Conflict detection and resolution in two-dimensional prefix router tables
IEEE/ACM Transactions on Networking (TON)
Packet classification using diagonal-based tuple space search
Computer Networks: The International Journal of Computer and Telecommunications Networking
O(logW) multidimensional packet classification
IEEE/ACM Transactions on Networking (TON)
ClassBench: a packet classification benchmark
IEEE/ACM Transactions on Networking (TON)
Formal correctness of conflict detection for firewalls
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
An inference system for detecting firewall filtering rules anomalies
Proceedings of the 2008 ACM symposium on Applied computing
Firewall policy verification and troubleshooting
Computer Networks: The International Journal of Computer and Telecommunications Networking
Comparison model and algorithm for distributed firewall policy
ICIC'06 Proceedings of the 2006 international conference on Intelligent computing: Part II
Safe and efficient strategies for updating firewall policies
TrustBus'10 Proceedings of the 7th international conference on Trust, privacy and security in digital business
First step towards automatic correction of firewall policy faults
LISA'10 Proceedings of the 24th international conference on Large installation system administration
Modality conflict discovery for SOA security policies
APPT'11 Proceedings of the 9th international conference on Advanced parallel processing technologies
A fast and scalable conflict detection algorithm for packet classifiers
ISPA'05 Proceedings of the Third international conference on Parallel and Distributed Processing and Applications
Firewall policy change-impact analysis
ACM Transactions on Internet Technology (TOIT)
OPODIS'04 Proceedings of the 8th international conference on Principles of Distributed Systems
SyFi: a systematic approach for estimating stateful firewall performance
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
First step towards automatic correction of firewall policy faults
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Consistency maintenance of modern security policies
ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
Change-impact analysis of firewall policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Packet filters provide rules for classifying packets based on header fields. High-speed packet classification has received much study. However, the twin problems of fast updates and fast conflict detection have not received much attention. A conflict occurs when two classifiers overlap, potentially creating ambiguity for packets that match both filters. For example, if Rule 1 specifies that all packets going to CNN be rate controlled and Rule 2 specifies that all packets coming from Walmart be given high priority, the rules conflict for traffic from Walmart to CNN. There has been prior work on efficient conflict detection for two-dimensional classifiers. However, the best known algorithm for conflict detection for general classifiers is the naive O(N^2) algorithm of comparing each pair of rules for a conflict. In this paper, we describe an efficient and scalable conflict detection algorithm for the general case that is significantly faster. For example, for a database of 20,000 rules, our algorithm is 40 times faster than the naive implementation. Even without considering conflicts, our algorithm also provides a packet classifier with fast updates and fast lookups that can be used for stateful packet filtering.