刘正蓝,朱淼良,董亚波

2004-01-01

Abstract:Researchers found unfairness in DiffServ network. To solve this problem, a TSW-based marker is proposed, which is called TCP-friendly fair packet marking algorithm (TFPM). With this marker, proportional fair sharing of excess bandwidth among aggregate can be achieved, and so the better fairness between TCP and UDP flows in an aggregate. The validation of this marking algorithm through simulation experimentation is made, and the simulation result is compared with some other marking algorithms, which verifies that the TFPM algorithm has better fairness than other algorithms.

Ming Jiang,Chunming Wu,Min Zhang,Hao Bian

DOI: https://doi.org/10.23919/cje.2010.10168773

IF: 1.019

2010-01-01

Chinese Journal of Electronics

Abstract:To solve the problem of fair bandwidth sharing between responsive flows and unresponsive flows, this paper proposes a new algorithm named CSa-XCHOKe, which identifies unresponsive flows by using CHOKe hits history records In this algorithm, the number of picked packets from queue is decided by the congestion level, and the picked packets are compared with the arrival packet to judge whether they belong to the same flows If they hit, the packet drop probability is calculated based on congestion level and link load, otherwise, CSa XCHOKe uses MRED scheme to process the arrival packet The performance of CSa-XCHOKe is compared with other main schemes like XCHOKe, CSFQ and CHOKe, and the simulation results show that CSa-XCHOKe performs better than other schemes in bandwidth sharing fairness issues

平玲娣,郭行波,潘雪增,陈晓峰

DOI: https://doi.org/10.3785/j.issn.1008-973x.2007.12.008

2007-01-01

Abstract:An improved algorithm named modified fair random early detection(MFRED) was presented to treat with the problem that fair random early detection(FRED) algorithm rises many misidentifications with adaptive flows in congested network.In MFRED,strike counter rises fast when identification condition is met,and falls slowly when packets leave.A mechanism for misidentification correcting was added without markedly increase in computing complexity.Simulation showed that compared with FRED,MFRED identifies non-adaptive flows and balances the bandwidth allocation effectively while misidentifications are greatly reduced.

Xiaofeng Lv,Deyun Zhou,Yongchuan Tang,Ling Ma

DOI: https://doi.org/10.1155/2018/3942723

IF: 2.3

2018-01-01

Complexity

Abstract:Sensor data-based test selection optimization is the basis for designing a test work, which ensures that the system is tested under the constraint of the conventional indexes such as fault detection rate (FDR) and fault isolation rate (FIR). From the perspective of equipment maintenance support, the ambiguity isolation has a significant effect on the result of test selection. In this paper, an improved test selection optimization model is proposed by considering the ambiguity degree of fault isolation. In the new model, the fault test dependency matrix is adopted to model the correlation between the system fault and the test group. The objective function of the proposed model is minimizing the test cost with the constraint of FDR and FIR. The improved chaotic discrete particle swarm optimization (PSO) algorithm is adopted to solve the improved test selection optimization model. The new test selection optimization model is more consistent with real complicated engineering systems. The experimental result verifies the effectiveness of the proposed method.

Xin Li,Zhenzhou Ji,Mingzeng Hu

DOI: https://doi.org/10.1007/11576235_34

2005-01-01

Abstract:Packet filters are rules for classifying packets based on their header fields. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. There has been prior works on conflict detection for multi-dimensional classifiers, but their efficiency and scalability are not good. A new algorithm is proposed, which uses hashing-based PATRICIA trie. The new algorithm can fast detect conflicts in classifiers and have high scalability. The technology of processing transport-level ports can bring more security than existed algorithms.

Qinghua Xiao,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/wcica.2004.1340889

2004-01-01

Abstract:With the emergence of network real time application, the need for quality of service (QoS) in the Internet has been given a rise. IETF has proposed a service model - DiffServ, which for its extensibility, has been widely accepted as a promising model. However, researchers found unfairness in DiffServ network. To solve this problem, this paper analyzed the inherent shortcomings of marker based on token bucket (TB) and time sliding window (TSW) in DiffServ, and proposed a new traffic rate estimator algorithm. This algorithm can tolerate the short-term burst of IP flows as well as reflecting the flows' temporal-behavior. Afterwards, a modified fair aggregate marking (MFAM) algorithm was presented based on the traffic rate estimator algorithm mentioned above. It contributes to fair sharing of excess bandwidth among aggregates. The author validated MFAM algorithm through simulation experimentation, and compared its performance with some other marking algorithms. The results show that MFAM algorithm has better fairness than others.

Xin Lu

2008-01-01

Abstract:To solve the problem that current algorithms for detecting firewall filters conflicts had poor performance,this paper proposed a fast algorithm called FRCD for detecting conflicts.FRCD constructed two binary trees for every dimension.Experiments verify its good performance.

LI Xin,JI Zhen-zhou,LIU Wei-chen,HU Ming-zeng

DOI: https://doi.org/10.3969/j.issn.1007-5321.2006.04.022

2006-01-01

Abstract:To improve the efficiency and scalability of conflict detection for multi-dimensional classifiers,a new algorithm,based on grid of trie(GoT) algorithm,was proposed.The new algorithm uses Patricia trie,constricts the length of Internet protocol(IP) prefix in order to use Hash technology,and improves the performance of the algorithm by adding ingress and egress of firewall for each filter.

WANG Wei-Ping,CHEN Wen-Hui,LI Zhe-Peng,CHEN Hua-Ping

DOI: https://doi.org/10.3969/j.issn.1002-1175.2007.03.017

2007-01-01

Abstract:As a traditional technique of information security,firewall has played a very important role.Security administrators frequently have to compare firewall policies looking for inconsistence,while it is not a smooth process to choose a platform for the comparison.To realize the comparison between firewalls' policies,this paper provides FPT(firewall policy tree) model,and the construction algorithm which can turn a firewall policy into a policy tree,as well as the comparison algorithm,and finally presents the procedures of comparing firewalls' policies.Combination of the two algorithms can be used to perform a comparison between firewalls' policies.By doing this,the paper can obtain the set of data packages on which different firewalls have made inconsistent filter decisions,so as to find out the inconsistency in firewalls' policies.

Yuyang Du,Soung Chang Liew

2023-01-01

Abstract: This paper reexamines and fundamentally improves the Schmidl-and-Cox (S&C) algorithm, which is extensively used for packet detection in wireless networks, and enhances its adaptability for multi-antenna receivers. First, we introduce a new "compensated autocorrelation" metric, providing a more analytically tractable solution with precise expressions for false-alarm and missed-detection probabilities. Second, this paper proposes the Pareto comparison principle for fair benchmarking packet-detection algorithms, considering both false alarms and missed detections simultaneously. Third, with the Pareto benchmarking scheme, we experimentally confirm that the performance of S&C can be greatly improved by taking only the real part and discarding the imaginary part of the autocorrelation, leading to the novel real-part S&C (RP-S&C) scheme. Fourth, and perhaps most importantly, we utilize the compensated autocorrelation metric we newly put forth to extend the single-antenna algorithm to multi-antenna scenarios through a weighted-sum approach. Two optimization problems, minimizing false-alarm and missed-detection probabilities respectively, are formulated and solutions are provided. Our experimental results reveal that the optimal weights for false alarms (WFA) scheme is more desirable than the optimal weights for missed detections (WMD) due to its simplicity, reliability, and superior performance. This study holds considerable implications for the design and deployment of packet-detection schemes in random-access networks.

王永纲,石江涛,戴雪龙,颜天信

DOI: https://doi.org/10.3969/j.issn.0253-2778.2004.04.004

2004-01-01

JUSTC

Abstract:After investigating the variety of algorithms based on tries structure and computational geometry, the software testing platform for their performance evaluation was implemented. The platform consists of network traffic simulation, algorithms and output parameters statistics. With the main performance curves, including time complexity curves and space complexity curves presented in the paper, the behaviors of algorithms can be recognized deeply. This is necessary as a good starting point to do further research on the new algorithms for packet classification and it is also possible to satisfy the most current application requirements by the combination of the present algorithms.

Yahui Li,Han Zhang,Jilong Wang,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu

DOI: https://doi.org/10.1109/tpds.2023.3241433

IF: 5.3

2023-03-11

IEEE Transactions on Parallel and Distributed Systems

Abstract:The correctness and reliability of modern networks are often the greatest concerns. A myriad network events like software update, device crash and resource exhaustion, inevitably lead to liveness errors on data plane. This paper focuses on fault detection of the network data plane using test packets. Existing test packet generation techniques are limited in two aspects: i) it is difficult to collect the input data plane snapshot through SNMP or terminals ii) it may rise false negatives due to inconsistent snapshot. In this paper, we propose a new framework, SWIFT, that automatically generates test packets with network configurations. SWIFT minimizes the number of test packets by allowing a packet to go through multiple links or interfaces. For network updates, SWIFT updates test packets in an incremental way to revalidate the network. We evaluate its performance using hundreds of benchmark network configurations. The results show that it takes few seconds to generate test packets to exercise all links and interfaces, and updates the test packets in few seconds for configuration changes. We also deployed a SWIFT prototype in a university network, and successfully detected many network outages.

computer science, theory & methods,engineering, electrical & electronic

Bo Xu,Guangyu Zhou,Yibo Xue,Jun Li

2008-01-01

Abstract:Packet filtering plays an important role in network devices such as firewalls, routers, security gateways and intrusion detection systems. Numerous schemes have been proposed to improve packet filtering techniques. Many previous works struggled to utilize the characteristics of filtering rule-sets as optimization heuristics. However, there are rarely efforts excavating network traffic characteristics. This paper focuses on analyzing the statistical characteristics of network traffic and imposing it to optimize packet filtering algorithms. Contribution of the paper includes two aspects: first, the skewness and time correlation in real-life traffic is presented to illustrate network traffic statistics; second, an adaptive packet filtering algorithm, AHSM, is proposed based on HSM algorithm for improving average packet filtering speed. AHSM takes traffic statistics as heuristics and constructs statistical search trees for single field searching. Experimental results show that the optimized algorithm reduces 20%∼50% of the single field matching overhead compared with the HSM algorithm and improves the overall performance by 35%∼45%, while retaining the same memory usage.

S. Pesic,A. Baiocchi,Livia Trazza,Simone Ferraresi

DOI: https://doi.org/10.1109/ICC.2007.220

2007-06-24

Abstract:Firewalls and Security Gateways are core elements in network security infrastructure. As networks and services become more complex, managing access-list rules becomes an error-prone task. Conflicts in a policy can cause holes in security, and can often be hard to find while performing only visual or manual inspection. First, we have defined a methodology to systematically classify the severity of rule conflicts; secondly, we have proposed two different solutions to automatically resolve conflicts in a firewall. For one of them we found an algebraic proof of the existence of the solution and the convergence of the algorithm, and then we have made a software implementation to test it.

Computer Science

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2008.34

2012-01-01

IEEE Transactions on Network and Service Management

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the firewall policy under test. To achieve high structural coverage effectively, we have developed four automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), the one based on global constraint solving (considering multiple rules globally in a policy), and the one based on boundary values.We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.

Yx Qi,B Xu,J Li

DOI: https://doi.org/10.1109/ICAS-ICNS.2005.74

2005-01-01

Abstract:Packet classification is crucial to implementation of several advanced services require the capability to distinguish traffic in flows, such as firewalls, intrusion detection systems, and many QoS implementations. Although hardware solutions, such as TCAMs, provide high search speed, they do not scale to large rulesets. Instead, some of the most promising algorithmic research embraces the practice of leveraging the data redundancy in real-life rulesets to improve high performance packet classification. In this paper, we provide a general framework for discerning relationships distinctions of the design-space of existing packet classification algorithms. Several best-known algorithms, such as RFC and HiCuts/HyperCuts, are carefully analyzed based on this framework, and an improved scheme for each algorithm is proposed. All algorithms studied in this paper, along with their variations, are objectively assessed using both real-life and synthetic rulesets. The source codes of these algorithms are made publicly available on web-site.

Hongyi Zeng,Peyman Kazemian,George Varghese,Nick McKeown

DOI: https://doi.org/10.1109/TNET.2013.2253121

2014-04-01

IEEE/ACM Transactions on Networking

Abstract:Networks are getting larger and more complex, yet administrators rely on rudimentary tools such as and to debug problems. We propose an automated and systematic approach for testing and debugging networks called "Automatic Test Packet Generation" (ATPG). ATPG reads router configurations and generates a device-independent model. The model is used to generate a minimum set of test packets to (minimally) exercise every link in the network or (maximally) exercise every rule in the network. Test packets are sent periodically, and detected failures trigger a separate mechanism to localize the fault. ATPG can detect both functional (e.g., incorrect firewall rule) and performance problems (e.g., congested queue). ATPG complements but goes beyond earlier work in static checking (which cannot detect liveness or performance faults) or fault localization (which only localize faults given liveness results). We describe our prototype ATPG implementation and results on two real-world data sets: Stanford University's backbone network and Internet2. We find that a small number of test packets suffices to test all rules in these networks: For example, 4000 packets can cover all rules in Stanford backbone network, while 54 are enough to cover all links. Sending 4000 test packets 10 times per second consumes less than 1% of link capacity. ATPG code and the data sets are publicly available.

Weiping Wang,Wenhui Chen,Zhepeng Li,Huaping Chen

DOI: https://doi.org/10.1007/978-3-540-37275-2_67

2006-01-01

Abstract:As a traditional technique of information security, distributed firewall has taken very important position, while problems remain. Correct configuration of distributed firewall policies and keeping individual firewall filter decisions compatible to each other are quite inconvenient for administrators. To realize the comparison between firewalls’ policies, this paper provide FPT(firewall policy tree) model, and the construction algorithm which can turn a firewall policy into a policy tree, as well as the comparison algorithm. Combination of the two algorithms can be used to perform a comparison between distributed firewalls’ policies. By doing this, the paper can obtain the set of data packages on which different firewalls have made inconsistent filter decision, and find out the inconsistency in distributed firewall policies. Besides, this model could be extended to package classification systems for policies comparison.

Jianyu Zhang,Tao Wei,Wei Zou

DOI: https://doi.org/10.1360/crad20060202

2006-01-01

Journal of Computer Research and Development

Abstract:An applicable and easy-to-implement packet classification algorithm CSAC (classification on self-adaptive cache) with high performance is presented. It caches the searching path of the packet set within a field subspace, reuses the searching result for the classification of the subsequent packets in the same field subspace, and reduces the cache hit-miss penalty. According to state changes of the cache by the fluctuation of network traffic, the algorithm introduces a self-adaptive cache scheme to guarantee effectively the cache hit ratio, which adjusts dynamically the granularity and structure of the cache, and locations of cache items in hash buckets. Furthermore, CSAC does not need the preprocessing phase required by most of heuristic algorithms, and it supports multi-field complex rules (such as layer 4-7 fields, logic match operation, etc.) and increment update of rule set. It is suitable for applications with various packet classification requirements, such as network edge security, traffic audit and load balancing, etc. Some firewall and IDS appliances using CSAC have favorable performance in actual network environment.