Journal of Computer Networks and Communications
Volume 2015, Article ID 872326, 17 pages
http://dx.doi.org/10.1155/2015/872326
Research Article

Adaptive Conflict-Free Optimization of Rule Sets for Network Security Packet Filtering Devices

1Department of Information Engineering, Electronics and Telecommunications (DIET), University of Roma “Sapienza”, Via Eudossiana 18, 00184 Rome, Italy
2Ipanema Technologies, Via Roberto Lepetit 8/10, 20124 Milan, Italy
3Digi International GmbH, Lise-Meitner-Straße 9, 85737 Ismaning, Germany
4Altran Italia S.p.A., Via Tiburtina 1232, 00131 Rome, Italy

Received 1 June 2014; Revised 17 December 2014; Accepted 22 December 2014

Academic Editor: Tin-Yu Wu

Copyright © 2015 Andrea Baiocchi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

  43. J. Mirkovic, P. Reiher, C. Papadopoulos et al., “Testing a collaborative DDoS defense in a red team/blue team exercise,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 57, no. 8, pp. 1098–1112, 2008. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus