Firewall Packet Filtering Optimization Using Statistical Traffic Awareness Test
Details
  • Authors: Zouheir Trabelsi (1) trabelsi@uaeu.ac.ae
    Liren Zhang (1) lzhang@uaeu.ac.ae
    Safaa Zeidan (1) safaa.z@uaeu.ac.ae
  • Keywords: Packet Classification; Rule Order; Rule Fields Order; System Stability; Chi-square Test
  • Journal: Lecture Notes in Computer Science
  • Publication year: 2012
  • Volume: 7618
  • Issue: 1
  • Pages: 81-92
  • Full-text size: 299.5 KB
  • Affiliation: 1. Faculty of Information Technology, UAE University, Al-Ain, UAE
  • ISSN: 1611-3349
Abstract
In this paper, we present a mechanism that uses network traffic behavior and packet filtering statistics to improve firewall performance. The proposed mechanism reorders the filtering rules, and the fields within each rule, only once a threshold test indicates that the traffic behavior has diverged. The statistics of the current and previous traffic windows are compared with a Chi-square test to check whether the system is stable. The processing-time gain over related mechanisms comes from reducing how often the security policy's rule and field structures have to be updated.
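To make the abstract's mechanism concrete, here is an added Python sketch (not the paper's code) of the stability check: a Pearson chi-square test of the current window's per-rule hit counts against the previous window's distribution, with the rule order rebuilt only when the test reports divergence. The window counts are constructed, the critical values are the standard alpha = 0.05 table, and the "rules are disjoint, sort by hit count" reorder policy and the fixed alpha are assumptions of this example; the paper's field reordering is not shown.

```python
# Added example, not the paper's own code: chi-square stability check between two
# traffic windows; the rule order is rebuilt only when the traffic has diverged.

# Standard upper-tail chi-square critical values at alpha = 0.05, by degrees of freedom
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

# Constructed sample: hits per rule in the previous window and in two candidate current windows
PREV_WINDOW = {"R1": 500, "R2": 300, "R3": 150, "R4": 50}
CURR_STABLE = {"R1": 520, "R2": 280, "R3": 160, "R4": 40}
CURR_DIVERGED = {"R1": 100, "R2": 150, "R3": 600, "R4": 150}


def chi_square_stat(prev, curr):
    """Pearson chi-square statistic: observed = current-window hits per rule,
    expected = previous-window proportions scaled to the current window's total."""
    prev_total = sum(prev.values())
    curr_total = sum(curr.values())
    stat = 0.0
    for rule, observed in curr.items():
        expected = prev.get(rule, 0) * curr_total / prev_total
        if expected == 0:
            continue  # rule never hit in the previous window: no expected count to compare against
        stat += (observed - expected) ** 2 / expected
    return stat


def traffic_diverged(prev, curr, crit=CHI2_CRIT_05):
    """True when the current window differs significantly from the previous one,
    i.e. the statistic exceeds the alpha = 0.05 critical value for len(curr) - 1 d.o.f."""
    return chi_square_stat(prev, curr) > crit[len(curr) - 1]


def reorder_rules(order, curr):
    """Most frequently hit rules first (assumption: rules are disjoint, so the
    order cannot change which rule a packet matches, only how fast it is found)."""
    return sorted(order, key=lambda r: curr.get(r, 0), reverse=True)


def update_policy(order, prev, curr):
    """Threshold-gated update: reorder only when the test reports divergence,
    otherwise keep the existing order and skip the update overhead."""
    if traffic_diverged(prev, curr):
        return reorder_rules(order, curr), True
    return list(order), False


if __name__ == "__main__":
    order = ["R1", "R2", "R3", "R4"]
    print(update_policy(order, PREV_WINDOW, CURR_STABLE))    # (['R1', 'R2', 'R3', 'R4'], False)
    print(update_policy(order, PREV_WINDOW, CURR_DIVERGED))  # (['R3', 'R2', 'R4', 'R1'], True)
```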
