Hazem Hamed, Adel El-Atawy, Ehab Al-Shaer

Presentation transcript:

Adaptive Statistical Optimization Techniques for Firewall Packet Filtering (Infocom ’06) Hazem Hamed, Adel El-Atawy, Ehab Al-Shaer School of Computer Science, DePaul University, Chicago, USA

Background: packet filtering (classification). Most of the related works use deterministic techniques. Also, no special consideration is given to optimizing packet rejection (early rejection). Internet traffic properties: "skewness" in the traffic distribution, and the "skewness" is relatively stable.

Contribution: a novel algorithm for maximizing early rejection of unwanted flows without significantly impacting other flows; a new packet filtering optimization technique that uses adaptive statistical search trees to utilize important traffic characteristics; minimize the average packet matching time.

Early Traffic Rejection Goal: to select the minimum number of early rejection rules that has the maximum discarding effect represents the set of all possible represents a selection of such that a A’ can be used to form a Rejection Rule (RR)

Early Traffic Rejection: Dynamic rule selection The number of rejection rules: leads to: The effect of adding a specific RR at run time

Early Traffic Rejection: Algorithms

Locality of matching properties in firewall filtering Packet flow properties

Locality of matching properties in firewall filtering. Packet field properties: skewness factor; only a small portion of the field values is used by the majority of the traffic.

Statistical matching tree. Binary search tree: worst-case search time lg(n). Statistical search tree: insert values of higher occurrence probability at higher tree levels.

Matching tree construction time complexity: space complexity:

Policy matching: cascaded-tree matching; parallel-tree matching. Lookup is performed against each field separately; the matched rule is found by taking the intersection of each field's matching results.

Tree reconstruction and updates. Performance-triggered updates: optimization efficacy; is the height of the destination leaf of packet , is the gain over binary search for packet . Periodic mandatory updates: to avoid extended periods of mediocre performance that is just above the rebuilding threshold, a new matching tree is constructed.
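As an added illustration (not the authors' code or the paper's implementation) of the statistical matching tree and of the per-field lookups whose results are intersected, as the policy-matching slide describes: a constructed five-rule policy and a constructed skewed traffic profile, with one tree per field built either balanced (plain binary search) or with the most frequently seen value at the root. `expected_visits` gives the average number of tree nodes visited per packet, so the difference between the two builds is the gain over binary search that the update criterion above measures. Rules, ports and traffic fractions are invented sample data.

```python
# Constructed sample policy (not from the paper): priority-ordered (proto, dport) rules, None = wildcard
RULES = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", None), (None, None)]
FIELDS = ("proto", "dport")
# Constructed skewed traffic profile: (packet, fraction of traffic); port 22 appears in no rule
TRAFFIC = [({"proto": "tcp", "dport": 443}, 0.55), ({"proto": "tcp", "dport": 80}, 0.30),
           ({"proto": "udp", "dport": 53}, 0.10), ({"proto": "tcp", "dport": 22}, 0.05)]

def build_tree(values, rulemask, pick):
    # BST over sorted field values as nested (value, rulemask, left, right) tuples; `pick` chooses the root
    if not values:
        return None
    i = pick(values)
    return (values[i], rulemask(values[i]), build_tree(values[:i], rulemask, pick),
            build_tree(values[i + 1:], rulemask, pick))

def build_policy(rules, pick):
    # One matching tree per field; a node stores the bitmask of rules whose field equals that value
    trees = {}
    for fi, fname in enumerate(FIELDS):
        wildcard = sum(1 << r for r, rule in enumerate(rules) if rule[fi] is None)
        values = sorted({rule[fi] for rule in rules if rule[fi] is not None})
        rulemask = lambda v, fi=fi: sum(1 << r for r, rule in enumerate(rules) if rule[fi] == v)
        trees[fname] = (build_tree(values, rulemask, lambda vals, f=fname: pick(f, vals)), wildcard)
    return trees

def lookup(node, value, wildcard):
    # Returns (matching rule bitmask, nodes visited); a value absent from the tree matches only wildcards
    depth = 0
    while node is not None:
        depth += 1
        if value == node[0]:
            return node[1] | wildcard, depth
        node = node[2] if value < node[0] else node[3]
    return wildcard, depth

def classify(trees, packet):
    # Per-field lookups, then intersection of the rule sets; returns (highest-priority rule, nodes visited)
    match, visited = (1 << len(RULES)) - 1, 0
    for fname, (tree, wildcard) in trees.items():
        mask, depth = lookup(tree, packet[fname], wildcard)
        match, visited = match & mask, visited + depth
    return ((match & -match).bit_length() - 1 if match else None), visited

def field_weights(traffic):  # per-field value frequencies: the traffic "skewness" being exploited
    return {f: {p[f]: sum(q for pk, q in traffic if pk[f] == p[f]) for p, _ in traffic} for f in FIELDS}
def expected_visits(trees, traffic):  # average nodes visited per packet under the traffic profile
    return sum(q * classify(trees, pkt)[1] for pkt, q in traffic)
WEIGHTS = field_weights(TRAFFIC)
BALANCED = build_policy(RULES, lambda f, vals: len(vals) // 2)  # plain binary search: median at root
STATISTICAL = build_policy(RULES, lambda f, vals: max(range(len(vals)), key=lambda i: WEIGHTS[f].get(vals[i], 0.0)))
```

Both builds classify every packet to the same rule; only the number of nodes visited differs, which is the quantity a performance-triggered rebuild would compare against its threshold.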

Performance Evaluation Evaluation of early rejection

Performance Evaluation: adaptive statistical filtering effectiveness for individual filtering fields

Performance Evaluation: adaptive statistical filtering effectiveness for filtering policy

Performance Evaluation: adaptive statistical filtering adaptive tree updates only 2-5 times in an hour when and

Yaxuan's comments: Adds early deny rules; the number and pattern of the rules added are bounded by formulas. Introduces a probability distribution into binary search for optimization. The probability statistics use HSM's minimum segment as the unit of measurement, which differs from our Bclass statistics and is also not the rule hit rate; I think this way of collecting statistics is the better approach. The author's ability at mathematical abstraction is worth learning from: extracting formulas 1-8 from a relatively simple idea is no small feat. In addition, a large amount of space is spent proving the construction of the binary tree, giving a fairly thorough argument. Regardless of whether statistics are introduced, if only a binary tree is used, worst-case performance can only be f*log(N), i.e., 4 fields and 1K rules need around 40 memory accesses, which is slower than HSM's 30 and RFC's 10. Based on the exhaustive enumeration of segments, the expected space consumption should be close to HSM's.

Thanks!