Modelling and analysis of rule-based network security middleboxes

Khaled Salah; Aslam Chaudary

Modelling and analysis of rule-based network security middleboxes

View Fulltext

Author(s): Khaled Salah ¹ and Aslam Chaudary ²
- Affiliations: 1: Electrical and Computer Engineering Department, Khalifa University of Science, Technology and Research (KUSTAR), P.O. Box 573, Sharjah, UAE ;
  2: Department of Mathematics and Statistics, King Fahd University of Petroleum and Minerals (KFUPM), Saudi Arabia
Source: Volume 9, Issue 6, November 2015, p. 305 – 312
DOI: 10.1049/iet-ifs.2014.0545 , Print ISSN 1751-8709, Online ISSN 1751-8717

« Previous Article
Table of contents
Next Article »

Received 31/05/2014, Accepted 19/01/2015, Revised 20/12/2014, Published 19/06/2015

This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.

References

1. 1)
  - 6. Nair, M., Kakaraddi, S., Ramanarayan, K., Gopalakrishna, V.: ‘Agent with rule engine: the ‘glue’ for web service oriented computing applied to network management’. Proc. of the IEEE Int. Conf. on Services Computing (SCC'09), September 2009, pp. 528–531.
2. 2)
  - 30. Salah, K.: ‘Queueing analysis of network firewalls’. Proc. of the IEEE Globecom 2010, 6–10 December 2010, pp. 1–5.
3. 3)
  - 12. Salah, K., Kahtani, A.: ‘Improving snort performance under linux’, Int. J. IET Commun., 2009, 3, (12), pp. 1883–1895 (doi: 10.1049/iet-com.2009.0114).
4. 4)
  - 23. Gross, D., Harris, C.: ‘Fundamentals of queueing theory’ (Wiley, 1998).
5. 5)
  - 19. Mitra, A., Najjar, W., Bhuyan, L.: ‘Compiling FCRE to FPGA for accelerating SNORT IDS’. Proc. of the Third ACM/IEEE Symp. on Architecture for Networking and Communications Systems (ANCS'07), 2007, pp. 127–136.
6. 6)
  - 39. Takagi, H.: ‘Queueing analysis, Vol. 1: finite systems’ (North-Holland, 1993).
7. 7)
  - 44. Zander, S., Kennedy, D.d., Armitage, G.: ‘KUTE – a high performance Kernel-based UDP traffic engine’. Technical Report 050118A, Center for Advanced Internet Architectures (CAIA).
8. 8)
  - 17. Acharya, S., Wang, J., Ge, Z., Znati, T., Greeberg, A.: ‘Simulation study of firewalls to aid improved performance’. Proc. of the 39th Annual Simulation Symp. (ANSS'06), 2006.
9. 9)
  - 5. Choi, O., Han, S.: ‘Flexible rule-based web services system for users’ preferences’. Proc. of the Fourth Int. Conf. on Next Generation Web Services Practices, 2008, pp. 1–4.
10. 10)
  - 2. Melara, A.J.: ‘Performance analysis of the linux firewall in a host’. Master Thesis, California Polytechnic State University, June 2002.
11. 11)
  - 3. FreeBSD ipfw, http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html, Last accessed September 2014.
12. 12)
  - 4. ‘Snort’, http://www.snort.org/, Last accessed September 2014.
13. 13)
  - 37. Paxson, V., Floyd, S.: ‘Wide-area traffic: the failure of Poisson modeling’, IEEE/ACM Trans. Netw., 1995, 3, (3), pp. 226–244 (doi: 10.1109/90.392383).
14. 14)
  - 22. Jiang, H., Zhang, G., Xie, G., Salamatian, K., Mathy, L.: ‘Scalable high-performance parallel design for network intrusion detection systems on many-core processors’. Proc. of the Ninth ACM/IEEE Symp. on Architectures for Networking and Communications Systems, 2013, pp. 137–146.
15. 15)
  - 29. Salah, K., Badawi, K., Rauof, B.: ‘Performance modeling and analysis of network firewalls’, IEEE Trans. Netw. Service Manage., 2012, 9, (1), pp. 12–21 (doi: 10.1109/TNSM.2011.122011.110151).
16. 16)
  - 14. Duan, Q., Al-Shaer, E.: ‘Traffic-aware dynamic firewall policy management: techniques and applications’, IEEE Commun. Mag., 2013, 51, (7) (doi: 10.1109/MCOM.2013.6553681).
17. 17)
  - 15. Benner, R., Echeverria, V., Onunkwo, U., Patel, J., Zage, D.: ‘Harnessing many-core processors for scalable, highly efficient, and adaptable firewall solutions’. Proc. of the 2013 Int. Conf. on Computing, Networking and Communications (ICNC), 2013, pp. 637–641.
18. 18)
  - 40. Erdelyi, A., Magnus, W., Oberhettinger, F., Tricomi, F.G.: ‘Tables of integral transforms; (McGraw-Hill, 1954), vol. I.
19. 19)
  - 24. Kleinrock, L.: ‘Queueing systems, Vol. 1: theory’ (John Wiley & Sons, 1975).
20. 20)
  - 45. Olsson, R.: ‘pktgen the linux packet generator’. Proc. of Linux Symp., 2005.
21. 21)
  - 25. Neuts, M.F.: ‘Matrix-geometric solutions in stochastic models: an algorithmic approach’ (Dover Publications Inc., 1981).
22. 22)
  - 16. Meiners, C.R., Liu, A.X., Torng, E.: ‘Topological transformation approaches to optimizing TCAM-based packet classification systems’. Proc. of the Eleventh Int. Joint Conf. on Measurement and Modeling of Computer Systems (SIGMETRICS'09), 2009, pp. 73–84.
23. 23)
  - 9. Cormack, G.V.: ‘Email spam filtering: a systematic review’, J. Found. Trends Inf. Retr., 2007, 1, (4), pp. 335–455 (doi: 10.1561/1500000006).
24. 24)
  - 38. Jain, R.: ‘The art of computer systems performance analysis: techniques for experimental design, measurement, simulation, and modeling’ (Jonh Wiley & Sons, Inc., 1991).
25. 25)
  - 21. Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E., Ioannidis, S.: ‘Gnort: High performance network intrusion detection using graphics processors’. Recent Advances in Intrusion Detection, 2008, pp. 116–134.
26. 26)
  - 8. Vrancic, A., Jurasovic, K., Kusek, M., Jezic, G., Trzec, K.: ‘Service provisioning in telecom networks using software agents and rule based approach’. Technical Paper, Zagreb R & D Centre, Croatia, 2006.
27. 27)
  - 36. Leland, W., Taqqu, M., Willinger, W., Wilson, D.: ‘On the self-similar nature of ethernet traffic’, IEEE/ACM Trans. Network., 1994, 2, (1), pp. 1–15 (doi: 10.1109/90.282603).
28. 28)
  - 33. Salah, K., Qahtan, A.: ‘Implementation and experimental performance evaluation of a hybrid interrupt-handling scheme’, Int. J. Comput. Commun., 2009, 32, (1), pp. 179–188 (doi: 10.1016/j.comcom.2008.10.001).
29. 29)
  - 11. Salah, K., Sattar, K., Sqalli, M., Alshaer, E.: ‘A potential low-rate DoS attack against network firewalls’, Int. J. Secur. Commun. Netw., 2011, 4, (2), pp. 136–146 (doi: 10.1002/sec.118).
30. 30)
  - 42. White, J.: ‘An effective truncation heuristic for bias reduction in simulation output’, Simul. J., 1997, 69, (6), pp. 323–334 (doi: 10.1177/003754979706900601).
31. 31)
  - 18. Aldalki, R., Salah, K., Otrok, H., Alqutayri, M.: ‘Accelerating snort NIDS using NetFPGA-based bloom filter’. Proc. of the IEEE IWCMC 2014 Conf., 4–8 August 2014.
32. 32)
  - 35. Andersson, M., Bengtsson, A., Host, M., Nyberg, C.: ‘Web server traffic in crisis conditions’. Proc. of the Third Swedish National Computer Networking Workshop, November 2005.
33. 33)
  - 28. Salah, K.: ‘Analysis of a two-stage network server’, Int. J. Appl. Math. Comput., 2011, 217, (23), pp. 9635–9645.
34. 34)
  - 26. Krishna, C., Lee, Y.: ‘A study of two-stage service’, Oper. Res. Lett., 1990, 9, pp. 91–97 (doi: 10.1016/0167-6377(90)90047-9).
35. 35)
  - 32. McKusick, M., Bostic, K., Karels, M., Quarterman, J.: ‘The design and implementation of the 4.4BSD unix operating system’ (Addison Wesley, Reading, MA, 1996).
36. 36)
  - 41. Law, A., Kelton, W.: ‘Simulation modeling and analysis’ (McGraw-Hill, 1991, 2nd edn.).
37. 37)
  - 43. Distributed Internet Traffic Generator, 2014, Available at: http://www.grid.unina.it/software/ITG.
38. 38)
  - 27. Doshi, B.: ‘Analysis of a two phase queueing system with general service times’, J. Oper. Res. Lett., 1991, 10, pp. 265–272 (doi: 10.1016/0167-6377(91)90012-E).
39. 39)
  - 13. Amazon Inc.: ‘Amazon web services auto scaling’, 2014, Available at: http://www.aws.amazon.com/autoscaling.
40. 40)
  - 1. Linux Netfilter, http://www.netfilter.org, Last accessed September 20144.
41. 41)
  - 46. Melara, A.J.: ‘Performance analysis of the linux firewall in a host’. Master Thesis, California Polytechnic State University, June 2002.
42. 42)
  - 31. Bovet, D., Cesati, M.: ‘Understanding the linux kernel’ (O'Reily, 2005, 3rd edn.).
43. 43)
  - 10. Blanzieri, E., Bryl, A.: ‘A survey of learning-based techniques of email spam filtering’, J. Artif. Intell. Rev., 2008, 29, (1), pp. 63–92 (doi: 10.1007/s10462-009-9109-6).
44. 44)
  - 20. Jacob, N., Brodley, C.: ‘Offloading IDS computation to the GPU’. Proc. of the 22nd Annual Computer Security Applications Conf. (ACSAC'06), 2006, pp. 371–380.
45. 45)
  - 7. Albert, M., Menditto, L., Shannon, N., Tiwari, P., Tsang, T.: ‘Distributed rule-based packet redirection’. US Patent 6836462, 2004.
46. 46)
  - 34. Karam, M., Tobagi, F.: ‘Analysis of delay and delay jitter of voice traffic in the internet’, Comput. Netw. Mag., 2002, 40, (6), pp. 711–726 (doi: 10.1016/S1389-1286(02)00310-9).

Login

Not registered yet?

Share

Tools

Login to add to favourites

Key

Modelling and analysis of rule-based network security middleboxes

References

Related content