Vu Duy Nhat
Post-graduate Department
Military Technical Academy
Ha Noi, Viet Nam
manhhungk12@mta.edu.vn
I. INTRODUCTION
Today, with the strong development of computer networks, the proliferation of different types of network services and the growing number of users, the volume of data transmitted over the network is very large. A firewall is a security device located at the connection point between a network's internal segment (LAN) and the large external network (WAN); its function is to control all accesses from outside to inside and vice versa. Because of this location and function, the firewall becomes a "bottleneck" that slows down the exchange of information between the LAN and the WAN, so improving the handling capacity of the firewall is an objective requirement.
978-1-4799-5430-8/14/$31.00 ©2014 IEEE
B. Some early packet rejection techniques
1) Field Value Set Cover (FVSC)
This technique analyzes the set of firewall rules to create a small rule set that can remove undesirable packets before they are passed to the original rules [1]. The basic idea is that if a packet does not match any of the values common to all "accept" rules, it can be rejected immediately without any risk of a wrong rejection. This means that the early packet rejection rule can be created by combining the common values present in all policy rules. For example, if all "accept" rules use a destination IP address or a port, all packets that do not contain the same values can be eliminated without further examination. An early rejection rule can have the form: RR = (DP 80) (SP 1500) (DIP 15.16.17.18) (P UDP).
This technique is limited in the number of rules generated, and its benefit depends on the percentage of packets rejected early compared to the total number of rejected packets. The number of early packet rejection rules is proportional to the number of rules in the firewall policy and to the dispersion of the values in each field of the early packet rejection rule. In particular, because approximation algorithms are used to generate the early packet rejection rules, when the firewall rule set changes it is not possible to update the early packet rejection rule set to reflect the change.
2) Self Adjusting Binary Search on Prefix Lengths (SABSPL)
This technique uses the properties of Self Adjusting Binary Search (SABS) to optimize the early rejection of unwanted packets on the firewall. The model given in [2] consists of a set of self-adjusting filters, each filter using binary search on prefix length [3] based on the SABS tree model, which is used to improve the mean search time [4], [5], [7].
The idea of early packet rejection in this technique is: if a packet does not match any prefix length in the search of a filter tree, it is automatically rejected. Conversely, if a node is found containing a list F1 of n rules, the inspection continues with the next filter; if the stop node of the next filter contains a list F2 of m rules, then check whether F1 and F2 have a common rule; if they do not, the packet is rejected immediately without further examination.
An improvement of this technique combines it with consideration of the nature of the traffic to reduce the average number of filters that each packet has to go through [6]. The differences between technique [6] and [2] are: the packet filtering process is carried out in all cases, however the filters are arranged
[Equation (1) and its proof: only fragments survive extraction; n is the total number of rules.]
D. Construction of the early packet rejection rules and early packet rejection on the B-tree
Our proposed early packet rejection technique, based on the source IP address and destination IP address and using a B-tree, is carried out in 3 major phases:
Phase 1: Construction of the B-tree. We build the COM prefix of each rule. The COM prefix is converted into segments that are gradually inserted into the tree; the corresponding key segment values are compared with each other according to definition 2.
Phase 2: Early packet rejection. Do a search on the tree to reject the packet early.
Phase 3: Updating the tree. Insert and delete rules.
1. Phase 1: Construction of the B-tree.
Step 1: Create a root node for the B-tree whose key value is the interval [0, MAX] (if the source IP address and the destination IP address are each 32 bits long, then MAX = 2^64 ...).
Step 2: Build the COM prefix of the corresponding rule and convert it into the segment [a, b].
Step 3: Insert the segment [a, b] into the tree.
Check the segment [a, b] against the tree; assuming the current node Ni contains the interval [s, f], consider the following cases:
If s < a and f > b then split the interval [s, f] into the two segments [s, a-1] and [b+1, f]: delete segment [s, f] from the B-tree, then insert the two segments [s, a-1] and [b+1, f] into the B-tree.
Else if s ≥ a and f ≤ b then delete segment [s, f] from the B-tree.
Else if s < a and a < f < b then delete segment [s, f], then insert [s, a-1] into the B-tree.
Else if f > b and a < s < b then delete segment [s, f], then insert [b+1, f] into the B-tree.
Else if (s > b or a > f) and Ni is not a leaf then go down the corresponding branch of the B-tree.
Else insert segment [s, f] into Ni.
Step 4: Go to step 3 until all firewall rules are inserted into the B-tree.
2. Phase 2: Early packet rejection.
When a packet arrives, we calculate the COM from the source IP address and the destination IP address; the COM is
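The Phase 1 insertion cases and the Phase 2 membership test, as an added example that is not the paper's code: a sorted list of disjoint segments searched with bisect stands in for the B-tree, and the COM key mapping (key = src << 32 | dst, one segment per source address unless the destination prefix is /0) is an assumption of this example, not something the page specifies.

```python
"""Added example (not the paper's code): early packet rejection on the part of the
COM key space that no rule covers. A sorted list of disjoint segments searched with
bisect stands in for the B-tree; the COM key mapping below is an assumption."""
import bisect, ipaddress

MAX = 2**64 - 1  # key space [0, MAX] for a 32-bit source and 32-bit destination address

def rule_segments(src_cidr, dst_cidr):
    """Segments [a, b] covered by one rule under the assumed key = src << 32 | dst."""
    src, dst = ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)
    d0, d1 = int(dst.network_address), int(dst.broadcast_address)
    if dst.prefixlen == 0:  # any destination: the rule covers one contiguous key range
        return [(int(src.network_address) << 32, (int(src.broadcast_address) << 32) | d1)]
    return [((int(s) << 32) | d0, (int(s) << 32) | d1) for s in src]  # one per source host

class EarlyRejectTree:
    def __init__(self):
        # Step 1: the root holds [0, MAX]; the structure keeps the key space no rule covers.
        self.segs = [(0, MAX)]  # disjoint, sorted by start; stands in for the B-tree keys
    def insert_rule(self, a, b):
        """Step 3: remove [a, b] from every stored segment [s, f] that overlaps it."""
        out = []
        for s, f in self.segs:
            if s < a and f > b:            # [s, f] strictly contains [a, b]: split it
                out += [(s, a - 1), (b + 1, f)]
            elif s >= a and f <= b:        # [s, f] lies inside [a, b]: delete it
                continue
            elif s < a and a <= f <= b:    # overlap on the left: keep [s, a-1]
                out.append((s, a - 1))
            elif a <= s <= b and f > b:    # overlap on the right: keep [b+1, f]
                out.append((b + 1, f))
            else:                          # disjoint: keep [s, f] unchanged
                out.append((s, f))
        self.segs = sorted(out)
    def reject_early(self, src, dst):
        """Phase 2: a COM key inside a stored segment matches no rule, so reject early."""
        com = (int(ipaddress.IPv4Address(src)) << 32) | int(ipaddress.IPv4Address(dst))
        i = bisect.bisect_right(self.segs, (com, MAX)) - 1
        return i >= 0 and self.segs[i][0] <= com <= self.segs[i][1]

def build_demo():
    """Constructed policy: accept 10.0.0.0/30 -> 192.168.1.0/24 and 10.1.2.3 -> any."""
    tree = EarlyRejectTree()
    for src, dst in [("10.0.0.0/30", "192.168.1.0/24"), ("10.1.2.3/32", "0.0.0.0/0")]:
        for a, b in rule_segments(src, dst):
            tree.insert_rule(a, b)
    return tree
```

A packet whose key lands in a stored segment cannot match any rule, so it is dropped before the full rule set is consulted; a key outside every stored segment falls through to normal classification.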
Table: per-firewall counts (column headers are not recoverable from the extracted text)
Firewall 2: 3216, 2895220, 1995034, 1995034
Firewall 3: 882, 3273840, 3027159, 3027159
Firewall 4: 4449, 3754690, 2510232, 2510232
Firewall 5: 626, 3280211, 3105021, 3105021

[Figure: classification time (second) against number of rules for the proposed technique on B-tree with degree=2, degree=3 and degree=4; y-axis from 5.9 to 6.5]

Fig. 5. Compare with FVSC technique (classification time in seconds against number of incoming packets; series: FVSC, and our proposed technique on B-tree (degree=3))

Table: Time to classification (seconds), FVSC versus our own technique (B-tree degree 3)
Number of incoming packets    FVSC     Own technique (B-Tree degree 3)
1000000                        9.12     5.34
1200000                       10.83     6.29
1400000                       12.64     7.33
1600000                       14.44     8.39
1800000                       16.22     9.42
2000000                       18.05    10.49
2200000                       19.81    11.52
2400000                       21.90    12.85
2600000                       23.48    13.69
2800000                       25.25    14.69
3000000                       27.05    15.71
3280211                       29.57    17.12

IV. CONCLUSION
REFERENCES
[1] H. Hamed, A. El-Atawy, E. Al-Shaer. Adaptive Statistical Optimization Techniques for Firewall Packet Filtering. In Proceedings of IEEE INFOCOM, pp. 1-12, 2006.
[2] N. Neji, A. Bouhoula. Dynamic Scheme for Packet Classification Using Splay Trees. Information Assurance and Security, pp. 1-9, 2009.