a search for effective firewall packet rebuff technique

8/2/2019 A Search for Effective Firewall Packet Rebuff Technique

1/25

A Search for Effective Firewall

Packet Rebuff Technique

Presented By

M. Mohanraj,

R. Lavanya &V. Umashankari


2/25

Objective :

A search for effective firewall early packet

rejection technique among the techniques such asField Value Set Cover (FVSC), Policy BooleanExpression Relaxation (PBER) and Self AdjustingBinary Search on Prefix Length.


3/25

Introduction Performance of Network devices such as firewall and

Qos routers are optimized by packet classification andmatching filters.

Routers use rule table with priority. Each ruleassociated with action to perform either Allow orDeny.

Most of the proposed algorithms do not processdynamically & causes significant matching overhead.

We conceive a one among the technique with set ofself adjusting tree filters by combining scheme of

binary search on prefix length with the splay tree.


4/25

Field Value Set Cover (FVSC)Analyze and construct set of rules that rejects the max.

Basic idea rejecting packets with no matches as early

as possible. Early rejection rule formed by combination of all filed

values that cover all rules.


5/25

FVSC PHASES Building up the rejection rule list.

Periodic addition/removal of rules according to the

performance gain/ loss of each rule. Per packet operation of filtering as well as updating

the statistics.


6/25

Policy Boolean Expression Relaxation : Converting the rules into Single Boolean Expression.

Each packet header considered as binary variable.

Binary variable which satisfies Boolean Expression isaccepted.

Technique involves 3 options with the packet:

either 1. accepted 2. rejected 3. more filtering needed.

Binary Decision Diagram data structures can facilitatethe representing the expression in the form of tree andevaluate.


7/25

Self Adjusting Binary Search onPrefix Length - Introduction

Binary search reduces the number of searches. The Splay Tree is an ordered binary tree data structure

in which for every node x, every element in the leftsub-tree of x is x, and every element in the right sub-

tree of x is x. This technique uses the splaying properties to

optimize the early rejection of unwanted flows.


8/25

Self Adjusting Binary Search

on Prefix Length

Overview1. Example Rule Set


9/25

Self Adjusting Binary Search on

Prefix Length

Overview2. A Scheme of Binary Search on Prefix Length


10/25

Self Adjusting Binary Search

on Prefix Length

Overview3. The collection of hash-tables according to the

destination address field of Table


11/25

SABSPLIt includes the following operations:

1. Range to Prefix Conversion

2. Minimizing the Number of Tree Rotations3. Top-Down Splay Tree

4. Complexity Analysis

based upon amortized analysis, no ofnodes & memory access.


12/25

Range to Prefix Conversion Matching paradigm works well for IP not for range

Each range is converted into one or more prefixes.

eg: range R = [2, 6] is converted into three prefixes,001*, 010*, and 0110.

In the worst case, the range [1, 2W 2] is split into

2W 2 prefixes.

In our scheme, we still use binary search on prefixlength but with splaying operations


13/25

splaying operations - 01 The trivial composed splaying operation (CSplay) is

expressed as follows:

CSplay(x,x+) = Splay(x, root) + Splay(x+,x.right)


14/25

splaying operations - 02 The optimized composed splay operation (OCSplay) is

expressed as follows (2):

OCSplay(x,x+) = Splay(x+,x.droit) + Splay((x,x+), root)


15/25

splaying operations - 03 The optimized composed splay operation (OCSplay) is

expressed as follows :

OCSplay(x,x+) = Splay(x,x+) + Splay((x,x+), root


16/25

Minimizing the Number of Tree Rotations

An efficient technique to minimize tree rotations.


17/25

Searching process in the Top-Down Splay Tree

Minimizing the Number of Tree Rotations


18/25

Top-Down Splay TreeWe look at two nodes at a time, while searching for the

best length value, and also we keep restructuring thetree until we reach a leaf and the item we are lookingfor has been located. While searching..

The current tree is divided into three sub-trees:

1. Middle Sub-tree

2. Left Sub-tree3. Right Sub-tree


19/25

Complexity AnalysisAmortized Analysis:

if each item of the splay tree is given a weight wx , withw

tdenoting the sum of the weights in the tree t, then

the amortized cost to access an item x have thefollowing upper bounds:

Let x+ denote the item following x in the tree t and x-

denote the item preceding x.


20/25


21/25

Complexity Analysis

Number of Nodes :


22/25

Memory accesses


23/25

CONCLUSION AND FUTURE WORK In this paper, early packet rejection techniques are

discussed. The efficient technique is found to be SA-BSPL, which uses the splay tree data structure property

to change dynamically according to traffic behavior..

Range to prefix conversion increases storage space.Our next search begin with the effective conversiontechnique which reduces the storage space when rangeis converted into prefixes.


24/25

Reference [1] H. Hamed, A. El-Atawy, E. Al-Shaer. Adaptive Statistical Optimization

Techniques for Firewall Packet Filtering. In Proceeding of IEEE INFOCOM, pp.1-12, 2006.

[2] E. Al-Shear, A. El-Atawy, T. Tran. Adaptive Early Packet filtering for

Defending firewalls against DoS Attack. In Proceeding of IEEE INFOCOM, pp.1-9, 2009.

[3] N. Neji, A. Bouhououla. Dynamic Scheme for Packet Classification UsingSplay trees. Information Assurance and Security, pp. 1-9, 2009.

[4] S Zeidan, Z. Trabelsi. A Survey on Firewalls Early Packet Rejection

Techniques.Innovations in information security.pp 203 208,2011.


25/25

Queries?

a search for effective firewall packet rebuff technique

Documents