TY - GEN
T1 - Adaptive statistical optimization techniques for firewall packet filtering
AU - Hamed, Hazem
AU - El-Atawy, Adel
AU - Al-Shaer, Ehab
PY - 2006
Y1 - 2006
AB - Packet filtering plays a critical role in the performance of many network devices such as firewalls, IPSec gateways, DiffServ and QoS routers. A tremendous amount of research was proposed to optimize packet filters. However, most of the related works use deterministic techniques and do not exploit the traffic characteristics in their optimization schemes. In addition, most packet classifiers give no specific consideration for optimizing packet rejection, which is important for many filtering devices like firewalls. Our contribution in this paper is twofold. First, we present a novel algorithm for maximizing early rejection of unwanted flows without impacting other flows significantly. Second, we present a new packet filtering optimization technique that uses adaptive statistical search trees to utilize important traffic characteristics and minimize the average packet matching time. The proposed techniques timely adapt to changes in the traffic conditions by performing simple calculations for optimizing the search data structure. Our techniques are practically attractive because they exhibit simple-to-implement and easy-to-deploy algorithms. Our extensive evaluation study using Internet traces shows that the proposed techniques can significantly minimize the packet filtering time with reasonable memory space requirements.
UR - https://www.scopus.com/pages/publications/39049096178
U2 - 10.1109/INFOCOM.2006.129
DO - 10.1109/INFOCOM.2006.129
M3 - Conference contribution
AN - SCOPUS:39049096178
SN - 1424402212
SN - 9781424402212
T3 - Proceedings - IEEE INFOCOM
BT - Proceedings - INFOCOM 2006
ER -