Apparatus and method for selective mirroring
    1.
    Granted invention patent
    Status: Lapsed

    Publication number: US07882554B2

    Publication date: 2011-02-01

    Application number: US11483196

    Filing date: 2006-07-07

    Applicant: Rony Kay

    Inventor: Rony Kay

    CPC classification number: H04L63/1416 H04L63/0236 H04L63/0245 H04L69/12

    Abstract: An apparatus is described that facilitates selective mirroring through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a port included in a set of at least one port, wherein each port in the set receives input traffic, a data processor that processes input data from the set of at least one port to generate mirrored data, based on rules with bitwise granularity across a header and a payload of the input data, and a mirror port selectable from the set of at least one port that transmits output traffic corresponding to the mirrored data. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of selective mirroring that enables flexible, advanced network security and monitoring features and network traffic analysis.

    Apparatus and method for enhancing forwarding and classification of network traffic with prioritized matching and categorization
    2.
    Granted invention patent
    Status: In force

    Publication number: US08665868B2

    Publication date: 2014-03-04

    Application number: US12500493

    Filing date: 2009-07-09

    Applicant: Rony Kay

    Inventor: Rony Kay

    Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

    Apparatus and method for biased and weighted sampling of network traffic to facilitate network monitoring
    3.
    Granted invention patent
    Status: In force

    Publication number: US08346918B2

    Publication date: 2013-01-01

    Application number: US12500527

    Filing date: 2009-07-09

    Applicant: Rony Kay

    Inventor: Rony Kay

    Abstract: An apparatus is described that performs biased and weighted sampling of network traffic to facilitate network monitoring. One embodiment of the apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines. A first individual microcode controlled state machine applies a first rule to the input data to determine first instructions associated with a first subset of the input data based on first sampling information associated with the first rule. A second individual microcode controlled state machine applies a second rule to the input data to determine second instructions associated with a second subset of the input data based on second sampling information associated with the second rule. The second sampling information differs from the first sampling information. This embodiment further includes a first circuit that generates first routing instructions for the first subset of the input data based on the first instructions, and that generates second routing instructions for the second subset of the input data based on the second instructions. This embodiment further includes a second circuit that routes the input data based on the first routing instructions and the second routing instructions. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

    Design rules checker for an integrated circuit design
    4.
    Granted invention patent
    Status: Lapsed

    Publication number: US5987240A

    Publication date: 1999-11-16

    Application number: US886031

    Filing date: 1997-06-30

    Applicant: Rony Kay

    Inventor: Rony Kay

    CPC classification number: G06F17/5081

    Abstract: A design rule checker for verifying that an integrated circuit design meets one or more geometrical constraints, the integrated circuit design being expressed as a graph data structure having at least a root node connected by a plurality of paths to one or more leaf nodes so that a single leaf node can represent multiple instances of a geometrical shape. In the preferred embodiment, the design rule checker includes: means for generating a flattened graph data structure in which each instance of the primitive geometrical shape is separately represented; means for scanning the flattened data structure to generate an error report comprising a plurality of error records representing violations of a geometrical constraint by a geometrical shape, wherein each error record includes a sortable index representing the path in the graph data structure from a root node to the geometrical shape giving rise to an error; and means for sorting the error report and for identifying the error records according to the sortable indices representing the paths through the graph data structure.

    Apparatus and method for facilitating network security with granular traffic modifications
    5.
    Granted invention patent
    Status: In force

    Publication number: US08024799B2

    Publication date: 2011-09-20

    Application number: US11483265

    Filing date: 2006-07-07

    Applicant: Rony Kay

    Inventor: Rony Kay

    CPC classification number: H04L63/1416 H04L63/0236 H04L63/0245 H04L69/12

    Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.

    Apparatus and method for facilitating network security
    6.
    Granted invention patent
    Status: In force

    Publication number: US07937756B2

    Publication date: 2011-05-03

    Application number: US11208022

    Filing date: 2005-08-19

    Applicant: Rony Kay

    Inventor: Rony Kay

    Abstract: An embodiment of an apparatus that facilitates network security and traffic monitoring for input network traffic includes a plurality of microcode controlled state machines, each of which includes a computation kernel. A plurality of rules applied to a network traffic segment are distributed across the computation kernels. Each of the computation kernels includes condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in the microcode to produce an associated output. A distribution circuit routes the network traffic segment to each of the plurality of microcode controlled state machines. An aggregation circuit generates a decision on which forwarding of the network traffic segment is based, where the decision is a logical combination of the associated output of each of the computation kernels.

    APPARATUS AND METHOD FOR ENHANCING FORWARDING AND CLASSIFICATION OF NETWORK TRAFFIC WITH PRIORITIZED MATCHING AND CATEGORIZATION
    7.
    Invention patent application
    Status: In force

    Publication number: US20100008359A1

    Publication date: 2010-01-14

    Application number: US12500493

    Filing date: 2009-07-09

    Applicant: Rony Kay

    Inventor: Rony Kay

    Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

    Network security protocol processor and method thereof
    8.
    Granted invention patent
    Status: Lapsed

    Publication number: US07603549B1

    Publication date: 2009-10-13

    Application number: US10364996

    Filing date: 2003-02-11

    Applicant: Rony Kay

    Inventor: Rony Kay

    CPC classification number: H04L63/0485 H04L63/102 H04L63/164

    Abstract: A cryptographic processor having an in-line (i.e., “bump-in-the-wire”) architecture processes data packets between a trusted domain and an untrusted domain, according to a predetermined security protocol. The cryptographic processor can be implemented as a stand-alone device, without requiring a change in the configuration of the host machine. Unlike a conventional hardware acceleration of a “bump-in-the-stack” implementation, which is typically implemented as a layer between the native IP layer and the network drivers in an IP protocol stack and uses a single bus interface (e.g., a PCI-X bus) for all data traffic, the cryptographic processor acts as a security gateway, providing separate interfaces for the trusted and the untrusted domains. The cryptographic processor includes pipeline stages for carrying a feedback encryption algorithm with optimal throughput.

    Performance verification/analysis tool for full-chip designs

    Publication number: US06564357B2

    Publication date: 2003-05-13

    Application number: US09820876

    Filing date: 2001-03-30

    CPC classification number: G06F17/5022

    Abstract: A method and apparatus may be provided for providing performance verification/analysis of a full-chip design. This may include performing an analysis on a first block of the full-chip design. Data (such as a waveform output from a pin of the block) may be captured while performing the analysis. This captured data may be utilized when performing an analysis of the full-chip design. Features of an interconnect between the first block and a second block may be determined using the captured data.

    APPARATUS AND METHOD FOR ASSOCIATING CATEGORIZATION INFORMATION WITH NETWORK TRAFFIC TO FACILITATE APPLICATION LEVEL PROCESSING
    10.
    Invention patent application
    Status: In force

    Publication number: US20100011434A1

    Publication date: 2010-01-14

    Application number: US12500519

    Filing date: 2009-07-09

    Applicant: Rony Kay

    Inventor: Rony Kay

    Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier. This embodiment further includes a first circuit that appends the hash identifier to the input data to produce modified input data based on the modification instructions, and that routes the modified input data in accordance with an output routing strategy. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.
