TY - GEN
T1 - Splay trees based early packet rejection mechanism against DoS traffic targeting firewall default security rule
AU - Trabelsi, Zouheir
AU - Zeidan, Safaa
PY - 2011
Y1 - 2011
N2 - As the size of the firewall security policies grows, the packets discarded by the default security rule significantly affect system performance and become increasingly harmful in terms of filtering processing time. In this paper, we propose a mechanism to improve firewall performance through the early rejection of Denial of Service (DoS) traffic targeting the default security rule. To do that, the mechanism optimizes the order of the security policy filtering fields, using a traffic statistical scheme based on multilevel filtering modules, splay trees and hash tables. The proposed scheme can easily reject unwanted traffic in early stages as well as accept repeated packets with fewer memory accesses, and thus less overall packet matching time. The numerical results obtained by simulation demonstrated that the proposed mechanism significantly reduced the filtering processing time of DoS traffic targeting the firewall default security rule, compared to the related Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique.
AB - As the size of the firewall security policies grows, the packets discarded by the default security rule significantly affect system performance and become increasingly harmful in terms of filtering processing time. In this paper, we propose a mechanism to improve firewall performance through the early rejection of Denial of Service (DoS) traffic targeting the default security rule. To do that, the mechanism optimizes the order of the security policy filtering fields, using a traffic statistical scheme based on multilevel filtering modules, splay trees and hash tables. The proposed scheme can easily reject unwanted traffic in early stages as well as accept repeated packets with fewer memory accesses, and thus less overall packet matching time. The numerical results obtained by simulation demonstrated that the proposed mechanism significantly reduced the filtering processing time of DoS traffic targeting the firewall default security rule, compared to the related Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique.
KW - Binary Search on Prefix Length
KW - Default security rule
KW - Early packet rejection
KW - Firewall security policy
KW - Hash Table
KW - Packet classification
KW - Splay Tree
UR - http://www.scopus.com/inward/record.url?scp=84856471429&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84856471429&partnerID=8YFLogxK
U2 - 10.1109/WIFS.2011.6123123
DO - 10.1109/WIFS.2011.6123123
M3 - Conference contribution
AN - SCOPUS:84856471429
SN - 9781457710179
T3 - 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
BT - 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
T2 - 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
Y2 - 29 November 2011 through 2 December 2011
ER -