Abstract
In this paper, we present a mechanism that uses network traffic behavior and packet filtering statistics to improve firewall performance. The proposed mechanism reorders the filtering rules, and the fields within each rule, only when the divergence of the traffic behavior exceeds a qualifying threshold. Statistics from the current and previous traffic windows are compared with a Chi-Square test to check whether the traffic is stable. The gain in processing time over related mechanisms comes from reducing the overhead of frequently updating the security policy rule and field structures.
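The following Python block is an added illustration of the scheme the abstract describes; it is not the paper's own code, and the rule ids (r1..r3), field names and all hit and mismatch counts in it are constructed. It compares per-rule hit counts from two consecutive traffic windows with a Pearson Chi-Square test of homogeneity, and only when the statistic exceeds the 0.05 critical value does it re-sort the rules by current hit frequency and the fields of a rule by how often each field fails to match. Stable traffic leaves the existing order untouched, which is the source of the saved update overhead.

```python
"""Traffic-window stability check and threshold-gated rule/field reordering.

Added illustration of the scheme the abstract describes; it is not the
paper's own code. Rule ids, field names and all counts below are constructed.
"""

# Standard chi-square critical values at significance 0.05, indexed by
# degrees of freedom 1..10 (from the usual statistical table).
CHI2_CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070,
                    6: 12.592, 7: 14.067, 8: 15.507, 9: 16.919, 10: 18.307}


def chi_square_homogeneity(previous, current):
    """Pearson chi-square statistic for a 2 x k contingency table whose rows are
    the previous and current windows and whose columns are per-rule hit counts.
    Returns (statistic, degrees_of_freedom). Rules hit in neither window are
    dropped, since their expected count would be zero."""
    rules = [r for r in set(previous) | set(current)
             if previous.get(r, 0) + current.get(r, 0) > 0]
    if not rules:
        raise ValueError("no traffic in either window")
    rows = (previous, current)
    row_totals = [sum(w.get(r, 0) for r in rules) for w in rows]
    grand = sum(row_totals)
    stat = 0.0
    for r in rules:
        col_total = previous.get(r, 0) + current.get(r, 0)
        for w, row_total in zip(rows, row_totals):
            expected = row_total * col_total / grand
            observed = w.get(r, 0)
            stat += (observed - expected) ** 2 / expected
    return stat, len(rules) - 1


def traffic_diverged(previous, current, critical=CHI2_CRITICAL_05):
    """True when the two windows differ significantly, i.e. the statistic is
    above the 0.05 critical value for the table's degrees of freedom."""
    stat, df = chi_square_homogeneity(previous, current)
    if df < 1:
        return False            # a single active rule cannot diverge from itself
    return stat > critical[df]


def reorder_rules(rule_order, previous, current):
    """Rule order for the next window: unchanged when traffic is stable,
    otherwise sorted by current hit count (most-hit first) so the common case
    matches after fewer rule comparisons. sorted() is stable, so ties keep
    their existing relative order."""
    if not traffic_diverged(previous, current):
        return list(rule_order)
    return sorted(rule_order, key=lambda r: -current.get(r, 0))


def reorder_fields(field_order, mismatch_counts):
    """Order the fields of one rule so the field that most often fails to match
    is tested first; a packet that does not match the rule is then rejected
    after fewer field comparisons."""
    return sorted(field_order, key=lambda f: -mismatch_counts.get(f, 0))


# Constructed sample statistics: packets matched per rule in each window.
PREVIOUS = {"r1": 50, "r2": 30, "r3": 20}
CURRENT_STABLE = {"r1": 48, "r2": 32, "r3": 20}
CURRENT_SHIFTED = {"r1": 10, "r2": 20, "r3": 70}
RULE_ORDER = ["r1", "r2", "r3"]
# Constructed per-field mismatch counts for rule r3 (packets that failed on that field).
FIELDS_R3 = ["src_ip", "dst_ip", "dst_port", "proto"]
MISMATCH_R3 = {"src_ip": 120, "dst_ip": 40, "dst_port": 610, "proto": 30}

if __name__ == "__main__":
    for label, cur in (("stable", CURRENT_STABLE), ("shifted", CURRENT_SHIFTED)):
        stat, df = chi_square_homogeneity(PREVIOUS, cur)
        print(f"{label}: chi2={stat:.3f} df={df} diverged={traffic_diverged(PREVIOUS, cur)}")
        print("  rule order ->", reorder_rules(RULE_ORDER, PREVIOUS, cur))
    print("r3 field order ->", reorder_fields(FIELDS_R3, MISMATCH_R3))
```

The example sorts rules purely by hit frequency; a production reorder must also preserve first-match semantics between overlapping rules, which the block above does not model, so treat the sort as the statistic-driven trigger rather than a complete policy rewrite.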
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Trabelsi, Z., Zhang, L., Zeidan, S. (2012). Firewall Packet Filtering Optimization Using Statistical Traffic Awareness Test. In: Chim, T.W., Yuen, T.H. (eds) Information and Communications Security. ICICS 2012. Lecture Notes in Computer Science, vol 7618. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34129-8_8
DOI: https://doi.org/10.1007/978-3-642-34129-8_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34128-1
Online ISBN: 978-3-642-34129-8