access icon free Hybrid mechanism towards network packet early acceptance and rejection for unified threat management

Recent network architectures utilise many types of security appliances to combat blended attacks. However, managing multiple separate security appliances can be overwhelming, inefficient and expensive. Thus, multiple security features are needed to be integrated into unified security architecture resulting in an unified threat management system (UTM). In most current UTM systems, whenever a security feature is needed, the corresponding module is just ‘attached or added on’. This approach of adding on may reduce the UTM performance dramatically, especially when security features such as IDS/IPS are enabled. In this study, a hybrid mechanism is proposed to solve UTM redundant packet classification problem. The mechanism is based on the use of splay tree filters and pattern-matching algorithms to enhance packet filtering and deep packet inspection (DPI) performance. The proposed mechanism uses network traffic statistics to dynamically optimise the order of the splay tree filters, allowing early acceptance and rejection of network packets. In addition, DPI signature rules are reordered according to their matching frequencies, allowing early packets acceptance. The authors demonstrate the merit of their mechanism through simulations performed on firewall and snort as independent packet manipulation systems compared with the proposed hybrid mechanism that uses unified communication between them.

Inspec keywords: statistical analysis; digital signatures; computer network performance evaluation; firewalls; telecommunication traffic; pattern matching

Other keywords: firewall; DPI signature rules; UTM system; blended attacks; network packet early acceptance; multiple separate security appliances; unified threat management system; pattern-matching algorithms; network traffic statistics; splay tree filters; IDS; security features; independent packet manipulation systems; hybrid mechanism; network architectures; UTM redundant packet classification problem; IPS; deep packet inspection performance enhancement; packet filtering enhancement; network packet early rejection

Subjects: Cryptography; Computer network performance; Data security; Computer communications; Other topics in statistics; Other topics in statistics; Computer networks and techniques

References

    1. 1)
      • 11. Trabelsi, Z., Zhang, L., Zeidan, S.: ‘Packet flow histograms to improve firewall efficiency’. ICICS, December 2011.
    2. 2)
      • 5. Dharmapurikar, S., Krishnamurthy, P., Sproull, T.S., et al: ‘Deep packet inspection using parallel bloom filters’, IEEE Micro, 2004, 24, (1), pp. 5261.
    3. 3)
      • 13. Trabelsi, Z., Zhang, L., Zeidan, S., et al: ‘Dynamic traffic awareness statistical model for firewall performance enhancement’, Elsevier Comput. Secur., 2013, 39, pp. 160172.
    4. 4)
      • 22. http://www.caida.org/data/.
    5. 5)
      • 9. Hamed, H., El-Atawy, A., Al-Shaer, E.: ‘Adaptive statistical optimization techniques for firewall packet filtering’. IEEE INFOCOM'06, April 2006.
    6. 6)
      • 15. Trabelsi, Z., Zeidan, S.: ‘Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement’. IEEE, ICC CISS, 2012, pp. 10741078.
    7. 7)
      • 18. Qi, Y., Yang, B., Xu, B., et al: ‘Towards system-level optimization for high performance unified threat management’. Proc. Int. Conf. on Networking and Services, 2007.
    8. 8)
      • 4. Boyer, R.S., Strother Moore, J.: ‘A fast string searching algorithm’, Commun. ACM, 1977, 0, (10), pp. 76172.
    9. 9)
      • 19. Alfaro, J., Boulahia-Cuppens, N., Cuppens, F.: ‘Complete analysis of configuration rules to guarantee reliable network security policies’, Int. J. Inf. Secur., 2008, 7, (2), pp. 103122.
    10. 10)
      • 17. Stevens, M.: ‘UTM: one-stop protection’, Netw. Secur., 2006, 2006, (2), pp. 1214.
    11. 11)
      • 12. Trabelsi, Z., Zhang, L., Zeidan, S.: ‘Dynamic rule and rule-field orders optimization for improving firewall performance and security’, IET Inf. Secur. J., 2013, 8, (4), pp. 250257.
    12. 12)
      • 1. Aho, A.V., Corasick, M.J.: ‘Efficient string matching: an aid to bibliographic search’, Commun. ACM, 1975, 18, (6), pp. 333340.
    13. 13)
      • 21. http://www.math.hws.edu/javamath/ryan/ChiSquare.html.
    14. 14)
      • 2. Commentz-Walter, B.: ‘A string matching algorithm fast on the average’. Proc. ICALP, 1979, pp. 118132.
    15. 15)
      • 20. Waldvogel, M., Varghese, G., Turner, J., et al: ‘Scalable high speed IP routing lookups’. Proc. ACM SIGCOMM (SIGCOMM ‘97), 1997, pp. 2536.
    16. 16)
      • 6. Taylor, D.E.: ‘Survey and taxonomy of packet classification techniques’, ACM Comput. Surv., 2005, 37, (3), pp. 238275.
    17. 17)
      • 8. Hamed, H., El-Atawy, A., Al-Shaer, E.: ‘On dynamic optimization of packet matching in high-speed firewalls’, IEEE Sel J. Areas Commun., 2006, 24, (10), pp. 18171830.
    18. 18)
      • 16. Song, T., Zhang, W., Wang, D., et al: ‘A memory efficient multiple pattern matching architecture for network security’. IEEE INFOCOM 2008 Proc., 2008.
    19. 19)
      • 7. Fang, Y., Katz, R.H., Lakshman, T.V.: ‘Gigabit rate packet pattern-matching using TCAM’. ICNP, 2004, pp. 174183.
    20. 20)
      • 10. Al-Shear, E., El-Atawy, A., Tran, T.: ‘Adaptive early packet filtering for defending firewalls against DoS attack’. Proc. IEEE INFOCOM, 2009, pp. 19.
    21. 21)
      • 3. Knuth, D.: ‘The art of computer programming: semi-numerical algorithms’ (Addison-Wesley, 1997), vol. 2, 3rd edn., ISBN: 0-201-89684- 2.
    22. 22)
      • 14. Neji, N., Bouhououla, A.: ‘Dynamic scheme for packet classification using splay trees’. Inf. Assur. Secur. J., 2009, 4, pp. 133141.
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2015.0246
Loading

Related content

content/journals/10.1049/iet-ifs.2015.0246
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading