专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US10176322B2 Operation of a dual instruction pipe virus co-processor 有权
公开(公告)号：US10176322B2
公开(公告)日：2019-01-08
申请号：US15707080
申请日：2017-09-18
申请人： Fortinet, Inc.
发明人： Xu Zhou , Lin Huang , Michael Xie
IPC分类号： G06F21/56 , G06F21/55 , H04L29/06 , G06F9/38 , G06F21/75
摘要： Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for performing content scanning of content objects is provided. A content object that is to be scanned is stored by a general purpose processor to a system memory of the general purpose processor. Content scanning parameters associated with the content object are set up by the general purpose processor. Instructions from a signature memory of a co-processor that is coupled to the general purpose processor are read by the co-processor based on the content scanning parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned by the co-processor to a first instruction pipe of multiple instruction pipes of the co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.

2. 发明申请

US20170193231A1 EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM 审中-公开
公开(公告)号：US20170193231A1
公开(公告)日：2017-07-06
申请号：US15269658
申请日：2016-09-19
申请人： Fortinet, Inc.
发明人： Xu Zhou , Lin Huang , Michael Xie
IPC分类号： G06F21/56 , G06F12/1009
CPC分类号： G06F21/568 , G06F12/1009 , G06F21/562 , G06F21/564 , G06F21/565 , G06F21/567 , G06F2212/1052 , G06F2212/152 , G06F2212/657
摘要： Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory for use in connection with translating virtual addresses to physical addresses. Content scanning of a content object is offloaded to a hardware accelerator coupled to the processor by storing content scanning parameters, including the content object and a type of the content object, to the memory using one or more virtual addresses and indicating to the hardware accelerator that the content object is available for content scanning. Responsive thereto, the hardware accelerator: (i) translates the virtual addresses to corresponding physical addresses based on one or more of the page directory and the page table; (ii) accesses scanning parameters based on the physical addresses; (iii) scans the content object for undesirable content by applying multiple signatures; and (iv) returns a result of the content scanning to the processor.

3. 发明申请

US20160352652A1 VIRTUAL MEMORY PROTOCOL SEGMENTATION OFFLOADING 审中-公开
标题翻译：虚拟内存协议分段卸载
公开(公告)号：US20160352652A1
公开(公告)日：2016-12-01
申请号：US15198936
申请日：2016-06-30
申请人： Fortinet, Inc.
发明人： Xu Zhou , David Chen , Lin Huang , Guansong Zhang
IPC分类号： H04L12/935 , H04L12/863 , G06F12/1081 , H04L29/06
CPC分类号： H04L49/3045 , G06F12/1081 , G06F13/1689 , G06F2212/657 , H04L47/62 , H04L47/621 , H04L69/166
摘要： Methods and systems for a more efficient transmission of network traffic are provided. According to one embodiment, presence of outbound payload data, distributed across a first and second payload buffer, within a user memory space of a network device that has been generated by a user process is determined by a bus/memory interface or a network interface unit. The payload data is fetched by performing direct virtual memory addressing of the user memory space including mapping virtual addresses of the payload buffers to corresponding physical addresses, including: (i) when the payload buffers are noncontiguous, then retrieving the outbound payload data with reference to multiple buffer descriptors having starting virtual addresses of the payload buffers and (ii) when they are contiguous, then retrieving the outbound payload data with reference to a single buffer descriptor. The outbound payload data is then segmented across one or more TCP packets.
摘要翻译：提供了更有效地传输网络流量的方法和系统。根据一个实施例，由用户进程生成的网络设备的用户存储器空间内的分布在第一和第二有效载荷缓冲器上的出站有效载荷数据的存在由总线/存储器接口或网络接口单元。通过执行用户存储器空间的直接虚拟存储器寻址来获取有效负载数据，包括将有效载荷缓冲器的虚拟地址映射到对应的物理地址，包括：（i）当有效载荷缓冲器不连续时，参考具有有效载荷缓冲区的起始虚拟地址的多个缓冲器描述符和（ii）当它们是连续的时，然后参考单个缓冲器描述符检索出站有效载荷数据。然后将出站有效载荷数据跨越一个或多个TCP数据包进行分段。

4. 发明授权

US09460287B2 Efficient data transfer in a virus co-processing system 有权
标题翻译：病毒协同处理系统中的高效数据传输
公开(公告)号：US09460287B2
公开(公告)日：2016-10-04
申请号：US14734488
申请日：2015-06-09
申请人： Fortinet, Inc.
发明人： Xu Zhou , Lin Huang , Michael Xie
IPC分类号： G06F11/00 , G06F21/56
CPC分类号： G06F21/568 , G06F12/1009 , G06F21/562 , G06F21/564 , G06F21/565 , G06F21/567 , G06F2212/1052 , G06F2212/152 , G06F2212/657
摘要： Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory that contain information for translating virtual addresses to physical addresses. Virus processing of a content object is offloaded to a hardware accelerator coupled to the processor by storing scanning parameters, including the content object and a type of the content object, to the memory using one or more virtual addresses and indicating to the hardware accelerator that the content object is available for processing. Responsive thereto, the hardware accelerator: (i) translates the virtual addresses to corresponding physical addresses based on the page directory and the page table; (ii) accesses the scanning parameters based on the physical addresses; (iii) scans the content object for viruses by applying multiple virus signatures; and (iv) returns a result of the scanning to the processor.
摘要翻译：电路和方法被提供用于检测，识别和/或去除不需要的内容。根据一个实施例，处理器维护页面目录和在系统存储器内的包含用于将虚拟地址转换为物理地址的信息的页表。通过使用一个或多个虚拟地址将包括内容对象和内容对象的类型的扫描参数存储到存储器中，将内容对象的病毒处理卸载到耦合到处理器的硬件加速器，并向硬件加速器指示内容对象可用于处理。响应于此，硬件加速器：（i）基于页目录和页表将虚拟地址转换为相应的物理地址; （ii）基于物理地址访问扫描参数; （iii）通过应用多个病毒签名对内容对象进行病毒扫描; 和（iv）将扫描结果返回给处理器。

5. 发明授权

US09219748B2 Virus co-processor instructions and methods for using such 有权
标题翻译：病毒协处理器的使用说明和方法
公开(公告)号：US09219748B2
公开(公告)日：2015-12-22
申请号：US14455737
申请日：2014-08-08
申请人： Fortinet, Inc.
发明人： Lin Huang , Xu Zhou , Michael Xie
IPC分类号： G06F12/16 , H04L29/06 , G06F21/56 , G06F21/71
CPC分类号： G06F21/564 , G06F21/56 , G06F21/561 , G06F21/567 , G06F21/71 , G06F2221/034 , H04L63/145
摘要： Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a method for virus processing is provided. A virus signature file that includes multiple virus signatures capable of detecting and identifying a variety of known viruses is downloaded by a general purpose processor. It is determined by the general purpose processor whether a virus co-processor is coupled to the general purpose processor. When the virus co-processor is determined to be coupled to the general purpose processor, then it is further determined by the general purpose processor which virus signatures are supported by the virus co-processor (“CP-supported virus signatures”). The CP-supported virus signatures are transferred to a memory associated with the virus co-processor. The virus co-processor is directed by the general purpose processor to perform a virus scan based on the supported virus signatures.
摘要翻译：提供了用于检测，识别和/或去除不需要的内容的电路和方法。根据一个实施例，提供了一种用于病毒处理的方法。包含能够检测和识别各种已知病毒的多个病毒签名的病毒签名文件由通用处理器下载。由通用处理器确定病毒协处理器是否耦合到通用处理器。当病毒协处理器被确定为耦合到通用处理器时，由通用处理器进一步确定病毒签名由病毒协处理器（“CP支持的病毒签名”）支持的情况。 CP支持的病毒签名被传送到与病毒协处理器相关联的存储器。病毒协处理器由通用处理器执行，以基于支持的病毒签名进行病毒扫描。

6. 发明授权

US09141798B2 Operation of a dual instruction pipe virus co-processor 有权
标题翻译：双重指挥管病毒协处理器的操作
公开(公告)号：US09141798B2
公开(公告)日：2015-09-22
申请号：US14484398
申请日：2014-09-12
申请人： Fortinet, Inc.
发明人： Xu Zhou , Lin Huang , Michael Xie
IPC分类号： G06F12/14 , G06F21/56 , G06F21/55 , H04L29/06 , G06F9/38
CPC分类号： G06F21/561 , G06F9/3867 , G06F9/3885 , G06F21/55 , G06F21/56 , G06F21/564 , G06F21/568 , G06F21/755 , G06F2221/031 , H04L63/1408 , H04L63/1416 , H04L63/1425 , H04L63/1433
摘要： Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object that is to be virus processed is stored by a general purpose processor to a system memory. Virus scan parameters for the content object are set up by the general purpose processor. Instructions from a virus signature memory of a virus co-processor are read by the virus co-processor based on the virus scan parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned to a first instruction pipe of multiple instruction pipes of the virus co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory.
摘要翻译：电路和方法被提供用于检测，识别和/或去除不需要的内容。根据一个实施例，待病毒处理的内容对象由通用处理器存储到系统存储器。内容对象的病毒扫描参数由通用处理器设置。基于病毒扫描参数的病毒协处理器读取来自病毒协处理器的病毒签名存储器的指令。指令包含第一指令类型的操作码和第二指令类型的操作码。将包含第一指令类型的操作码的指令分配给病毒协处理器的多个指令管道的第一指令管道，以执行。由第一指令管道执行包含第一指令类型的操作码的分配指令的指令，包括从系统存储器访问内容对象的一部分。

7. 发明授权

US09892257B2 Efficient data transfer in a virus co-processing system 有权
公开(公告)号：US09892257B2
公开(公告)日：2018-02-13
申请号：US15269658
申请日：2016-09-19
申请人： Fortinet, Inc.
发明人： Xu Zhou , Lin Huang , Michael Xie
IPC分类号： G06F7/04 , G06F21/56 , G06F12/1009
CPC分类号： G06F21/568 , G06F12/1009 , G06F21/562 , G06F21/564 , G06F21/565 , G06F21/567 , G06F2212/1052 , G06F2212/152 , G06F2212/657
摘要： Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a processor maintains a page directory and a page table within a system memory for use in connection with translating virtual addresses to physical addresses. Content scanning of a content object is offloaded to a hardware accelerator coupled to the processor by storing content scanning parameters, including the content object and a type of the content object, to the memory using one or more virtual addresses and indicating to the hardware accelerator that the content object is available for content scanning. Responsive thereto, the hardware accelerator: (i) translates the virtual addresses to corresponding physical addresses based on one or more of the page directory and the page table; (ii) accesses scanning parameters based on the physical addresses; (iii) scans the content object for undesirable content by applying multiple signatures; and (iv) returns a result of the content scanning to the processor.

8. 发明授权

US09756081B2 Context-aware pattern matching accelerator 有权
公开(公告)号：US09756081B2
公开(公告)日：2017-09-05
申请号：US15236418
申请日：2016-08-13
申请人： Fortinet, Inc.
发明人： Zhi Guo , Hongbin Lu , Xu Zhou , Lin Huang , Michael Xie
IPC分类号： H04L12/28 , H04L29/06 , H04L12/727 , H04L12/801 , G06F21/56 , G06F21/71
CPC分类号： H04L63/20 , G06F21/56 , G06F21/564 , G06F21/567 , G06F21/71 , H04L45/121 , H04L47/34 , H04L63/0227 , H04L63/0245 , H04L63/1408 , H04L63/145 , H04L69/22
摘要： Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.

9. 发明申请

US20170041348A1 CONTEXT-AWARE PATTERN MATCHING ACCELERATOR 审中-公开
标题翻译： CONTEXT-AWARE图案匹配加速器
公开(公告)号：US20170041348A1
公开(公告)日：2017-02-09
申请号：US15236418
申请日：2016-08-13
申请人： Fortinet, Inc.
发明人： Zhi Guo , Hongbin Lu , Xu Zhou , Lin Huang , Michael Xie
IPC分类号： H04L29/06 , H04L12/801
CPC分类号： H04L63/20 , G06F21/56 , G06F21/564 , G06F21/567 , G06F21/71 , H04L45/121 , H04L47/34 , H04L63/0227 , H04L63/0245 , H04L63/1408 , H04L63/145 , H04L69/22
摘要： Methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching are provided. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations.
摘要翻译：提供了提高上下文感知模式匹配的准确性，速度和效率的方法和系统。根据一个实施例，分组流由网络设备的CPMP硬件加速器的第一级接收。第一阶段执行预匹配过程，以识别与IPS或ADC规则相关联的字符串或过流模式匹配的候选分组。基于预匹配过程的结果的相关性来识别候选规则。候选数据包被配置以产生匹配的令牌和相应的位置。通过CPMP硬件加速器的第二级在候选分组上执行完全匹配过程，以通过执行（i）上下文感知模式匹配，（ii）上下文感知字符串中的一个或多个来确定其是否满足候选规则匹配和（iii）基于上下文信息，匹配令牌和相应位置的正则表达式匹配。

10. 发明申请

US20160300062A1 VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH 审中-公开
标题翻译：病毒加工者指令和使用方法
公开(公告)号：US20160300062A1
公开(公告)日：2016-10-13
申请号：US15190413
申请日：2016-06-23
申请人： Fortinet, Inc.
发明人： Lin Huang , Xu Zhou , Michael Xie
IPC分类号： G06F21/56 , H04L29/06
CPC分类号： G06F21/564 , G06F21/56 , G06F21/561 , G06F21/567 , G06F21/71 , G06F2221/034 , H04L63/145
摘要： Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a system includes a co-processor (CP), a first memory, a general purpose processor (GPP) and a second memory. The first memory is associated with the CP and coupled to the CP. The first memory includes a first signature compiled for execution on the CP. The GPP is coupled to the CP. The second memory is associated with the GPP and coupled to the CP and to the GPP. The second memory includes a second signature compiled for execution on the GPP. The CP is operable to retrieve the first signature stored within the first memory through an instruction cache. The CP is operable to retrieve a data segment to be scanned for undesirable content stored within the second memory through a data cache that is separate from the instruction cache.
摘要翻译：提供了用于检测，识别和/或去除不需要的内容的电路和方法。根据一个实施例，系统包括协处理器（CP），第一存储器，通用处理器（GPP）和第二存储器。第一个存储器与CP相关联并耦合到CP。第一个存储器包括编译为在CP上执行的第一个签名。 GPP耦合到CP。第二个内存与GPP相关联，并连接到CP和GPP。第二个内存包括编译为在GPP上执行的第二个签名。 CP可操作以通过指令高速缓存来检索存储在第一存储器内的第一签名。 CP可操作用于通过与指令高速缓存分开的数据高速缓存来检索要扫描的数据段以存储在第二存储器内的不需要的内容。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式