Journal of Computer Networks and Communications
Volume 2015, Article ID 872326, 17 pages
Research Article

Adaptive Conflict-Free Optimization of Rule Sets for Network Security Packet Filtering Devices

1Department of Information Engineering, Electronics and Telecommunications (DIET), University of Roma “Sapienza”, Via Eudossiana 18, 00184 Rome, Italy
2Ipanema Technologies, Via Roberto Lepetit 8/10, 20124 Milan, Italy
3Digi International GmbH, Lise-Meitner-Straße 9, 85737 Ismaning, Germany
4Altran Italia S.p.A., Via Tiburtina 1232, 00131 Rome, Italy

Received 1 June 2014; Revised 17 December 2014; Accepted 22 December 2014

Academic Editor: Tin-Yu Wu

Copyright © 2015 Andrea Baiocchi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On the one hand, there is a need to maintain the logic of high-level policies, which requires administrators to implement and update a large number of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other hand, traffic-adaptive optimization of large rule lists is useful for general-purpose computers used as filtering devices, without specifically designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic-adaptive algorithm to find conflict-free optimized rule sets by relying on information gathered from traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.