Packet filtering plays a critical role in many current high-speed network technologies, such as firewalls and IPsec devices, and optimizing firewall policies is essential if packet filtering is to keep pace with high-speed network security. Current packet filtering techniques exploit the structure of the filtering policy, but they ignore the behaviour of the traffic when building their search data structures. This results in impractically high space complexity, which undermines the performance gain these techniques offer. They also bound only the worst-case search time; the average case, which is what the filter actually experiences on live traffic, is not necessarily optimized. Moreover, the filtering fields most of these techniques support are limited to IP header fields and cannot be generalized to transport- and application-layer filtering.

In this paper, we present a novel technique that uses Internet traffic characteristics to optimize firewall filtering policies. The technique adapts to changing traffic conditions, using actively maintained statistics to dynamically optimize the order in which packet filtering rules are evaluated. The optimization algorithm considers both a rule's importance (how much of the traffic it matches) and its dependency on other rules (overlapping rules whose relative order determines the policy's decision). Extensive evaluation with simulated and real Internet traffic traces shows the proposed mechanism to be efficient and easy to deploy in practical firewall implementations.
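The following is an added illustration of the idea the abstract describes, not code from the paper: rules of a first-match policy are moved toward the front in proportion to how often observed traffic matched them, subject to the constraint that a rule never overtakes an earlier rule whose match set intersects its own and whose action differs. That dependency constraint is what keeps every packet's accept/deny decision unchanged. The greedy weighted topological ordering, the five-tuple rule model, the policy and the traffic mix are all assumptions constructed for this example (addresses are from the documentation ranges); the paper's own statistics and ordering algorithm are not reproduced here.

```python
"""Traffic-aware reordering of a first-match firewall ruleset (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dport: tuple        # inclusive destination-port range
    action: str         # "accept" or "deny"

    def matches(self, pkt):
        sip, dip, proto, dport = pkt
        return (sip in self.src and dip in self.dst
                and self.proto in ("any", proto)
                and self.dport[0] <= dport <= self.dport[1])


def overlaps(a, b):
    """True if some packet could match both rules (field-wise intersection)."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and max(a.dport[0], b.dport[0]) <= min(a.dport[1], b.dport[1]))


def first_match(rules, pkt, default="deny"):
    """Return (matched rule name or None, action, number of rules examined)."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return r.name, r.action, i + 1
    return None, default, len(rules)


def count_hits(rules, trace):
    """Per-rule match counts: the importance statistic that drives the reorder."""
    hits = Counter()
    for pkt in trace:
        name, _, _ = first_match(rules, pkt)
        if name is not None:
            hits[name] += 1
    return hits


def reorder(rules, hits):
    """Greedy weighted topological sort: emit the most-hit rule whose dependency
    predecessors are already placed; ties keep the original policy order."""
    n = len(rules)
    # preds[j]: earlier rules that overlap rule j with a different action.
    preds = {j: {i for i in range(j)
                 if rules[i].action != rules[j].action and overlaps(rules[i], rules[j])}
             for j in range(n)}
    placed, order = set(), []
    while len(order) < n:
        ready = [i for i in range(n) if i not in placed and preds[i] <= placed]
        best = max(ready, key=lambda i: (hits[rules[i].name], -i))
        placed.add(best)
        order.append(rules[best])
    return order


def average_cost(rules, trace):
    """Mean number of rules examined per packet under first-match lookup."""
    return sum(first_match(rules, p)[2] for p in trace) / len(trace)


def same_decisions(old, new, trace):
    """Safety check: the reordered policy must give every packet the same action."""
    return all(first_match(old, p)[1] == first_match(new, p)[1] for p in trace)


net, ip = ipaddress.ip_network, ipaddress.ip_address

# Constructed policy for the example.
POLICY = [
    Rule("r1", net("10.0.0.0/8"), ANY_NET, "any", ANY_PORT, "deny"),      # spoofed private source
    Rule("r2", ANY_NET, net("192.0.2.10/32"), "tcp", (25, 25), "deny"),   # no SMTP to the web host
    Rule("r3", ANY_NET, net("192.0.2.10/32"), "tcp", (443, 443), "accept"),
    Rule("r4", ANY_NET, net("192.0.2.10/32"), "tcp", (80, 80), "accept"),
    Rule("r5", ANY_NET, net("192.0.2.20/32"), "udp", (53, 53), "accept"),
]

# Constructed traffic mix: mostly HTTPS, then DNS, some HTTP, a few spoofs,
# one SMTP probe and some packets no rule covers (default deny).
TRACE = ([(ip("198.51.100.7"), ip("192.0.2.10"), "tcp", 443)] * 60
         + [(ip("198.51.100.8"), ip("192.0.2.10"), "tcp", 80)] * 10
         + [(ip("198.51.100.9"), ip("192.0.2.20"), "udp", 53)] * 20
         + [(ip("10.1.2.3"), ip("192.0.2.10"), "tcp", 443)] * 2
         + [(ip("198.51.100.5"), ip("192.0.2.10"), "tcp", 25)] * 1
         + [(ip("203.0.113.1"), ip("192.0.2.30"), "tcp", 22)] * 7)


def demo():
    """Reorder POLICY by observed hits; return order, cost before/after, safety."""
    optimized = reorder(POLICY, count_hits(POLICY, TRACE))
    return ([r.name for r in optimized],
            round(average_cost(POLICY, TRACE), 2),
            round(average_cost(optimized, TRACE), 2),
            same_decisions(POLICY, optimized, TRACE))


if __name__ == "__main__":
    print(demo())
```

The deny rule r1 stays at the head even though it rarely fires, because every accept rule overlaps it; r3 (HTTPS) jumps ahead of r2 because the two cannot match the same packet, so their order is free. On this trace the mean number of rules examined per packet drops from 3.59 to 2.62 with no change in any decision; in a deployment the hit counters would be re-sampled periodically so the order tracks the traffic as it shifts.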