Adaptive Statistical Optimization Techniques for Firewall Packet Filtering (Infocom ’06) Hazem Hamed, Adel El-Atawy, Ehab Al-Shaer School of Computer Science, DePaul University, Chicago, USA
Background: Packet filtering (classification)
- Most of the related works use deterministic techniques
- Also, no special consideration for optimizing packet rejection (early rejection)
- Internet traffic properties: "skewness" in the traffic distribution, and the "skewness" is relatively stable
Contribution
- A novel algorithm for maximizing early rejection of unwanted flows without significantly impacting other flows
- A new packet filtering optimization technique that uses adaptive statistical search trees to utilize important traffic characteristics
- Minimize the average packet matching time
Early Traffic Rejection
Goal: to select the minimum number of early rejection rules that have the maximum discarding effect
represents the set of all possible
represents a selection of such that a A' can be used to form a Rejection Rule (RR)
Early Traffic Rejection: Dynamic rule selection
The number of rejection rules: leads to:
The effect of adding a specific RR at run time
Early Traffic Rejection: Algorithms
Locality of matching properties in firewall filtering Packet flow properties
Locality of matching properties in firewall filtering
Packet field properties: skewness factor
- only a small portion of the field values is used by the majority of the traffic
Statistical matching tree
- binary search tree: worst-case search time lg(n)
- statistical search tree: insert values of higher occurrence probability at higher tree levels
Matching tree construction
time complexity:
space complexity:
Policy matching
- Cascaded-tree matching
- Parallel-tree matching: lookup is performed against each field separately; the matched rule is found by taking the intersection of each field's matches
Tree reconstruction and updates
Performance triggered updates
- optimization efficacy: is the height of the destination leaf of packet , is the gain over binary search for packet
Periodic mandatory updates
- to avoid extended periods of mediocre performance that is just above the rebuilding threshold, a new matching tree is constructed
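As an added worked example (not code from the paper), the statistical matching tree of the earlier slide and the performance-triggered rebuild of this one, for a single filtering field: values with higher observed hit probability are placed nearer the root by an optimal-BST dynamic program, the expected lookup depth is compared against a plain balanced binary search tree over the same values, and a rebuild is signalled when the gain over binary search erodes under newer traffic. The port counts and the rebuild threshold are constructed for illustration; the paper's own trigger formula is not reproduced here.

```python
# Added example, not code from the paper: a statistical matching tree for one
# filtering field, built so values with higher hit probability sit nearer the root.
def build_statistical_tree(weights):
    """Optimal BST by dynamic programming: minimise sum(p_i * depth_i)."""
    keys = sorted(weights)
    n, tot = len(keys), sum(weights.values())
    p = [weights[k] / tot for k in keys]
    cost = [[0.0] * (n + 1) for _ in range(n + 1)]  # cost[i][j] covers keys[i:j]
    root = [[0] * (n + 1) for _ in range(n + 1)]
    for size in range(1, n + 1):
        for i in range(n - size + 1):
            j = i + size
            root[i][j] = r = min(range(i, j), key=lambda k: cost[i][k] + cost[k + 1][j])
            # every key in keys[i:j] sits one level below the root chosen here
            cost[i][j] = cost[i][r] + cost[r + 1][j] + sum(p[i:j])
    def make(i, j):  # node = (key, left, right)
        if i >= j: return None
        r = root[i][j]
        return (keys[r], make(i, r), make(r + 1, j))
    return make(0, n)

def build_balanced_tree(values):  # plain BST: worst case lg(n), blind to skew
    keys = sorted(values)
    def make(lo, hi):
        if lo >= hi: return None
        mid = (lo + hi) // 2
        return (keys[mid], make(lo, mid), make(mid + 1, hi))
    return make(0, len(keys))

def lookup(tree, value):  # returns (matched key or None, nodes visited)
    depth, node = 0, tree
    while node is not None:
        depth += 1
        key, left, right = node
        if value == key: return key, depth
        node = left if value < key else right
    return None, depth

def expected_depth(tree, traffic):  # average nodes visited per packet
    total = sum(traffic.values())
    return sum(lookup(tree, v)[1] * c for v, c in traffic.items()) / total

def rebuild_needed(stat_tree, bal_tree, recent, min_gain=0.2):
    """Assumed trigger: rebuild once the gain over binary search erodes."""
    gain = 1 - expected_depth(stat_tree, recent) / expected_depth(bal_tree, recent)
    return gain < min_gain

# constructed destination-port hit counts from a training window (skewed)
TRAFFIC = {22: 40, 25: 20, 53: 15, 80: 600, 110: 10, 143: 5, 443: 300, 8080: 10}
STAT_TREE, BAL_TREE = build_statistical_tree(TRAFFIC), build_balanced_tree(TRAFFIC)
```

With the constructed counts the statistical tree puts port 80 at the root and visits 1.48 nodes per packet on average against 2.705 for the balanced tree, while a traffic window that shifts onto the cold values makes rebuild_needed return True.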
Performance Evaluation Evaluation of early rejection
Performance Evaluation: adaptive statistical filtering effectiveness for individual filtering fields
Performance Evaluation: adaptive statistical filtering effectiveness for filtering policy
Performance Evaluation: adaptive statistical filtering adaptive tree updates only 2-5 times in an hour when and
Yaxuan's comments
- Adds early deny rules; the number and pattern of the rules added are bounded by formulas.
- Introduces a probability distribution to optimize the binary search. The statistics are collected per minimal HSM segment, unlike our Bclass statistics, and it is not a rule hit rate either. I think this way of collecting statistics is the better one.
- The author's skill at mathematical abstraction is worth learning from: extracting formulas 1-8 from a relatively simple idea is no small feat. The construction of the binary tree is also proved at considerable length, with quite thorough argumentation.
- Regardless of whether statistics are introduced, if only a binary tree is used, worst-case performance can only be f*log(N), i.e., about 40 memory accesses for 4 fields and 1K rules, slower than HSM's 30 and RFC's 10.
- Given the exhaustive enumeration of segments, space consumption should be close to HSM's.
Thanks!