Rule swapping in a packet network

DC CAFC

US 9,203,806 B2
Filed: 01/11/2013
Issued: 12/01/2015
Est. Priority Date: 01/11/2013
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

receiving, by a network protection device, a first rule set and a second rule set;

preprocessing, by the network protection device, the first rule set and the second rule set to optimize performance of the network protection device for processing packets in accordance with at least one of the first rule set or the second rule set;

configuring at least two processors of the network protection device to process packets in accordance with the first rule set;

after the preprocessing and the configuring, receiving, by the network protection device, a plurality of packets;

processing, by the network protection device and in accordance with the first rule set, a portion of the plurality of packets;

signaling, each processor of the at least two processors, to process packets in accordance with the second rule set; and

configuring, each processor of the at least two processors, to responsive to the signaling to process packets in accordance with the second rule set;

cease processing of one or more packets;

cache the one or more packets;

reconfigure to process packets in accordance with the second rule set;

signal completion of reconfiguration to process packets in accordance with the second rule set; and

responsive to receiving signaling that each other processor of the at least two processors has completed reconfiguration to process packets in accordance with the second rule set, process, in accordance with the second rule set, the one or more packets.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.

64 Citations

View as Search Results

24 Claims

1. A method comprising:
- receiving, by a network protection device, a first rule set and a second rule set;
  
  preprocessing, by the network protection device, the first rule set and the second rule set to optimize performance of the network protection device for processing packets in accordance with at least one of the first rule set or the second rule set;
  
  configuring at least two processors of the network protection device to process packets in accordance with the first rule set;
  
  after the preprocessing and the configuring, receiving, by the network protection device, a plurality of packets;
  
  processing, by the network protection device and in accordance with the first rule set, a portion of the plurality of packets;
  
  signaling, each processor of the at least two processors, to process packets in accordance with the second rule set; and
  
  configuring, each processor of the at least two processors, to responsive to the signaling to process packets in accordance with the second rule set;
  
  cease processing of one or more packets;
  
  cache the one or more packets;
  
  reconfigure to process packets in accordance with the second rule set;
  
  signal completion of reconfiguration to process packets in accordance with the second rule set; and
  
  responsive to receiving signaling that each other processor of the at least two processors has completed reconfiguration to process packets in accordance with the second rule set, process, in accordance with the second rule set, the one or more packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising:
    - storing, by the network protection device, configuration information for processing packets in accordance with the first rule set;
      
      utilizing, by the network protection device, the configuration information to reconfigure to process packets in accordance with the first rule set; and
      
      after the utilizing, processing, by the network protection device and in accordance with the first rule set, an additional portion of the plurality of packets.
  - 3. The method of claim 1, comprising:
    - storing, by the network protection device, the first rule set and the second rule set in a memory buffer; and
      
      dynamically adjusting, by the network protection device and based on at least one of a size of the first rule set or a size of the second rule set, a size of the memory buffer.
  - 4. The method of claim 1, wherein the signaling to process packets in accordance with the second rule set is performed in response to the network protection device receiving a message invoking the second rule set.
  - 5. The method of claim 1, wherein the signaling to process packets in accordance with the second rule set is performed in response to one or more detected network conditions indicating a network attack.
  - 6. The method of claim 1, wherein the preprocessing comprises merging two or more rules included in at least one of the first rule set or the second rule set into a single rule.
  - 7. The method of claim 1, wherein the preprocessing comprises separating a rule included in at least one of the first rule set or the second rule set into two or more rules.
  - 8. The method of claim 1, wherein the preprocessing comprises reordering one or more rules included in at least one of the first rule set or the second rule set.

9. A system comprising:
- a plurality of processors; and
  
  a memory comprising instructions that when executed by at least one processor of the plurality of processors cause the system to;
  
  receive a first rule set and a second rule set;
  
  preprocess the first rule set and the second rule set to optimize performance of the system for processing packets in accordance with at least one of the first rule set or the second rule set;
  
  configure at least two processors of the plurality of processors to process packets in accordance with the first rule set;
  
  after preprocessing the first rule set and the second rule set and configuring the at least two processors to process packets in accordance with the first rule set, receive a plurality of packets;
  
  process, in accordance with the first rule set, a portion of the plurality of packets;
  
  signal, each processor of the at least two processors, to process packets in accordance with the second rule set; and
  
  configure, each processor of the at least two processors to, responsive to being signaled to process packets in accordance with the second rule set;
  
  cease processing of one or more packets;
  
  cache the one or more packets;
  
  reconfigure to process packets in accordance with the second rule set;
  
  signal completion of reconfiguration to process packets in accordance with the second rule set; and
  
  responsive to receiving signaling that each other processor of the at least two processors has completed reconfiguration to process packets in accordance with the second rule set, process, in accordance with the second rule set, the one or more packets.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to:
    - store configuration information for processing packets in accordance with the first rule set;
      
      utilize the configuration information to reconfigure to process packets in accordance with the first rule set; and
      
      after utilizing the configuration information to reconfigure to process packets in accordance with the first rule set, process, in accordance with the first rule set, an additional portion of the plurality of packets.
  - 11. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to:
    - store the first rule set and the second rule set in a memory buffer; and
      
      dynamically adjust, based on at least one of a size of the first rule set or a size of the second rule set, a size of the memory buffer.
  - 12. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to signal to process packets in accordance with the second rule set in response to the system receiving a message invoking the second rule set.
  - 13. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to signal to process packets in accordance with the second rule set in response to one or more detected network conditions indicating a network attack.
  - 14. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, merge two or more rules included in at least one of the first rule set or the second rule set into a single rule.
  - 15. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, separate a rule included in at least one of the first rule set or the second rule set into two or more rules.
  - 16. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, reorder one or more rules included in at least one of the first rule set or the second rule set.

17. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- receive a first rule set and a second rule set;
  
  preprocess the first rule set and the second rule set to optimize performance of the computing system for processing packets in accordance with at least one of the first rule set or the second rule set;
  
  configure at least two processors of the computing system to process packets in accordance with the first rule set;
  
  after preprocessing the first rule set and the second rule set and configuring the at least two processors to process packets in accordance with the first rule set, receive a plurality of packets;
  
  process, in accordance with the first rule set, a portion of the plurality of packets;
  
  signal, each processor of the at least two processors, to process packets in accordance with the second rule set; and
  
  configure, each processor of the at least two processors to, responsive to being signaled to process packets in accordance with the second rule set;
  
  cease processing of one or more packets;
  
  cache the one or more packets;
  
  reconfigure to process packets in accordance with the second rule set;
  
  signal completion of reconfiguration to process packets in accordance with the second rule set; and
  
  responsive to receiving signaling that each other processor of the at least two processors has completed reconfiguration to process packets in accordance with the second rule set, process, in accordance with the second rule set, the one or more packets.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to:
    - store configuration information for processing packets in accordance with the first rule set;
      
      utilize the configuration information to reconfigure to process packets in accordance with the first rule set; and
      
      after utilizing the configuration information to reconfigure to process packets in accordance with the first rule set, process, in accordance with the first rule set, an additional portion of the plurality of packets.
  - 19. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to:
    - store the first rule set and the second rule set in a memory buffer; and
      
      dynamically adjust, based on at least one of a size of the first rule set or a size of the second rule set, a size of the memory buffer.
  - 20. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to signal to process packets in accordance with the second rule set in response to the computing system receiving a message invoking the second rule set.
  - 21. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to signal to process packets in accordance with the second rule set in response to one or more detected network conditions indicating a network attack.
  - 22. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, merge two or more rules included in at least one of the first rule set or the second rule set into a single rule.
  - 23. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, separate a rule included in at least one of the first rule set or the second rule set into two or more rules.
  - 24. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the computing system, cause the computing system to, prior to configuring the at least two processors to process packets in accordance with the first rule set, reorder one or more rules included in at least one of the first rule set or the second rule set.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Rogers, Steven, Moore, Sean
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/739,178
Publication Number

US 20140201123A1
Time in Patent Office

1,054 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 5/02   Knowledge representation; S...

H04L 41/16   using machine learning or a...

H04L 63/0263   Rule management

Rule swapping in a packet network

First Claim

4 Assignments

Litigations

0 Petitions

Accused Products

Abstract

64 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Rule swapping in a packet network

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links