Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement

Zouheir Trabelsi, Safaa Zeidan

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    26 Citations (Scopus)

    Abstract

    This paper presents a mechanism to improve firewall packet filtering time by optimizing the order of the security policy filtering fields for early packet rejection. The proposed mechanism optimizes the order of the filtering fields according to traffic statistics. Furthermore, the mechanism uses multilevel packet filtering, and at each level unwanted packets are rejected as early as possible. The proposed mechanism can therefore also be considered a device protection mechanism against denial of service (DoS) attacks targeting the default policy rule. In addition, early packet acceptance is achieved using the splay tree data structure, which changes dynamically according to traffic flows. Repeated packets therefore require fewer memory accesses, which reduces the overall packet matching time. The proposed technique aims to overcome some of the performance limitations of the previous technique, named Self Adjusting Binary Search on Prefix Length (SA-BSPL) [1]. The numerical results obtained by simulations demonstrate that the proposed mechanism is able to significantly improve firewall performance in terms of cumulative packet processing time compared to the SA-BSPL technique.

    Original language: English
    Title of host publication: 2012 IEEE International Conference on Communications, ICC 2012
    Pages: 1074-1078
    Number of pages: 5
    Publication status: Published - Dec 1 2012
    Event: 2012 IEEE International Conference on Communications, ICC 2012 - Ottawa, ON, Canada
    Duration: Jun 10 2012 to Jun 15 2012

    Publication series

    Name: IEEE International Conference on Communications
    ISSN (Print): 1550-3607

    Other

    Other: 2012 IEEE International Conference on Communications, ICC 2012
    Country/Territory: Canada
    City: Ottawa, ON
    Period: 6/10/12 to 6/15/12

    Keywords

    • Binary Search on Prefix Length
    • Early Packet Rejection
    • Hash Table
    • Packet Classification
    • Splay Tree

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Electrical and Electronic Engineering
