Dynamic traffic awareness statistical model for firewall performance enhancement


Highlights

- An enhanced filtering mechanism for firewalls with four optimization levels is proposed.
- Rule and rule-fields reordering processes allow early packet acceptance and rejection.
- A Chi-square test is performed to check whether the reordering process is required.
- The optimum window size guarantees minimum packet filtering time.
- The proposed mechanism provides better filtering time compared to related works.

Available online at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/cose
Computers & Security xxx (2013) 1

Please cite this article in press as: Trabelsi Z, et al., Dynamic traffic awareness statistical model for firewall performance enhancement, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.07.001

0167-4048/$ - see front matter © 2013 Published by Elsevier Ltd. http://dx.doi.org/10.1016/j.cose.2013.07.001

Dynamic traffic awareness statistical model for firewall performance enhancement

Zouheir Trabelsi a,b,*, Liren Zhang a,b, Safaa Zeidan a,b, Kilani Ghoudi a,b

a College of Information Technology, UAE University, Al-Ain, United Arab Emirates
b College of Business and Economics, UAE University, Al-Ain, United Arab Emirates

Article info

Article history: Received 24 January 2013; Received in revised form 27 June 2013; Accepted 2 July 2013

Keywords: Firewall performance; Packet filtering; Filtering rule order; Rule-fields order; System stability; Chi-square test; Window size

Abstract

The firewall is considered to be one of the most important security components in today's IP network architectures. Firewall performance has a significant impact on the overall network performance. In this paper, we propose a mechanism to improve firewall performance, using network traffic behavior and packet filtering statistics. Upon a certain threshold qualification (Chi-square test), the proposed mechanism allows optimizing the filtering rules order and their corresponding fields order according to the divergence of the traffic behavior. That is, if the firewall system is stable, then the same current filtering rules and/or rule-fields orders are used for filtering the next network traffic window. Otherwise, an update of the filtering rules and/or rule-fields orders is required for filtering the next network traffic window. The numerical results obtained by simulation demonstrate that the proposed mechanism significantly improves the firewall performance in terms of cumulative packet processing time, even for small security policies. This improvement is a result of the minimization of the overhead corresponding to the frequency of updating the rule/field structures, as well as of using the optimum traffic window size.

© 2013 Published by Elsevier Ltd.

1. Introduction

Firewalls use security policies to inspect incoming and outgoing network traffic. A security policy consists of a set of filtering rules. Each filtering rule is defined by a set of filtering fields, and associated with an action to either block or forward a packet to its destination. The last rule in a security policy is the default filtering rule, which is usually assumed to be "Deny".

Firewall packet filtering is performed in a sequential order starting from the first rule until a matching rule is found. If no matching rule is found, the packet is processed by the default rule. Thus, the computational complexity of the filtering process depends significantly on the length of each filtering rule as well as the depth at which a matching filtering rule is found in the security policy. Hence, the order of the filtering rules, the order of the rule-fields, and the characteristics of the network traffic flow all have a significant impact on the cumulative packet filtering time.

In addition, unwanted traffic targeting specific rules, such as the default filtering rule, may cause more harm than other traffic by producing an overhead on the system. This overhead is proportional to the number of rules used in the security policy. Such unwanted network traffic may cause a Denial of Service (DoS) attack situation and consequently may considerably degrade the firewall performance. Thus, it is very important to reject such network traffic as early as possible.

* Corresponding author. College of Information Technology, UAE University, Al-Ain, United Arab Emirates. Tel.: +971 502330470. E-mail addresses: [email protected] (Z. Trabelsi), [email protected] (L. Zhang), [email protected] (S. Zeidan), [email protected] (K. Ghoudi).

In this paper, we propose a mechanism to optimize the firewall early acceptance as well as early rejection packet filtering paths. The mechanism uses filtering rules and rule-fields histograms that change dynamically according to network traffic flows. Based on network traffic statistics, a decision is made regarding whether or not there is a need to reorder the filtering rules and/or rule-fields orders. The proposed mechanism is based on the following four optimization levels: (1) The filtering rules are reordered in a descending manner according to their packet matching histograms. This yields a faster packet filtering time for the next similar repeated network traffic (optimization in the acceptance path). (2) The rule-fields are reordered in a descending manner according to their packet not-matching histograms. This reduces the time required for tuple comparison and allows early rejection of packets that do not match any filtering rule (optimization in the rejection path). (3) The firewall continues filtering packets using the current filtering rule and rule-fields orders as long as a certain threshold qualification (Chi-square stability test) holds. This reduces the time needed for the reordering process and for updating the firewall security policy structure. (4) The optimum traffic window size that minimizes the cost is obtained empirically and offline using a training traffic that represents the network. These optimization levels are expected to minimize the total packet filtering time, which results in improving the overall firewall performance, as demonstrated later in the evaluation section.

The paper is organized as follows: Section 2 discusses the related work. Section 3 presents the mathematical model of the proposed mechanism. Section 4 evaluates the effect of the proposed mechanism on the firewall performance. Finally, Section 5 concludes the paper.

2. Related work

The earliest research works on firewall performance focused on improving packet searching times using various mechanisms including hardware-based solutions (Baboescu and Varghese, 2001; McAulay and Francis, 1993), specialized data structures (Gupta and McKeown, 2001; Srinivasan et al., 1999; Feldmann and Muthukrishnan, 2000; Gupta and McKeown, 1999; Cohen and Lund, 2005; Woo, 2000), and heuristics (Gupta and McKeown, 2001). Research works in El-Atawy et al. (2007), Gupta et al. (2000), Kencl and Schwarzer (2006), Hamed et al. (2006), and Mothersole and Reed (2011) considered statistical filtering schemes in order to improve the average packet processing time. Structuring the search by taking into account the packet flow dynamics is introduced in Lan and Heidemann (2003), Kencl and Schwarzer (2006), and Acharya et al. (2007). The optimization of firewall filtering policies utilizing the characteristics of network flow over the Internet is presented in Hamed et al. (2006). The Segments-based Tree Search (STS) scheme, outlined in El-Atawy et al. (2007), uses collected statistics and bounded depth Huffman trees to enhance the searching mechanism. However, this scheme may need large overheads for maintaining the tree periodically. To reduce such overheads, Segments-based List Search (SLS) was proposed in El-Atawy et al. (2007), where it is pointed out that an MRU order should be used instead of trees.

The idea of firewall optimization through early packet rejection was introduced in Trabelsi et al. (2011), Trabelsi and Zeidan (2012), Al-Shear et al. (2009), Neji and Bouhououla (2009), Hamed et al. (2006), and Mothersole and Reed (2011). In Trabelsi et al. (2011), early packet rejection is done through rule-fields reordering. In Trabelsi and Zeidan (2012), early packet rejection is done through a multilevel filtering process including field and intersection filtering modules. In Hamed et al. (2006), an approach to optimize the rejection path, named FVSC, is proposed. This technique uses a set cover approximation algorithm to construct early rejection rules from the common field values of the original security policy. The PBER technique in Al-Shear et al. (2009) is considered a generalization of FVSC (Hamed et al., 2006) in the sense that FVSC (Hamed et al., 2006) focuses only on rejection paths while PBER (Al-Shear et al., 2009) finds short cuts for both accepted and rejected packets. In Neji and Bouhououla (2009), a binary search on prefix length algorithm, described in Waldvogel et al. (1997), is used. This algorithm is applied to every filtering field of the security policy along with the property of splaying the search tree nodes, as discussed in Sleator and Tarjan (1985), while maintaining the min-node at a high level for early packet rejection.

Literature focusing on rule reordering falls into two categories. The first category considers the case where the filtering rules are dependent, such as in Hamed et al. (2006) and Mothersole and Reed (2011), where a heuristic approximation algorithm is used in the rules reordering process. The second category treats the case of independent filtering rules, such as in Wang et al. (2009, 2007), where a homogeneity test and a Markov model are applied to the rules reordering process, respectively. To our knowledge, all research works done in the field of firewall optimization through rule reordering (Hamed et al., 2006; Mothersole and Reed, 2011; Wang et al., 2009, 2007) emphasize the importance of rule-fields reordering in early packet rejection. However, no optimization mechanisms based on both rule and rule-fields reordering were proposed in the literature. In Trabelsi et al. (2011), we were the first to propose and evaluate a mechanism based on rule-fields reordering and focus on its major effect in reducing the overall packet processing time. However, the rule/rule-fields reordering processes in Trabelsi et al. (2011) were done at the end of each traffic window without performing the system stability test. Therefore, this paper intends to study the stability issue applied to both rule and rule-fields reordering processes. Error precision and traffic window size effects on the overall firewall performance will also be considered.

3. Proposed work

The relationship between firewall filtering rules can be one of the following: disjoint, inclusive or correlated. When two rules are inclusive or correlated (called dependent rules) their order should be preserved, since any change in their order may result in a different packet filtering decision. Optimizing the order of such dependent rules is an NP-complete problem. This was shown using the job scheduling problem. In this paper, we use the Firewall Decision Tree Tool (FDT) described in Liu and Gouda (2005) to release the dependency relationship between the filtering rules. The newly constructed policy is equivalent to the original one, but with only disjoint rules. As a result, the filtering rules can be reordered according to their matching frequencies.

The mathematical model in this paper is based on the rule and rule-fields histograms proposed in Trabelsi et al. (2011). A mechanism named Dynamic Rule and Rule-Fields Ordering (DR-RFO) is proposed in Trabelsi et al. (2011). It has been shown that the reordering of the filtering rules and the rule-fields according to their acceptance and rejection rates, respectively, significantly reduces the packet processing time and hence improves the overall firewall performance. However, this reordering process is carried out at the end of each network traffic window using rule matching and field non-matching histograms. Thus, in this paper we propose an enhanced mechanism named Dynamic Rule and Rule-Fields Ordering with Decision (DR-RFOD) to organize the reordering process according to the system stability test (Chi-square test). That is, if the network traffic in a certain window follows the same rule/rule-fields distribution as in the previous window, then there is no need to perform the reordering processes. In such a situation, the system is considered stable and the same previous rule/rule-fields orders are used to filter the next traffic window. By this, the processing time needed for updating the firewall rule/rule-fields structure is saved for windows with similar network traffic distributions. Consequently, the overall firewall packet processing time will be decreased.

Details on rule and rule-fields histograms and a description of the mechanism of the reordering processes are discussed in the next section.

3.1. Mathematical model

3.1.1. Histogram of rule matching probability and field not-matching probability

Consider that the packet matching test in a firewall is based on a security policy with $N$ filtering rules, excluding the default "Deny" rule. Each rule consists of a maximum number of $M_i$ fields, excluding the action field. An $N \times M_i$ matrix vector $F$ represents the security policy, that is:

$$F(i,j) = \begin{bmatrix} R(1) \\ \vdots \\ R(i) \\ \vdots \\ R(N) \end{bmatrix} = \begin{bmatrix} F(1,1) & \cdots & F(1,j) & \cdots & F(1,M_1) \\ \vdots & & \vdots & & \vdots \\ F(i,1) & \cdots & F(i,j) & \cdots & F(i,M_i) \\ \vdots & & \vdots & & \vdots \\ F(N,1) & \cdots & F(N,j) & \cdots & F(N,M_N) \end{bmatrix} \qquad (1)$$

where $i \in \{1, 2, \ldots, N\}$ and $j \in \{1, 2, \ldots, M_i\}$ are the indices for rule and rule-field, respectively. Since the number of active fields defined by the security policy can vary from rule to rule, we assume that the non-active fields have a zero value and are not used during the packet filtering process. We also consider that the packet flow input into the firewall is divided into a sequence of $W$ equal size windows, indexed with $w$ ($w \in \{1, 2, \ldots, W\}$). We also assume that each window consists of $S$ equal size segments with $L$ packets per segment.

The packet flow assembled using a two-layer structure in terms of segments and windows is based on the following two considerations: (1) The window defined here consists of a large population space of $S \times L$ packets, which guarantees the accuracy of the histograms. (2) The mechanism proposed here focuses on real-time adjustment of both rule order and field order using histogram statistics. From a practical point of view, such real-time adjustment requires a relatively large time scale.

Let $a_{w,s}(i,j)_l$ and $b_{w,s}(i,j)_l$ represent the status of the $l$th packet matching and not matching an active field $F(i,j)$ in rule $R(i)$, respectively, where $w$ ($w \in \{1, 2, \ldots, W\}$), $s$ ($s \in \{1, 2, \ldots, S\}$) and $l$ ($l \in \{1, 2, \ldots, L\}$) are the window, segment and packet indices, respectively. Let $a_{w,s}(i,j)_0 = 0$ and $b_{w,s}(i,j)_0 = 0$ be the values of the initial state at the beginning of the $s$th segment. During the process, if the $l$th packet matches the field $F(i,j)$ in the rule $R(i)$, then the state value of $a_{w,s}(i,j)_l$ is incremented by "1", while the state value of $b_{w,s}(i,j)_l$ remains unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} \end{cases} \qquad (2)$$

By contrast, when the $l$th packet does not match the field $F(i,j)$ in the rule $R(i)$, the state value of $b_{w,s}(i,j)_l$ is incremented by "1", while the state value of $a_{w,s}(i,j)_l$ remains unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1 \end{cases} \qquad (3)$$

Note that if the $l$th packet is not tested for the field $F(i,j)$ in the rule $R(i)$, which could happen if the $l$th packet is rejected by the field $F(i,j-1)$ or if the field $F(i,j)$ is a non-active field, the state values of $a_{w,s}(i,j)_l$ and $b_{w,s}(i,j)_l$ remain unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} \end{cases} \qquad (4)$$

Therefore, for a given rule $R(i)$, a packet is compared with the fields $F(i,j)$ for $j = 1, 2, \ldots, k, \ldots, M_i$ until a $k$ is found such that the packet does not match $F(i,k)$. Then, the filtering process for this packet against rule $R(i)$ is completed (eq. (3)) and the packet starts its filtering process from rule $R(i+1)$. Otherwise, if the packet matches all fields defined in rule $R(i)$, then the packet matches rule $R(i)$ (eq. (2)) and therefore the filtering process for this packet is completed.

Let $C_{w,s}(i) = a_{w,s}(i,M_i)$ and $D_{w,s}(i,j) = b_{w,s}(i,j)$ denote the number of packets in the $s$th segment matching rule $R(i)|_{i=1,2,\ldots,N}$ and not matching field $F(i,j)|_{j=1,2,\ldots,M_i}$ in $R(i)$, respectively.

Therefore, the probability of a packet matching rule $R(i)$ after each segment can be defined as:

$$\Pr(C_{w,s}(i)) = \frac{C_{w,s}(i)}{L} \qquad \text{for } 1 \le i \le N. \qquad (5)$$

Likewise, the probability of a packet not matching field $F(i,j)|_{j=1,2,\ldots,M_i}$ in the rule $R(i)$ after each segment can be defined as:

$$\Pr(D_{w,s}(i,j)) = \begin{cases} \dfrac{D_{w,s}(1,1)}{L} & \text{for } i = 1,\ j = 1 \\[2ex] \dfrac{D_{w,s}(1,j)}{L - \sum_{k=1}^{j-1} D_{w,s}(1,k)} & \text{for } i = 1,\ 2 \le j \le M_1 \\[2ex] \dfrac{D_{w,s}(i,1)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)} & \text{for } 2 \le i \le N,\ j = 1 \\[2ex] \dfrac{D_{w,s}(i,j)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k) - \sum_{k=1}^{j-1} D_{w,s}(i,k)} & \text{for } 2 \le i \le N,\ 2 \le j \le M_i \end{cases} \qquad (6)$$

where the term $\sum_{k=1}^{j-1} D_{w,s}(1,k)$ is the number of packets in the $s$th segment rejected by the fields $F(1,j-1)|_{j=2,\ldots,M_1}$ in the rule $R(1)$, the term $\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)$ is the number of packets in the $s$th segment rejected by the fields in the rule $R(i-1)$, and the term $\sum_{k=1}^{j-1} D_{w,s}(i,k)$ is the number of packets rejected by the fields $F(i,k)|_{k=1,2,\ldots,j-1}$ in the rule $R(i)|_{i=1,2,\ldots,N}$.

At the end of each window, there will be an average probability for each rule and field, which gives a further indication regarding the importance of that rule or field. That is:

$$\Pr(R(i))_w = \frac{\sum_{s=1}^{S} \Pr(C_{w,s}(i))}{S} \qquad \text{for } 1 \le i \le N \qquad (7)$$

and

$$\Pr\big(F(i,j)_{R(i)}\big)_w = \frac{\sum_{s=1}^{S} \Pr(D_{w,s}(i,j))}{S} \qquad \text{for } 1 \le i \le N,\ 1 \le j \le M_i \qquad (8)$$

where $\Pr(R(i))_w$ and $\Pr(F(i,j)_{R(i)})_w$ are the average probabilities for $R(i)$ and $F(i,j)$ in the $w$th window, respectively.
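As an added illustration (not code from the paper), the Python below runs one constructed segment of $L = 10$ packets through three constructed two-field rules, maintaining the $a_{w,s}(i,j)$ and $b_{w,s}(i,j)$ counters of eqs. (2)-(4) and then evaluating eqs. (5) and (6); the rule values and packets are invented for the example, and a `None` field value stands for a non-active field.

```python
"""Per-segment rule and rule-field histograms of Section 3.1.1 (eqs. 2-6).

Added illustration; the rules and packets below are constructed for the
example and are not taken from the paper."""
from typing import Dict, List, Optional, Tuple

# A rule is an ordered list of (field name, required value).  A value of None
# marks a non-active field, which is skipped and never counted (eq. 4).
Rule = List[Tuple[str, Optional[object]]]
Packet = Dict[str, object]

# Constructed security policy: N = 3 rules, M_i = 2 active fields each.
SAMPLE_RULES: List[Rule] = [
    [("proto", "tcp"), ("dst_port", 80)],   # R(1)
    [("proto", "tcp"), ("dst_port", 22)],   # R(2)
    [("proto", "udp"), ("dst_port", 53)],   # R(3)
]

# Constructed segment of L = 10 packets (anything unmatched hits default Deny).
SAMPLE_SEGMENT: List[Packet] = [
    {"proto": "tcp", "dst_port": 80}, {"proto": "tcp", "dst_port": 80},
    {"proto": "tcp", "dst_port": 443}, {"proto": "tcp", "dst_port": 22},
    {"proto": "udp", "dst_port": 53}, {"proto": "udp", "dst_port": 53},
    {"proto": "udp", "dst_port": 123}, {"proto": "icmp", "dst_port": 0},
    {"proto": "tcp", "dst_port": 80}, {"proto": "tcp", "dst_port": 22},
]


def filter_segment(rules: List[Rule], packets: List[Packet]):
    """Run one segment through the rules in order, keeping the counters.

    Returns (a, b, C): a[i][j] and b[i][j] are a_{w,s}(i,j)_L and b_{w,s}(i,j)_L
    after the last packet (eqs. 2-4), and C[i] is C_{w,s}(i), the number of
    packets matching rule R(i); it equals a[i][M_i-1] when the last field is
    active.  Comparison stops at the first non-matching field of a rule and
    at the first matching rule, as in the sequential filtering described.
    """
    a = [[0] * len(rule) for rule in rules]
    b = [[0] * len(rule) for rule in rules]
    matched_count = [0] * len(rules)
    for pkt in packets:
        for i, rule in enumerate(rules):
            rejected = False
            for j, (name, wanted) in enumerate(rule):
                if wanted is None:
                    continue                # non-active field: eq. (4)
                if pkt.get(name) == wanted:
                    a[i][j] += 1            # field matched: eq. (2)
                else:
                    b[i][j] += 1            # field not matched: eq. (3)
                    rejected = True
                    break                   # later fields of R(i) untested
            if not rejected:
                matched_count[i] += 1       # packet matches R(i); done
                break
    return a, b, matched_count


def rule_match_probability(C: List[int], L: int) -> List[float]:
    """Eq. (5): Pr(C_{w,s}(i)) = C_{w,s}(i) / L."""
    return [c / L for c in C]


def field_reject_probability(b: List[List[int]], L: int) -> List[List[float]]:
    """Eq. (6): share of the packets that reached F(i,j) and did not match it.

    The denominator is L minus earlier rejections for R(1); for i >= 2 it is
    the number of packets rejected by R(i-1)'s fields (all packets reaching
    R(i)) minus those already rejected by F(i,1..j-1).
    """
    probs = []
    for i, row in enumerate(b):
        reached_rule = L if i == 0 else sum(b[i - 1])
        row_probs = []
        for j, rejected_here in enumerate(row):
            reached_field = reached_rule - sum(row[:j])
            row_probs.append(rejected_here / reached_field if reached_field else 0.0)
        probs.append(row_probs)
    return probs


if __name__ == "__main__":
    a, b, C = filter_segment(SAMPLE_RULES, SAMPLE_SEGMENT)
    L = len(SAMPLE_SEGMENT)
    print("a:", a, "b:", b, "C:", C)
    print("Pr(C):", rule_match_probability(C, L))
    print("Pr(D):", field_reject_probability(b, L))
```

Because every packet reaching $F(i,j)$ is counted in exactly one of $a_{w,s}(i,j)$ or $b_{w,s}(i,j)$, eq. (6) equals $b/(a+b)$ for each field, which is a convenient consistency check on an implementation.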

3.1.2. Reordering decision

A) Statistical rules reordering decision

This section discusses the reordering process of the filtering rules using the number of packets matching rule $R(i)$. Given a certain order for the $N$ filtering rules of the firewall in the previous, $(w-1)$th, window, we want to know whether this order needs to be updated or not in the $w$th window. Table 1 shows the notations used to describe the states of the previous and current window situations of the filtering rules order.

Let $n_{w-1,i}$ and $n_{w,i}$ (observed values) be the number of packets matched by rule $R(i)$ in the $(w-1)$th and $w$th windows, respectively. To see whether the network traffic distribution has changed or not, a Chi-square test of homogeneity is performed to compare the distributions of the $(w-1)$th and $w$th windows. This amounts to the Chi-square test of equality of two multinomial distributions. That is:

$$\chi^2(\mathrm{Rules}(N)) = \sum_{k=w-1}^{w} \sum_{i=1}^{N} \frac{(n_{k,i} - E_{k,i})^2}{E_{k,i}} \qquad (9)$$

where $E_{k,i}$ is the expected number of packets to be matched by $R(i)$ in the current or previous window. That is:

$$E_{k,i} = \frac{T_k C_i}{T} \qquad \text{for } k = \{w, (w-1)\}. \qquad (10)$$

If the p_value, computed using a $\chi^2$ with $N-1$ degrees of freedom, is less than a given significance level $\alpha$ (such as 0.05 or 0.01), then the null hypothesis is rejected and the result is said to be statistically significant. In other words, the network traffic in the $w$th window does not match the previous rules order distribution. That is:

If the p_value $< \alpha$, then the system is not stable and there is a need to reorder the security policy rules according to the histograms of packets matching the $R(i)$'s on a window basis, in descending order. The new rule distribution will be computed using the following equation:

$$\Pr(R(i))_w = \delta \Pr(R(i))_w + (1-\delta)\Pr(R(i))_{w-1} \qquad (11)$$

where $\delta = 1 - (\text{p\_value})$. Otherwise, if the p_value $> \alpha$, then the system is stable. Therefore, there will be no need to reorder the rules. The same previous rule order will be used for the next window and the rules histograms will be renewed using eq. (11).

Whether there is a decision to reorder the rules or not, the new rules average probabilities will be computed based on the statistics of the $(w-1)$th and $w$th windows. However, the probability of the current window is given more weight. By doing this, the behavior of the traffic in the previous window will not be ignored and will have relatively less effect than the traffic behavior in the current window. As a result, the new computed average probabilities would allow producing a better optimized rules order for the next window traffic. This procedure will also be performed for all the fields of each filtering rule, as described in the next section.

Table 1 - Previous and current situations for the filtering rules.

| State(k) | $R_1$ | $R_2$ | ... | $R_N$ | Total |
|---|---|---|---|---|---|
| Previous ($w-1$) | $n_{w-1,1}$ ($E_{w-1,1}$) | $n_{w-1,2}$ ($E_{w-1,2}$) | ... | $n_{w-1,N}$ ($E_{w-1,N}$) | $T_{w-1}$ |
| Current ($w$) | $n_{w,1}$ ($E_{w,1}$) | $n_{w,2}$ ($E_{w,2}$) | ... | $n_{w,N}$ ($E_{w,N}$) | $T_w$ |
| Total | $C_1$ | $C_2$ | ... | $C_N$ | $T$ |

Table 2 - Previous and current situations for the fields of the filtering rule $R_i$.

| State(k) | $F_{i,1}$ | $F_{i,2}$ | ... | $F_{i,M_i}$ | Total |
|---|---|---|---|---|---|
| Previous ($w-1$) | $m_{w-1,1}$ ($E_{w-1,1}$) | $m_{w-1,2}$ ($E_{w-1,2}$) | ... | $m_{w-1,M_i}$ ($E_{w-1,M_i}$) | $T_{w-1}$ |
| Current ($w$) | $m_{w,1}$ ($E_{w,1}$) | $m_{w,2}$ ($E_{w,2}$) | ... | $m_{w,M_i}$ ($E_{w,M_i}$) | $T_w$ |
| Total | $C_1$ | $C_2$ | ... | $C_{M_i}$ | $T$ |

B) Statistical policy rule-fields reordering decision

Here, we discuss whether to reorder the policy rule-fields or not using the number of packets not matching field $F(i,j)$ in rule $R(i)$, where $i \in \{1, 2, \ldots, N\}$, $j \in \{1, 2, \ldots, M_i\}$. The same concept of the Chi-square test used in the previous section will be applied to the fields of each rule in the security policy, as shown in Table 2. That is:

$$\chi^2(F(i,j))_{R(i)} = \sum_{k=w-1}^{w} \sum_{j=1}^{M_i} \frac{(m_{k,j} - E_{k,j})^2}{E_{k,j}} \qquad (12)$$

where $m_{k,j}$ (observed) is the number of packets not matched by $F(i,j)$ in $R(i)$, and $k$ refers to the current or previous situation. $E_{k,j}$ is the expected number of packets not matching $F(i,j)$ in $R(i)$ in the current or previous window. That is:

$$E_{k,j} = \frac{T_k C_j}{T} \qquad \text{for } k = \{w, (w-1)\}. \qquad (13)$$

If the p_value, computed using a $\chi^2(F(i,j))_{R(i)}$ with $M_i - 1$ degrees of freedom, is less than a given significance level $\alpha$ (0.05 or 0.01), then the null hypothesis is rejected. In this case, the result is said to be statistically significant. In other words, the traffic in the $w$th window does not match the previous $R(i)$ fields order distribution. That is:

If the p_value $< \alpha$, then there is a need to reorder the fields in $R(i)$ according to the histogram of packets not matching $F(i,j)$ in $R(i)$ on a window basis, in descending order. The new $F(i,j)$ distribution in $R(i)$ will be computed using the following equation:

$$\Pr\big(F(i,j)_{R(i)}\big)_w = \delta \Pr\big(F(i,j)_{R(i)}\big)_w + (1-\delta)\Pr\big(F(i,j)_{R(i)}\big)_{w-1} \qquad (14)$$

where $\delta = 1 - (\text{p\_value})$. Otherwise, if the p_value $> \alpha$, then there is no need to reorder the fields in $R(i)$. The same previous $R(i)$ field order will be used for the next window and the histograms for the $R(i)$ fields will be renewed using eq. (14).

It is important to mention that the rules and rule-fields reordering processes are independent of each other. Depending on the $\chi^2(\mathrm{Rules}(N))$ and $\chi^2(F(i,j))_{R(i)}$ tests, the system may change the rules order without changing the fields order and vice versa, or change only the fields order of some filtering rules.
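As an added example covering both the rules decision of A) (eqs. (9)-(11), Table 1) and the rule-fields decision of B) (eqs. (12)-(14), Table 2), the Python below performs the Chi-square homogeneity test between two windows, blends the probabilities with $\delta = 1 - \text{p\_value}$ and reorders only when $\text{p\_value} < \alpha$. It is not the authors' code; the per-window counts, $S \times L = 1000$ packets per window and $\alpha = 0.05$ are constructed for the example, and the p_value is computed from the standard library rather than a statistics package.

```python
"""End-of-window stability decision of DR-RFOD (Section 3.1.2, eqs. 9-14).

Added illustration, not the paper's code.  The per-window counts, S*L = 1000
packets per window and alpha = 0.05 are constructed for the example."""
from math import erfc, exp, gamma, sqrt
from typing import List, Tuple


def chi2_sf(x: float, dof: int) -> float:
    """p_value = P(chi-square with dof degrees of freedom >= x), i.e. the
    regularized upper incomplete gamma function Q(dof/2, x/2)."""
    if x <= 0.0:
        return 1.0
    y = x / 2.0
    if dof % 2 == 0:                       # integer shape a: Q(a,y) = e^-y * sum_{n<a} y^n/n!
        term, total = 1.0, 1.0
        for n in range(1, dof // 2):
            term *= y / n
            total += term
        return exp(-y) * total
    q, a = erfc(sqrt(y)), 0.5              # half-integer shape: Q(1/2, y) = erfc(sqrt(y))
    while a < dof / 2.0 - 1e-9:            # Q(a+1, y) = Q(a, y) + y^a e^-y / Gamma(a+1)
        q += y ** a * exp(-y) / gamma(a + 1.0)
        a += 1.0
    return q


def homogeneity_test(prev_counts: List[int], cur_counts: List[int]) -> Tuple[float, float]:
    """Chi-square test of homogeneity between windows (w-1) and w.

    For rules, pass n_{w-1,i} and n_{w,i} (eqs. 9-10, Table 1); for the fields
    of one rule, pass m_{w-1,j} and m_{w,j} (eqs. 12-13, Table 2).  Returns
    (statistic, p_value) with len(counts) - 1 degrees of freedom.
    """
    n = len(cur_counts)
    t_prev, t_cur = sum(prev_counts), sum(cur_counts)   # T_{w-1}, T_w
    t = t_prev + t_cur                                   # T
    col_totals = [p + c for p, c in zip(prev_counts, cur_counts)]  # C_i
    stat = 0.0
    for t_k, counts in ((t_prev, prev_counts), (t_cur, cur_counts)):
        for i in range(n):
            expected = t_k * col_totals[i] / t           # eq. (10) / (13)
            if expected > 0.0:
                stat += (counts[i] - expected) ** 2 / expected   # eq. (9) / (12)
    return stat, chi2_sf(stat, n - 1)


def blend_probabilities(cur: List[float], prev: List[float], p_value: float) -> List[float]:
    """Eqs. (11) / (14): delta * current + (1 - delta) * previous, delta = 1 - p_value."""
    delta = 1.0 - p_value
    return [delta * c + (1.0 - delta) * p for c, p in zip(cur, prev)]


def decide_window(prev_counts: List[int], cur_counts: List[int], prev_probs: List[float],
                  packets_per_window: int, alpha: float = 0.05):
    """One end-of-window step of Algorithm 2 for a rule (or rule-field) vector.

    Counts are aligned with the order used in window w.  Dividing n_{w,i} by
    S*L gives the window average of eq. (7).  Returns (stable, p_value,
    blended_probs, next_order): next_order lists current positions in the
    order to use for window w+1, unchanged when the test says stable and
    sorted by descending blended probability otherwise.
    """
    _, p_value = homogeneity_test(prev_counts, cur_counts)
    cur_probs = [c / packets_per_window for c in cur_counts]
    new_probs = blend_probabilities(cur_probs, prev_probs, p_value)
    stable = p_value > alpha
    next_order = list(range(len(cur_counts)))
    if not stable:                          # reorder (Algorithm 2 lines 28-29 / 34-35)
        next_order.sort(key=lambda i: new_probs[i], reverse=True)
    return stable, p_value, new_probs, next_order


# Constructed data: S = 10 segments of L = 100 packets; 100 packets per window
# fall through to the default Deny rule and so are matched by no R(i).
PACKETS_PER_WINDOW = 1000
PREV_COUNTS = [400, 300, 150, 50]                  # n_{w-1,i}
PREV_PROBS = [c / PACKETS_PER_WINDOW for c in PREV_COUNTS]
SIMILAR_COUNTS = [390, 310, 145, 55]               # n_{w,i}: same traffic mix
SHIFTED_COUNTS = [60, 150, 300, 390]               # n_{w,i}: mix has inverted

if __name__ == "__main__":
    for label, cur in (("similar", SIMILAR_COUNTS), ("shifted", SHIFTED_COUNTS)):
        stable, p, probs, order = decide_window(PREV_COUNTS, cur, PREV_PROBS, PACKETS_PER_WINDOW)
        print(f"{label}: stable={stable} p_value={p:.4f} next_order={order}")
```

With the similar window the test keeps the order and only renews the probabilities through eq. (11); with the inverted mix the p_value is essentially zero, so $\delta \approx 1$ and the new order follows the current window's histogram.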

Algorithms 1 and 2 shown below illustrate the main operation of the statistical module as well as the reordering processes. Algorithm 1 builds up the candidate filtering rules that are independent and equivalent to the original security policy using the FDT tool. Also, the initial rule and rule-field probabilities are calculated after training the system for $S_0$ segments, and used as input data for Algorithm 2 (Lines 19-22).

In Algorithm 2, packet filtering is performed using the function tuple_comparasion(l), which is based on eqs. (2)-(4) (Lines 7-11). The number of packets matched by each rule as well as the number of packets rejected by each rule-field are computed (Lines 12-13). In lines (14-15), the corresponding segment probabilities are calculated. Lines (18-19) compute the average rule and rule-fields probabilities on a window basis. Lines (20-23) define the variables for the current state. $\chi^2(F(i,j))_{R(i)}$ and $\chi^2(\mathrm{Rules}(N))$ are computed using the current and previous states for rule-fields and rules, respectively (Lines 24-36). Also, the reordering process for rules and rule-fields is done in a descending manner according to the current average probabilities, based on the if statements in lines 28 and 34. Lines 27 and 33 compute the current rule-fields and rule average probabilities based on eqs. (11) and (14). Finally, in lines (37-40), the previous state variables are updated to be used in the next traffic window.

Algorithm 1. Startup phase

Algorithm 2. System stability test and reordering processes

3.1.3. Algorithm cost

The cost of the proposed mechanism depends mainly on the cost of filtering the network traffic packets in $W$ windows and the cost of updating the firewall rules and the rule-fields in the corresponding windows. That is:

$$\text{Algorithm cost} = \text{Packet filtering cost} + \text{Reordering cost}.$$

In a firewall, a packet is said to match rule R(i) if it matches all the fields in R(i). Then, R(i)'s action is applied, whether to accept or deny this packet, and the filtering process for this packet is completed. But if the packet doesn't match field F(i,j) in R(i), then it will be checked against R(i+1). Thus, the cost of testing rule R(i) is determined by the number of its field hits, whether for matching or non-matching packets, and not by the simple sum of its fields' costs. That is, for the proposed mechanism the cost of filtering L packets in W windows can be defined by the following equation:

$$C_{testing} = \sum_{w=1}^{W} \sum_{i=1}^{N} \sum_{j=1}^{M_i} c(F(i,j)) \cdot a_w(i,j) + \sum_{w=1}^{W} \sum_{i=1}^{N} \sum_{j=1}^{M_i} c(F(i,j)) \cdot b_w(i,j) \qquad (15)$$

where c(F(i,j)) is the cost of field F(i,j) in rule R(i), usually determined by the number of bits of the field. Standard firewalls use 32 bits for an IP address, 16 bits for a port and 8 bits for the protocol. The first and second terms of eq. (15) represent the cost of packets matching and not matching field F(i,j) in rule R(i), respectively. Recall that a_w(i,j) and b_w(i,j) are defined previously in Section 3.1.

The reordering process of the rules and/or rule-fields is done in Algorithm 2 through the reorder function (Lines 29 and 35) using Quick Sort with N log N complexity. That is:

$$C_{reordering} = \sum_{w=1}^{W} I_w \, N \log N + \sum_{w=1}^{W} \sum_{i=1}^{N} I_{wi} \, M_i \log M_i, \qquad I_w, I_{wi} \in \{0, 1\} \qquad (16)$$

where the first and second terms of eq. (16) represent the cost of reordering the rules and the rule-fields in W windows, respectively. I_w and I_wi are binary random variables representing the rule and rule-field reordering decisions, respectively. Their values are '1' if a reordering process is done, and '0' otherwise.

4. Evaluation

Three experiments have been conducted to evaluate the performance of the proposed mechanism. The first experiment compares the proposed DR-RFOD mechanism against the DR-RFO mechanism (Trabelsi et al., 2011) regarding the frequency of rule and rule-field reordering processes. The second experiment discusses the effect of the error precision α on the DR-RFOD mechanism. The third experiment investigates empirically the effect of dynamic change in the network traffic window size on the DR-RFOD mechanism.

A simulated firewall has been implemented using an algorithm that dynamically changes the order of the rules and rule-fields according to the system stability test, using the MATLAB programming environment.

Practically, enterprise firewalls may have security policies of 5K–15K rules (as reported by Cisco). As the security policy grows, the effect of rule reordering on improving the firewall's performance becomes more obvious (Hamed et al., 2006; Hamed et al., 2006; Wang et al., 2009, 2007), as does its effect when the firewall is under attack (Salah et al., 2012; Salah, 2010). In our case, the challenge was to show how robust our statistical Chi-square test based mechanism, using rule and rule-field reordering, is in improving the firewall's performance even though a small filtering rule set is used. Thus, throughout the evaluation of the DR-RFOD mechanism we use a small set of dummy firewall filtering rules.

The filtering rules include 12 TCP, 3 UDP and 5 ICMP rules. The initial order list of the filtering rules was set as follows: the first set of rules includes the 3 UDP rules, the second set includes the 5 ICMP rules, and the last set includes the 12 TCP rules.

Network traffic flow is generated using a packet generator that uses three independent discrete-time burst-silence sources with different parameters. Since TCP traffic is the most common traffic in typical networks, the traffic generator has been set to generate random packet types (TCP, UDP and ICMP) with TCP packets as the dominant type. Fig. 1 shows an example of the generated traffic using the randint() MATLAB function. That is, for each traffic window, three different percentages are generated randomly; the greatest and lowest percentages are assigned to TCP and ICMP traffic, respectively.

These three packet flows are multiplexed as a stream of 200 equal size windows. We note that the packet filtering occurs in bursts, especially under the condition of heavy traffic loading with burst arrivals. This is important to understand the histograms of packet filtering and their statistical dependency when the cumulative processing time is evaluated.

However, in order to simulate traffic type variations, the UDP and ICMP traffic alternately become the dominant traffic types for a short period of time.

This experiment is done using 200 windows of 1000 packets each; a total of 200,000 packets are used in the simulation. These numbers are used to easily trace the rule and field reordering processes using both the DR-RFO and DR-RFOD mechanisms.

4.1. DR-RFOD vs DR-RFO

4.1.1. DR-RFOD vs DR-RFO according to rules reordering process

The algorithms in the DR-RFO and DR-RFOD mechanisms start optimizing the filtering rule positions after treating the second window. We considered that the first two windows are the initial windows and are used to train the system in order to find the initial Pr(R(i))₀ to start with. In the DR-RFO mechanism, the positions of the rules are updated dynamically after treating each window, as shown in Fig. 2 and Fig. 3. On the other hand, in the DR-RFOD mechanism, the positions of the rules are updated dynamically according to eq. (9) and eq. (11) after the system stability test. As an example, Fig. 4 compares the evolution of the R1 position using the DR-RFO and DR-RFOD mechanisms. The horizontal constant lines in Fig. 4 show the corresponding windows for the DR-RFOD mechanism where the system was stable according to eq. (9) and no rule reordering process is done.

4.1.2. DR-RFOD vs DR-RFO according to rule-fields reordering process

The same concept used in the rules reordering process is used in the rule-fields reordering process. That is, the algorithms in the DR-RFO and DR-RFOD mechanisms start optimizing the rule-field positions after treating the second window. We considered that the first two windows are the initial windows and are used to train the system in order to find the initial Pr(F(i,j)|R(i))₀ to start with. In the DR-RFO mechanism, the positions of the rule-fields are updated dynamically after treating each window, as shown in Fig. 5. On the other hand, in the DR-RFOD mechanism, the rule-field positions are updated dynamically according to eq. (12) and eq. (14) after the system stability test.

As an example, Fig. 6 compares the evolution of the field Source-IP in R1 using the DR-RFO and DR-RFOD mechanisms. The horizontal constant lines in the figure show the corresponding windows where the system was stable according to eq. (12) and no rule-field reordering process is done.

Fig. 7 shows the cumulative processing time for DR-RFO and DR-RFOD for different values of α. For α = 0.005, the gain from using DR-RFOD for 200 traffic windows is 66.6567 − 57.5448 = 9.1119 s, while for α = 0.05 the gain is 66.6567 − 48.3715 = 18.2855 s.

4.2. The effect of error precision (α) on DR-RFOD mechanism

This experiment studies the effect of different α values on the cumulative processing time and the frequency of rule/rule-field reordering processes. Fig. 8 gives an idea of the processing time needed for each of the 200 windows when α = 0.5, 0.05 and 0.005. The cumulative processing time for these α values is illustrated previously in Fig. 7.

Table 3 compares different values of α and their corresponding frequency of rule/rule-field reordering processes. When α decreases:

1) The frequency of the reordering process is also decreased.

This is because, for a given computed χ², decreasing the value of α will increase χ²_α, ending with χ²_α > computed χ² and therefore no need for reordering.

Fig. 1 – Example of network traffic flow behavior.

2) The cumulative processing time increases. This is because when we decide not to reorder, we might keep the system running with a non-efficient configuration (order) for a longer time. Therefore, it might take a longer processing time than when we reorder often, especially if the cost of reordering is small. This depends on the number of rules and rule-fields in the security policy.
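The stability test and the α effect described in the two points above, as an added example that is not the paper's code: χ²_α is computed numerically, each window's rule-hit histogram is tested against the previous state, and the rules are reordered only when the computed χ² exceeds χ²_α, so a smaller α yields fewer reorderings. The histograms, the +1 smoothing of expected counts and the window count are constructed assumptions, not the paper's data.

```python
"""Added example (not the paper's code): the Chi-square system stability test that
gates reordering in DR-RFOD, and why a smaller error precision α gives fewer
reorderings. The rule-hit histograms are constructed, not the paper's traffic."""
from math import exp, lgamma, log
import random


def regularized_gamma_p(s, x):
    """Lower regularized incomplete gamma P(s, x) from its power series."""
    if x <= 0:
        return 0.0
    total = term = 1.0
    for n in range(1, 5000):
        term *= x / (s + n)
        total += term
        if term < total * 1e-16:
            break
    return exp(-x + s * log(x) - lgamma(s + 1)) * total


def chi2_cdf(x, df):
    """CDF of the Chi-square distribution with df degrees of freedom."""
    return regularized_gamma_p(df / 2.0, x / 2.0)


def chi2_critical(alpha, df):
    """χ²_α: the value exceeded with probability α, found by bisection."""
    lo, hi = 0.0, 10.0 * df + 100.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if chi2_cdf(mid, df) < 1.0 - alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def chi_square(observed, previous):
    """Chi-square of the current window's rule-hit histogram against the counts
    expected from the previous state's rule probabilities. A +1 pseudo-count
    keeps every expected count positive (an assumption; the paper does not say
    how rules with zero hits in the previous window are handled)."""
    obs = [o + 1 for o in observed]
    prev = [p + 1 for p in previous]
    n_obs, n_prev = sum(obs), sum(prev)
    stat = 0.0
    for o, p in zip(obs, prev):
        expected = n_obs * p / n_prev
        stat += (o - expected) ** 2 / expected
    return stat


def run_windows(histograms, alpha):
    """Algorithm 2 in miniature: after each window the rules are reordered by
    descending current match count only when χ² > χ²_α (df = N - 1).
    Returns (number of reorderings, final rule order as indices)."""
    n = len(histograms[0])
    order = list(range(n))
    critical = chi2_critical(alpha, n - 1)
    previous = histograms[0]          # training window supplies Pr(R(i))_0
    reorders = 0
    for observed in histograms[1:]:
        if chi_square(observed, previous) > critical:
            order = sorted(order, key=lambda i: -observed[i])
            reorders += 1
        previous = observed           # previous state updated every window
    return reorders, order


def make_histograms(windows=40, packets=1000, seed=7):
    """Constructed rule-hit histograms for 5 rules: rule 0 (TCP-like) dominates,
    except for a burst in windows 15-19 where rule 1's traffic dominates."""
    rng = random.Random(seed)
    normal = [0.60, 0.20, 0.10, 0.06, 0.04]
    burst = [0.10, 0.60, 0.20, 0.06, 0.04]
    out = []
    for w in range(windows):
        hits = [0] * 5
        weights = burst if 15 <= w < 20 else normal
        for i in rng.choices(range(5), weights=weights, k=packets):
            hits[i] += 1
        out.append(hits)
    return out


def reorder_counts(alphas=(0.5, 0.05, 0.005)):
    """Reordering frequency per α over the same histograms (cf. Table 3)."""
    hist = make_histograms()
    return {a: run_windows(hist, a)[0] for a in alphas}


if __name__ == "__main__":
    for a, count in reorder_counts().items():
        print(f"alpha={a:<6} chi2_crit(df=4)={chi2_critical(a, 4):6.2f} reorderings={count}")
```

The two traffic-mix shifts (into and out of the burst) exceed χ²_α for every α, while the sampling noise between ordinary windows only triggers reordering at the larger α values, which is the Table 3 trend.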

4.3. The effect of dynamic window size on DR-RFOD mechanism cumulative processing time

This experiment empirically studies the effect of window size on the cumulative processing time associated with the proposed mechanism. Using a network training traffic flow, the experiment investigates the optimum window size range that allows minimizing the cost defined by eq. (15) and eq. (16).

The optimum window size W_Opt is estimated offline using a training traffic flow. To be specific, the training flow is passed through the firewall using different window sizes, and the W_Opt yielding the minimum filtering cost is then determined. This optimal window size is then used by the firewall to filter the incoming network traffic.

The reason behind using an empirical model to estimate the optimal window size W_Opt is the following. Analyzing the cumulative firewall filtering time as a function of the window size is achieved by adding the cost of testing and the cost of reordering represented in eq. (15) and eq. (16). Yet, a closer look reveals that the cost of reordering is in fact random because of the random variables I_w and I_wi. Therefore, the firewall optimization problem can be reduced to a stochastic optimization problem. In such a situation, it is quite common to solve for minimizing the expected cumulative filtering time, that is, to find the window size that minimizes the expected cumulative firewall processing time. Computing the expectation of I_w and I_wi requires knowledge of the traffic packet distribution, which is rarely available in practical situations. To overcome this issue, an empirical approach is adopted. Given a large training traffic flow which is assumed to represent normal network behavior, the total cost is computed for a large range of window sizes and the optimal size is then selected.

Fig. 2 – Example of the evolution of some rules positions using DR-RFO mechanism.

Fig. 3 – Evolution of the position of rule R1 over the first 20 windows using DR-RFO mechanism.

This experiment uses the same previous training traffic flow, which consists of 200,000 packets. The window size is dynamically changed in order to study its effect on the cumulative filtering time for different α values, namely 0.1, 0.01 and 0.05.

The training traffic volume is divided into different sequences of window sizes varying from 25 windows (8000 packets each) to 2000 windows (100 packets each). That is, the training data that represents the network traffic is injected offline into the firewall in order to find the optimal window size W_Opt that ensures minimum processing time.

Fig. 9 shows the processing time of the DR-RFOD mechanism using dynamic window sizes. The processing time starts high at ≈12.5 s for W = 25 (8000 packets), then drops to ≈6, 3.5 and 1.5 s for W = 50, 100 and 200 respectively. Starting from W = 250, there are some windows with high processing time. Moving to the remaining window counts 400, 500, 800, 1000 and 2000, it can be clearly seen that there is a very sharp increase in the processing time in some windows among these window sizes. This sharp increase becomes more significant as the number of windows increases, and it mainly affects the cumulative processing time. Thus, for this training traffic the optimum window range is W = [100, 200]. In other words, the maximum firewall performance will be achieved if the firewall operates using 1000–2000 packets per window.

Fig. 10 shows the evolution of the firewall cumulative filtering time as a function of the window size for α = 0.1, 0.05 and 0.01. It shows in particular that the optimal window size range is around 1000–2000 packets.

Fig. 5 – Example of the evolution of the positions of four fields in rule R1 over the first 10 windows using DR-RFO mechanism.

Fig. 4 – Evolution of R1 positions using DR-RFO and DR-RFOD mechanisms. [Plot residue removed: panel "Rule 1", x-axis "Window No." (0–200), y-axis "Rule Order" (0–18), series DR-RFO and DR-RFOD.]


Fig. 11 represents the same data plotted in Fig. 10 using the stair graph representation for a better illustration of the window size range with minimum cumulative processing time. For each α, there is an optimum window range as shown in Fig. 11, and these ranges intersect in a subset range regardless of the value of α. The optimum window ranges that minimize the total processing time are ≈200–800, 200–400 and 200–250 for α = 0.05, 0.01 and 0.1 respectively.

4.4. Resilience against DoS attacks

In Wang et al. (2007) and Salah (2010), it has been demonstrated that initiating an attack traffic targeting the bottom filtering rules of a relatively large firewall rule set will severely degrade the performance of the firewall. To solve this problem, it was recommended either to minimize the size of the firewall's rule set or to reorder the firewall's rule set dynamically. However, reducing the rule set is not a practical solution for large enterprise networks, which usually require large rule sets. Dynamically reordering the rule set, as proposed in this paper, rearranges the filtering rules so that the bottom rules can be served at the top of the rule set. In fact, DoS attack traffic will affect the firewall performance only at the beginning of the initiated traffic. Then, once the firewall optimizes the order of the filtering rules, the DoS attack traffic will no longer affect the firewall performance.

Indeed, in Trabelsi et al. (2011) we intensively investigated and evaluated the rule/rule-field reordering process in defending against DoS attacks. Two experiments have been performed using non-matching and matching DoS attack traffic, respectively. In the first DoS attack experiment, most packets received by the firewall do not match any filtering

Fig. 6 – Evolution of the field Source-IP positions in rule R1 using DR-RFO and DR-RFOD mechanisms. [Plot residue removed: panel "Field Source-IP in R1", x-axis "Window No." (0–70), y-axis "Field Order" (1–9), series DR-RFO and DR-RFOD.]

Fig. 7 – Cumulative processing time for DR-RFOD vs DR-RFO for different α values. [Plot residue removed: panel "DRFD for different alfa vs DRF", x-axis "Window No." (0–200), y-axis "Cumulative ExeTime (s)" (0–70), series DRF, DRFD Alfa=0.5, DRFD Alfa=0.05, DRFD Alfa=0.005.]

Fig. 8 – Execution time for DR-RFOD mechanism for different α values. [Plot residue removed: panel "Execution time for different Alfa (w=200)", x-axis "Window No." (0–200), y-axis "ExeTime (s)" (0.5–3), series Alfa=0.5, Alfa=0.05, Alfa=0.005.]

Table 3 – The effect of different α on reordering frequency and cumulative processing time (R: rules, RF: rule-fields).

α       No. reordering processes        Cumulative processing    ≈ (s)
        R       RF      Total           time (s), DR-RFOD
0.5     102     198     300             47.4047                  47–48
0.4     80      151     231             47.8677
0.3     63      124     187             47.9697
0.2     47      80      127             48.0900
0.1     26      36      62              48.1036
0.05    14      28      42              48.3715                  48–57
0.04    11      29      40              49.3784
0.03    10      27      37              49.7656
0.02    9       18      27              49.9930
0.01    6       3       9               57.3541
0.005   4       0       4               57.5448                  57–60
0.004   4       0       4               57.5537
0.003   3       0       3               57.7527
0.002   1       0       1               58.1344
0.001   1       0       1               60.5990


Fig. 9 – Dynamic window size vs DR-RFOD execution time.


rule, and these packets are finally rejected by the default security policy. UDP flood, ICMP echo flood and port scanning are examples of such attacks. In the second DoS attack experiment, the firewall is flooded with matching packets, such as a SYN flood attack. In conclusion, the investigation showed that once dynamic rule and rule-field ordering is implemented, the effects of many common DoS attacks on the firewall performance are reduced significantly. In contrast, firewalls that don't dynamically optimize their rule sets are more vulnerable to common DoS attacks, especially when the malicious traffic includes mostly non-matching packets.

5. Conclusion

Data networks may suffer from some traffic flows that are very expensive to classify and filter, as they may traverse a longer than average list of filtering rules before being rejected by the default deny rule. In this paper, we have proposed a mechanism to improve firewall packet filtering time by optimizing the order of the firewall's filtering rules and rule-fields. The proposed mechanism is based on reordering rules and rule-fields according to packet matching and non-matching histograms, respectively. The current and previous traffic window statistics are used to check the system stability using a threshold qualification (Chi-square test). The proposed mechanism improves the firewall performance in terms of cumulative packet filtering time compared to the DR-RFO mechanism. The effect of α on the cumulative processing time and on the frequency of the reordering process has been discussed. In addition, we investigated the effect of dynamically changing the traffic window size, and estimated the optimum window size empirically. In future work, we intend to improve the proposed mathematical model to account for security policies with dependent rules.

Acknowledgment

The authors acknowledge the support of NRF Foundation

through research grant no. 21T023 and Emirates Foundation

through research grant no. 2011/161.

References

Acharya S, Abliz M, Mills B, Znati TF. A hierarchical traffic-aware firewall. In: Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS), San Diego, US, February 2007.

Al-Shaer E, El-Atawy A, Tran T. Adaptive early packet filtering for defending firewalls against DoS attack. In: Proceedings of IEEE INFOCOM 2009. p. 1–9.

Baboescu F, Varghese G. Scalable packet classification. In: ACM SIGCOMM’01 2001.

Cohen E, Lund C. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In: SIGMETRICS ’05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. New York, NY, USA: ACM Press; 2005. p. 73–84.

El-Atawy A, Samak T, Al-Shaer E, Li H. Using online traffic statistical matching for optimizing packet filtering performance. In: IEEE INFOCOM’07 2007. p. 866–74.

Feldmann A, Muthukrishnan S. Tradeoffs for packet classification. In: IEEE INFOCOM’00 March 2000.

Gupta P, McKeown N. Algorithms for packet classification. IEEE Network 2001;15(2):24–32.

Gupta P, McKeown N. Packet classification using hierarchical intelligent cuttings. In: Interconnects VII August 1999.

Gupta P, Prabhakar B, Boyd S. Near optimal routing lookups with bounded worst case performance. In: IEEE INFOCOM’00 2000.

Hamed H, Al-Shaer E. Dynamic rule-ordering optimization for high-speed firewall filtering. In: ASIACCS ’06, March 21–24, 2006. Taipei, Taiwan.

Hamed H, El-Atawy A, Al-Shaer E. Adaptive statistical optimization techniques for firewall packet filtering. In: IEEE INFOCOM’06 April 2006.

Hamed H, El-Atawy A, Al-Shaer E. On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications October 2006;24(10).

Fig. 10 – Dynamic window size vs DR-RFOD cumulative execution time. [Plot residue removed: panel "Dynamic Window size vs Cumulative PT", x-axis "Window No." (200–2000), y-axis "Cumulative ExeTime (s)" (200–320), series Alfa=0.1, Alfa=0.05, Alfa=0.01.]

Fig. 11 – Stair graph representation for dynamic window size vs DR-RFOD cumulative processing time. [Plot residue removed: panel "Dynamic Window size vs Cumulative PT", x-axis "Window No." (200–2000), y-axis "Cumulative ExeTime (s)" (200–320), series Alfa=0.05, Alfa=0.1, Alfa=0.01.]


Kencl L, Schwarzer C. Traffic-adaptive packet filtering of denial of service attacks. In: WOWMOM’06: the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks 2006. p. 485–9. Washington, DC, USA.

Lan K, Heidemann J. On the correlation of internet flow characteristics. Technical Report ISI-TR-574, USC/ISI 2003.

Liu A, Gouda M. Complete redundancy detection in firewalls. In: Proceedings of the 19th Annual IFIP Conference on Data and Applications Security August 2005.

McAulay AJ, Francis P. Fast routing table lookup using CAMs. In: IEEE INFOCOM’93 March 1993.

Mothersole I, Reed M. Optimizing rule order for a packet filtering firewall. In: SAR-SSI 2011.

Neji N, Bouhoula A. Dynamic scheme for packet classification using splay trees. In: Information Assurance and Security 2009. p. 1–9.

Salah K. Queuing analysis of network firewalls. In: IEEE Globecom Proceedings 2010.

Salah K, Elbadawi K, Boutaba R. Performance modeling and analysis of network firewalls. IEEE Transactions on Network and Service Management March 2012;9(1).

Sleator D, Tarjan R. Self-adjusting binary search trees. Journal of the ACM 1985;32(3):652–86.

Srinivasan V, Suri S, Varghese G. Packet classification using tuple space search. In: ACM SIGCOMM Computer Communication Review October 1999. p. 135–46.

Trabelsi Z, Zeidan S. Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement. In: ICC June 2012.

Trabelsi Z, Zhang L, Zeidan S. Packet flow histograms to improve firewall efficiency. In: ICICS December 2011.

Waldvogel M, Varghese G, Turner J, Plattner B. Scalable high speed IP routing lookups. In: Proceedings of the ACM SIGCOMM (SIGCOMM ’97) 1997. p. 25–36.

Wang W, Ji R, Chen W, Chen B, Li Z. Firewall rules sorting based on Markov model. In: Proceedings of the International Symposium on Data Privacy and E-commerce 2007.

Wang W, Chen H, Chen J, Liu B. Firewall rule ordering based on statistical model. In: International Conference on Computer Engineering and Technology 2009.

Woo T. A modular approach to packet classification: algorithms and results. In: IEEE INFOCOM’00 March 2000. p. 1213–22.

Zouheir Trabelsi is an associate professor at the College of Information Technology, United Arab Emirates University. He received the Ph.D. degree in Computer Science from Tokyo University of Technology and Agriculture, Japan. His primary research interests are in the area of network security, intrusion detection, firewalls, and TCP/IP covert channels.

Liren Zhang is a professor of network engineering at the College of Information Technology, United Arab Emirates University. He received the Ph.D. degree in telecommunication networks from University of Adelaide, Australia. His primary research interests are in the areas of ad hoc networks and network security.

Safaa Zeidan is an assistant researcher at the College of Information Technology, United Arab Emirates University. She received the Bachelor of Science degree in Computer Engineering (Networking and Software) from University of Sharjah, UAE. Her primary research interests are in the areas of network packet filtering optimization and intrusion detection.

Kilani Ghoudi is a professor of statistics at the College of Business & Economics, United Arab Emirates University. He received the Ph.D. degree in statistics from University of Ottawa, Canada. His primary research interests are in the areas of nonparametric statistics, empirical processes, pseudo-observations, and copulas.
