Splay trees based early packet rejection mechanism against DoS traffic targeting firewall default security rule

Zouheir Trabelsi, Safaa Zeidan

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    5 Citations (Scopus)

    Abstract

    As firewall security policies grow in size, packets discarded by the default security rule significantly affect system performance and become increasingly harmful in terms of filtering processing time. In this paper, we propose a mechanism to improve firewall performance through the early rejection of Denial of Service (DoS) traffic targeting the default security rule. To do so, the mechanism optimizes the order of the security policy filtering fields, using a statistical traffic scheme based on multilevel filtering modules, splay trees and hash tables. The proposed scheme can easily reject unwanted traffic at early stages and accept repeated packets with fewer memory accesses, and thus a shorter overall packet matching time. The numerical results obtained by simulation demonstrate that the proposed mechanism significantly reduces the filtering processing time of DoS traffic targeting the firewall default security rule, compared to the related Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique.

    Original language: English
    Title of host publication: 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
    Publication status: Published - Dec 1 2011
    Event: 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011 - Iguacu Falls, Brazil
    Duration: Nov 29 2011 - Dec 2 2011

    Publication series

    Name: 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011

    Other

    Other: 2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
    Country/Territory: Brazil
    City: Iguacu Falls
    Period: 11/29/11 - 12/2/11

    Keywords

    • Binary Search on Prefix Length
    • Default security rule
    • Early packet rejection
    • Firewall security policy
    • Hash Table
    • Packet classification
    • Splay Tree

    ASJC Scopus subject areas

    • Computer Science Applications
    • Information Systems
