Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement

Trabelsi, Zouheir; Zeidan, Safaa

doi:10.1109/icc.2012.6364218

Cited by 25 publications

(21 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, in this paper we emphasize on these important optimization points that haven't been considered in previous works. This paper significantly extends our preliminary work described in (Trabelsi and Zeidan, 2012), in which the filter fields were ranked according to their packet rejection probabilities. In (Trabelsi and Zeidan, 2012), a brief analysis and preliminary results were presented using special types of generated traffic (high non-matching traffic and high matching traffic).…”

Section: Related Workmentioning

confidence: 97%

“…On the other hand, for the high matching traffic the slight difference was due to the small packet rejection percentage. Moreover, the work in (Trabelsi and Zeidan, 2012) presented only abstract overviews without including any technical details. The math model mainly used ChieSquare Test to rank the filters according to their previous non-matching frequencies (rejection frequencies).…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Trabelsi¹,

Zeidan²,

Masud³

et al. 2015

Computers & Security

Self Cite

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 97%

Section: Related Workmentioning

confidence: 99%

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Trabelsi¹,

Zeidan²,

Masud³

et al. 2015

Computers & Security

Self Cite

View full text Add to dashboard Cite

“…An improvement of this technique is combined with consideration of the nature of the data to reduce the average number of filters that each packet has to go through [6]. The difference of technique [6] to [2] are: packet filtering process has been carried out on all cases, however filters are arranged in descending order staring from the field with the highest rejection statistics.…”

Section: ) Self Adjusting Binary Search On Prefix Lengths (Sa-bspl)mentioning

confidence: 99%

“…The difference of technique [6] to [2] are: packet filtering process has been carried out on all cases, however filters are arranged in descending order staring from the field with the highest rejection statistics. For example, according to the type of the packet rate due to invalid source IP address, destination IP, source port, destination port, respectively: 30%, 40%, 10%, 20%, the actual order current filtering will be done in this order: destination IP, source IP, destination port, source port.…”

Section: ) Self Adjusting Binary Search On Prefix Lengths (Sa-bspl)mentioning

confidence: 99%

B-tree based two-dimensional early packet rejection technique against DoS traffic targeting firewall default security rule

Hùng

Nhat²

2014

The 2014 Seventh IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA)

View full text Add to dashboard Cite

Regarding to the current computer networks, firewall is vital equipment for ensuring the security of entire systems. With the role of controlling all connected to a network, firewall is the only connection between network need to be protected with outside networks. Improving the speed of classifying and processing packets on firewall shall be highly improved to avoid overload of the firewall in the particular case. In order to implement this, the ideal has been used, based on the characteristics of the filter or the characteristics of the data flow through the firewall in order to minimize the manipulation of a packet in the process of classification, which is the early packet rejection. Some early packet rejection techniques in packet firewall systems have been proposed, such as Field Value Set Cover -FVSC, Self Adjusting Binary Search on Prefix Length -SA-BSPL, Statistical Splaying Filters with Binary Search on Prefix Length -SSF-BSPL. In this paper we carry out the analysis of the main strengths and weakness of the above techniques and propose new two-dimensional early packet rejection technique based on the B-Tree. The proposed technique is compared with other techniques experimentally.

show abstract

“…Therefore, they used the B+ tree data structure with RSA accumulators for the authentication scheme, which requires lower computational costs for membership queries in a dynamic data set. Trabelsi & Zeidan (2012) provided in 2012 a mechanism to improve the filtering time of firewall packets by optimizing the comparison order of the matched security-rule fields to decide on the early rejection of incoming packets. Their proposed mechanism was based on changing the order of filtering fields according to traffic statistics.…”

Section: Introductionmentioning

confidence: 99%

Comparison of the performance of skip lists and splay trees in classification of internet packets

Khezrian

Abbasi

2019

PeerJ Computer Science

View full text Add to dashboard Cite

Due to the increasing number of Internet users and the volume of information exchanged by software applications, Internet packet traffic has increased significantly, which has highlighted the need to accelerate the processing required in network systems. Packet classification is one of the solutions implemented in network systems. The most important issue is to use an approach that can classify packets at the speed of the network and show optimum performance in terms of memory usage. In this study, we evaluated the performance in packet classification of two of the most important data structures used in decision trees, i.e. the skip list and splay tree. Our criteria for performance were the time of packet classification, the number of memory accesses, and memory usage of each event. These criteria were tested by the ACL and IPC rules with different numbers of rules as well as by different packet numbers. The results of the evaluation showed that the performance of skip lists is higher than that of splay trees. By increasing the number of classifying rules, both the difference in the speed of packet classification and the superiority of the performance of the skip list over that of the splay tree become more significant. The skip list also maintains its superiority over the splay tree in lower memory usage. The results of the experiments confirm the scalability of this method in comparison to the splay tree method.

show abstract

Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement

Cited by 25 publications

References 18 publications

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

B-tree based two-dimensional early packet rejection technique against DoS traffic targeting firewall default security rule

Comparison of the performance of skip lists and splay trees in classification of internet packets

Contact Info

Product

Resources

About