towards optimal firewall rule ordering utilizing directed acyclical graphs

Author: Ashish Tapdiya, Errin W. FulpPublisher: ICCCN 2009Presenter: Yu-Ping ChiangDate: 2009/09/30

Towards Optimal Firewall Rule Ordering

Utilizing Directed Acyclical Graphs

1

• Related work – Directed Acyclical Graph (DAG)

• Sub-Graph Merging (SDM)– Algorithm– Non-optimal ordering– Time complexity

• Experimental results– Number of breaks– Percentage improvement

Outline

2

• DAG G = (R,E)– R = rules– E exists if

• .• i < j

Directed Acyclical Graph (DAG)

3

• Related work – Directed Acyclical Graph (DAG)

• Sub-Graph Merging (SGM)– Algorithm– Non-optimal ordering– Time complexity

• Experimental results– Number of breaks– Percentage improvement

Outline

4

• Definition– Sub-graph of rule ri : G(ri)

• Ex: G(r2) = {r1, r2}, G(r4) = {r1, r2, r4}– Sum of probability of G(ri) : X(ri)

• Ex: X(r2) = 0.0645+0.161 = 0.2255– Cardinality of G(ri): C(ri)

• Ex: C(r2) = 2

Sub-Graph Merging (SGM)

5

• Definition– DEP

• Ex: – PROB(ri)– R(π)

•

• Ex: R(π) = 0.0645*1 + 0.161*2 + … + 0.029*5 = 3.5487

Sub-Graph Merging (SGM)

00000

10000

10000

11000

10110

DEP

n

iiitpR

1

')(

6

Sub-Graph Merging - Algorithm

7

0.0645

0.11275

0.14515

0.1614

0.2

Sub-Graph Merging - Algorithm

8

R(π) = 3.5487

R(π) = 3.4839

SGM – non-optimal ordering

9

0.058533

0.072886

0.2

0.09094

0.096061

SGM – time complexity

10

O(n)

O(n) O(n)

• Related work – Directed Acyclical Graph (DAG)

• Sub-Graph Merging (SDM)– Algorithm– Non-optimal ordering– Time complexity

• Experimental results– Number of breaks– Percentage improvement

Outline

11

Edge density versus # of breaks

12

• Average number of rule comparisons was used to evaluate performance

Percentage improvement

13