This invention generally relates to the application of multiple simultaneous keyword-based rules, and more particularly, to a system and methods for conversion of multiple rules to keywords that are matched in order to efficiently determine whether rules are satisfied in parallel.
With the widespread use of web-based applications and the Internet in general, concerns have been raised with the availability of server protection against malicious content sent through seemingly innocuous packets requesting access to server-based applications. Such packets may include viruses, data sniffers, or other undesirable and unauthorized requests to the application server. Some of the most serious network security threats come from attacks that target vulnerabilities in enterprise applications. In order to prevent the introduction of undesirable packets, networks implement so-called firewalls that examine incoming packets according to different rules that detect undesirable data in packets.
The application of different rules to examine incoming packets for content that has an undesirable effect is known as negative security. Negative security may be defined as a security approach that detects undesirable content (such as a virus, an attack, exploitation of a vulnerability, etc.) by maintaining a list of indicators such as patterns and signatures of the undesirable content. A rule includes a given representation of the undesirable content provided to a matching agent in order to check whether or not an item such as a packet contains the content that is represented in the list. An advantage of this approach is that if the undesirable content is known and how to find the content is known, then negative security is an easy and simple way to find undesirable content through the application of rules. The disadvantage to such an approach is that network protection is limited to existing rules and does not detect malicious packets that are written to circumvent existing rules. Network administrators therefore constantly update and add rules to detect new known threats. However, the application of multiple rules requires multiple passes over an incoming packet, as a separate pass over the packet must be performed for each different rule. The use of more rules to detect new threats therefore increases the computational overhead of applying such rules for negative security.
According to one example, a method for checking data against a plurality of rules simultaneously is disclosed. A data string having keywords in the data string is received. All of the keywords in the data string are simultaneously examined against rule keywords. The rule keywords represent at least one rule of the plurality of rules. Which of the plurality of rules are satisfied by the data string is determined based on whether each keyword matches the rule keywords.
Another example is a machine readable medium having stored thereon instructions for simultaneous checking whether a data string satisfies multiple rules. The machine readable medium includes machine executable code which when executed by at least one machine, causes the machine to receive the data string having keywords in the data string. The instructions further cause the machine to simultaneously examine all of the keywords in the data string against rule keywords, the rule keywords representing at least one rule of the plurality of rules. The instructions further cause the machine to determine which of the plurality of rules are satisfied by the data string based on whether each keyword matches the rule keywords.
Another example is a network traffic appliance for coupling to a network and allowing connection by a client computer to a device. The network traffic appliance includes a network interface for receiving a data string from the client computer. A network access module includes a finite state machine coupled to the network interface. A memory stores an array of keyword data structures and an array of rules data structures, the rules data structures including rule keywords associated with a plurality of rules. The network access module receives the data string having keywords in the data string. The network access module simultaneously examines all of the keywords in the data string against rule keywords, the rule keywords representing at least one rule of the plurality of rules. The network access module further determines which of the plurality of rules are satisfied by the data string based on whether each keyword matches the rule keywords. The network access module provides access to the device if certain of the plurality of rules is satisfied by the data string.
Additional aspects will be apparent to those of ordinary skill in the art in view of the detailed description of various embodiments, which is made with reference to the drawings, a brief description of which is provided below.
While these examples are susceptible of embodiment in many different forms, there is shown in the drawings and will herein be described in detail preferred examples with the understanding that the present disclosure is to be considered as an exemplification and is not intended to limit the broad aspect to the embodiments illustrated.
Naively, rules-based access policies require multiple passes to examine data strings for undesirable content represented by each individual rule. Thus current rules-based policies for server access incur longer delays to check each individual rule, decreasing data throughput.
The network traffic appliance 110 may be interposed between the network 112 and the processor or processors of the server 102 as shown in
A traffic management operating system (TMOS) 210 may be stored on the memory 202 and may be run by the controller 200. The traffic management OS 210 may have a modular structure with different modules 212 to perform various network traffic management functions. In this example, the modules 212 of the traffic management OS 210 may include a rules-based access module 214 embodying the principles discussed below to perform the negative security policy for multiple rules simultaneously. The access module 214 may also run on client computers or servers internally to allow access to the server 102 in the manner described below. It is also to be understood that the traffic management OS 210 with the access module 214 may be operated on any suitable traffic management device. An example of the access module 214 is the BIG-IP Application Security Manager (ASM) available from F5 Networks, Inc. of Seattle, Wash., which delivers comprehensive protection for Web applications and operational infrastructure.
An example of the traffic management OS 210 may be the TMOS platform available from F5 Networks, Inc. of Seattle, Wash., although other traffic management applications could be used. The traffic management OS 210 may provide functions such as performance, security, availability, and management. The traffic management OS 210 may provide shared application services such as iRules, rate shaping, resource cloaking, transaction assurance, universal persistence, caching, compression, encryption, authentication, application health monitors, and application switching, that are run by the application modules 212. The traffic management OS 210 may also provide shared network services including TCP Express™, protocol sanitization, high performance SSL, DoS and DDoS protection, VLAN segmentation, line rate switching, IP packet filtering, dynamic routing, secure network address translation, port mapping, and common management framework.
Optionally, a rule may include zero or more expressions that require a complete string for the matching process such as Perl compatible regular expression engine (PCRE) expressions. Such expressions require special handling as will be explained below. As will be explained below the example network access module 214 may allow each of the incoming packets to be compared against multiple rules simultaneously in a single pass. The multiple rules may be associated with keyword and rules data structures stored in the memory 202 of the network traffic appliance 110 in
The memory 202 may store an array of keyword data structures 402, an array of rules data structures 404, an array of variable data structures 406 and a linked list of satisfied rules 408. The array of keyword data structures 402 may contain read only data structures 412 for all of the keywords and their respective properties and the rules that the keywords are associated with. The array of rules data structures 404 may hold read only data structures 414 and read/write data structures 424 that include the rules and a set of counters and flags and other properties along with a list of Perl compatible regular expression engine (PCRE) keywords that are associated with the respective rule. The array of variables 406 may contain read only data structures 416 and read/write data structure 426 including those variables that are responsible to keep track of whether the data string is clean or dirty and the true or false values and the resets that are used by the access module 214. The satisfied rules linked list 408 may contain links 418 that point to those rules that are satisfied by an examined data string and rules that are not satisfied by an examined data string. The split between read only data structures such as data structures 414 and 416 for the keywords and the rules and read/write data structures 424 and 426 may allow avoidance of corrupted values resulting from race conditions. The read only data structures may only be created in one copy for usage by all of the rules and keywords, while the read/write data structures may be created for each thread that uses them. Thread safety thus may be achieved allowing the read only data structures to be used concurrently without fear of race conditions.
Table 1 below shows an example read only data structure such as the data structure 412 for an array of keywords such as the array of keywords 402.
Table 2 below shows an example read only data structure such as the data structure 412 that may represent a single rule stored in the rules data structures array 404. The single rule is expected to be one instance per state machine such as the state machine 400 in
Table 3 below shows an example read/write data structure such as the read/write data structure 424 that may represent a single rule stored in the rules data structures array 404. The data structure in Table 3 is modified when the rule is checked in the data string.
Table 4 below shows an example read/write data structure such as the data structure 424 including the data indicating satisfied rules such as the rules data structures array 404. The read/write data structure in Table 4 holds rules data that is aligned to the array of rules with a data structure similar to that in Table 2. The data structure 418 in Table 4 also includes utility pointers to the linked list of satisfied rules 408 to be used by a satisfied rules iterator as will be explained below.
Table 5 below shows an example read only data structure such as the data structure 416 in the variables array 406 for variable values related to the implementation of the finite state machine 400 in
Table 6 shows an example read/write data structure such as the data structure 426 for utilities such as case sensitive manipulation, pointer to rules, visited flags for each keyword used by the finite state machine 400 in
Every keyword may be either an explicit string or a Perl compatible regular expression engine implementation (PCRE) expression in this example. Of course, this process may be implemented with exclusively explicit strings without any PCRE expressions. A keyword may have one or more properties, according to the operations performed on the keyword (existence, non-existence, relativeness, absolute, distances for all the supported options, though the design can support many more operators). A keyword may participate in zero or more rules. A keyword belongs to some predefined input buffer type (context) and more than one buffer type may be defined (e.g., request context, response context, normalized url context in request, etc.).
Every entry in the rules data structure may contain a counter for the number of distinct keywords it requires to be seen in text and a counter for the number of keywords it requires not to be seen in text. Every keyword that is identified by the finite state machine 400 constructed with the Aho-Corasick algorithm may be checked against its properties and if the properties match, all the rules that require this keyword are updated in the read/write data structures 424 of the rules array 404. This is done only once per keyword, so future occurrences consume no additional work because the result is already cached in the data structures 424 of the rules array 404. A rule that is being updated with a keyword checks whether this keyword is the last one needed for it to be satisfied, and if it is, a pointer to the rule is added to the satisfied rules linked list 408.
Boolean flags exist for the keywords and the rules for their respective data structures. There may be a large number of keywords and rules to examine for each of the data strings. This may cause a linear amount of work to reset a large number of flags. One option may be to trade the linear complexity for reset with an amortized O(1) complexity with respect to the number of flags. The semantics of true and false may be changed to the following: true is a number that is defined and then incremented whenever a reset is required. False is therefore any number that is not this defined value. This allows the cost of reset to be the amount of work required to increment an integer by 1. Of course, the integers may have a maximum value so it is also required to check if an increment will cause an overflow. If an overflow is expected in the next step, a full linear reset (that is, assigning 0 to all flags and defining true to be 1) is conducted. Since an overflow is expected for an unsigned integer only once every 2 to the power of 32 resets, this scales to an amortized O(1) work value per reset.
In order to increase efficiency, counters may also be reset for each data string to be examined. Counters may exist for rules and keywords in the data structures, which are marked for the last occurrence index for every seen keyword in a string. Reset of the counters may require a linear amount of work with respect to the number of counters. The resets may be held to the minimum number of resets necessary by applying a so-called lazy reset (i.e., the reset only occurs if a counter is dirty). The dirty flag per counter is a Boolean flag that is reset using the previously explained process for true and false flags. In this manner, only counters that are actually being used are reset for the keyword and rules data structures.
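The constant-time flag reset and the lazy counter reset described in the two paragraphs above, as an added Python example (not code from the patent or from any F5 product). The class names and the `max_epoch` parameter are assumptions; `max_epoch` stands in for the unsigned-integer maximum so the overflow path can be exercised with a small value.

```python
class EpochFlags:
    """Boolean flags whose 'true' is the current epoch number.

    A flag is set when its stored stamp equals the current true value;
    any other stamp reads as false, so resetting every flag is a single
    integer increment.
    """

    def __init__(self, n, max_epoch=2**32 - 1):
        self.stamp = [0] * n          # 0 is never a true value
        self.true_value = 1
        self.max_epoch = max_epoch    # assumption: models the uint32 limit
        self.full_resets = 0

    def set(self, i):
        self.stamp[i] = self.true_value

    def is_set(self, i):
        return self.stamp[i] == self.true_value

    def reset_all(self):
        if self.true_value == self.max_epoch:
            # The next increment would wrap around, and stale stamps from
            # old epochs could then compare equal to the new true value.
            # Pay the linear cost once and restart the epoch count.
            for i in range(len(self.stamp)):
                self.stamp[i] = 0
            self.true_value = 1
            self.full_resets += 1
        else:
            self.true_value += 1      # the usual O(1) reset


class LazyCounters:
    """Per-rule or per-keyword counters that are zeroed only when touched."""

    def __init__(self, n, max_epoch=2**32 - 1):
        self.value = [0] * n
        self.dirty = EpochFlags(n, max_epoch)

    def increment(self, i):
        if not self.dirty.is_set(i):
            self.value[i] = 0         # stale value left by an earlier string
            self.dirty.set(i)
        self.value[i] += 1
        return self.value[i]

    def get(self, i):
        # A counter not touched since the last reset reads as zero even
        # though its storage still holds the old number.
        return self.value[i] if self.dirty.is_set(i) else 0

    def reset_all(self):
        self.dirty.reset_all()        # no loop over the counters


if __name__ == "__main__":
    counters = LazyCounters(3)
    counters.increment(2)
    counters.reset_all()
    print(counters.get(2), counters.value[2])
```
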
The above process and implementation therefore may be used to speed the access checks for screening packets to the server 102 by checking multiple rules in one pass for a data string. This allows the ability to look up rules and not only keywords. The rules may require the existence or non-existence of one or more keywords and apply custom functionality when a keyword is seen in a data string. More complex rules may be composed via operators on different keywords. The access check may work with full text, chunked text, and streaming text and allows multiple concurrent instances serving one or more sets of rules. This process also supports rules having multiple contexts.
In this example, a certain keyword 510 may be associated with an accepting state such as the accepting state represented by the cell 508. Since the rule keyword may be found in the input data string, a matched keyword-linked list points to the different words that could be represented in the keyword array 402. The constraints of a keyword may be listed in its entry in the keywords array 402. Alternatively, the linked list may also include constraints associated with the keyword. The rules data structure the keyword points to is examined and the access module 214 determines whether constraints are satisfied and incorrect matches are pruned out. The keyword 510 in this example includes pointers to two different rules 512 (11) and 514 (23) determined from the keyword array 402. Once the keyword 510 is matched, the respective data structures of the array of rules data structures 404 are updated to indicate that the rules 512 and 514 are satisfied for the keyword 510. For example, the counters for the data structures for the rule 512 (11) and the rule 514 (23) indicating the number of keywords satisfied for each rule are incremented. If the number of satisfied keywords is reached, a check is performed whether the rule is a negative rule (i.e., if all keywords are present, the rule is not satisfied). If the counter reaches the predetermined number of keywords, the rule may be marked as satisfied and updated in the satisfied rules linked list 408.
Since PCRE expressions do not (properly) support streaming or chunked data, checking such expressions may be postponed until all the data string with the PCRE expression is available or may be linked to a linked list of satisfied rules. In this example, the keyword 522 (22) represents a rule requiring a PCRE keyword. Since the keyword 522 is a PCRE expression, the rules checking may be performed post processing, by examining satisfied rules and performing what is needed (i.e., PCRE processing). The links between keywords and rules are created offline. The keywords 522 (22), 524 (43), and 526 (55) therefore constitute a linked list of keywords for a PCRE expression that should be applied post processing and therefore are postponed for post processing.
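The single-pass check described above (one Aho-Corasick automaton for all rule keywords, per-rule counters updated once per distinct keyword, a satisfied-rules list, and regular expressions deferred until the chunked data string is complete), as an added Python example that is not code from the patent or from any F5 product. The rule names, signatures and the `RuleSet`, `Scan` and `check` names are constructed for illustration; Python's `re` stands in for PCRE, and every rule is assumed to require at least one keyword.

```python
import re
from collections import deque

# Constructed sample rules (not from the patent): keywords a rule needs,
# keywords it must not see, and an optional regex checked after the scan.
RULES = {
    "sqli-union":   {"need": ["union", "select"]},
    "sql-read":     {"need": ["select", "from"], "forbid": ["limit"]},
    "script-alert": {"need": ["<script"], "regex": r"<script[^>]*>\s*alert\("},
}


class RuleSet:
    """Read-only data, built once offline and shared by every scan."""

    def __init__(self, rules):
        self.rules = rules
        self.need_count = {r: len(set(d["need"])) for r, d in rules.items()}
        self.goto, self.fail, self.out = [{}], [0], [[]]
        self.kw_rules = {}            # keyword -> [(rule id, is_forbidden)]
        for rid, d in rules.items():
            for kw in set(d["need"]):
                self._link(kw, rid, False)
            for kw in set(d.get("forbid", [])):
                self._link(kw, rid, True)
        self._build_failure_links()

    def _link(self, kw, rid, forbidden):
        if kw not in self.kw_rules:   # first use: insert into the trie
            s = 0
            for ch in kw:
                if ch not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].append(kw)
            self.kw_rules[kw] = []
        self.kw_rules[kw].append((rid, forbidden))

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            s = queue.popleft()
            for ch, t in self.goto[s].items():
                f = self.fail[s]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(ch, 0)
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)


class Scan:
    """Read/write data: one instance per data string (or per thread)."""

    def __init__(self, ruleset):
        self.rs = ruleset
        self.state = 0           # automaton state survives chunk boundaries
        self.seen = set()        # keywords already credited to their rules
        self.hits = {}           # rule id -> distinct needed keywords seen
        self.vetoed = set()      # rules for which a forbidden keyword appeared
        self.candidates = []     # rules whose needed-keyword count was reached
        self.chunks = []         # kept only for the deferred regex checks

    def feed(self, chunk):
        rs = self.rs
        self.chunks.append(chunk)
        for ch in chunk:
            while self.state and ch not in rs.goto[self.state]:
                self.state = rs.fail[self.state]
            self.state = rs.goto[self.state].get(ch, 0)
            for kw in rs.out[self.state]:
                if kw in self.seen:
                    continue     # repeat occurrences cost no rule updates
                self.seen.add(kw)
                for rid, forbidden in rs.kw_rules[kw]:
                    if forbidden:
                        self.vetoed.add(rid)
                        continue
                    self.hits[rid] = self.hits.get(rid, 0) + 1
                    if self.hits[rid] == rs.need_count[rid]:
                        self.candidates.append(rid)

    def finish(self):
        """Post-process only the candidate rules once all data has arrived."""
        data = "".join(self.chunks)
        satisfied = []
        for rid in self.candidates:
            if rid in self.vetoed:
                continue
            pattern = self.rs.rules[rid].get("regex")
            if pattern and not re.search(pattern, data):
                continue
            satisfied.append(rid)
        return satisfied


def check(ruleset, chunks):
    scan = Scan(ruleset)
    for chunk in chunks:
        scan.feed(chunk)
    return scan.finish()


if __name__ == "__main__":
    # Constructed input; "union" and "select" are split across chunks.
    print(check(RuleSet(RULES), ["id=1 uni", "on sel", "ect name from users"]))
```

The regular expression runs only for rules whose literal keywords were already found, so the automaton acts as a cheap prefilter and the expensive engine never sees strings that cannot match.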
Each of the server 102, network traffic appliance 110, and client computers 104, 106, and 108 may include a central processing unit (CPU), controller or processor, a memory, and an interface system that are coupled together by a bus or other link, although other numbers and types of each of the components and other configurations and locations for the components can be used. The processors in the server 102 or the network traffic appliance 110 may execute a program of stored instructions for one or more aspects of the methods and systems as described herein, including for rapid protection of the network via simultaneous checking according to access rules, although the processor could execute other types of programmed instructions. The memory may store these programmed instructions for one or more aspects of the methods and systems as described herein, including the method for protecting the server against denial of service attacks, although some or all of the programmed instructions could be stored and/or executed elsewhere. A variety of different types of memory storage devices, such as a random access memory (RAM) or a read only memory (ROM) in the system or a floppy disk, hard disk, CD ROM, DVD ROM, or other computer readable medium that is read from and/or written to by a magnetic, optical, or other reading and/or writing system that is coupled to the processor, may be used for the memory. The user input device may comprise a computer keyboard and a computer mouse, although other types and numbers of user input devices may be used. The display may comprise a computer display screen, such as a CRT or LCD screen by way of example only, although other types and numbers of displays could be used.
Although an example of the server 102, network traffic appliance 110, and client computers 104, 106, and 108 are described and illustrated herein in connection with
Furthermore, each of the devices of the system 100 may be conveniently implemented using one or more general purpose computer systems, microprocessors, digital signal processors, micro-controllers, application specific integrated circuits (ASIC), programmable logic devices (PLD), field programmable logic devices (FPLD), field programmable gate arrays (FPGA) and the like, programmed according to the teachings as described and illustrated herein, as will be appreciated by those skilled in the computer, software, and networking arts.
In addition, two or more computing systems or devices may be substituted for any one of the systems in the system 100. Accordingly, principles and advantages of distributed processing, such as redundancy, replication, and the like, also can be implemented, as desired, to increase the robustness and performance of the devices and systems of the system 100. The system 100 may also be implemented on a computer system or systems that extend across any network environment using any suitable interface mechanisms and communications technologies including, for example telecommunications in any suitable form (e.g., voice, modem, and the like), Public Switched Telephone Network (PSTNs), Packet Data Networks (PDNs), the Internet, intranets, a combination thereof, and the like.
The operation of the example rapid protection of the network via simultaneous checking according to access rules, shown in
If the keyword is in the correct context, the access module 214 will access the next rule (612). The access module 214 will increment the counters in the rules data structure 424 for the first rule associated with the keyword (614). The counters may include the occurrence counter representing the number of keywords matching the data string and the non-occurrence counter. If the rule has a counter value equal to the number of expected matched keywords value, the access module 214 may write the rule into the list of satisfied rules data structure 408 (618). The access module 214 may then proceed to determine whether the rule is the last rule in the rule array 404 in
If the keyword is the last keyword in the list (622), the access module 214 may store the rules that are found to be unsatisfied (618). At the end of the process, the access module 214 summarizes the satisfied rules and may determine whether the packet should be granted access to the server 102 based on the satisfied rules (620). Of course it is to be understood that negative keywords may be evaluated using the opposite process. For negative keywords, the rule may be satisfied if the counter is not at the expected value while the rule fails if the counter is at the expected value.
In the case where the keyword is a PCRE expression, the access module 214 may determine whether the entire list of rules is satisfied for a PCRE expression when the last chunk of text is being reached. If the data string is complete in relation to the PCRE expression, the access module 214 may proceed to checking for the rules.
Having thus described the basic concepts, it will be rather apparent to those skilled in the art that the foregoing detailed disclosure is intended to be presented by way of example only, and is not limiting. Various alterations, improvements, and modifications will occur and are intended to those skilled in the art, though not expressly stated herein. For example, different non-security applications involving rules-based examinations requiring finding things in text strings may employ the described process. These may include but not be limited to content-based routing, search engines, billing systems, service level agreement enforcement, text processing, editing, parsers, and compilers. Another application may be for the detection of patterns in text, images or binaries such as the detection of market changes in financial data or news item text or content filtering such as spam filtering. The order that the measures are implemented may also be altered. These alterations, improvements, and modifications are intended to be suggested hereby, and are within the spirit and scope of the examples. Additionally, the recited order of processing elements or sequences, or the use of numbers, letters, or other designations therefore, is not intended to limit the claimed processes to any order except as may be specified in the claims. Accordingly, the invention is limited only by the following claims and equivalents thereto.