Splay trees based early packet rejection mechanism against DoS traffic targeting firewall default security rule

Zouheir Trabelsi, Safaa Zeidan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Citations (Scopus)

Abstract

As the size of the firewall security policies grows; the discarded packets by the default security rule affect significantly the system performance and become increasingly harmful in terms of filtering processing time. In this paper, we propose a mechanism to improve firewall performance through the early rejection of Denial of Service (DoS) traffic targeting the default security rule. To do that, the mechanism optimizes the order of the security policy filtering fields, using a traffic statistical scheme which is based on multilevel filtering modules, splay trees and hash tables. The proposed scheme can easily reject unwanted traffic in early stages as well as accept repeated packets with less memory accesses, and thus less overall packets matching time. The numerical results obtained by simulation demonstrated that the proposed mechanism reduced significantly the filtering processing time of DoS traffic targeting the firewall default security rule, compared to the related Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique.

Original languageEnglish
Title of host publication2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
DOIs
Publication statusPublished - 2011
Event2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011 - Iguacu Falls, Brazil
Duration: Nov 29 2011Dec 2 2011

Publication series

Name2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011

Other

Other2011 IEEE International Workshop on Information Forensics and Security, WIFS 2011
Country/TerritoryBrazil
CityIguacu Falls
Period11/29/1112/2/11

Keywords

  • Binary Search on Prefix Length
  • Default security rule
  • Early packet rejection
  • Firewall security policy
  • Hash Table
  • Packet classification
  • Splay Tree

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems

Fingerprint

Dive into the research topics of 'Splay trees based early packet rejection mechanism against DoS traffic targeting firewall default security rule'. Together they form a unique fingerprint.

Cite this