Dynamic traffic awareness statistical model for firewall performance enhancement
Highlights
- An enhanced filtering mechanism for firewalls with four optimization levels is proposed.
- Rule and rule-fields reordering processes allow early packet acceptance and rejection.
- A Chi-square test is performed to check whether the reordering process is required.
- The optimum window size guarantees minimum packet filtering time.
- The proposed mechanism provides better filtering time compared to related works.
Available online at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
computers & security xxx (2013) 1
COSE711_grabs ■ 15 July 2013 ■ 1/1
Please cite this article in press as: Trabelsi Z, et al., Dynamic traffic awareness statistical model for firewall performance enhancement, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.07.001
0167-4048/$ – see front matter © 2013 Published by Elsevier Ltd. http://dx.doi.org/10.1016/j.cose.2013.07.001
Dynamic traffic awareness statistical model for firewall performance enhancement
Zouheir Trabelsi a,b,*, Liren Zhang a,b, Safaa Zeidan a,b, Kilani Ghoudi a,b
a College of Information Technology, UAE University, Al-Ain, United Arab Emirates
b College of Business and Economics, UAE University, Al-Ain, United Arab Emirates
Article info
Article history:
Received 24 January 2013
Received in revised form 27 June 2013
Accepted 2 July 2013
Keywords:
Firewall performance
Packet filtering
Filtering rule order
Rule-fields order
System stability
Chi-square test
Window size
Abstract
A firewall is considered to be one of the most important security components in today's IP network architectures. Firewall performance has a significant impact on the overall network performance. In this paper, we propose a mechanism to improve firewall performance using network traffic behavior and packet filtering statistics. Upon a certain threshold qualification (Chi-square test), the proposed mechanism allows the filtering rules order and their corresponding fields order to be optimized according to the divergence of the traffic behavior. That is, if the firewall system is stable, then the same current filtering rules and/or rule-fields orders are used for filtering the next network traffic window. Otherwise, an update of the filtering rules and/or rule-fields orders is required for filtering the next network traffic window. The numerical results obtained by simulation demonstrate that the proposed mechanism significantly improves the firewall performance in terms of cumulative packet processing time, even for small security policies. This improvement results from minimizing the overhead corresponding to the frequency of updating the rule/field structures, as well as from using the optimum traffic window size.
© 2013 Published by Elsevier Ltd.
1. Introduction
Firewalls use security policies to inspect incoming and out-
going network traffic. A security policy consists of a set of
filtering rules. Each filtering rule is defined by a set of filtering
fields, and associated with an action to either block or forward
a packet to its destination. The last rule in a security policy is
the default filtering rule which is usually assumed to be
“Deny”.
Firewall packet filtering is performed in a sequential order
starting from the first rule until a matching rule is found. If no
matching rule is found, the packet is processed by the default
rule. Thus, the computational complexity of the filtering
process depends significantly on the length of each filtering
rule as well as the depth of finding a matching filtering rule in
the security policy. Hence, the order of the filtering rules, the
order of the rule-fields, and the characteristics of the network
traffic flow have all significant impact on the cumulative
packet filtering time.
In addition, unwanted traffic targeting specific rules such
as the default filtering rule may cause more harm than
others by producing an overhead to the system. This over-
head is proportional to the number of rules used in the se-
curity policy. Such unwanted network traffic may cause a
Denial of Service (DoS) attack situation and consequently
may degrade considerably the firewall performance. Thus, it
* Corresponding author. College of Information Technology, UAE University, Al-Ain, United Arab Emirates. Tel.: +971 502330470.
E-mail addresses: [email protected] (Z. Trabelsi), [email protected] (L. Zhang), [email protected] (S. Zeidan), [email protected] (K. Ghoudi).
is very important to reject such network traffic as early as
possible.
In this paper, we propose a mechanism to optimize the firewall early acceptance as well as early rejection packet filtering paths. The mechanism uses filtering rules and rule-fields histograms that change dynamically according to network traffic flows. Based on network traffic statistics, a decision is made regarding whether or not there is a need to reorder the filtering rules and/or rule-fields orders. The proposed mechanism is based on the following four optimization levels:
(1) The filtering rules are reordered in a descending manner according to their packet matching histograms. This yields a faster packet filtering time for the next similar repeated network traffic (optimization in the acceptance path).
(2) The rule-fields are reordered in a descending manner according to their packet not-matching histograms. This reduces the time required for tuple comparison and allows early rejection of packets that do not match any filtering rule (optimization in the rejection path).
(3) The firewall continues filtering packets using the current filtering rule and rule-fields orders as long as a certain threshold qualification (Chi-square stability test) holds. This reduces the time needed for the reordering process and for updating the firewall security policy structure.
(4) The optimum traffic window size that minimizes the cost is obtained empirically and offline using a training traffic that represents the network.
These optimization levels are expected to minimize the total packet filtering time, which results in improving the overall firewall performance, as demonstrated later in the evaluation section.
The paper is organized as follows: Section 2 discusses the related work. Section 3 presents the mathematical model of the proposed mechanism. Section 4 evaluates the effect of the proposed mechanism on the firewall performance. Finally, Section 5 concludes the paper.
2. Related work
The earliest research works on firewall performance focused
on improving packet searching times using various mecha-
nisms including hardware-based solutions (Baboescu and
Varghese, 2001; McAulay and Francis, 1993), specialized
data structures (Gupta and McKeown, 2001; Srinivasan et al.,
1999; Feldmann and Muthukrishnan, 2000; Gupta and
McKeown, 1999; Cohen and Lund, 2005; Woo, 2000), and
heuristics (Gupta and McKeown, 2001). Research works in El-
Atawy et al. (2007), Gupta et al. (2000), Kencl and Schwarzer
(2006), Hamed et al. (2006), and Mothersole and Reed (2011)
considered statistical filtering schemes in order to improve
the average packet processing time. The structure of
searching by taking into account the packet flow dynamics is
introduced in Lan and Heidemann (2003), Kencl and
Schwarzer (2006), and Acharya et al. (2007). The optimiza-
tion of firewall filtering policies utilizing the characteristics of
network flow over the Internet is presented in Hamed et al.
(2006). The Segments-based Tree Search (STS) scheme, outlined in El-Atawy et al. (2007), uses collected statistics and bounded depth Huffman trees to enhance the searching mechanism. However, this scheme may need large overheads for maintaining the tree periodically. To reduce such overheads, Segments-based List Search (SLS) was proposed in El-Atawy et al. (2007), where it is pointed out that an MRU order should be used instead of trees.
The idea of firewall optimization through early packet
rejection was introduced in Trabelsi et al. (2011), Trabelsi and
Zeidan (2012), Al-Shear et al. (2009), Neji and Bouhououla
(2009), Hamed et al. (2006), and Mothersole and Reed (2011). In
Trabelsi et al. (2011), early packet rejection is done through
rule-fields reordering. In Trabelsi and Zeidan (2012), early
packet rejection is done through multilevel filtering process
including field and intersection filtering modules. In Hamed et al. (2006), an approach to optimize the rejection path, named FVSC, is proposed. This technique uses a set cover approximation algorithm to construct early rejection rules from the common field values of the original security policy. The PBER technique in Al-Shear et al. (2009) is considered a generalization of FVSC (Hamed et al., 2006) in the sense that FVSC (Hamed et al., 2006) focuses only on rejection paths while PBER (Al-Shear et al., 2009) finds short cuts for both accepted and rejected packets. In Neji and Bouhououla (2009),
a binary search on prefix length algorithm, described in
Waldvogel et al. (1997), is used. This algorithm is applied to
every filtering field of the security policy along with the
property of splaying the search tree nodes, as discussed in
Sleator and Tarjan (1985), while maintaining the min-node at
high level for early packet rejection.
Literature focusing on rule reordering falls into two categories. The first category considers the case where the filtering rules are dependent, such as in Hamed et al. (2006) and Mothersole and Reed (2011), where a heuristic approximation algorithm is used in the rules reordering process. The second category treats the case of independent filtering rules, such as in Wang et al. (2009, 2007), where a homogeneity test and a Markov model, respectively, are applied to the rules reordering process. To our knowledge, all research works done in the field of firewall optimization through rule reordering (Hamed et al., 2006; Mothersole and Reed, 2011; Wang et al., 2009, 2007) emphasize the importance of rule-fields reordering in early packet rejection. However, no optimization mechanism based on both rule and rule-fields reordering has been proposed in the literature. In Trabelsi et al. (2011), we were the first to propose and evaluate a mechanism based on rule-fields reordering and to focus on its major effect in reducing the overall packet processing time. However, the rule/rule-fields reordering processes in Trabelsi et al. (2011) were done at the end of each traffic window without performing the system stability test. Therefore, this paper intends to study the stability issue applied to both rule and rule-fields reordering processes. The effects of the error precision and the traffic window size on the overall firewall performance will also be considered.
3. Proposed work
The relationship between firewall filtering rules can be one of the following: disjoint, inclusive or correlated. When two rules are inclusive or correlated (called dependent rules), their order should be preserved, since any change in their order may result in a different packet filtering decision. Optimizing the order of such dependent rules is an NP-complete problem; this was shown using the job scheduling problem. In this paper, we use the Firewall Decision Tree Tool (FDT) described in Liu and Gouda (2005) to release the dependency relationship between the filtering rules. The newly constructed policy is equivalent to the original one, but with only disjoint rules. As a result, the filtering rules can be reordered according to their matching frequencies.
The mathematical model in this paper is based on rule and
rule-fields histograms proposed in Trabelsi et al. (2011). A
mechanism named Dynamic Rule and Rule-Fields Ordering
(DR-RFO) is proposed in Trabelsi et al. (2011). It has been
shown that the reordering of the filtering rules and the rule-
fields according to their acceptance and rejection rates,
respectively, has reduced significantly the packet processing
time and hence improved the overall firewall performance.
However, this reordering process is carried out at the end of
each network traffic window using rule matching and field
non matching histograms. Thus, in this paper we propose an
enhanced mechanism named Dynamic Rule and Rule-Fields
Ordering with Decision (DR-RFOD) to organize the reordering
process according to the system stability test ‘Chi-Square
Test’. That is, if the network traffic in a certain window follows
the same rule/rule-fields distribution as in the previous win-
dow, then there will be no need to perform the reordering
processes. In such a situation, the system is considered stable
and the same previous rule/rule-fields orders are used to filter
the next traffic window. By this, the processing time needed
for updating the firewall rule/rule-fields structure is saved for
windows with similar network traffic distributions. Conse-
quently, the overall firewall packet processing time will be
decreased.
Details on rule and rule-fields histograms and a description of the mechanism of the reordering processes are discussed in the next section.
3.1. Mathematical model
3.1.1. Histogram of rule matching probability and field not-matching probability
Consider that the packet matching test in a firewall is based on a security policy with N filtering rules, excluding the default "Deny" rule. Each rule consists of a maximum number of M_i fields, excluding the action field. An N × M_i matrix F represents the security policy, that is:

$$F(i,j) = \begin{bmatrix} R(1) \\ \vdots \\ R(i) \\ \vdots \\ R(N) \end{bmatrix} = \begin{bmatrix} F(1,1) & \cdots & F(1,j) & \cdots & F(1,M_1) \\ \vdots & & \vdots & & \vdots \\ F(i,1) & \cdots & F(i,j) & \cdots & F(i,M_i) \\ \vdots & & \vdots & & \vdots \\ F(N,1) & \cdots & F(N,j) & \cdots & F(N,M_N) \end{bmatrix} \qquad (1)$$

where i ∈ {1, 2, ..., N} and j ∈ {1, 2, ..., M_i} are the indices for rule and rule-field, respectively. Since the number of active fields defined by the security policy can vary from rule to rule, we assume that the non-active fields have a zero value and are not used during the packet filtering process. We also consider that the packet flow input into the firewall is divided into a sequence of W equal-size windows, indexed with w (w ∈ {1, 2, ..., W}). We also assume that each window consists of S equal-size segments with L packets per segment.
The packet flow is assembled using a two-layer structure in terms of segments and windows based on the following two considerations: (1) The window defined here consists of a large population space of S × L packets, which guarantees the accuracy of the histograms. (2) The mechanism proposed here focuses on real-time adjustment of both rule order and field order using histogram statistics. From a practical point of view, such real-time adjustment requires a relatively large time scale.
Let a_{w,s}(i,j)_l and b_{w,s}(i,j)_l represent the status of the lth packet matching and not matching an active field F(i,j) in rule R(i), respectively, where w (w ∈ {1, 2, ..., W}), s (s ∈ {1, 2, ..., S}) and l (l ∈ {1, 2, ..., L}) are the window, segment and packet indices, respectively. Let a_{w,s}(i,j)_0 = 0 and b_{w,s}(i,j)_0 = 0 be the values of the initial state at the beginning of the sth segment. During the process, if the lth packet matches the field F(i,j) in the rule R(i), then the state value of a_{w,s}(i,j)_l is incremented by "1", while the state value of b_{w,s}(i,j)_l remains unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} \end{cases} \qquad (2)$$

By contrast, when the lth packet does not match the field F(i,j) in the rule R(i), the state value of b_{w,s}(i,j)_l is incremented by "1", while the state value of a_{w,s}(i,j)_l remains unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1 \end{cases} \qquad (3)$$

Note that if the lth packet is not tested for the field F(i,j) in the rule R(i), which could happen if the lth packet is rejected by the field F(i,j−1) or if the field F(i,j) is a non-active field, the state values of a_{w,s}(i,j)_l and b_{w,s}(i,j)_l remain unchanged. That is:

$$\begin{cases} a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\ b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} \end{cases} \qquad (4)$$
Therefore, for a given rule R(i), a packet is compared with the fields F(i,j) for j = 1, 2, ..., k, ..., M_i until a k is found such that the packet does not match F(i,k). Then, the filtering process for this packet against rule R(i) is completed (eq. (3)) and the packet starts its filtering process from rule R(i+1). Otherwise, if the packet matches all fields defined in rule R(i), then the packet matches rule R(i) (eq. (2)) and therefore the filtering process for this packet is completed.
Let C_{w,s}(i) = a_{w,s}(i,M_i) and D_{w,s}(i,j) = b_{w,s}(i,j) represent the number of packets in the sth segment matching rule R(i)|_{i=1,2,...,N} and not matching field F(i,j)|_{j=1,2,...,M_i} in R(i), respectively.
Therefore, the probability of a packet matching rule R(i) after each segment can be defined as:

$$\Pr(C_{w,s}(i)) = \frac{C_{w,s}(i)}{L} \quad \text{for } 1 \le i \le N \qquad (5)$$

Likewise, the probability of a packet not matching field F(i,j)|_{j=1,2,...,M_i} in the rule R(i) after each segment can be defined as:
$$\Pr(D_{w,s}(i,j)) = \begin{cases} \dfrac{D_{w,s}(1,1)}{L} & \text{for } i = 1,\ j = 1 \\[2ex] \dfrac{D_{w,s}(1,j)}{L - \sum_{k=1}^{j-1} D_{w,s}(1,k)} & \text{for } i = 1,\ 2 \le j \le M_1 \\[2ex] \dfrac{D_{w,s}(i,1)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)} & \text{for } 2 \le i \le N,\ j = 1 \\[2ex] \dfrac{D_{w,s}(i,j)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k) - \sum_{k=1}^{j-1} D_{w,s}(i,k)} & \text{for } 2 \le i \le N,\ 2 \le j \le M_i \end{cases} \qquad (6)$$

where the term Σ_{k=1}^{j−1} D_{w,s}(1,k) is the number of packets in the sth segment rejected by the fields F(1,k)|_{k=1,...,j−1} in the rule R(1), the term Σ_{k=1}^{M_{i−1}} D_{w,s}(i−1,k) is the number of packets in the sth segment rejected by the fields in the rule R(i−1), and the term Σ_{k=1}^{j−1} D_{w,s}(i,k) is the number of packets rejected by the fields F(i,k)|_{k=1,2,...,j−1} in the rule R(i)|_{i=1,2,...,N}.
At the end of each window, there is an average probability for each rule and field, which gives a further indication of the importance of that rule or field. That is:

$$\Pr(R(i))_w = \frac{\sum_{s=1}^{S} \Pr(C_{w,s}(i))}{S} \quad \text{for } 1 \le i \le N \qquad (7)$$

and

$$\Pr\big(F(i,j)_{R(i)}\big)_w = \frac{\sum_{s=1}^{S} \Pr(D_{w,s}(i,j))}{S} \quad \text{for } 1 \le i \le N,\ 1 \le j \le M_i \qquad (8)$$

where Pr(R(i))_w and Pr(F(i,j)_{R(i)})_w are the average probabilities for R(i) and F(i,j) in the wth window, respectively.
3.1.2. Reordering decision
A) Statistical rules reordering decision
This section discusses the reordering process of the filtering rules using the number of packets matching rule R(i). Given a certain order for the N filtering rules of the firewall in the previous (w−1)th window, we want to know whether this order needs to be updated in the wth window. Table 1 shows the notations used to describe the states of the filtering rules order in the previous and current windows.
Let n_{w−1,i} and n_{w,i} (observed values) be the number of packets matched by rule R(i) in the (w−1)th and wth windows, respectively. To see whether the network traffic distribution has changed, a Chi-square test of homogeneity is performed to compare the distributions of the (w−1)th and wth windows. This amounts to the Chi-square test of equality of two multinomial distributions. That is:

$$\chi^2(\mathrm{Rules}(N)) = \sum_{k=w-1}^{w} \sum_{i=1}^{N} \frac{(n_{k,i} - E_{k,i})^2}{E_{k,i}} \qquad (9)$$

where E_{k,i} is the expected number of packets to be matched by R(i) in the current or previous window. That is:

$$E_{k,i} = \frac{T_k\, C_i}{T} \quad \text{for } k = \{w, (w-1)\} \qquad (10)$$

If the p_value, computed using a χ² distribution with N−1 degrees of freedom, is less than a given significance level α (such as 0.05 or 0.01), then the null hypothesis is rejected and the result is said to be statistically significant. In other words, the network traffic in the wth window does not match the previous rules order distribution. That is:
If p_value < α, then the system is not stable and the security policy rules need to be reordered according to the histograms of packets matching R(i) on a window basis, in descending order. The new rule distribution is computed using the following equation:

$$\Pr(R(i))_w = \delta \Pr(R(i))_w + (1-\delta)\Pr(R(i))_{w-1} \qquad (11)$$

where δ = 1 − p_value. Otherwise, if p_value > α, then the system is stable. Therefore, there is no need to reorder the rules. The same previous rule order is used for the next window and the rules histograms are renewed using eq. (11).
Whether there is a decision to reorder the rules or not,
the new rules average probabilities will be computed based
on the statistics of the (w�1)th and wth windows. However,
the probability of the current window is given more weight.
By doing this, the behavior of the traffic in the previous
window will not be ignored and will have relatively less ef-
fect than the traffic behavior in the current window. As a
result, the new computed average probabilities would allow
producing a better optimized rules order for the next win-
dow traffic. This procedure will also be performed for all the
fields of each filtering rule, as will be described in the next
section.
B) Statistical policy rule-fields reordering decision
Here, we discuss whether to reorder the policy rule-fields or not, using the number of packets not matching field F(i,j) in rule R(i), where i ∈ {1, 2, ..., N} and j ∈ {1, 2, ..., M_i}.

Table 1 – Previous and current situations for the filtering rules. Each cell lists the observed count n and the expected count E.
State(k)       | R1                   | R2                   | ... | RN                   | Total
Previous (w−1) | n_{w−1,1}, E_{w−1,1} | n_{w−1,2}, E_{w−1,2} | ... | n_{w−1,N}, E_{w−1,N} | T_{w−1}
Current (w)    | n_{w,1}, E_{w,1}     | n_{w,2}, E_{w,2}     | ... | n_{w,N}, E_{w,N}     | T_w
Total          | C_1                  | C_2                  | ... | C_N                  | T

Table 2 – Previous and current situations for the fields of the filtering rule R_i. Each cell lists the observed count m and the expected count E.
State(k)       | F_{i,1}              | F_{i,2}              | ... | F_{i,M_i}                | Total
Previous (w−1) | m_{w−1,1}, E_{w−1,1} | m_{w−1,2}, E_{w−1,2} | ... | m_{w−1,M_i}, E_{w−1,M_i} | T_{w−1}
Current (w)    | m_{w,1}, E_{w,1}     | m_{w,2}, E_{w,2}     | ... | m_{w,M_i}, E_{w,M_i}     | T_w
Total          | C_1                  | C_2                  | ... | C_{M_i}                  | T

The same concept of the Chi-square test used in the previous section is applied to the fields of each rule in the security policy, as shown in Table 2. That is:
$$\chi^2(F(i,j))_{R(i)} = \sum_{k=w-1}^{w} \sum_{j=1}^{M_i} \frac{(m_{k,j} - E_{k,j})^2}{E_{k,j}} \qquad (12)$$

where m_{k,j} (observed) is the number of packets not matched by F(i,j) in R(i), and k refers to the current or previous situation. E_{k,j} is the expected number of packets not matching F(i,j) in R(i) in the current or previous window. That is:

$$E_{k,j} = \frac{T_k\, C_j}{T} \quad \text{for } k = \{w, (w-1)\} \qquad (13)$$

If the p_value, computed using a χ²(F(i,j))_{R(i)} distribution with M_i − 1 degrees of freedom, is less than a given significance level α (0.05 or 0.01), then the null hypothesis is rejected. In this case, the result is said to be statistically significant. In other words, the traffic in the wth window does not match the previous R(i) fields order distribution. That is:
If p_value < α, then the fields in R(i) need to be reordered according to the histogram of packets not matching F(i,j) in R(i) on a window basis, in descending order. The new F(i,j) distribution in R(i) is computed using the following equation:

$$\Pr\big(F(i,j)_{R(i)}\big)_w = \delta \Pr\big(F(i,j)_{R(i)}\big)_w + (1-\delta)\Pr\big(F(i,j)_{R(i)}\big)_{w-1} \qquad (14)$$

where δ = 1 − p_value. Otherwise, if p_value > α, then there is no need to reorder the fields in R(i). The same previous R(i) field order is used for the next window and the histograms for R(i) fields are renewed using eq. (14).
It is important to mention that the rules and rule-fields reordering processes are independent of each other. Depending on the χ²(Rules(N)) and χ²(F(i,j))_{R(i)} tests, the system may change the rules order without changing the fields order and vice versa, or change only the fields order of some filtering rules.
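The stability decision of Sections A and B, as an added example that is not the paper's own MATLAB code: a two-window Chi-square test of homogeneity (eqs. (9)–(10) and (12)–(13)) with the p-value computed in closed form, the δ-weighted histogram update of eqs. (11) and (14), and a descending reorder only when p_value < α. The match counts and the previous-window probabilities are constructed, and taking the current window's probability as n_{w,i}/T_w is this example's assumption.

```python
"""Window-level system stability test of the DR-RFOD mechanism (eqs. 9-11 for rules,
eqs. 12-14 for the fields of one rule). Added example, not the paper's MATLAB code."""
import math


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square variable with integer df >= 1.
    Uses the closed-form recurrence Q(x; k+2) = Q(x; k) + (x/2)^(k/2) exp(-x/2) / Gamma(k/2+1),
    seeded with Q(x; 1) = erfc(sqrt(x/2)) and Q(x; 2) = exp(-x/2), so SciPy is not needed."""
    if x <= 0.0:
        return 1.0
    if df % 2:
        q, k = math.erfc(math.sqrt(x / 2.0)), 1
    else:
        q, k = math.exp(-x / 2.0), 2
    while k < df:
        q += (x / 2.0) ** (k / 2.0) * math.exp(-x / 2.0) / math.gamma(k / 2.0 + 1.0)
        k += 2
    return q


def homogeneity_chi2(prev, cur):
    """Chi-square of homogeneity for the 2 x N table of Table 1 (or 2 x M_i of Table 2):
    sum over k in {w-1, w} and i of (n_{k,i} - E_{k,i})^2 / E_{k,i}, E_{k,i} = T_k C_i / T."""
    t_prev, t_cur = sum(prev), sum(cur)
    t = t_prev + t_cur
    chi2 = 0.0
    for n_prev, n_cur in zip(prev, cur):
        c_i = n_prev + n_cur                      # column total C_i
        for t_k, n in ((t_prev, n_prev), (t_cur, n_cur)):
            e = t_k * c_i / t                     # expected count, eq. (10) / (13)
            if e > 0.0:                           # a column empty in both windows adds nothing
                chi2 += (n - e) ** 2 / e
    return chi2


def stability_decision(prev_counts, cur_counts, prev_probs, alpha=0.05):
    """Decide whether window w must be reordered and blend the histograms (eq. 11 / 14).
    prev_probs is the average probability vector kept from window w-1; the current-window
    probability is taken as the observed frequency n_{w,i} / T_w (assumption of this example)."""
    n = len(cur_counts)
    chi2 = homogeneity_chi2(prev_counts, cur_counts)
    p_value = chi2_sf(chi2, n - 1)                # N-1 (or M_i-1) degrees of freedom
    unstable = p_value < alpha
    delta = 1.0 - p_value                         # weight of the current window
    t_cur = sum(cur_counts)
    cur_probs = [c / t_cur for c in cur_counts]
    new_probs = [delta * c + (1.0 - delta) * q for c, q in zip(cur_probs, prev_probs)]
    order = list(range(n))                        # previous order is kept when stable
    if unstable:                                  # descending average probability
        order = sorted(order, key=lambda i: -new_probs[i])
    return {"chi2": chi2, "p_value": p_value, "reorder": unstable,
            "probs": new_probs, "order": order}


def demo():
    """Constructed match counts for N = 3 rules over two consecutive windows."""
    prev = [500, 300, 200]
    prev_probs = [0.5, 0.3, 0.2]
    shifted = stability_decision(prev, [200, 300, 500], prev_probs)   # traffic mix changed
    steady = stability_decision(prev, [510, 290, 200], prev_probs)    # same mix, noise only
    return shifted, steady
```

The same function serves Table 2 by passing the per-field non-match counts m_{k,j} of one rule, which gives M_i − 1 degrees of freedom automatically.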
Algorithms 1 and 2 shown below illustrate the main operation of the statistical module as well as the reordering processes. Algorithm 1 builds up the candidate filtering rules that are independent and equivalent to the original security policy using the FDT tool. Also, the initial rule and rule-field probabilities are calculated after training the system for S_0 segments, and used as input data for Algorithm 2 (Lines 19–22).
In Algorithm 2, packet filtering is performed using the function tuple_comparasion(l), which is based on eqs. (2)–(4) (Lines 7–11). The number of packets matched by each rule as well as the number of packets rejected by each rule-field are computed (Lines 12–13). In Lines 14–15, the corresponding segment probabilities are calculated. Lines 18–19 compute the average rule and rule-fields probabilities on a window basis. Lines 20–23 define the variables for the current state. χ²(F(i,j))_{R(i)} and χ²(Rules(N)) are computed using the current and previous states for rule-fields and rules, respectively (Lines 24–36). Also, the reordering process for rules and rule-fields is done in a descending manner according to the current average probabilities, based on the if statements in Lines 28 and 34. Lines 27 and 33 compute the current rule-fields and rule average probabilities based on eqs. (11) and (14). Finally, in Lines 37–40, the previous state variables are updated to be used in the next traffic window.
Algorithm 1. Startup phase
Algorithm 2. System stability test and reordering processes
3.1.3. Algorithm cost
The cost of the proposed mechanism depends mainly on the cost of filtering the network traffic packets in W windows and the cost of updating the firewall rules and the rule-fields in the corresponding windows. That is:

Algorithm cost = Packet filtering cost + Reordering cost.

In a firewall, a packet is said to match rule R(i) if it matches all the fields in R(i). Then, R(i)'s action is applied, whether to accept or deny this packet, and the filtering process for this packet is completed. But if the packet does not match field F(i,j) in R(i), then it is checked against R(i+1). Thus, the cost of testing rule R(i) is determined by the number of its field hits, whether for matching or non-matching packets, and not by the simple sum of its fields' costs. That is, for the proposed mechanism the cost of filtering L packets in W windows can be defined by the following equation:

$$C_{\mathrm{testing}} = \sum_{w=1}^{W} \sum_{i=1}^{N} \sum_{j=1}^{M_i} c(F(i,j)) \cdot a_w(i,j) + \sum_{w=1}^{W} \sum_{i=1}^{N} \sum_{j=1}^{M_i} c(F(i,j)) \cdot b_w(i,j) \qquad (15)$$

where c(F(i,j)) is the cost of field F(i,j) in rule R(i), usually determined by the number of bits of the field. Standard firewalls use 32 bits for the IP address, 16 bits for the port and 8 bits for the protocol. The first and second terms of eq. (15) represent the cost of packets matching and not matching field F(i,j) in rule R(i), respectively. Recall that a_w(i,j) and b_w(i,j) are defined previously in Section 3.1.
The reordering process of the rules and/or rule-fields is done in Algorithm 2 through the reorder function (Lines 29 and 35) using Quick Sort with N log N complexity. That is:

$$C_{\mathrm{reordering}} = \sum_{w=1}^{W} I_w\, N \log N + \sum_{w=1}^{W} \sum_{i=1}^{N} I_{w,i}\, M_i \log M_i, \qquad I_w, I_{w,i} \in \{0, 1\} \qquad (16)$$

where the first and second terms of eq. (16) represent the cost of reordering the rules and rule-fields in W windows, respectively. I_w and I_{w,i} are binary random variables representing the rules and rule-fields reordering decisions, respectively. Their values are '1' if a reordering process is done, and '0' otherwise.
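A worked instance of Sections 3.1.1 and 3.1.3, added here and not taken from the paper: the segment counters of eqs. (2)–(4), the rule and field probabilities of eqs. (5)–(6), the cost of eq. (15) with the 32/16/8-bit field widths, and the effect of reordering each rule's fields by not-matching probability (optimization level (2)) on the same segment. The three-rule policy, the 8-packet segment and the field names are constructed for the example.

```python
"""Segment histograms of eqs. (2)-(6) and the field-hit cost of eq. (15) on a constructed
policy and traffic segment. Added example; not the paper's MATLAB simulator."""
FIELDS = ("proto", "src", "dst", "dport")
FIELD_BITS = {"proto": 8, "src": 32, "dst": 32, "dport": 16}   # c(F(i,j)), Section 3.1.3

# Constructed policy: (field test order, field values); "*" marks a non-active field.
POLICY = [
    (FIELDS, {"proto": "udp", "src": "*", "dst": "10.0.0.5", "dport": 53}),
    (FIELDS, {"proto": "tcp", "src": "*", "dst": "10.0.0.7", "dport": 80}),
    (FIELDS, {"proto": "tcp", "src": "192.168.1.9", "dst": "*", "dport": 22}),
]
# Constructed segment of L = 8 packets; most are unwanted probes that only the default
# Deny rule catches, so they walk the whole policy.
SEGMENT = [
    {"proto": "tcp", "src": "192.168.1.9", "dst": "10.0.0.7", "dport": 80},
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.7", "dport": 443},
    {"proto": "udp", "src": "1.2.3.4", "dst": "10.0.0.5", "dport": 53},
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.9", "dport": 80},
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.9", "dport": 445},
    {"proto": "tcp", "src": "192.168.1.9", "dst": "10.0.0.1", "dport": 22},
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.9", "dport": 22},
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.9", "dport": 3389},
]

def filter_segment(policy, packets):
    """Sequential first-match filtering. Returns a[i][j] (matches), b[i][j] (non-matches)
    per eqs. (2)-(4), and the matching rule index of each packet (None = default Deny)."""
    a = [[0] * len(order) for order, _ in policy]
    b = [[0] * len(order) for order, _ in policy]
    decisions = []
    for pkt in packets:
        hit = None
        for i, (order, values) in enumerate(policy):
            matched = True
            for j, f in enumerate(order):
                if values[f] == "*":
                    continue                     # non-active field: untouched, eq. (4)
                if values[f] == pkt[f]:
                    a[i][j] += 1                 # eq. (2)
                else:
                    b[i][j] += 1                 # eq. (3): rejected, move on to R(i+1)
                    matched = False
                    break
            if matched:
                hit = i                          # later rules are not tested, eq. (4)
                break
        decisions.append(hit)
    return a, b, decisions

def rule_match_probs(decisions, num_rules):
    """Pr(C_{w,s}(i)) of eq. (5): share of the segment's L packets matched by R(i)."""
    return [decisions.count(i) / len(decisions) for i in range(num_rules)]

def field_reject_probs(b, num_packets):
    """Pr(D_{w,s}(i,j)) of eq. (6): rejections by F(i,j) over the packets that reached it,
    i.e. L (or the rejections of R(i-1)) minus the rejections by earlier fields of R(i)."""
    probs = []
    for i, d in enumerate(b):
        reached = num_packets if i == 0 else sum(b[i - 1])
        row = []
        for j, d_ij in enumerate(d):
            denom = reached - sum(d[:j])
            row.append(d_ij / denom if denom > 0 else 0.0)
        probs.append(row)
    return probs

def filtering_cost(a, b, policy):
    """C_testing of eq. (15) for one segment (each hit costs the field width in bits),
    plus the raw number of tuple comparisons."""
    hits = [(a[i][j] + b[i][j], f) for i, (order, _) in enumerate(policy)
            for j, f in enumerate(order)]
    return sum(FIELD_BITS[f] * h for h, f in hits), sum(h for h, _ in hits)

def reorder_fields(policy, reject_probs):
    """Optimization level (2): fields of each rule in descending not-matching probability;
    the sort is stable, so ties keep their current relative order."""
    tuned = []
    for (order, values), pr in zip(policy, reject_probs):
        ranked = sorted(range(len(order)), key=lambda j: -pr[j])
        tuned.append((tuple(order[j] for j in ranked), values))
    return tuned

def demo():
    a, b, decisions = filter_segment(POLICY, SEGMENT)
    tuned = reorder_fields(POLICY, field_reject_probs(b, len(SEGMENT)))
    a2, b2, decisions2 = filter_segment(tuned, SEGMENT)
    assert decisions == decisions2               # field order never changes the verdict
    return {"before": filtering_cost(a, b, POLICY), "after": filtering_cost(a2, b2, tuned),
            "rule_probs": rule_match_probs(decisions, len(POLICY)), "tuned": tuned}
```

Eq. (15) weighs each hit by the field width while the reorder ranks fields by rejection probability alone, so the bit cost should be checked on the deployment's own traffic rather than only the comparison count.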
4. Evaluation
Three experiments have been conducted to evaluate the per-
formance of the proposed mechanism. The first experiment
compares the proposed DR-RFODmechanism against DR-RFO
mechanism (Trabelsi et al., 2011) regarding the frequency of
rule and rule-fields reordering processes. The second experiment discusses the effect of the error precision α on the DR-RFOD
mechanism. The third experiment investigates empirically
the dynamic change effect in the network traffic window size
on DR-RFOD mechanism.
A simulated firewall has been implemented using an algorithm that dynamically changes the order of the rules and rule-fields according to the system stability test, using the MATLAB programming environment.
Please cite this article in press as: Trabelsi Z, et al., Dynamic traffic awareness statistical model for firewall performance enhancement, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.07.001
Practically, enterprise firewalls may have security policies of 5K to 15K rules (as reported by Cisco). As the security policy grows, the effect of rule reordering on the firewall's performance becomes more obvious (Hamed et al., 2006; Hamed et al., 2006; Wang et al., 2009, 2007), as does its effect when the firewall is under attack (Salah et al., 2012; Salah, 2010). In our case, the challenge was to show how robust our Chi-square test based mechanism using rules and rule-fields reordering is in improving the firewall's performance even though a small filtering rule set is used. Thus, throughout the evaluation of the DR-RFOD mechanism we use a small set of dummy firewall filtering rules.
The filtering rules include 12 TCP, 3 UDP and 5 ICMP rules.
The initial order list of the filtering rules was set as follows:
The first set of rules includes the 3 UDP rules, the second set
includes the 5 ICMP rules, and the last set includes the 12 TCP
rules.
Network traffic flow is generated using a packet generator that uses three independent discrete-time burst-silence sources with different parameters. Since TCP traffic is the most common traffic in typical networks, the traffic generator has been set to generate random packet types (TCP, UDP and ICMP) with TCP packets as the dominant type. Fig. 1 shows an example of the generated traffic using the randint() MATLAB function. That is, for each traffic window, three different percentages are generated randomly. The greatest and lowest percentages are assigned to TCP and ICMP traffic, respectively.
These three packet flows are multiplexed as a stream of
200 equal size windows. We note that the packet filtering
occurs in bursts, especially under the condition of heavy
traffic loading with burst arrivals. This is important to un-
derstand the histograms of packet filtering and their statis-
tical dependency when the cumulative processing time is
evaluated.
However, in order to simulate the traffic type variations,
the UDP and ICMP traffic become alternatively the dominant
traffic types for a short period of time.
This experiment is done using 200 windows of 1000 packets each, so a total of 200,000 packets are used in the simulation. These numbers are chosen to make it easy to trace the rules and fields reordering processes using both the DR-RFO and DR-RFOD mechanisms.
4.1. DR-RFOD vs DR-RFO
4.1.1. DR-RFOD vs DR-RFO according to rules reordering process
The algorithms in the DR-RFO and DR-RFOD mechanisms start optimizing the filtering rules positions after treating the second window. We considered that the first two windows are the initial windows and are used to train the system in order to find the initial Pr(R(i))_0 to start with. In the DR-RFO mechanism, the positions of the rules are updated dynamically after treating each window, as shown in Fig. 2 and Fig. 3. On the other hand, in the DR-RFOD mechanism, the positions of the rules are updated dynamically according to eq. (9) and eq. (11) after the system stability test. As an example, Fig. 4 compares the evolution of the R1 position using the DR-RFO and DR-RFOD mechanisms. The horizontal constant lines in Fig. 4 show the corresponding windows for the DR-RFOD mechanism where the system was stable according to eq. (9) and no rule reordering process is done.
4.1.2. DR-RFOD vs DR-RFO according to rule-fields reordering process
The same concept used in the rules reordering process is used in the rule-fields reordering process. That is, the algorithms in the DR-RFO and DR-RFOD mechanisms start optimizing the rule-fields positions after treating the second window. We considered that the first two windows are the initial windows and are used to train the system in order to find the initial Pr(F(i,j)|R(i))_0 to start with. In the DR-RFO mechanism, the positions of the rule-fields are updated dynamically after treating each window, as shown in Fig. 5. On the other hand, in the DR-RFOD mechanism, the rule-fields positions are updated dynamically according to eq. (12) and eq. (14) after the system stability test.
As an example, Fig. 6 compares the evolution of the field Source-IP in R1 using the DR-RFO and DR-RFOD mechanisms. The horizontal constant lines in the figure show the corresponding windows where the system was stable according to eq. (12) and no rule-fields reordering process is done.
Fig. 7 shows the cumulative processing time for DR-RFO and DR-RFOD for different values of α. For α = 0.005, the gain from using DR-RFOD over 200 traffic windows is 66.6567 - 57.5448 = 9.1119 s, while for α = 0.05 the gain is 66.6567 - 48.3715 = 18.2855 s.
4.2. The effect of error precision (α) on DR-RFOD mechanism
This experiment studies the effect of different α values on the cumulative processing time and on the frequency of rule/rule-fields reordering processes. Fig. 8 gives an idea of the processing time needed for each of the 200 windows when α = 0.5, 0.05 and 0.005. The cumulative processing time for these α values was illustrated previously in Fig. 7.
Table 3 compares different values of α and their corresponding frequency of rule/rule-field reordering processes. When α decreases:
1) The frequency of the reordering process also decreases. This is because, for a given computed χ², decreasing the value of α will increase χ²_α, ending with χ²_α > computed χ² and therefore no need for reordering.
2) The cumulative processing time increases. This is because when we decide not to reorder we might keep the system running with a non-efficient configuration (order) for a longer time. Therefore, it might take longer processing time than when we reorder often, especially if the cost of reordering is small. This depends on the number of rules and rule-fields in the security policy.
Fig. 1. Example of network traffic flow behavior.
4.3. The effect of dynamic window size on DR-RFOD mechanism cumulative processing time
This experiment empirically studies the effect of window size on the cumulative processing time associated with the proposed mechanism. Using a network training traffic flow, the experiment investigates the optimum window size range that allows minimizing the cost defined by eq. (15) and eq. (16). The optimum window size W_Opt is estimated offline using a training traffic flow. To be specific, the training flow is passed through the firewall using different window sizes, and the W_Opt yielding the minimum filtering cost is then determined. This optimal window size is then used by the firewall to filter the incoming network traffic.
The reason behind using an empirical model to estimate the optimal window size W_Opt is the following. Analyzing the cumulative firewall filtering time as a function of the window size is achieved by adding the cost of testing and the cost of reordering represented in eq. (15) and eq. (16). Yet, a closer look reveals that the cost of reordering is in fact random because of the random variables I_w and I_{w,i}. Therefore, the firewall optimization problem can be reduced to a stochastic optimization problem. In such a situation, it is quite common to solve for minimizing the expected cumulative filtering time, that is, to find the window size that minimizes the expected cumulative firewall processing time. Computing the expectation of I_w and I_{w,i} requires knowledge of the traffic packet distribution, which is rarely available in practical situations. To overcome this issue, an empirical approach is adopted. Given a large training traffic flow which is assumed to represent normal network behavior, the total cost is computed for a large range of window sizes and the optimal size is then selected.
Fig. 2. Example of the evolution of some rules positions using DR-RFO mechanism.
Fig. 3. Evolution of the position of rule R1 over the first 20 windows using DR-RFO mechanism.
This experiment uses the same training traffic flow as before, which consists of 200,000 packets. The window size is dynamically changed in order to study its effect on the cumulative filtering time for different α values, namely 0.1, 0.01 and 0.05.
The training traffic volume is divided into different sequences of window sizes varying from 25 windows (8000 packets each) to 2000 windows (100 packets each). That is, the training data that represents the network traffic is injected offline into the firewall in order to find the optimal window size W_Opt that ensures minimum processing time.
Fig. 9 shows the processing time of the DR-RFOD mechanism using dynamic window sizes. The processing time starts high at ≈12.5 s for W = 25 (8000 packets), then drops down to ≈6, 3.5 and 1.5 s for w = 50, 100 and 200 respectively. Starting from w = 250, it appears that there are some windows with high processing time. Moving to the remaining window counts 400, 500, 800, 1000 and 2000, it can be clearly seen that there is a very sharp increase in the processing time in some windows among these window sizes. This sharp increase becomes more significant as the number of windows increases, and this will mainly affect the cumulative processing time. Thus, for this training traffic the optimum window range is w = [100, 200]. In other words, the maximum firewall performance will be achieved if the firewall operates using 1000 to 2000 packets per window.
Fig. 10 shows the evolution of the firewall cumulative filtering time as a function of the window size for α = 0.1, 0.05 and 0.01. It shows in particular that the optimal window size range is around 1000 to 2000 packets.
Fig. 5. Example of the evolution of the positions of four fields in rule R1 over the first 10 windows using DR-RFO mechanism.
Fig. 4. Evolution of R1 positions using DR-RFO and DR-RFOD mechanisms. (Plot: rule order of Rule 1 vs. window No.; series DR-RFO and DR-RFOD.)
Fig. 11 represents the same data plotted in Fig. 10 using the stair graph representation for better illustration of the window size range with minimum cumulative processing time. For each α, there is an optimum window range as shown in Fig. 11, and these ranges intersect in a common subrange regardless of the value of α. The optimum window ranges that minimize the total processing time are ≈200 to 800, 200 to 400 and 200 to 250 for α = 0.05, 0.01 and 0.1 respectively.
4.4. Resilience against DoS attacks
In Wang et al. (2007) and Salah (2010), it has been demon-
strated that initiating an attack traffic targeting the bottom
filtering rules of a relatively large firewall rule set will severely
degrade the performance of the firewall. To solve this prob-
lem, it was recommended either to minimize the size of the
firewall’s rule set or to reorder dynamically the firewall’s rule
set. However, reducing the rule set is not a practical solution
for large enterprise networks which usually require large rule
sets. Dynamically reordering the rule set, as proposed in this paper, rearranges the filtering rules so that the bottom rules can be served at the top of the rule set. In fact, DoS attack traffic will affect the firewall performance only at the beginning of the initiated traffic. Then, once the firewall optimizes the order of the filtering rules, the DoS attack traffic will no longer affect the firewall performance.
Indeed, in Trabelsi et al. (2011), we intensively investigated and evaluated the rule/rule-field reordering process in defending against DoS attacks. Two experiments have been performed using non-matching and matching DoS attack traffic, respectively. In the first DoS attack experiment, most packets received by the firewall do not match any filtering
Fig. 6. Evolution of the field Source-IP positions in rule R1 using DR-RFO and DR-RFOD mechanisms. (Plot: field order of Source-IP in R1 vs. window No.; series DR-RFO and DR-RFOD.)
Fig. 7. Cumulative processing time for DR-RFOD vs DR-RFO for different α values. (Plot: cumulative execution time (s) vs. window No.; series DR-RFO, DR-RFOD α = 0.5, α = 0.05, α = 0.005.)
Fig. 8. Execution time for DR-RFOD mechanism for different α values (w = 200). (Plot: execution time (s) vs. window No.; series α = 0.5, α = 0.05, α = 0.005.)
Table 3. The effect of different α on reordering frequency and cumulative processing time.
α       No. reordering: rules (R)   rule-fields (RF)   Total   Cumulative processing time (s), DR-RFOD   ≈ (s)
0.5     102                         198                300     47.4047                                   47-48
0.4     80                          151                231     47.8677
0.3     63                          124                187     47.9697
0.2     47                          80                 127     48.0900
0.1     26                          36                 62      48.1036
0.05    14                          28                 42      48.3715                                   48-57
0.04    11                          29                 40      49.3784
0.03    10                          27                 37      49.7656
0.02    9                           18                 27      49.9930
0.01    6                           3                  9       57.3541
0.005   4                           0                  4       57.5448                                   57-60
0.004   4                           0                  4       57.5537
0.003   3                           0                  3       57.7527
0.002   1                           0                  1       58.1344
0.001   1                           0                  1       60.5990
Fig. 9. Dynamic window size vs DR-RFOD execution time.
rule, and these packets are finally rejected by the default security policy. UDP flood, ICMP echo flood and port scanning are examples of such attacks. In the second DoS attack experiment, the firewall is flooded with matching packets, as in a SYN flood attack. In conclusion, the investigation showed that once dynamic rule and rule-field ordering is implemented, the effects of many common DoS attacks on the firewall performance are reduced significantly. In contrast, firewalls that don't dynamically optimize their rule sets are more vulnerable to common DoS attacks, especially when the malicious traffic includes mostly non-matching packets.
5. Conclusion
Data networks may suffer from some traffic flows that are very expensive to classify and filter, as they may traverse a longer than average list of filtering rules before being rejected by the default deny rule. In this paper, we have proposed a mechanism to improve firewall packet filtering time by optimizing the order of the firewall's filtering rules and rule-fields. The proposed mechanism is based on reordering rules and rule-fields according to packet matching and non-matching histograms, respectively. The current and previous traffic window statistics are used to check the system stability using a threshold qualification (Chi-square test). The proposed mechanism improves the firewall performance in terms of cumulative packet filtering time compared to the DR-RFO mechanism. The effect of α on the cumulative processing time and on the frequency of the reordering process has been discussed. In addition, we investigated the effect of dynamically changing the traffic window size, and estimated the optimum window size empirically. In future work, we intend to improve the proposed mathematical model to account for security policies with dependent rules.
Acknowledgment
The authors acknowledge the support of NRF Foundation
through research grant no. 21T023 and Emirates Foundation
through research grant no. 2011/161.
References
Acharya S, Abliz M, Mills B, Znati TF. A hierarchical traffic-aware firewall. In: Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS), San Diego, US, February 2007.
Al-Shaer E, El-Atawy A, Tran T. Adaptive early packet filtering for defending firewalls against DoS attack. In: Proceedings of IEEE INFOCOM 2009. p. 1-9.
Baboescu F, Varghese G. Scalable packet classification. In: ACM SIGCOMM'01 2001.
Cohen E, Lund C. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In: SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. New York, NY, USA: ACM Press; 2005. p. 73-84.
El-Atawy A, Samak T, Al-Shaer E, Li H. Using online traffic statistical matching for optimizing packet filtering performance. In: IEEE INFOCOM'07 2007. p. 866-74.
Feldmann A, Muthukrishnan S. Tradeoffs for packet classification. In: IEEE INFOCOM'00 March 2000.
Gupta P, McKeown N. Algorithms for packet classification. IEEE Network 2001;15(2):24-32.
Gupta P, McKeown N. Packet classification using hierarchical intelligent cuttings. In: Interconnects VII August 1999.
Gupta P, Prabhakar B, Boyd S. Near optimal routing lookups with bounded worst case performance. In: IEEE INFOCOM'00 2000.
Hamed H, Al-Shaer E. Dynamic rule-ordering optimization for high-speed firewall filtering. In: ASIACCS '06, March 21-24, 2006. Taipei, Taiwan.
Hamed H, El-Atawy A, Al-Shaer E. Adaptive statistical optimization techniques for firewall packet filtering. In: IEEE INFOCOM'06 April 2006.
Hamed H, El-Atawy A, Al-Shaer E. On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications October 2006;24(10).
Fig. 10. Dynamic window size vs DR-RFOD cumulative execution time. (Plot: cumulative execution time (s) vs. window No.; series α = 0.1, α = 0.05, α = 0.01.)
Fig. 11. Stair graph representation for dynamic window size vs DR-RFOD cumulative processing time. (Plot: cumulative execution time (s) vs. window No.; series α = 0.05, α = 0.1, α = 0.01.)
Kencl L, Schwarzer C. Traffic-adaptive packet filtering of denial of service attacks. In: WOWMOM'06: the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks 2006. p. 485-9. Washington, DC, USA.
Lan K, Heidemann J. On the correlation of internet flow characteristics. Technical Report ISI-TR-574, USC/ISI 2003.
Liu A, Gouda M. Complete redundancy detection in firewalls. In: Proceedings of the 19th Annual IFIP Conference on Data and Applications Security August 2005.
McAulay AJ, Francis P. Fast routing table lookup using CAMs. In: IEEE INFOCOM'93 March 1993.
Mothersole I, Reed M. Optimizing rule order for a packet filtering firewall. In: SAR-SSI 2011.
Neji N, Bouhoula A. Dynamic scheme for packet classification using splay trees. In: Information Assurance and Security 2009. p. 1-9.
Salah K. Queuing analysis of network firewalls. In: IEEE Globecom Proceedings 2010.
Salah K, Elbadawi K, Boutaba R. Performance modeling and analysis of network firewalls. IEEE Transactions on Network and Service Management March 2012;9(1).
Sleator D, Tarjan R. Self-adjusting binary search trees. Journal of the ACM 1985;32(3):652-86.
Srinivasan V, Suri S, Varghese G. Packet classification using tuple space search. In: ACM SIGCOMM Computer Communication Review October 1999. p. 135-46.
Trabelsi Z, Zeidan S. Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement. In: ICC June 2012.
Trabelsi Z, Zhang L, Zeidan S. Packet flow histograms to improve firewall efficiency. In: ICICS December 2011.
Waldvogel M, Varghese G, Turner J, Plattner B. Scalable high speed IP routing lookups. In: Proceedings of the ACM SIGCOMM (SIGCOMM '97) 1997. p. 25-36.
Wang W, Ji R, Chen W, Chen B, Li Z. Firewall rules sorting based on Markov model. In: Proceedings of the International Symposium on Data Privacy and E-commerce 2007.
Wang W, Chen H, Chen J, Liu B. Firewall rule ordering based on statistical model. In: International Conference on Computer Engineering and Technology 2009.
Woo T. A modular approach to packet classification: algorithms and results. In: IEEE INFOCOM'00 March 2000. p. 1213-22.
Zouheir Trabelsi is an associate professor at the College of Information Technology, United Arab Emirates University. He received the Ph.D. degree in Computer Science from Tokyo University of Technology and Agriculture, Japan. His primary research interests are in the area of network security, intrusion detection, firewalls, and TCP/IP covert channels.
Liren Zhang is a professor of network engineering at the College of Information Technology, United Arab Emirates University. He received the Ph.D. degree in telecommunication networks from the University of Adelaide, Australia. His primary research interests are in the areas of ad hoc networks and network security.
Safaa Zeidan is an assistant researcher at the College of Information Technology, United Arab Emirates University. She received the Bachelor of Science degree in Computer Engineering (Networking and Software) from the University of Sharjah, UAE. Her primary research interests are in the areas of network packet filtering optimization and intrusion detection.
Kilani Ghoudi is a professor of statistics at the College of Business & Economics, United Arab Emirates University. He received the Ph.D. degree in statistics from the University of Ottawa, Canada. His primary research interests are in the areas of nonparametric statistics, empirical processes, pseudo-observations, and copulas.