Fengjun Shang,Xuezeng Pan

2007-01-01

Journal of Computational Information Systems

Abstract:The process of categorizing packets into 'flows' in an Internet router is called packet classification. All packets belonging to the same flow obey a pre-defined rule and are processed in a similar manner by the router. In general, packet classification on multiple fields is a difficult problem. In this paper, an algorithm is proposed called Hash Packet Classification based on Non-collision Hash and XOR Hash (NHXH). The NHXH algorithm introduces XOR operation to obtain a hash key value. The computation of an NHXH algorithm key value consists of three steps. Firstly, the non-collision hash function is structured, which is constructed mainly based on destination/source port and protocol type field so that the hash function usually can avoid space explosion problem. Secondly, the source/destination IP pairs are concatenated and then dividing the packet header into 4 chunks, each of which has 16bits in size. Thirdly, each chunk is mapped into stochastic space and XOR operation on the random number mapped 4 chunks. Because the stochastic space follows even distribution after XORing operation so that its collision rate is limitary. Lastly, every rule index is found in order to ensure the validity so that the final rule index is acquired. The test results show that the classification rate of NHXH algorithm is up to 2 million packets per second and the maximum memory consumed is 8MB for 10000 rules.

XUAN Qi,WU Tie-jun

DOI: https://doi.org/10.3785/j.issn.1008-973X.2011.06.001

2011-01-01

Abstract:With the reason that there still lacks of a systematical method to design scheduling rules,a framework to systematically design heuristic scheduling rules based on complex network theory was proposed.Through describing complex open shop(COS) objects by complex scheduling networks,the related complex scheduling problems can be transferred to node executing problems on complex scheduling networks,then complex scheduling problems can be studied under the background of complex network theory.Then through node executing experiments on different complex scheduling networks,it is found that the network average executing time increases logarithmically as the average degree characteristic of the complex scheduling network rises.This fact provides the theoretical basis for designing the scheduling rule based on node degree,that is,minimize the average degree of the remaining complex scheduling network by priorly executing those nodes with large degree.Computer simulations show that,compared with other scheduling rules,the proposed node degree based scheduling rule can indeed produce better maximum finish time(MFT) properties.

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Ren Anxi,Yang Shoubao,Li Hongwei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.04.050

2006-01-01

Abstract:In order to decrease the rule-matching time and enhance the performance of firewall,this paper presents a statistic-analysis method,which adjust the order of firewall rules dynamically according to the analytic results obtained through analyzing the network flow.The simulation proves that it can improve the performance of firewall in some extent.

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

ZHANG Guo-bing,ZENG Wu,HUANG Hao

2005-01-01

Abstract:Too many memory accesses slow down the process of high-speed data streams in NP-based firewalls significantly.Hash table is one of the most important data structures in firewall designing.The average memory access is in direct proportion to the length of chain if we resolve hash collision with separate chaining.To divide one chain into a pair can improve system performance by reducing total number of memory access.A method to handle hash collision with dual chain was introduced,and its affection on performance was analyzed,The design and implementation was given based on network processor IXP2400.

Feilu Hang,Linjiang Xie,Zhenhong Zhang,Yuting Liu,Jian Hu

DOI: https://doi.org/10.12694/scpe.v25i4.2904

2024-06-16

Abstract:Compared with traditional computer network security identification techniques, deep learning algorithms are based on their own distributed network structure for storage, processing, classification, comparison, and automatic identification functions. The distribution and dynamism of cloud databases increase the difficulty of route prediction and recognition in the cloud, affecting the efficiency of cloud computing. In response to the above issues, the author proposes a dynamic path optimization process for cloud databases based on adaptive immune grouping polymorphic ant colony algorithm. By setting up two states of ant colony, reconnaissance ant and search ant, and introducing an adaptive polymorphic ant colony competition strategy, the defect of general ant colony algorithms being prone to falling into local optima is improved; On this basis, an artificial immune algorithm with fast global search capability is further integrated to improve the search ant path optimization process, improving search speed and accuracy. Simulation experiments show that the IPANT algorithm outperforms the other three algorithms, maintaining a throughput of 1000 kbps and relatively stable; The data of OSPF, SPF, and FR are not significantly different, significantly lower than IPANT. The immune polymorphic ant colony algorithm (IPANT) has the lowest time delay for packet routing and performs better than the other three algorithms, with FR and SPF having higher latency. It has been proven that this algorithm can better solve convergence speed and global optimization problems, and can quickly and reasonably find the database to be accessed in the cloud.

Dingmin Wang,Qing Li,Yong Jiang,Mingwei Xu,Guangwu Hu

DOI: https://doi.org/10.1109/icccn.2017.8038395

2017-01-01

Abstract:In Software Defined Networking (SDN), the severe conflict between rule number and memory size has attracted considerable academic attention. Ternary Content Addressable Memory (TCAM), generally used to guarantee the query speed, is a scarce and expensive resource, which limits the number of rules that the switch can support. However, the table miss may increase processing burden of the controller and cause latency issues. Therefore, it is significantly important to improve the efficiency of TCAM in SDN switches. In this paper, we propose BALANCER, a traffic-aware hybrid rule allocation scheme. In BALANCER, we logically split TCAM into two parts: reactive and proactive, which can be dynamically adjusted according to network traffic behavior. Also, we propose an algorithm to generate proactive rules with high entropy in the proactive part, and for the reactive part, we provide a rule caching approach and an efficient rule replacement algorithm, Multi-Bucket. To evaluate BALANCER, we conduct comprehensive experiments with both synthetic and real-world routing policies. Compared with the reactive mode and the proactive mode, results show that BALANCER achieves the least update costs while the number of table misses is extremely close to that in the proactive mode.

Yang Xu,Zhaobo Liu,Zhuoyuan Zhang,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2013.2270441

2014-01-01

IEEE/ACM Transactions on Networking

Abstract:The emergence of new network applications, such as the network intrusion detection system and packet-level accounting, requires packet classification to report all matched rules instead of only the best matched rule. Although several schemes have been proposed recently to address the multimatch packet classification problem, most of them require either huge memory or expensive ternary content addressable memory (TCAM) to store the intermediate data structure, or they suffer from steep performance degradation under certain types of classifiers. In this paper, we decompose the operation of multimatch packet classification from the complicated multidimensional search to several single-dimensional searches, and present an asynchronous pipeline architecture based on a signature tree structure to combine the intermediate results returned from single-dimensional searches. By spreading edges of the signature tree across multiple hash tables at different stages, the pipeline can achieve a high throughput via the interstage parallel access to hash tables. To exploit further intrastage parallelism, two edge-grouping algorithms are designed to evenly divide the edges associated with each stage into multiple work-conserving hash tables. To avoid collisions involved in hash table lookup, a hybrid perfect hash table construction scheme is proposed. Extensive simulation using realistic classifiers and traffic traces shows that the proposed pipeline architecture outperforms HyperCuts and B2PC schemes in classification speed by at least one order of magnitude, while having a similar storage requirement. Particularly, with different types of classifiers of 4K rules, the proposed pipeline architecture is able to achieve a throughput between 26.8 and 93.1 Gb/s using perfect hash tables.

WANG Weiping,CHEN Wenhui,ZHU Weiwei,CHEN Huaping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.11.049

2007-01-01

Abstract:As enterprises’ network security barrier,firewalls play a very important role.Since enterprises configurate firewalls according to its need;the rule table will be included.However,problems may occur during configuration.On one hand,the administrator himself may make some mistakes during initial configuration.On the other hand,possibility of conflicts among different rules increases with rule numbers in the table growing.This paper analyzes possible mistakes in the configuration process.It introduces several familiar types of mistakes in configuration,puts forward the algorithm which can find mistakes.The paper improves the algorithm according to the characteristics of the firewall rule table,which increases efficiency of detecting configuration mistakes.

Jinyuan Zhang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831366

2022-01-01

Abstract:In Software-Defined Networking (SDN), the controllers implement flexible and scalability networking policies by installing different flow rules. Each rule matches a specific class of flows, instructs the switches to execute actions, and then expires when they finish their tasks. OpenFlow introduces the timeout mechanism to manage these flow rules. However, finding a reasonable timeout value becomes a difficult problem for the network managers. When a relatively small timeout value is given to an elephant flow, the rule expires early, introducing extra cost for the controller and long latency for the matching flow, respectively. On the contrary, a large timeout value for a mice flow makes a rule occupy the switch memory too long, wasting the caching memory and causing the flow table prone to overflow. Therefore, it is necessary to allocate appropriate timeouts for different flows dynamically. In this paper, we achieve this goal with real-time traffic monitoring and heuristic algorithms. By considering different network loads and designing corresponding dynamic timeout algorithms for different scenarios, we make full use of the advantages of SDN to improve the utilization rate of the switch memory and save the controller resources. Further, we implement our scheme in a simulation SDN platform and evaluate the algorithms with the public datasets. Experiments show that our scheme has low control overhead and is memory efficient compared with current mechanisms.

LI Xin,JI Zhen-zhou,LIU Wei-chen,HU Ming-zeng

DOI: https://doi.org/10.3969/j.issn.1007-5321.2006.04.022

2006-01-01

Abstract:To improve the efficiency and scalability of conflict detection for multi-dimensional classifiers,a new algorithm,based on grid of trie(GoT) algorithm,was proposed.The new algorithm uses Patricia trie,constricts the length of Internet protocol(IP) prefix in order to use Hash technology,and improves the performance of the algorithm by adding ingress and egress of firewall for each filter.

Wang Jie,Ji Zhen-Zhou,Hu Ming-Zeng

2009-01-01

Abstract:Along with development of network techniques and firewall techniques, multipattern matching for content filtering, virus detection and other network security measures is emphasized in the field of hardware firewall. Principles of multi-pattern matching on network firewall based on FPGA (Field Programmable Gate Array) are presented: low latency, supporting non-fixed-length pattern and forward matching. And architecture of high-performance matching on data link layer forming pipeline with frame transmission is proposed especially for multi-port scheduling. By academic analysis and experimental validation it can support applications of high-performance hardware network firewall and effectively reduce additional delays by expand logics.

Mohit Wadhwa,Ambar Pal,Ayush Shah,Paritosh Mittal,H.B. Acharya

DOI: https://doi.org/10.48550/arXiv.1510.07880

2015-10-27

Abstract:A fundamental component of networking infras- tructure is the policy, used in routing tables and firewalls. Accordingly, there has been extensive study of policies. However, the theory of such policies indicates that the size of the decision tree for a policy is very large ( O((2n)d), where the policy has n rules and examines d features of packets). If this was indeed the case, the existing algorithms to detect anomalies, conflicts, and redundancies would not be tractable for practical policies (say, n = 1000 and d = 10). In this paper, we clear up this apparent paradox. Using the concept of 'rules in play', we calculate the actual upper bound on the size of the decision tree, and demonstrate how three other factors - narrow fields, singletons, and all-matches make the problem tractable in practice. We also show how this concept may be used to solve an open problem: pruning a policy to the minimum possible number of rules, without changing its meaning.

Networking and Internet Architecture

Wenhui Chen,Weiping Wang,Zhepeng Li,Huaping Chen

DOI: https://doi.org/10.1109/iccias.2006.295436

2006-01-01

Abstract:To improve the filtering speed of firewall, researchers have proposed many expression tools for firewall policy. However, these tools share a limitation: not compatible with dynamic updating of firewall policy. Therefore, this paper suggests marked firewall decision trees (MFDT) model. MFDT can handle not only the package filtering but also dynamically response to the updating of original policies. First of all, it is given the definition of MFDT. For three situation of policy change: adding, modifying and deleting of rules, corresponding updating algorithms of MFDT are given. In the end, MFDT's integrality and complexity are proved

Chang Zhi-xian

DOI: https://doi.org/10.1007/s12083-020-00979-2

2020-09-11

Abstract:When facing some emergency situations, such as fires, traffic accidents, etc., it is necessary for the network to use the available information to provide the best and fastest access routes. In these cases, it is important to centrally manage all devices throughout the network, so a software-defined network (SDN) -based architecture is used to manage and control emergency service actions and evacuation plans. At this time, differentiated services are provided to customers in emergency and non-emergency situations through network slicing, and resource allocation is performed for network slicing such as delay and bandwidth parameters. In this paper, the first resource management plan is the merit of quick converging to the global optimal solution which was used to design the evaluation function of the network resource management; the second is monitors and analyzes access traffic and centralizes control and management to meet the bandwidth requirements of tenants to counter the tidal effect. The ability of fast random search of particle swarm optimization was used to realize the update and optimization. The simulation results show that can reduce the energy consumption of the network and improve the utilization rate of cyber source at the same time.

computer science, information systems,telecommunications

Qin Xin,Jianping Wu,Ke Xu,Shu Yang,Jisheng Pei

2015-01-01

Abstract:Routers must perform packet filtering at high speeds to implement critical functions in todays networked computing systems, i.e., firewalls. With serious security situations, and more and more kinds of validation and filter-ing rules emerging, the routers and firewalls now undertake more burden than ever. In routers for large networks, the filtering table, e.g., access control list, gets larger and larger, which easily exceed the limited capacity and brings high power consumption and financial cost. Therefore we are motivated to seek a kind of effective mechanism to solve these problems, which needs to be very easy for deployment, and has strong and proven ability for security filtering. We propose a distributed and cooperative mechanism of software filtering based on finite state machine in which the filtering tasks are split and shared by all the routers rather than relying only on the ingress routers for computation.

Meitian Huang,Weifa Liang,Zichuan Xu,Wenzheng Xu,Song Guo,Yinlong Xu

DOI: https://doi.org/10.1109/INFOCOM.2016.7524613

2016-01-01

Abstract:Software-Defined Networking (SDN) has emerged as the paradigm of the next-generation networking through separating the data control plane from the data plane. The forwarding routing table at each of its switch nodes is usually implemented by expensive and power-hungry Ternary Content Addressable Memory (TCAM) that only has limited number of entries, and the bandwidth at each of its links is bounded too. Under this new network architecture, providing a quality service to users by admitting user requests to meet their resource demands is challenging, and very little attention has ever been paid in this regard. In this paper, we will study online unicast and multicast request admissions in SDNs with the aim to maximize the network throughput under both critical network resources and user bandwidth demand constraints, for which we first propose a novel model to characterize the usage costs of node and link resources. We then devise efficient online algorithms for unicast and multicast requests. We also analyze the competitive ratios of the proposed online algorithms, which are O(log n) and O(K-epsilon log n) for unicasting and multicasting, respectively, where n is the network size, K is the maximum number of members in a multicast request, and. is a constant with 0 < epsilon <= 1. We finally evaluate the proposed algorithms empirically through simulations. The simulation results demonstrate that the proposed algorithms are very promising.

JIANG Wenbao,HAO Shuang,DAI Yiqi,LIU Tinghua

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.01.028

2006-01-01

Abstract:The performance of high-speed network intrusion detection systems(nIDSs) is improved by load balancing algorithms developed for high-speed nIDSs.Three load balancing policies were analyzed to develop a flow-based dynamic load balancing algorithm based on nIDSs using multiple detection engines.The algorithm divides the data stream according to the current value of each detection engine's load using a dynamic feed and prediction mechanism.The incoming data packets for a new session are forwarded to the engine that currently has the lightest load.Test results show that the algorithm performs better than the Round Robin algorithm,especially when a large number of concurrent detection engines are used in heavy network traffic environments.

Huawei Huang,Peng Li,Song Guo,Baoliu Ye

DOI: https://doi.org/10.1109/iwqos.2014.6914313

2014-01-01

Abstract:Software-Defined Network (SDN) is a promising network paradigm that separates the control plane and data plane in the network. It has shown great advantages in simplifying network management such that new functions can be easily supported without physical access to the network switches. However, Ternary Content Addressable Memory (TCAM), as a critical hardware storing rules for high-speed packet processing in SDN-enabled devices, can be supplied to each device with very limited quantity because it is expensive and energy-consuming. To efficiently use TCAM resources, we propose a rule multiplexing scheme, in which the same set of rules deployed on each node apply to the whole flow of a session going through but towards different paths. Based on this scheme, we study the rule placement problem with the objective of minimizing rule space occupation for multiple unicast sessions under QoS constraints. We formulate the optimization problem jointly considering routing engineering and rule placement under both existing and our rule multiplexing schemes. Finally, extensive simulations are conducted to show that our proposals significantly outperform existing solutions.