Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Research output: Contribution to journal › Article › peer-review

11 Citations (Scopus)

Abstract

Network firewalls are considered to be one of the most important security components in today's IP network architectures. The performance of firewalls has a significant impact on overall network performance. Firewalls should be able to sustain a very high throughput and ensure the availability of network services. In this paper, we propose an analytical dynamic multilevel early packet filtering mechanism to enhance firewall performance. The proposed mechanism uses statistical splay tree filters that utilize traffic characteristics to minimize packet filtering time. The statistical splay tree filters are reordered according to the divergence of the network traffic once a certain threshold is met (Chi-Square Test). That is, the proposed mechanism is able to decide whether or not the order of the dynamic splay tree filters needs to be updated for filtering the next network traffic window, and to predict the best order pattern. Furthermore, packet rejection and acceptance are optimized through the multilevel packet filtering process, in which unwanted packets are rejected as early as possible at each level. The proposed mechanism can also be considered a device protection mechanism against denial of service (DoS) attacks targeting the default filtering rule. Early packet acceptance is done using the splay tree data structure, which adapts dynamically according to network traffic flows. Consequently, repeated packets require fewer memory accesses, which reduces the overall packet filtering time, as demonstrated in the evaluation section.
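
The reorder decision described in the abstract, sketched as an added example that is not taken from the paper: a Chi-Square statistic compares the per-filter match counts of the new traffic window with the previous window's proportions, and the filter order is changed only when the statistic exceeds the critical value. The filter names, the counts, the 0.05 significance level, the add-one smoothing and the "most matches first" ordering policy are all assumptions, and the splay trees inside each filter are not modelled.

```python
# Added illustration; not the paper's algorithm. Filter names, counts, the 0.05
# significance level and the "most matches first" policy are assumptions.

# Chi-square critical values at the 0.05 level, indexed by degrees of freedom.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

def chi_square(prev_hits, new_hits, filters):
    """Pearson statistic: new window's hits vs. the previous window's proportions."""
    k = len(filters)
    prev_total = sum(prev_hits.get(f, 0) for f in filters)
    new_total = sum(new_hits.get(f, 0) for f in filters)
    if new_total == 0:
        return 0.0                           # empty window: nothing to compare
    stat = 0.0
    for f in filters:
        # Add-one smoothing keeps the expected count non-zero for idle filters.
        expected = new_total * (prev_hits.get(f, 0) + 1) / (prev_total + k)
        stat += (new_hits.get(f, 0) - expected) ** 2 / expected
    return stat

def next_order(order, prev_hits, new_hits):
    """Return (order for the next window, statistic, whether a reorder happened)."""
    stat = chi_square(prev_hits, new_hits, order)
    if stat <= CHI2_CRIT_05[len(order) - 1]:
        return list(order), stat, False      # traffic is stable: keep the order
    # Traffic diverged: the filter matching the most packets is checked first.
    # sorted() is stable, so ties keep their current relative position.
    return sorted(order, key=lambda f: -new_hits.get(f, 0)), stat, True

# Constructed sample data: packets matched per filter in one traffic window.
ORDER = ["src_ip", "dst_ip", "proto", "dst_port"]
PREV = {"src_ip": 500, "dst_ip": 300, "proto": 100, "dst_port": 100}
STABLE = {"src_ip": 510, "dst_ip": 290, "proto": 95, "dst_port": 105}
SHIFTED = {"src_ip": 150, "dst_ip": 250, "proto": 100, "dst_port": 500}

if __name__ == "__main__":
    for name, window in (("stable", STABLE), ("shifted", SHIFTED)):
        order, stat, changed = next_order(ORDER, PREV, window)
        print(f"{name}: chi2={stat:.2f} reorder={changed} order={order}")
```

Skipping the reorder when the statistic stays under the critical value is what keeps the filter order from thrashing on ordinary window-to-window noise.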

Original language: English
Pages (from-to): 109-131
Number of pages: 23
Journal: Computers and Security
Volume: 53
Publication status: Published - Jul 10 2015

Keywords

  • Binary search on prefix length
  • Chi-Square Test
  • Early packet rejection and acceptance
  • Firewall performance
  • Hash table
  • Packet filtering
  • Splay tree
  • System stability

ASJC Scopus subject areas

  • Computer Science(all)
  • Law
