Abstract
Network firewalls are among the most important security components in today's IP network architectures, and their performance has a significant impact on overall network performance: a firewall must sustain very high throughput while keeping network services available. In this paper, we propose an analytical, dynamic, multilevel early packet filtering mechanism to enhance firewall performance. The mechanism uses statistical splay tree filters that exploit traffic characteristics to minimize packet filtering time. The splay tree filters are reordered according to the divergence of the network traffic once a threshold is met (Chi-Square test); that is, the mechanism decides whether the order of the dynamic splay tree filters needs to be updated for the next network traffic window and predicts the best ordering. Packet rejection and acceptance are optimized through the multilevel packet filtering process, in which each level rejects unwanted packets as early as possible. The mechanism can therefore also serve as device protection against denial of service (DoS) attacks that target the default filtering rule. Early packet acceptance uses the splay tree data structure, which adapts dynamically to the network traffic flows; consequently, repeated packets incur fewer memory accesses, which reduces overall packet filtering time, as demonstrated in the evaluation section.
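As an added illustration, not code from the paper, the Python sketch below implements the two ideas the abstract describes: a splay-tree cache of accepted flows, in which a flow seen again is found with fewer node visits than the first time, and a Pearson chi-square test on per-level rejection counts that decides whether the early-reject levels should be reordered for the next traffic window. The level names, window counts and the 7.815 critical value (chi-square, 3 degrees of freedom, 95%) are constructed assumptions, and the reorder policy (most-rejecting level checked first) is one plausible choice rather than the paper's own.

```python
# Added illustration, not the paper's implementation: a splay-tree cache of
# accepted flows (repeat lookups touch fewer nodes) and a chi-square check on
# per-level rejection counts that decides whether to reorder the early-reject
# levels for the next window. Level names, counts and threshold are assumed.

class _Node:
    __slots__ = ("key", "left", "right")
    def __init__(self, key):
        self.key, self.left, self.right = key, None, None

class SplayTree:
    """Top-down splay tree. Every node examined during a splay counts as one
    memory access, so a key looked up again is found at or near the root."""
    def __init__(self):
        self.root, self.accesses = None, 0

    def _splay(self, t, key):
        if t is None:
            return None
        head = _Node(None)          # head.right: left tree, head.left: right tree
        left = right = head
        while True:
            self.accesses += 1
            if key < t.key:
                if t.left is None:
                    break
                if key < t.left.key:                  # zig-zig: rotate right
                    self.accesses += 1
                    y, t.left = t.left, t.left.right
                    y.right, t = t, y
                    if t.left is None:
                        break
                right.left, right, t = t, t, t.left   # link right
            elif key > t.key:
                if t.right is None:
                    break
                if key > t.right.key:                 # zag-zag: rotate left
                    self.accesses += 1
                    y, t.right = t.right, t.right.left
                    y.left, t = t, y
                    if t.right is None:
                        break
                left.right, left, t = t, t, t.right   # link left
            else:
                break
        left.right, right.left = t.left, t.right      # reassemble around t
        t.left, t.right = head.right, head.left
        return t

    def contains(self, key):
        self.root = self._splay(self.root, key)
        return self.root is not None and self.root.key == key

    def insert(self, key):
        self.root = r = self._splay(self.root, key)
        if r is None:
            self.root = _Node(key)
        elif key != r.key:
            n = _Node(key)
            if key < r.key:
                n.left, n.right, r.left = r.left, r, None
            else:
                n.right, n.left, r.right = r.right, r, None
            self.root = n

def repeated_lookup_costs(keys, target, repeats):
    """Insert `keys` (e.g. flow tuples), then return the memory accesses spent
    on each of `repeats` consecutive lookups of `target`."""
    tree, costs = SplayTree(), []
    for k in keys:
        tree.insert(k)
    for _ in range(repeats):
        before = tree.accesses
        tree.contains(target)
        costs.append(tree.accesses - before)
    return costs

def next_level_order(order, prev_counts, cur_counts, threshold):
    """Pearson chi-square of this window's per-level rejection counts against
    the previous window's shares scaled to this window's total. Above
    `threshold` (chi-square table, len(order)-1 degrees of freedom) the levels
    are re-sorted so the level rejecting most packets is checked first."""
    prev_total = sum(prev_counts[f] for f in order) or 1
    cur_total = sum(cur_counts[f] for f in order)
    expected = {f: prev_counts[f] / prev_total * cur_total for f in order}
    stat = sum((cur_counts[f] - e) ** 2 / e for f, e in expected.items() if e > 0)
    if stat > threshold:
        return stat, sorted(order, key=lambda f: -cur_counts[f])
    return stat, list(order)

# Constructed sample windows: packets rejected at each early-reject level.
LEVELS = ["src", "dst", "dport", "proto"]
PREV_WINDOW = {"src": 50, "dst": 30, "dport": 15, "proto": 5}
CALM_WINDOW = {"src": 48, "dst": 32, "dport": 14, "proto": 6}      # same mix
SHIFTED_WINDOW = {"src": 10, "dst": 20, "dport": 60, "proto": 10}  # traffic changed
CHI2_CRIT_DF3_95 = 7.815   # 95% critical value for 3 degrees of freedom
```

Inserting the keys 1 to 16 in order degenerates the tree into a chain, so the first lookup of key 1 walks the whole chain while every following lookup of the same key costs a single access; the calm window's statistic stays far below the critical value and the level order is kept, whereas the shifted window's statistic exceeds it and the dport level moves to the front.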
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 109-131 |
| Number of pages | 23 |
| Journal | Computers and Security |
| Volume | 53 |
| DOIs | |
| Publication status | Published - Jul 10 2015 |
Keywords
- Binary search on prefix length
- Chi-Square Test
- Early packet rejection and acceptance
- Firewall performance
- Hash table
- Packet filtering
- Splay tree
- System stability
ASJC Scopus subject areas
- Computer Science (all)
- Law