Published by Lars-Göran Pettersson. Modified over 5 years ago.
1
Adaptive Statistical Optimization Techniques for Firewall Packet Filtering (Infocom ’06)
Hazem Hamed, Adel El-Atawy, Ehab Al-Shaer School of Computer Science, DePaul University, Chicago, USA
2
Background
Packet filtering (classification)
Most of the related works use deterministic techniques
Also, no special consideration for optimizing packet rejection (early rejection)
Internet traffic properties: “skewness” in traffic distribution; the “skewness” is relatively stable
3
Contribution
A novel algorithm for maximizing early rejection of unwanted flows without significantly impacting other flows
A new packet filtering optimization technique that uses adaptive statistical search trees, utilizing important traffic characteristics to minimize the average packet matching time
4
Early Traffic Rejection
Goal: to select the minimum number of early rejection rules that has the maximum discarding effect
represents the set of all possible
represents a selection of such that a
A’ can be used to form a Rejection Rule (RR)
5
Early Traffic Rejection: Dynamic rule selection
The number of rejection rules:
leads to:
The effect of adding a specific RR at run time
6
Early Traffic Rejection: Algorithms
7
Locality of matching properties in firewall filtering
Packet flow properties
8
Locality of matching properties in firewall filtering
Packet field properties
Skewness factor: only a small portion of the field values is used by the majority of the traffic
9
Statistical matching tree
Binary search tree: worst-case search time lg(n)
Statistical search tree: insert values of higher occurrence probability at higher tree levels
10
Matching tree construction
time complexity:
space complexity:
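As an added worked example (not code from the paper or the slides), the statistical matching tree of slides 9 and 10 for a single filter field, built so that frequently hit values sit near the root, compared against the plain lg(n) binary search tree baseline. The port values and hit fractions are a constructed sample, and the construction uses the textbook optimal-BST dynamic program rather than the authors' own algorithm.

```python
# Added illustration: statistical matching tree for one filter field.
# values are the distinct field values seen in traffic (sorted), probs[i]
# the fraction of packets hitting values[i]; frequent values end up near
# the root, unlike a balanced BST that ignores the skew.
def build_statistical_tree(values, probs):
    """Optimal BST by O(n^3) dynamic programming; returns (tree, expected
    node visits per packet). tree is nested (key, left, right) tuples."""
    n = len(values)
    assert n == len(probs) and values == sorted(values)
    w = [0.0] * (n + 1)                       # prefix sums of probs
    for i, p in enumerate(probs):
        w[i + 1] = w[i] + p
    cost = [[0.0] * (n + 1) for _ in range(n + 1)]  # cost[i][j]: keys i..j-1
    root = [[None] * (n + 1) for _ in range(n + 1)]
    for length in range(1, n + 1):
        for i in range(n - length + 1):
            j = i + length
            r = min(range(i, j), key=lambda r: cost[i][r] + cost[r + 1][j])
            root[i][j] = r
            cost[i][j] = cost[i][r] + cost[r + 1][j] + (w[j] - w[i])
    def make(i, j):
        r = root[i][j]
        return None if i >= j else (values[r], make(i, r), make(r + 1, j))
    return make(0, n), cost[0][n]

def build_balanced_tree(values):
    """Median-rooted BST: the lg(n) baseline the slides compare against."""
    if not values:
        return None
    m = len(values) // 2
    return (values[m], build_balanced_tree(values[:m]), build_balanced_tree(values[m + 1:]))

def lookup(tree, key):
    """Search for key; returns (found, number of nodes visited)."""
    depth, node = 0, tree
    while node is not None:
        depth += 1
        k, left, right = node
        if key == k:
            return True, depth
        node = left if key < k else right
    return False, depth

def expected_visits(tree, values, probs):
    """Average nodes visited per packet under the observed distribution."""
    return sum(p * lookup(tree, v)[1] for v, p in zip(values, probs))

# Constructed sample: destination ports and their observed hit fractions.
PORTS = [22, 25, 53, 80, 110, 443, 8080]
PROBS = [0.02, 0.05, 0.20, 0.45, 0.03, 0.22, 0.03]
```

On this sample the statistical tree needs 1.70 node visits per packet on average against 1.83 for the balanced tree; the gain grows with the skew, while the worst-case depth can exceed lg(n) for rare values.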
11
Policy matching
Cascaded-tree matching
Parallel-tree matching: lookup is performed against each field separately; the matched rule is found by taking the intersection of each field’s matches
12
Tree reconstruction and updates
Performance-triggered updates
optimization efficacy: is the height of the destination leaf of packet , is the gain over binary search for packet
Periodic mandatory updates: to avoid extended periods of mediocre performance that is just above the rebuilding threshold, a new matching tree is constructed
13
Performance Evaluation
Evaluation of early rejection
14
Performance Evaluation: adaptive statistical filtering
effectiveness for individual filtering fields
15
Performance Evaluation: adaptive statistical filtering
effectiveness for individual filtering fields
16
Performance Evaluation: adaptive statistical filtering
effectiveness for filtering policy
17
Performance Evaluation: adaptive statistical filtering
effectiveness for filtering policy
18
Performance Evaluation: adaptive statistical filtering
effectiveness for filtering policy
19
Performance Evaluation: adaptive statistical filtering
adaptive tree updates only 2-5 times in an hour when and
20
Yaxuan’s comments
Adds early deny rules; the number and pattern of the added rules are bounded by formulas.
Introduces a probability distribution into binary search for optimization. The statistics are gathered per minimum HSM segment as the unit, unlike our Bclass statistics, and not as rule hit rate either. I think this way of gathering statistics is the better approach.
The authors’ ability at mathematical abstraction is worth learning from; extracting formulas 1-8 from a relatively simple idea is no small feat. In addition, a great deal of space is devoted to proofs on the construction of the binary tree, giving quite a thorough argument.
Whether or not statistics are introduced, if only a binary tree is used, the worst-case performance can only be f*log(N), i.e. 4 fields with 1K rules needs around 40 memory accesses, which is slower than HSM’s 30 and RFC’s 10.
Based on the exhaustive enumeration of segments, the space consumption should be close to HSM’s.
21
Thanks!