;
  
  cache the one or more packets;
  
  reconfigure the one or more processors to process packets in accordance with the preprocessed second rule set; and
  
  process the one or more cached packets in accordance with the preprocessed second rule set,wherein the operations performed on the first rule set and the second rule set include at least one of;
  
  merging two or more rules within the first rule set or the second rule set into one rule;
  
  separating one or more rules within the first rule set or the second rule set into two or more rules;
  
  orreordering one or more rules within the first rule set or the second rule set;
  
  configure the one or more processors to process packets in accordance with the first rule set.
- View Dependent Claims (19, 20, 21)
- - 19. The one or more non-transitory computer-readable media of claim 18, further comprising instructions that cause the computing system to:
    - receive the second rule set after configuring the one or more processors to process packets in accordance with the preprocessed first rule set and after processing the first portion of the plurality of packets in accordance with the preprocessed first rule set.
  - 20. The one or more non-transitory computer-readable media of claim 18, wherein the first rule set is preprocessed prior to the network protection device processing any packets in accordance with the first rule set.
  - 21. The one or more non-transitory computer-readable media of claim 20, wherein the second rule set is preprocessed prior to the network protection device processing any packets in accordance with the second rule set.

22. A method comprising:
- preprocessing, by a network protection device, both a first rule set and a second rule set by performing operations on the first rule set and the second rule set, prior to the first rule set and the second rule set being implemented on the network protection device, to optimize performance of the network protection device, wherein the operations performed on the first rule set and the second rule set include at least one of;
  
  merging two or more rules within the first rule set or the second rule set into one rule;
  
  separating one or more rules within the first rule set or the second rule set into two or more rules;
  
  orreordering one or more rules within the first rule set or the second rule set;
  
  configuring the network protection device to process packets in accordance with the preprocessed first rule set after preprocessing the first rule set and the second rule set;
  
  receiving, a plurality of packets after configuring the network protection device to process packets in accordance with the preprocessed first rule set;
  
  processing, by the network protection device, a first portion of the plurality of packets in accordance with the preprocessed first rule set;
  
  signaling the network protection device to process packets in accordance with the second rule set; and
  
  responsive to the signaling;
  
  ceasing processing of one or more packets by the network protection device;
  
  caching the one or more packets;
  
  reconfiguring the network protection device to process packets in accordance with the preprocessed second rule set;
  
  signaling completion of reconfiguration to process packets in accordance with the preprocessed second rule set; and
  
  responsive to signaling the completion of the reconfiguration, processing the one or more cached packets by the network protection device in accordance with the preprocessed second rule set.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The method of claim 22, wherein the first rule set and the second rule set are preprocessed prior to the network protection device processing any packets in accordance with either the first rule set or the second rule set.
  - 24. The method of claim 22, further comprising:
    - storing, by the network protection device, configuration information for processing packets in accordance with the preprocessed first rule set;
      
      reconfiguring, after processing the one or more cached packets in accordance with the preprocessed second rule set, the network protection device to process packets in accordance with the preprocessed first rule set based on the stored configuration information; and
      
      processing, by the network protection device and after the reconfiguring of the network protection device to process packets in accordance with the preprocessed first rule set, a second portion of the plurality of packets in accordance with the preprocessed first rule set.
  - 25. The method of claim 22, further comprising:
    - storing, by the network protection device, at least one of the preprocessed first rule set and the preprocessed second rule set in a memory buffer; and
      
      dynamically adjusting, by the network protection device, a size of the memory buffer based on at least one of a size of the preprocessed first rule set and a size of the preprocessed second rule set.
  - 26. The method of claim 22, wherein signaling the network protection device to process packets in accordance with the second rule set further comprises:
    - receiving, by the network protection device, a message invoking the preprocessed second rule set.
  - 27. The method of claim 22, wherein signaling the network protection device to process packets in accordance with the second rule set is based on one or more detected network conditions indicating a network attack.
  - 28. The method of claim 22, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - forwarding the first portion of the plurality of packets associated with a first set of network addresses.
  - 29. The method of claim 22, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - dropping the first portion of the plurality of packets associated with a first set of network addresses.
  - 30. The method of claim 22, wherein processing the first portion of the plurality of packets in accordance with the preprocessed first rule set comprises:
    - transforming the first portion of the plurality of packets.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Rogers, Steven, Moore, Sean
Primary Examiner(s)
Pyzocha, Michael

Application Number

US16/744,341
Publication Number

US 20200153795A1
Time in Patent Office

145 Days
Field of Search
US Class Current
CPC Class Codes

G06N 5/02   Knowledge representation; S...

H04L 41/16   using machine learning or a...

H04L 63/0263   Rule management

Rule swapping in a packet network

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Rule swapping in a packet network

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links