System and method for selecting memory locations for overwrite

Abstract

A method and information technology system are provided that enable a one-pass automated selection of memory locations of a table to be made available for storing new data may be applied to clear memory space of the table as the table approaches an overload condition. A fraction of the memory locations of the table to be made available for overwriting is established. The memory locations store a formatted record, and a parameter of the records stored in the memory locations is chosen for use in processing the table. In one example, a time parametric value of the records is chosen, and the memory locations holding records having time values older than a G value are released for overwriting, where G is a variable that is iteratively calculated. The records are analyzed serially in pluralities or blocks and the G value is examined after each block is processed for recalculation in order to more closely achieve the removal of the established fraction of records from the remaining unexamined blocks. In various versions, the records may be stored in the table according to an order or alternatively in a random or randomized sequence.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

These, and further features of the invention, may be better understood with reference to the accompanying specification and drawings depicting the preferred embodiment, in which:

FIG. A presents the outcomes of deleting information by means of comparison with a quality factor;

FIG. B is a flow chart of the application and modification of the quality factor of FIG. A;

FIG. C is a flow chart of the use and modification of the quality factor of FIG. A during an initialization period;

FIG. D is a flow chart of the use and modification of the quality of factor of FIG. A after the initialization period of FIG. C has ended;

FIG. 1 is a schematic of a computational engine, or first system, coupled with an electronic communications network;

FIG. 2A illustrates a flow table record stored in the first system of FIG. 1;

FIG. 2B illustrates a source flow table record stored in the first system of FIG. 1;

FIG. 2C illustrates a destination flow table record stored in the first system of FIG. 1;

FIG. 3 is a diagram of the table maintained in the first system of FIG. 1 and storing a plurality of records of at least one format selected from FIGS. 2A through 2D;

FIG. 4 is a flowchart of a first preferred embodiment of the Method of the Present Invention, or first method, that may be executed by means of the first system of FIG. 1;

FIG. 5 is a flowchart of a second preferred embodiment of the Method of the Present Invention, or second method, that may be executed by means of the first system of FIG. 1;

FIGS. 6A and 6B comprise the initialization process of the second method of FIG. 5; and

FIGS. 7A and 7B comprise the main cycle of the second method of FIG. 5.

Claims

1. In an information technology system, the information technology system having a memory storing a table of information organized in blocks of N formatted records, each formatted record stored in one of a plurality of addressable memory locations, the method comprising: a. Selecting for overwrite the memory locations of a first block storing records that have a first parametric value less than a value G;b. Determining a fraction FR equal to number of memory locations selected for overwrite in step a divided by N;c. Comparing FR to a value C, where C is the fraction of memory locations desired to be made available for overwriting; andd. Recalculating G to more probably select for overwrite C memory locations of a second block.

2. The method of claim 1, wherein the method is applied when the table approaches an overload condition.

3. The method of claim 1, wherein the table is a hash table.

4. The method of claim 1, wherein the table is a flow table of electronic communications traffic.

5. The method of claim 1, wherein the formatted records comprise state tables of a firewall.

6. The method of claim 1 wherein, wherein the formatted records are state tables of an intrusion detection system.

7. The method of claim 1 wherein, wherein the formatted records are state tables of an intrusion prevention system.

8. The method of claim 1, wherein each formatted record contains information related to activity associated with a particular source address.

9. The method of claim 1, wherein each formatted record contains information related to communications behavior associated with a particular destination address.

10. The method of claim 1, wherein the parametric value is derived from at least one record value selected from the group of record values consisting of a time record value, an event priority record value, a destination address record value, and a source address record value.

11. The method of claim 1, wherein the G is recalculated in step d by dividing G by a number larger than 1 when FR is greater than C, and multiplying G by a number larger than 1 when FR is less than C.

12. The method of claim 1, wherein G is calculated to be equal to (G_HIGH+G_LOW)/2, wherein G_HIGH is greater than G_LOW, the step d comprising the elements of: d.1. If FR calculated in step b is greater than C, and G is less than G_HIGH, than making G_HIGH equal to G;d.2 If FR of step b. is less than C, and G is greater than G_LOW, making G_LOW equal to G; andd.3 Recalculating G to be equal to (G_HIGH+G_LOW)/M after executing elements d.1 and d.2 of step d, wherein M is a number greater than one.

13. The method of claim 1, wherein each record comprises a plurality of record values, and the first parametric value is derived from at least one record value.

14. The method of claim 13, wherein the parametric value is derived from at least one record value selected from the group of record values consisting of a time record value, an event priority record value, a destination address record value, and a source address record value.

15. The method of claim 1, wherein each record comprises at least one record value, and the first parametric value is derived from at least one record value and an external value, the external value accessible to the information technology system. (NOTE: the external value is possibly an environmental value relating to the environment or state of the information technology system or an associated communications network.)

16. A computer-readable medium on which are stored a plurality of computer-executable instructions for performing steps (a)-(d), as recited in claim 1.

17. In an information technology system, the information technology system having a memory storing a table of information comprising a plurality of formatted records, each formatted record stored in one of a plurality of addressable memory locations, the method comprising: a. Selecting a plurality of N records, the N records being selected substantively from non-contiguous memory location addresses;b. Selecting for overwrite the memory locations of each of the records selected in step a that have a first parametric value less than a value G;c. Determining a fraction FR equal to number of memory locations selected for overwrite in step a divided by N;d. Comparing FR to a value C, where C is the fraction of memory locations desired to be made available for overwriting; ande. Recalculating G to more probably select C memory locations for overwrite of a second plurality of N records.

18. The method of claim 17, wherein the method is applied when the table approaches an overload condition.

19. The method of claim 17, wherein the G is recalculated in step d by dividing G by 2 when FR is greater than C, and doubling G when FR is less than C.

20. The method of claim 17, wherein G is calculated prior to step a to be equal to (G_HIGH+G_LOW)/2, wherein G_HIGH is greater than G_LOW, the steps of: e. If FR calculated in step c is greater than C, and G is less than G_HIGH, than making G_HIGH equal to G;f. If FR of step c. is less than C, and G is greater than G_LOW, making G LOW equal to G; andg. In step e, recalculating G to be equal to (G_HIGH+G_LOW)/M after executing steps h and i, wherein M is a number greater than one.

21. A computer-readable medium on which are stored a plurality of computer-executable instructions for performing steps (a)-(e), as recited in claim 17.

22. In an information technology system, the information technology system having a memory storing a table of information comprising formatted records, each formatted record stored in one of a plurality of addressable memory locations, the method comprising: a. Initiating an evaluation cycle of records stored in the table for deletion from the table;b. Setting a G value;c. Setting a G_HIGH value to a maximum value;d. Setting a G_LOW value to a minimum valuee. Selecting for evaluation the memory locations of a first plurality of N memory locations, each memory location configured for erasabley storing a record;f. Deleting each record of the first plurality of N memory locations that have a first parametric value less than the value G;g. Determining a fraction FR equal to number of memory locations selected for overwrite in step a divided by N;h. Comparing FR to a value C, where C is the fraction of memory locations desired to be made available for overwriting; andi. If FR is greater than C, and G is less than G_HIGH, then setting G_HIGH equal to G;j. If FR is less than C, and G is higher than G_LOW, then setting G_LOW equal to G;k. If G_LOW is greater than the minimum value, and G_HIGH is less than the maximum value, setting G equal to one half the sum of G_LOW and G_HIGH, and proceeding to step n;l. If G_LOW is equal to the minimum value or G_HIGH is equal to the maximum value, and FR is greater than C, than setting G equal to one half of G;m. If G_LOW is equal to the minimum value or G_HIGH is equal to the maximum value, and FR is less than C, than setting G equal to twice G; andn. Selecting a following plurality of N memory locations and performing steps f through n until all memory locations of the table have been evaluated in the instant evaluation cycle then ending the evaluation cycle.