Multi-level packet screening with dynamically selected filtering criteria
First Claim
1. A packet filtering device, comprising:
- a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and
a second filter, by-passed by the first pass traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion;
wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic.
10 Assignments
0 Petitions
Accused Products
Abstract
A packet filtering operation implements a hierarchical technique. Received packet traffic is first filtered with a first filtering criteria. This first filtering action generates a first pass traffic portion and a fail traffic portion from the received packet traffic. The fail traffic portion is then second filtered with a second filtering criteria. This second filtering action generates a second pass traffic portion and a reject traffic portion. The first filtering criteria provide for higher throughput, lower accuracy processing while the second filtering criteria provide for lower throughput, higher accuracy processing. Dynamic adjustments may be made to the first and second filtering criteria to achieve better overall packet filtering performance. For example, load is measured and the filtering criteria adjusted to better balance load between the hierarchical filtering actions.
-
Citations
75 Claims
-
1. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and a second filter, by-passed by the first pass traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion, a fail traffic portion and a first reject traffic portion; and a second filter, by-passed by the first pass traffic portion and the first reject traffic portion, applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a second reject traffic portion. - View Dependent Claims (7, 8, 9, 10, 11, 12)
-
-
13. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; and a load detector operable to dynamically select the first and second filtering criteria during first and second filter operation on the packet traffic based on measured load. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 74)
-
-
30. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; wherein the first and second filtering criteria are dynamically selected during first and second filter operation to filter packet traffic. - View Dependent Claims (38, 40, 42, 43, 44)
-
-
31. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and a load balancer operable to adjust the relative throughputs and accuracies of the first and second filtering criteria to balance load therebetween. - View Dependent Claims (32, 33, 34, 35, 36, 37)
-
-
39. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; and a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and a functionality operable to adjust a complexity of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies so as to better balance load between the first and second filters.
-
-
41. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion and a second filter, by-passed by the first pass traffic portion, applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and a functionality operable to adjust a comprehensiveness of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies so to better balance load between the first and second filters.
-
-
45. A method for hierarchical filtering of packet traffic, comprising the steps of:
-
first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion; second filtering the fail traffic portion, but not the first pass traffic portion, with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion; and dynamically selecting the first and second filtering criteria during first and second filtering to filter packet traffic. - View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 57, 58, 59, 60, 61, 62, 75)
-
-
55. A method for hierarchical filtering of packet traffic, comprising the steps of:
-
first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion; second filtering the fail traffic portion, but not the first pass traffic portion, with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion wherein; the step of first filtering includes the step of applying higher throughput, lower accuracy filtering criteria against the packet traffic and the step of second filtering includes the step of applying lower throughput, higher accuracy filtering criteria against the fail traffic portion and further including the step of balancing load between the first and second filtering steps by adjusting the relative throughputs and accuracies of the first and second filtering criteria. - View Dependent Claims (56)
-
-
63. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; a load detector operable to detect an imbalance in load between the first and second filters and dynamically change the first and second filtering criteria during operation of the first and second filters in filtering packet traffic based on measured load to better balance load between the first and second filters. - View Dependent Claims (64)
-
-
65. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; a second filter applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and a functionality operable to adjust a complexity of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies, wherein the functionality makes the complexity adjustments to better balance load between the first and second filters.
-
-
66. A packet filtering device, comprising:
-
a first filter applying higher throughput, lower accuracy filtering criteria against packet traffic to generate a first pass traffic portion and a suspicious traffic portion; a second filter applying a lower throughput, higher accuracy filtering criteria against the suspicious traffic portion to generate a second pass traffic portion and a reject traffic portion; and a functionality operable to adjust a comprehensiveness of the filtering criteria applied by the first and second filters to alter the relative throughputs and accuracies, wherein the functionality makes the comprehensiveness adjustments to better balance load between the first and second filters.
-
-
67. A packet filtering device, comprising:
-
a first filter including a first plurality of filter modules, each filter module having associated first filtering criteria; a second filter including a second plurality of filter modules, each filter module having associated second filtering criteria; and a generator module operating to select at least one of the first plurality of filter modules and at least one of the second plurality of filter modules; the associated first filtering criteria of the selected first plurality of filter modules being applied against packet traffic to generate a first pass traffic portion and a fail traffic portion; and the associated second filtering criteria of the selected second plurality of filter modules being applied against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; and wherein the generator module operates to dynamically select the first and second plurality of filtering modules during first and second filter operation in filtering packet traffic based on measured load at each filter so as to balance load between the first and second filters.
-
-
68. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion and a fail traffic portion; and a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a reject traffic portion; wherein the first and second filtering criteria are dynamically selected during operation of the first and second filters in filtering packet traffic. - View Dependent Claims (69)
-
-
70. A packet filtering device, comprising:
-
a first filter applying a first filtering criteria against packet traffic to generate a first pass traffic portion, a fail traffic portion and a first reject traffic portion; and a second filter applying a second filtering criteria against the fail traffic portion to generate a second pass traffic portion and a second reject traffic portion; wherein the first and second filtering criteria are dynamically selected during operation of the first and second filters in filtering packet traffic. - View Dependent Claims (71)
-
-
72. A method for hierarchical filtering of packet traffic, comprising the steps of:
-
first filtering the packet traffic with a first filtering criteria to generate a first pass traffic portion and a fail traffic portion; and second filtering the fail traffic portion with a second filtering criteria to generate a second pass traffic portion and a reject traffic portion; wherein the first and second filtering criteria are dynamically selected during implementation of the steps of first and second filtering of the packet traffic. - View Dependent Claims (73)
-
Specification