
Dynamic Rule and Rule-Field Optimization for Improving Firewall Performance and Security

Zouheir Trabelsi, Liren Zhang and Safaa Zeidan
Faculty of Information Technology, UAE University, Al-Ain, UAE
{trabelsi, lzhang, safaa.z}@uaeu.ac.ae

Abstract. This paper presents a novel approach to improve firewall packet filtering by optimizing the order of firewall rules for early packet acceptance as well as the order of rule-fields for early packet rejection. The proposed approach is based on the calculation of histograms of packets matching rules and of packets not matching rule-fields. These histograms make it possible to monitor firewall performance in real time and to predict the patterns of packet filtering in terms of rule order and rule-field order. Furthermore, the proposed approach becomes even more significant when the firewall is heavily loaded with bursty traffic. A comparison of the proposed approach with other conventional approaches, including the static rule order approach and the dynamic rule order approach, is presented. The numerical results obtained by simulation demonstrate that the proposed approach significantly improves firewall efficiency in terms of cumulative processing time compared to the other conventional approaches. Furthermore, the proposed scheme also has the capability to significantly reduce the effect of many common network attacks on firewall performance.

Keywords: firewall early rejection, packet flow matching histogram, optimization of rules ordering, optimization of rule-fields ordering.

1. Introduction

The firewall is considered one of the most important components in today's IP network security architectures. In general, packet filtering in a firewall is based on a security policy, which consists of a set of filtering rules; each rule is defined by a set of filtering fields and is associated with an action, either to block a packet or to forward it to its destination. The last rule in the security policy is the default rule, which is assumed to be "Deny".

Packet filtering in a firewall is performed in sequential order, starting from the first rule, until a matching rule is found. If no matching rule is found, the packet is processed by the default rule. Likewise, the packet filtering within each individual rule is also done in sequential order, starting from the first field, until a non-matching field is found. If a packet matches all the fields in a rule, the packet is said to match that rule, and the filtering of this packet is completed. Otherwise, the packet goes on to the next rule, until a matching rule is found. Clearly, the computational complexity of the packet filtering process depends on the number of fields defined in each rule as well as on the depth at which a matching rule is found in the policy. Hence, the order of rules, the order of rule-fields, and the characteristics of the packet flows have a significant impact on the firewall's efficiency. In addition, unwanted traffic targeting the default rule may cause more harm than other traffic by imposing an overhead on the system through increasing the overall filtering time. This overhead is proportional to the number of rules used in the security policy. Such unwanted traffic may cause a denial of service (DoS) attack and considerably degrade the firewall's performance. From this point of view, it is very important to reject such traffic as early as possible.

With the rapid development of broadband IP network infrastructure, it is important to support high-bandwidth services over the Internet, such as voice over IP, video streaming, Internet TV, interactive on-line games and high-quality multimedia services, as well as delay-sensitive services. From the end-to-end connectivity point of view, packet flows of such services may need to pass through a number of firewalls between source and destination. In this case the cumulative delay due to packet filtering at multiple firewalls may become significant. Furthermore, the bursty nature of such applications may make this problem even more critical, especially when an application-level filtering policy is used in the firewall. Thus, packet filtering techniques need to be dynamically adjusted to match the characteristics of packet flows in order to reduce the processing time of packet filtering. Efficient yet easy-to-implement packet filtering techniques that take into account both the characteristics of the traffic flow and the order of rules as well as the order of rule-fields are a crucial issue in the design of firewalls.

In this paper, we propose an approach to optimize early packet acceptance and rejection by dynamically adjusting the rule and rule-field orders using the histograms of both packets matching rules and packets not matching rule-fields. A novel algorithm to calculate the histograms in terms of packet matching and non-matching probabilities on a real-time segment basis is presented. The proposed approach uses the obtained histograms to predict the next optimized rule order and rule-field order. Compared to previous related work, the major contribution of this paper is that the approach for early acceptance and rejection dynamically adjusts both rule and rule-field orders to match the statistics of packet flows, which are measured by histograms.

The paper is organized as follows: Section 2 discusses the related work. Section 3 presents the algorithm for calculating the histograms of the packet rule-matching process and the packet rule-field-matching process. Section 4 describes the optimization of the rule and rule-field orders. Section 5 presents numerical results obtained from experiments based on simulations, in order to evaluate the firewall performance of the proposed mechanism. Finally, Section 6 concludes the paper.

2. Related Work

Since packet filtering in a firewall is done by sequentially searching the rule list until a match is found, the scalability of such a searching approach is generally poor, because the searching time is proportional to the policy size as well as to the order of rules and the order of fields contained in each rule. Packet filtering optimization has been studied extensively. The most relevant research works focus on the improvement of searching times using various approaches, including hardware-based solutions [6, 7], specialized data structures [8, 9, 5, 10, 11, 12], and heuristics [5]. Although these works have made significant contributions to packet classification, their major objective is to improve the worst-case matching performance rather than to optimize for the best performance. This is because these approaches only exploit the characteristics of the filtering rules rather than the effects of packet flow characteristics on searching time in the firewall.

Several research works, such as [1, 2, 4, 13, 14], focus on statistical firewall packet filtering approaches to improve the average packet filtering time. In [13], a technique called depth-constrained alphabetic trees is used to reduce the lookup time by searching only packet destination IP addresses rather than the entries of the routing table. However, its significance is limited, since it searches only a single field with arbitrary statistics. By contrast, the research presented in [1, 2] maximizes the early rejection of unwanted flows without impacting other flows. This is done through a number of rejection rules that are examined before the real firewall policy; these rejection rules utilize the important traffic characteristics and minimize the average packet matching time. The candidate rejection rule list is built using a set cover approximation algorithm, and then these rules are periodically added or removed according to the performance gain or loss of each rule. This technique can be used to catch packet flows that eventually hit the default rule after a mismatch with every single rule in the policy. However, its weakness is that it does not scale with the number of fields and rules if used for Intrusion Detection Systems (IDSs), because it ends up with a large set of rejection rules to be checked before proceeding with the normal filtering process.

A searching structure that takes into account packet flow dynamics is introduced in [14] and [15]. In order to optimize firewall filtering policies by utilizing the characteristics of packet flows over the Internet [16], an approach timely and actively calculates statistics based on traffic conditions and dynamically adjusts the order of packet filtering rules, considering both rule matching patterns and the dependency between rules. However, this work does not use histogram statistics of packet flows, which makes it hard for the approach to handle the bursty nature of packet flows.

The Segments-Based Tree Search (STS) approach [4] uses bounded-depth Huffman trees to enhance the filtering process according to statistics collected from segments. However, this scheme may need large overheads for maintaining the tree periodically. To reduce the overheads, Segments-based List Search (SLS) [4] has been introduced. SLS suffers the most from DoS attacks, due to the fact that its worst case is much higher than its average. So, SLS can be used only when traffic is in a steady state. But if the firewall or IDS is close to its full computational capacity, then STS will be safer to use if the traffic behavior is highly dynamic. The numerical results presented in [4] and [1] demonstrate that both SLS and STS are superior in performance and scalability to some other traffic-aware techniques such as Linear, Alpha-tree, DRO and DT-CB.

Other tightly related traffic-aware techniques are presented in [17, 18, 20, 22]. The idea of early rejection was introduced in [2, 17, 18]. In [2] a new approach named FVSC is proposed to optimize the rejection path; this technique uses a set cover approximation algorithm to construct early rejection rules from the common field values of the original security policy, which makes it suitable for smaller security policies with low diversity of field values. The PBER technique in [18] can be considered a generalization of FVSC [2], in the sense that FVSC [2] focuses only on the rejection path while PBER [18] finds short cuts for both accepted and rejected packets. In [18] the Boolean expression representing the policy acceptance space is implemented using a BDD tree, and according to traffic statistics a depth is chosen to truncate the BDD tree for faster evaluation. In [17], a binary search on prefix length algorithm is applied to every policy filtering field, along with the property of splaying the search tree nodes that handle the early accepted packets. Early packet rejection is done by maintaining the position of the minimum node at the root.left position. Even though SA-BSPL [17] uses the splay tree data structure, which can change dynamically with traffic flows, no traffic statistics are involved in this technique.

The non-heuristic general framework for rule-based firewall optimization proposed in [20] captures the semantics of an ACL in terms of whether each packet is forwarded or denied, instead of profiling the rules to determine their importance as in [1]. In [21] the authors propose an architecture and algorithm to automatically adapt the configuration of packet filtering devices according to traffic behavior. The ACO algorithm provides adaptive, conflict-free optimization of the security policy, in which each rule is given a probability rate and a cost weight.

Both [16] and [22] propose mechanisms to perform rule reordering. In a firewall security policy, rules may not be disjoint, so packets may match multiple rules, but the rule with higher precedence will be executed. In this case, these rules are said to be dependent and their order must be preserved, with a smaller rule order meaning higher precedence. In [16], the authors present a heuristic optimized rule ordering technique based on rule frequency and recency derived from traffic characteristics. This optimized rule ordering changes dynamically according to the traffic flows. In [22], the proposed statistical model rebuilds the firewall security policy using the FDT algorithm. As a result, the newly derived security policy contains only disjoint rules. These rules are ordered according to their frequencies, subject to a certain threshold qualification.

As indicated by the research works presented in [1 – 4], it is important to take into account the effects of traffic statistics in firewall performance improvement.

3. Histogram of rule matching probability and field not matching probability

Consider that the packet matching test in a firewall is based on a security policy with N independent rules, excluding the default "Deny" rule, which has order N+1. Each rule consists of a maximum number of M fields, excluding the action field. An N×M matrix F represents the security policy, that is:

$$
F = \begin{bmatrix} R(1) \\ R(2) \\ \vdots \\ R(i) \\ \vdots \\ R(N) \end{bmatrix}
= \begin{bmatrix}
F(1,1) & F(1,2) & \cdots & F(1,j) & \cdots & F(1,M) \\
F(2,1) & F(2,2) & \cdots & F(2,j) & \cdots & F(2,M) \\
\vdots & \vdots & & \vdots & & \vdots \\
F(i,1) & F(i,2) & \cdots & F(i,j) & \cdots & F(i,M) \\
\vdots & \vdots & & \vdots & & \vdots \\
F(N,1) & F(N,2) & \cdots & F(N,j) & \cdots & F(N,M)
\end{bmatrix} \qquad (1)
$$

where i ∈ {1, 2, …, N} and j ∈ {1, 2, …, M_i} are the indices of rule and field, respectively. Since the number of active fields defined by the security policy can vary from rule to rule, we assume that the non-active fields have a zero value and are not used for packet filtering. We consider that the packet flow input into a firewall is divided into a sequence of W equal-size windows, denoted as w (w ∈ {1, 2, …, W}), in which each window consists of S equal-size segments with L packets per segment.

The packet flow is assembled using a two-layer structure in terms of segments and windows, based on the following considerations. (1) The window defined here consists of a large population space of S × L packets, which is able to guarantee the accuracy of the histogram. (2) The mechanism proposed in this paper focuses on real-time adjustment of both rule order and field order using histogram statistics. From a practical point of view, such real-time adjustment needs a relatively large time scale. (3) The reason to divide each window into S segments is to match the bursty nature of packet flows in terms of rule order and field order.

Let a_{w,s}(i,j)_l and b_{w,s}(i,j)_l represent the status of the l-th packet matching and not matching an active field F(i,j) in rule R(i), respectively, where w, s and l are the window, segment and packet indices, respectively. We define a_{w,s}(i,j)_0 = 0 and b_{w,s}(i,j)_0 = 0 as the values of the initial state at the beginning of the s-th segment. During the process, when the l-th packet matches the field F(i,j) in the rule R(i), the state value of a_{w,s}(i,j)_l is incremented by "1", while b_{w,s}(i,j)_l remains unchanged. That is:

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases} \qquad (2)
$$

By contrast, when the l-th packet does not match the field F(i,j) in the rule R(i), the state value of b_{w,s}(i,j)_l is incremented by "1", while a_{w,s}(i,j)_l remains unchanged. That is:

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1
\end{cases} \qquad (3)
$$

Note that if the l-th packet is not tested for the field F(i,j) in the rule R(i), either because the l-th packet has already been rejected by the field F(i,j-1) or because the field F(i,j) is a non-active field, the state values of a_{w,s}(i,j)_l and b_{w,s}(i,j)_l remain unchanged. That is:

Therefore, for a given rule i, a packet is compared with the fields F(i,j) for j = 1, 2, …, k, …, M_i until a k is found such that the packet does not match F(i,k); then the filtering process for this packet against rule R(i) is completed, eq. (3), and the packet starts its filtering process in rule R(i+1). Otherwise, if the packet matches all the fields defined in rule R(i), then the packet matches rule R(i), eq. (2), and the filtering process for this packet at the firewall is completed.

Lemma 1. When all L packets in the s-th (s ∈ {1, 2, …, S}) segment complete their processing in the firewall based on the algorithm presented in eqs. (2) and (3), the accumulated value of a_{w,s}(i,M_i)_L represents the number of packets in the s-th segment matching the rule R(i). Likewise, the accumulated value of b_{w,s}(i,j)_L represents the number of packets in the s-th segment not matching the field F(i,j) in rule R(i).

Proof: At the beginning of the s-th segment, we have the initial values a_{w,s}(i,j)_0 = 0 and b_{w,s}(i,j)_0 = 0. All L packets contained in the s-th segment are tested in sequential order based on the algorithm defined in eqs. (2) and (3). If the l-th packet matches the field F(i,j)|j=1,2,…,M_i contained in the rule R(i)|i=1,2,…,N, then we have

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases}
$$

and the l-th packet continues to be tested by the next field F(i,j+1) in the same rule, where j+1 ≤ M_i, until the field F(i,M_i). On the other hand, if the field F(i,j)|j=1,2,…,M_i contained in the rule R(i)|i=1,2,…,N is a non-active field, then we have

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases}
$$

and the l-th packet continues to be tested by the next field F(i,j+1), where j+1 ≤ M_i, until the field F(i,M_i). The condition for the l-th packet to match the rule R(i)|i=1,2,…,N is that the packet must match all the active fields contained in the rule. Also note that if the l-th packet matches the rule R(i), its processing in the firewall is completed, i.e., the l-th packet is not tested by the rule R(i+1), where i+1 ≤ N. Therefore, we can conclude that when all L packets in the s-th segment complete their processing in the firewall, the accumulated value of a_{w,s}(i,M_i)_L represents the number of packets in the s-th segment matching the rule R(i).

On the other hand, if the l-th packet does not match the field F(i,j), then we have

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1
\end{cases}
$$

In this case, the l-th packet is rejected by the rule R(i), and the accumulated values a_{w,s}(i,j+k)_l and b_{w,s}(i,j+k)_l for the remaining fields F(i,j+k) in the rule R(i) remain unchanged, that is

$$
\begin{cases}
a_{w,s}(i,j+k)_l = a_{w,s}(i,j+k)_{l-1} \\
b_{w,s}(i,j+k)_l = b_{w,s}(i,j+k)_{l-1}
\end{cases}, \qquad k = 1, 2, \ldots, M_i - j.
$$

On the other hand, the l-th packet rejected by the rule R(i) continues to be tested by the rule R(i+1), unless R(i) = R(N).

Therefore, we can conclude that when all L packets in the s-th segment complete their processing in the firewall, the accumulated value of b_{w,s}(i,j)_L represents the number of packets in the s-th segment not matching the field F(i,j) in the rule R(i).

From Lemma 1, it can be seen that both a_{w,s}(i,M_i)_L and b_{w,s}(i,j)_L are discrete random processes, with a state space of integers between 0 and the maximum number L, on a segment basis. Let C_{w,s}(i) and D_{w,s}(i,j) be the values of a_{w,s}(i,M_i) and b_{w,s}(i,j) at the end of segment s of window w, respectively. Then the probability of a packet matching rule R(i) on a segment basis can be defined as:

$$
P_{w,s}(i) = \begin{cases}
\dfrac{C_{w,s}(1)}{L}, & i = 1 \\[2ex]
\dfrac{C_{w,s}(i)}{L - \sum_{k=1}^{i-1} C_{w,s}(k)}, & i = 2, \ldots, N
\end{cases} \qquad (4)
$$

where the term $L - \sum_{k=1}^{i-1} C_{w,s}(k)$ is the number of packets in the segment being tested for rule R(i)|i=1,2,…,N.

Likewise, the probability of a packet not matching field F(i,j)|j=1,2,…,M_i in the rule R(i) on a segment basis can be defined as:

$$
q_{w,s}(i,j) = \begin{cases}
\dfrac{D_{w,s}(1,1)}{L}, & i = 1,\ j = 1 \\[2ex]
\dfrac{D_{w,s}(1,j)}{L - \sum_{k=1}^{j-1} D_{w,s}(1,k)}, & i = 1,\ 2 \le j \le M_1 \\[2ex]
\dfrac{D_{w,s}(i,1)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)}, & 2 \le i \le N,\ j = 1 \\[2ex]
\dfrac{D_{w,s}(i,j)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k) - \sum_{k=1}^{j-1} D_{w,s}(i,k)}, & 2 \le i \le N,\ 2 \le j \le M_i
\end{cases} \qquad (5)
$$

where the term $\sum_{k=1}^{j-1} D_{w,s}(1,k)$ is the number of packets in the s-th segment rejected by the fields up to F(1,j-1)|j=2,…,M_1 in the rule R(1), the term $\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)$ is the number of packets in the s-th segment rejected by the fields contained in the rule R(i-1) due to not matching, and the term $\sum_{k=1}^{j-1} D_{w,s}(i,k)$ is the number of packets rejected by the fields F(i,k)|k=1,2,…,j-1 in the rule R(i)|i=1,2,…,N due to not matching.

The histogram, denoted as ψ_w, is defined as the statistics of packets matching the rule R(i) on a window basis, where we assume that both the rule order and the field order in each rule are unchanged during the window time. The histogram ψ_w consists of the set of probabilities P_{w,s}(i) corresponding to C_{w,s}(i) in the s-th segment for the rule R(i)|i=1,2,…,N, that is:

$$
\psi_w = \begin{bmatrix}
P_{w,1}(1) & \cdots & P_{w,s}(1) & \cdots & P_{w,S}(1) \\
\vdots & & \vdots & & \vdots \\
P_{w,1}(i) & \cdots & P_{w,s}(i) & \cdots & P_{w,S}(i) \\
\vdots & & \vdots & & \vdots \\
P_{w,1}(N) & \cdots & P_{w,s}(N) & \cdots & P_{w,S}(N)
\end{bmatrix} \qquad (6)
$$

Likewise, the histogram of packets not matching field F(i,j)|i=1,2,…,N, j=1,2,…,M_i on a window basis, denoted as ξ_w, consists of the set of probabilities q_{w,s}(i,j) corresponding to D_{w,s}(i,j) in the s-th segment, where we assume that both the rule order and the rule-field order in each rule are unchanged during the window time. Therefore, ξ_w can be presented as:

$$
\xi_w = \big[\, \xi_{w,1}(i,j) \ \cdots \ \xi_{w,s}(i,j) \ \cdots \ \xi_{w,S}(i,j) \,\big] \qquad (7)
$$

where the element ξ_{w,s}(i,j), s = 1, 2, …, S, is presented as:

$$
\xi_{w,s}(i,j) = \begin{bmatrix}
q_{w,s}(1,1) & \cdots & q_{w,s}(1,j) & \cdots & q_{w,s}(1,M_1) \\
\vdots & & \vdots & & \vdots \\
q_{w,s}(i,1) & \cdots & q_{w,s}(i,j) & \cdots & q_{w,s}(i,M_i) \\
\vdots & & \vdots & & \vdots \\
q_{w,s}(N,1) & \cdots & q_{w,s}(N,j) & \cdots & q_{w,s}(N,M_N)
\end{bmatrix} \qquad (8)
$$

Both histograms defined in eqs. (6) and (7) are measured under the condition that packet flows are presented in the form of grouped probability distributions (GFD) on a window basis.
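The following is an added worked example of the counters and probabilities of this section; it is not code from the paper. It assumes a rule is a list of (field, value) pairs in test order, with None marking a non-active field, and that a packet is a dict of field values; the default rule N+1 is an implicit Deny. The counters a and b of eqs. (2) and (3) are kept per field, C_{w,s}(i) and D_{w,s}(i,j) are read off at the end of the segment as in Lemma 1, and eqs. (4) and (5) turn them into the conditional probabilities that fill ψ_w (6) and ξ_{w,s}(i,j) (8). The policy and the six packets are constructed sample data.

```python
"""Per-segment counters and probabilities of Section 3 (eqs. 2-5) and the
window histograms of eqs. (6) and (8). Added example, not the paper's code."""
from typing import Dict, List, Optional, Tuple

Rule = List[Tuple[str, Optional[object]]]   # [(field, value or None), ...]
Packet = Dict[str, object]


def filter_segment(policy: List[Rule], segment: List[Packet]):
    """Sequential first-match filtering of the L packets of one segment.
    a[i][j] / b[i][j] are the match / non-match counters of eqs. (2) and (3)
    for field F(i,j); a field is not counted when the packet was already
    rejected by an earlier field of the rule or the field is non-active.
    Returns (C, D, matched, a): C[i] = packets matching rule i (Lemma 1, the
    counter of the rule's last active field; every rule is assumed to have at
    least one active field), D[i][j] = b[i][j], and matched[l] = 0-based
    index of the rule packet l matched, or None for the default Deny."""
    a = [[0] * len(rule) for rule in policy]
    b = [[0] * len(rule) for rule in policy]
    matched: List[Optional[int]] = []
    for pkt in segment:
        hit = None
        for i, rule in enumerate(policy):
            rejected = False
            for j, (field, value) in enumerate(rule):
                if value is None:          # non-active field: counters unchanged
                    continue
                if pkt.get(field) == value:
                    a[i][j] += 1           # eq. (2)
                else:
                    b[i][j] += 1           # eq. (3): rest of the rule is skipped
                    rejected = True
                    break
            if not rejected:
                hit = i                    # packet matched rule i: filtering done
                break
        matched.append(hit)
    C = []
    for i, rule in enumerate(policy):
        last_active = max(j for j, (_, v) in enumerate(rule) if v is not None)
        C.append(a[i][last_active])
    return C, b, matched, a


def matching_probabilities(C: List[int], L: int) -> List[float]:
    """P_{w,s}(i), eq. (4): matches of rule i over the packets that reached
    rule i, i.e. L minus the matches of rules 1..i-1."""
    P, reaching = [], L
    for c in C:
        P.append(c / reaching if reaching else 0.0)
        reaching -= c
    return P


def not_matching_probabilities(D: List[List[int]], L: int) -> List[List[float]]:
    """q_{w,s}(i,j), eq. (5): rejections at F(i,j) over the packets that reached
    that field. Rule 1 is reached by all L packets; rule i > 1 by the packets
    rejected by rule i-1, i.e. the sum over its fields of D(i-1,k)."""
    q, reaching_rule = [], L
    for row in D:
        reaching_field, qi = reaching_rule, []
        for d in row:
            qi.append(d / reaching_field if reaching_field else 0.0)
            reaching_field -= d
        q.append(qi)
        reaching_rule = sum(row)
    return q


def window_histograms(policy: List[Rule], segments: List[List[Packet]]):
    """psi[i][s] = P_{w,s}(i) (row i of psi_w, eq. 6) and xi[i][j][s] =
    q_{w,s}(i,j) (eq. 8) over the S segments of one window, with the rule and
    field orders held fixed for the whole window."""
    psi = [[] for _ in policy]
    xi = [[[] for _ in rule] for rule in policy]
    for seg in segments:
        C, D, _, _ = filter_segment(policy, seg)
        for i, p in enumerate(matching_probabilities(C, len(seg))):
            psi[i].append(p)
        for i, row in enumerate(not_matching_probabilities(D, len(seg))):
            for j, v in enumerate(row):
                xi[i][j].append(v)
    return psi, xi


# Constructed sample policy (N = 3 rules, default Deny implicit) and one
# constructed segment of L = 6 packets.
POLICY: List[Rule] = [
    [("proto", "tcp"), ("dst_port", 80), ("src_ip", None)],
    [("proto", "udp"), ("dst_port", 53), ("src_ip", None)],
    [("proto", "tcp"), ("dst_port", 443), ("src_ip", "10.0.0.5")],
]
SEGMENT: List[Packet] = [
    {"proto": "tcp", "dst_port": 80, "src_ip": "10.0.0.1"},
    {"proto": "udp", "dst_port": 53, "src_ip": "10.0.0.2"},
    {"proto": "tcp", "dst_port": 443, "src_ip": "10.0.0.5"},
    {"proto": "tcp", "dst_port": 443, "src_ip": "10.0.0.9"},
    {"proto": "icmp", "src_ip": "10.0.0.7"},
    {"proto": "tcp", "dst_port": 22, "src_ip": "10.0.0.1"},
]

if __name__ == "__main__":
    C, D, matched, _ = filter_segment(POLICY, SEGMENT)
    print("C =", C, "D =", D, "matched =", matched)
    print("P =", matching_probabilities(C, len(SEGMENT)))
    print("q =", not_matching_probabilities(D, len(SEGMENT)))
    print(window_histograms(POLICY, [SEGMENT, SEGMENT[:3]]))
```

With the six constructed packets, three packets fall through to the default rule, which is exactly the costly case the introduction describes: each of them is tested against every rule before being denied, and the large q values on the first field of rules 2 and 3 are what the field-order optimization of Section 4 exploits.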

4. Optimization of rule and rule-field orders on window basis

In this section, we present a novel mechanism to predict the order of rules and the order of rule-fields based on the statistics of the histogram patterns defined by eqs. (6) and (7).

4.1 Optimization of rule order on window basis

Let Q(w) represent the number of packets waiting for processing in a firewall at the end of the (w-1)-th window. We assume that the packet flow arriving at the firewall is stationary if the number of pending packets converges to a finite value. The processing of packets in the firewall is on a first-come-first-served basis. Then Q(w) can be expressed using the recurrence equation:

$$
Q(w) = \max\{\, 0,\ Q(w-1) + A(w-1) - D(w-1) \,\} \qquad (9)
$$

where Q(w-1) is the cumulative number of packets waiting for processing at the beginning of the (w-1)-th window, A(w-1) is the number of packets arriving during the (w-1)-th window and D(w-1) is the number of packets processed during the (w-1)-th window.

Note that in eq. (9), when Q(w-1) + A(w-1) < D(w-1), the number of packets waiting at the firewall decreases. In this case, the effects of rule order and rule-field order on firewall performance become insignificant. By contrast, when Q(w-1) + A(w-1) ≥ D(w-1), the number of packets waiting in the firewall increases until the buffer is full. Especially when Q(w-1) + A(w-1) ≫ D(w-1), the effects of rule order and rule-field order on the efficiency of the firewall become significant. Therefore, in the following analysis, we focus on the situation Q(w-1) + A(w-1) ≫ D(w-1) and K ≫ Q(w), where K is the firewall buffer capacity. In this case, the probability that segments in the w-th window match rule R(i) can be estimated by applying the histogram obtained from the (w-1)-th window to eq. (9), that is

$$
P_r\big(Q_w(i)\big) = \frac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(i) \qquad (10)
$$

where S is the number of segments in the (w-1)-th window and the term P_r(C_{w-1,s}(i)) can be obtained from eq. (6). Hence, the results obtained from eq. (10) for i = 1, 2, …, N indicate the statistical pattern of packets matching the rule R(i) for the w-th window, denoted as:

$$
\tilde{\psi}_w = \begin{bmatrix}
\frac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(1) \\
\vdots \\
\frac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(i) \\
\vdots \\
\frac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(N)
\end{bmatrix} \qquad (11)
$$

Furthermore, the statistical pattern of packets matching the rule R(i)|i=1,2,…,N, as shown in eq. (11), is estimated using the histogram of the (w-1)-th window. Therefore, the rule order in the w-th window can be optimized as:

$$
\hat{\psi}_w = \begin{bmatrix}
\hat{R}_w(1) \\
\vdots \\
\hat{R}_w(i) \\
\vdots \\
\hat{R}_w(N)
\end{bmatrix}
$$

by organizing the elements in eq. (11) in decreasing order, that is

$$
\hat{R}_w(1) \ge \cdots \ge \hat{R}_w(i) \ge \cdots \ge \hat{R}_w(N) \qquad (12)
$$

Likewise, for a given histogram ξ_{w-1} of packets not matching field F(i,j)|i=1,2,…,N, j=1,2,…,M_i obtained from the (w-1)-th window, we are able to estimate the statistical pattern of packets not matching field F(i,j)|i=1,2,…,N, j=1,2,…,M_i in the w-th window, that is:

$$
\tilde{\xi}_w = \begin{bmatrix}
\frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(1,1) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(1,j) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(1,M_1) \\
\vdots & & \vdots & & \vdots \\
\frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(i,1) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(i,j) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(i,M_i) \\
\vdots & & \vdots & & \vdots \\
\frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(N,1) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(N,j) & \cdots & \frac{1}{S}\sum_{s=1}^{S} \xi_{w-1,s}(N,M_N)
\end{bmatrix} \qquad (13)
$$

Hence, the field order for the w-th window can be optimized by organizing the elements in eq. (13) in decreasing order, that is:

$$
\hat{\xi}_{w,s} = \begin{bmatrix}
\hat{\xi}_{w,s}(1,1) \ge \hat{\xi}_{w,s}(1,2) \ge \cdots \ge \hat{\xi}_{w,s}(1,j) \ge \cdots \ge \hat{\xi}_{w,s}(1,M_1) \\
\vdots \\
\hat{\xi}_{w,s}(i,1) \ge \hat{\xi}_{w,s}(i,2) \ge \cdots \ge \hat{\xi}_{w,s}(i,j) \ge \cdots \ge \hat{\xi}_{w,s}(i,M_i) \\
\vdots \\
\hat{\xi}_{w,s}(N,1) \ge \hat{\xi}_{w,s}(N,2) \ge \cdots \ge \hat{\xi}_{w,s}(N,j) \ge \cdots \ge \hat{\xi}_{w,s}(N,M_N)
\end{bmatrix} \qquad (14)
$$
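The following is an added worked example of the prediction step of eqs. (10) to (14); it is not code from the paper. It assumes the previous window's histograms are given as psi_prev[i][s] = P_{w-1,s}(i) (row i of ψ_{w-1}, eq. 6) and xi_prev[i][j][s] = q_{w-1,s}(i,j) (eq. 8), both constructed sample data here, and that the rules are independent as Section 3 assumes, so that any rule permutation preserves the policy's accept/deny decisions (with dependent rules, Section 2, the relative order of overlapping rules would have to be kept). To show the gain, the conditional probabilities of eq. (4) are first converted into unconditional per-rule matching probabilities, which for independent rules do not change when the rules are permuted, and the expected number of rule tests per packet is compared for the measured and the predicted orders.

```python
"""Next-window rule and field orders from the previous window's histograms,
eqs. (10)-(14). Added example, not the paper's code."""
from typing import List


def predict_rule_pattern(psi_prev: List[List[float]]) -> List[float]:
    """psi~_w(i) = (1/S) * sum_{s=1}^{S} P_{w-1,s}(i), eqs. (10)-(11)."""
    return [sum(row) / len(row) for row in psi_prev]


def optimize_rule_order(psi_prev: List[List[float]]) -> List[int]:
    """psi^_w, eq. (12): 0-based rule indices sorted by decreasing predicted
    matching probability (stable sort, so ties keep their original order)."""
    pattern = predict_rule_pattern(psi_prev)
    return sorted(range(len(pattern)), key=lambda i: -pattern[i])


def predict_field_pattern(xi_prev: List[List[List[float]]]) -> List[List[float]]:
    """xi~_w(i,j) = (1/S) * sum_s xi_{w-1,s}(i,j), eq. (13)."""
    return [[sum(col) / len(col) for col in rule] for rule in xi_prev]


def optimize_field_orders(xi_prev: List[List[List[float]]]) -> List[List[int]]:
    """xi^_w, eq. (14): per rule, 0-based field indices sorted by decreasing
    predicted not-matching probability, so the field most likely to reject a
    packet is tested first (early rejection)."""
    return [sorted(range(len(row)), key=lambda j: -row[j])
            for row in predict_field_pattern(xi_prev)]


def absolute_match_probabilities(conditional: List[float]) -> List[float]:
    """Convert the conditional probabilities of eq. (4), measured in the order
    the rules were tested, into the probability that a packet matches rule i
    at all: P(i) times the probability of not matching any earlier rule.
    For independent rules this value does not depend on the rule order."""
    out, reach = [], 1.0
    for p in conditional:
        out.append(reach * p)
        reach *= 1.0 - p
    return out


def expected_rule_depth(abs_match: List[float], order: List[int]) -> float:
    """Expected number of rules tested per packet under a given order: a packet
    matching the rule at position r costs r tests, a packet that falls through
    to the default rule costs all N."""
    n = len(abs_match)
    depth = sum((r + 1) * abs_match[i] for r, i in enumerate(order))
    return depth + n * (1.0 - sum(abs_match))


# Constructed previous-window histograms: N = 4 rules, S = 4 segments.
PSI_PREV = [
    [0.05, 0.05, 0.10, 0.00],
    [0.40, 0.50, 0.30, 0.40],
    [0.10, 0.10, 0.10, 0.10],
    [0.80, 0.70, 0.90, 0.60],
]
XI_PREV = [
    [[0.5, 0.6, 0.4, 0.5], [0.2, 0.2, 0.2, 0.2]],
    [[0.3, 0.3, 0.3, 0.3], [0.7, 0.6, 0.8, 0.7], [0.1, 0.1, 0.1, 0.1]],
    [[0.9, 0.9, 0.9, 0.9], [0.1, 0.1, 0.1, 0.1]],
    [[0.1, 0.2, 0.1, 0.2], [0.6, 0.5, 0.7, 0.6], [0.3, 0.3, 0.3, 0.3]],
]


def compare_orders():
    """Expected rule depth under the measured order vs the predicted order."""
    abs_match = absolute_match_probabilities(predict_rule_pattern(PSI_PREV))
    original = list(range(len(PSI_PREV)))
    optimized = optimize_rule_order(PSI_PREV)
    return (expected_rule_depth(abs_match, original),
            expected_rule_depth(abs_match, optimized),
            optimized)


if __name__ == "__main__":
    print("rule depth (original, optimized, order):", compare_orders())
    print("field orders per rule:", optimize_field_orders(XI_PREV))
```

On the constructed data the predicted order is [3, 1, 2, 0] and the expected depth per packet drops from about 3.03 to about 2.03 rule tests; the packets headed for the default rule still cost all N tests, which is why the field reordering of eq. (14) matters in addition to the rule reordering.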

4.2 Optimization of segment size

In this paper, we emphasize the advantages of using such statistical histograms. First, both ψ_w(i) and ξ_w(i,j) can be calculated in real time on a segment basis. On the other hand, these histograms can also be shared among multiple segments within the same window to trace the traffic behavior. Second, the accuracy and complexity of the histogram calculation depend on the number of packets contained in the segment. When the segment size is very large, the histograms converge to a complete trace of the statistics of packets matching rule R(i)|i=1,2,…,N and packets not matching field F(i,j)|i=1,2,…,N, j=1,2,…,M_i. However, the corresponding observation time is also large, which may not be suitable for practical implementation. Therefore, it is necessary to properly select the segment size, with a trade-off between accuracy and complexity, to meet the requirements of practical use. Third, the bursty nature of packet flows affects the trade-off between the mean and the corresponding variance. From this point of view, we define the average histogram of packets matching rule R(i) over the w-th window, which consists of S segments. That is:

$$
\bar{\psi}_w = \begin{bmatrix}
\bar{\psi}_{w,s}(1) \\
\vdots \\
\bar{\psi}_{w,s}(i) \\
\vdots \\
\bar{\psi}_{w,s}(N)
\end{bmatrix}, \qquad s = 1, 2, \ldots, S \qquad (15)
$$

where $\bar{\psi}_{w,s}(i) = \frac{1}{S} \sum_{s=1}^{S} P_{w,s}(i)$ and w is the window index. Likewise, the variance histogram of packets matching rule R(i)|i=1,2,…,N is defined as:

$$
\mathrm{Var}\big[\psi_w(i)\big] = \frac{1}{N-1} \sum_{i=1}^{N} \big(\psi_w(i) - \bar{\psi}_w(i)\big)^2 \qquad (16)
$$

where ψ_w is defined in eq. (6). Furthermore, the optimum window size with minimum variance can be obtained from eq. (16) by finding the suitable value of S satisfying the following equation:

$$
\frac{d\,\mathrm{Var}\big[\psi_w(i)\big]}{d\,\psi_w(i)} = \frac{d}{dx} \left\{ \frac{\left[\sum (x - \bar{x})^2\right]}{S} \right\} = 0 \qquad (17)
$$

where $x = \big[\, P_{w,1}(i) \ \cdots \ P_{w,s}(i) \ \cdots \ P_{w,S}(i) \,\big]$, i ∈ {1, 2, …, N}. Clearly, the solution of eq. (17) is:

$$
S_{opt} = \left\lceil \frac{\bar{\psi}_w(i)}{P_{w,s}(i)} \right\rceil, \qquad i \in \{1, 2, \ldots, N\} \qquad (18)
$$

Eq. (18) indicates that finding the optimum size of the observation window amounts to finding a suitable value S that satisfies eq. (11). That is, we need to keep the segment histogram varying within a pre-defined margin of the average value of the histograms over a number of consecutive windows. If the segment histogram falls significantly outside the allowed margin, we need to start a new window run.

5. Performance evaluation

5.1 Evaluation of the effect of dynamic rule and rule-field orders on firewall performance

The performance gain of the proposed optimization scheme is measured through simulation in terms of the reduction in packet matching processing time compared to the use of static rule ordering and dynamic rule ordering schemes. In the simulation, the histograms of packet flows are computed using eqs. (6) and (7).

Multiple simulation runs are carried out independently. In this case, the results obtained from each single simulation run depend on the particular stream of pseudorandom numbers driving the simulation. Hence, the obtained results may typically vary from one run to another. To ensure the accuracy of the simulation results, the confidence intervals are calculated using the independent replication method as follows [23]:

1. The simulation is independently repeated M times, and M groups of data are thus obtained. Each simulation run has a length of 10^8 slots, excluding a warm-up period of 1000 slots, which is set up to ensure that the results are estimated on the basis of a steady simulation process; each simulation run starts with an empty firewall system. Before we decided on 1000 slots as the warm-up period, we compared the results obtained from simulations using different warm-up periods of 100, 500, 1000, 2000 and 5000 slots, respectively. The comparison shows that a warm-up period of 1000 slots is adequate.

2. The confidence margin is calculated such that at least 90% of the estimated values, denoted ρ, from the M simulation runs fall within the margin $(\rho - \delta,\ \rho + \delta)$.

3. This paper is mainly devoted to the statistics of packet filtering under high traffic load, i.e. at relatively high cumulative processing times, where the confidence margin is not difficult to reach. When the traffic load is low, the simulations require an excessive amount of computing resources, and that condition is not addressed in this paper.

The security policy used in the simulation consists of 500 TCP, UDP and ICMP rules. TCP rules have six types of fields: Protocol, Source-IP, Destination-IP, Source-Port, Destination-Port and TCP flags. ICMP rules have five: Protocol, Source-IP, Destination-IP, Type and Code. UDP rules also have five: Protocol, Source-IP, Destination-IP, Source-Port and Destination-Port. The active fields of each individual rule are a randomly ordered combination of the field types available for its protocol, and the number of active fields is itself selected randomly and independently for each rule.

Figure 1. Burst-silence packet flow source model.

TABLE I. PARAMETERS USED TO GENERATE INDEPENDENT TCP, UDP AND ICMP PACKET FLOWS

         T_on (burst)   T_s (silence)
TCP      10 ms          2 ms
UDP      0.8 ms         0.5 ms
ICMP     0.07 ms        0.045 ms

Hence, in our simulation experiments, the parameters shown in Table I are used independently to generate the TCP, UDP and ICMP packet flows. These three packet flows are multiplexed into a stream of 200 equal-size windows with 10 segments per window, each segment consisting of 1000 packets. We note that packet filtering occurs in bursts, especially under heavy traffic loading with burst arrivals; this is important for understanding the histograms of packet filtering and their statistical dependency when the cumulative processing time is evaluated.

Figure 2 shows the characteristics of packet flows including TCP, UDP and ICMP, which are generated by

three independent discrete-time burst-silence sources with different parameters.

Figure 2. Characteristics of packet flows using burst-silence sources.

Figure 3 shows the accumulated packet processing time for static rule order, dynamic rule order and optimized dynamic rule and rule-field orders. The average gain in cumulative processing time obtained with the dynamic rule and rule-field ordering scheme is about 61% compared to the static rule ordering scheme, and about 56% compared to the dynamic rule ordering scheme.

Figure 4 shows the percentage of packet processing time saved by the dynamic rule order mechanism and by the dynamic rule and rule-field order mechanism relative to the static rule order mechanism. On average, 11% and 67% of the packet processing time is saved, respectively.

Figure 3. Accumulated packet processing time for different mechanisms.

Figure 4. The percentages of matching processing time gain.

5.2 Evaluation of the effect of dynamic rule and rule-field order in defending against DoS attacks

In this section, we investigate the effect of implementing static rule ordering, dynamic rule ordering and

dynamic rule and rule-field ordering approaches on the firewall performance in defending against common DoS

attacks.

5.2.1 DoS attack classification

DoS attacks are commonly divided in the following categories: flood attacks, amplification attacks, protocol

exploit attacks and malformed packet attacks [19].

In a flood attack, the zombies send large volumes of IP traffic to a victim system in order to congest the

victim system’s bandwidth. Some of the well-known flood attacks are UDP flood attacks, ICMP flood attacks

and Port scanning.

In amplification attacks, the attacker exploits the broadcast IP address feature found on most routers to amplify and reflect the attack: messages are sent to a broadcast IP address, which instructs the routers servicing the packets within the network to deliver them to all the IP addresses within the broadcast address range. The malicious traffic produced in this way consumes the victim system's bandwidth. Well-known amplification attacks are the Smurf and Fraggle attacks.

Protocol exploit attacks abuse a specific feature or implementation bug of a protocol installed at the victim in order to consume excessive amounts of its resources. A representative example is the TCP SYN flood attack; other examples are PUSH+ACK attacks, CGI request attacks and authentication server attacks.

Malformed packet attacks rely on incorrectly formed IP packets that are sent from agents to the victim in

order to crash the victim system. A representative example of malformed packet attack is the Land attack.

DoS attacks are usually generated with either flooding non-matching traffic or flooding matching traffic. Non-matching DoS traffic consists of packets that match no filtering rule and are consequently handled by the default security policy; matching DoS traffic consists of packets that match filtering rules.

5.2.2 Firewall performance

A packet generator is used to generate DoS attacks. The firewall uses the same set of filtering rules, described in

Section 4.

Two experiments have been performed, using non-matching and matching DoS attack traffic, respectively. In the first experiment, most packets received by the firewall match no filtering rule and are finally rejected by the default security policy; UDP flood, ICMP echo flood and port scanning are examples of such attacks.

To investigate the effect of the proposed optimization approaches, we generated a special packet flow in which only 10% of the packets match a filtering rule and the other 90% match none. Figure 5 shows the cumulative packet filtering processing time for the static rule order approach, the dynamic rule order only approach and the dynamic rule and rule-field order approach. The cumulative processing times of the static rule order approach and the dynamic rule order only approach are very close to each other: the improvement provided by dynamic rule order alone is very limited, because a non-matching packet has to be compared against every rule whatever the rule order. By contrast, the gain provided by the dynamic rule and rule-field order approach is significant. When the firewall is heavily loaded with non-matching malicious packets, the filtering process may have to check most of the fields of each rule before reaching a decision; with dynamic rule and rule-field ordering, the position of the fields within each rule is optimized so that the field most likely to reject a packet is checked first, which makes the matching process much faster, especially for malicious packets, than under static rule ordering or dynamic rule ordering only.

Figure 5. Cumulative processing time for DoS attack with high non-matching traffic.

In the second DoS attack experiment, the firewall is flooded with matching packets, as in a SYN flood attack: TCP SYN packets are accepted by the firewall so that external hosts can establish TCP connections on particular ports with internal servers. If external hosts are allowed to access an internal web server, then for the HTTP port (80) the security policy must include a filtering rule that accepts SYN packets to that web server, and flooding the network with SYN packets carrying spoofed source IP addresses may degrade the firewall performance and create congestion. Special packet flows with 90% of the packets matching the filtering rules and 10% matching no filtering rule are used in this experiment.

Figure 6 shows the cumulative processing time for static rule ordering approach, dynamic rule ordering only

approach and dynamic rule and rule-field ordering, respectively. It can be seen that the dynamic rule and rule-

field ordering approach is able to improve the processing time significantly compared to the other two

approaches.

In conclusion, this investigation shows that once dynamic rule and rule-field ordering is implemented, the effect of many common DoS attacks on the firewall performance can be reduced significantly. In contrast, firewalls that use static rule ordering or dynamic rule ordering only are more vulnerable to common DoS attacks, especially when the malicious traffic consists mostly of non-matching packets.

Figure 6. Cumulative processing time for DoS attack with high matching traffic.
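A compact model of the three schemes compared in Sections 5.1 and 5.2, added here as an illustration and not the authors' simulator: it counts field comparisons instead of processing time, uses a small constructed policy and constructed traffic (not the 500-rule policy or the burst-silence sources of Table I), gathers the matching and not-matching histograms per window, and assumes the rules are pairwise disjoint so that reordering them cannot change a decision. The two traffic mixes mirror the DoS experiments: 10% matching packets (non-matching flood) and 90% matching packets (matching flood).

```python
import random
from collections import defaultdict

FIELDS = ("proto", "src", "dst", "sport", "dport")      # static field order of a rule
SERVERS = [f"10.0.0.{h}" for h in range(1, 6)]         # constructed protected hosts


def make_rules(n_rules):
    """Constructed accept rules: proto + dst + dport, src/sport are wildcards (None).
    Every rule has a distinct dport, so the rules are pairwise disjoint and any rule
    order gives the same decision (a real policy needs a dependency check first)."""
    return [{"proto": "tcp" if r % 3 else "udp", "src": None,
             "dst": SERVERS[r % len(SERVERS)], "sport": None, "dport": 1000 + r}
            for r in range(n_rules)]


def make_traffic(rules, n_pkts, match_ratio, rng):
    """Constructed stream: a share `match_ratio` of the packets hits a rule (later rules
    are busier, so the static order is the worst one); the rest never match any rule
    and fall through to the default policy, like the non-matching DoS traffic above."""
    weights = [r + 1 for r in range(len(rules))]
    pkts = []
    for _ in range(n_pkts):
        src, sport = f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536)
        if rng.random() < match_ratio:
            rule = rules[rng.choices(range(len(rules)), weights)[0]]
            pkts.append({"proto": rule["proto"], "src": src, "dst": rule["dst"],
                         "sport": sport, "dport": rule["dport"]})
        else:  # dst outside SERVERS: rejected by every rule
            pkts.append({"proto": rng.choice(("tcp", "udp")), "src": src,
                         "dst": f"10.0.0.{rng.randrange(6, 255)}", "sport": sport,
                         "dport": rng.randrange(1, 65536)})
    return pkts


def match_cost(rule, field_order, pkt):
    """Compare the rule's active fields in `field_order`, stopping at the first
    mismatch (early rejection). Returns (matched, number of field comparisons)."""
    comps = 0
    for f in field_order:
        if rule[f] is None:
            continue
        comps += 1
        if rule[f] != pkt[f]:
            return False, comps
    return True, comps


def filter_packet(rules, rule_order, field_orders, pkt):
    """First-match filtering; no rule matched -> default policy (deny)."""
    total = 0
    for r in rule_order:
        ok, c = match_cost(rules[r], field_orders[r], pkt)
        total += c
        if ok:
            return "accept", total
    return "deny", total


def simulate(rules, packets, window, strategy):
    """Process the stream under 'static', 'rule' (dynamic rule order) or 'rule_field'
    (dynamic rule and rule-field order). At each window boundary the previous
    window's histograms decide the orders used in the next window.
    Returns (total field comparisons, packets accepted)."""
    n = len(rules)
    rule_order, field_orders = list(range(n)), {r: FIELDS for r in range(n)}
    match_hist = [0] * n                                # packets matching rule i
    miss_hist = [defaultdict(int) for _ in range(n)]    # packets not matching field f of rule i
    total = accepted = 0
    for k, pkt in enumerate(packets):
        if k and k % window == 0 and strategy != "static":
            rule_order = sorted(range(n), key=lambda r: -match_hist[r])   # early acceptance
            if strategy == "rule_field":                                   # early rejection
                field_orders = {r: tuple(sorted(FIELDS, key=lambda f: -miss_hist[r][f]))
                                for r in range(n)}
            match_hist, miss_hist = [0] * n, [defaultdict(int) for _ in range(n)]
        action, c = filter_packet(rules, rule_order, field_orders, pkt)
        total, accepted = total + c, accepted + (action == "accept")
        # statistics pass: every rule/field is examined here (a real firewall would sample)
        for r, rule in enumerate(rules):
            misses = [f for f in FIELDS if rule[f] is not None and rule[f] != pkt[f]]
            for f in misses:
                miss_hist[r][f] += 1
            if not misses:
                match_hist[r] += 1
    return total, accepted


def compare(match_ratio, n_rules=20, n_pkts=8000, window=500, seed=7):
    """Cost of the three schemes on one constructed stream: compare(0.1) for a
    non-matching flood, compare(0.9) for a matching (SYN-flood-like) flood."""
    rng = random.Random(seed)
    rules = make_rules(n_rules)
    pkts = make_traffic(rules, n_pkts, match_ratio, rng)
    return {s: simulate(rules, pkts, window, s) for s in ("static", "rule", "rule_field")}


def gain_percent(base_cost, new_cost):
    """Relative saving of `new_cost` over `base_cost`, as in Figure 4."""
    return 100.0 * (base_cost - new_cost) / base_cost
```

`compare(0.1)` and `compare(0.9)` reproduce the qualitative picture of Figures 5 and 6: with a non-matching flood, dynamic rule ordering alone gains almost nothing because every rule is still visited for every rejected packet, while ordering the fields of each rule by their not-matching histogram cuts the comparisons spent per rule; with a matching flood, ordering rules by the matching histogram adds its own gain. The statistics pass that examines every field of every rule is a simulation shortcut, and real policies with overlapping rules need a dependency check before any rule is moved.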

6. Conclusion

The histogram is an effective stochastic description of the characteristics of packet filtering in a firewall. Furthermore, the segment-based algorithm for calculating histograms presented in this paper is efficient and deployable in practice for monitoring traffic flows and optimizing firewall performance in real time. These histograms can be shared over multiple segments to estimate the optimum rule and rule-field orders for early packet acceptance and rejection, especially when the firewall is heavily loaded with bursty traffic flows. The simulation results demonstrated that the proposed mechanism significantly improves firewall performance, in terms of packet filtering processing time, compared to the related conventional mechanisms. The numerical results also demonstrated that the proposed approach significantly reduces the effect of common DoS attacks on firewall performance.

Acknowledgment

The authors acknowledge the support of the Emirates Foundation through Research Grants 21T010 and 2011/161.

References

[1] H. Hamed, A. El-Atawy, and E. Al-Shaer. On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, October 2006.

[2] H. Hamed, A. El-Atawy, and E. Al-Shaer. Adaptive statistical optimization techniques for firewall packet filtering. In IEEE INFOCOM'06, April 2006.

[3] K. Lan and J. Heidemann. On the correlation of Internet flow characteristics. Technical Report ISI-TR-574, USC/ISI, 2003.

[4] A. El-Atawy, T. Samak, E. Al-Shaer and H. Li. Using online traffic statistical matching for optimizing packet filtering performance. In IEEE INFOCOM'07, pages 866-874, 2007.

[5] P. Gupta and N. McKeown. Algorithms for packet classification. IEEE Network, 15(2):24-32, 2001.

[6] F. Baboescu and G. Varghese. Scalable packet classification. In ACM SIGCOMM'01, 2001.

[7] A. J. McAuley and P. Francis. Fast routing table lookup using CAMs. In IEEE INFOCOM'93, March 1993.

[8] V. Srinivasan, S. Suri, and G. Varghese. Packet classification using tuple space search. In ACM SIGCOMM Computer Communication Review, pages 135-146, October 1999.

[9] A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In IEEE INFOCOM'00, March 2000.

[10] P. Gupta and N. McKeown. Packet classification using hierarchical intelligent cuttings. In Hot Interconnects VII, August 1999.

[11] E. Cohen and C. Lund. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pages 73-84, New York, NY, USA, 2005. ACM Press.

[12] T. Y. C. Woo. A modular approach to packet classification: algorithms and results. In IEEE INFOCOM'00, pages 1213-1222, March 2000.

[13] P. Gupta, B. Prabhakar, and S. Boyd. Near optimal routing lookups with bounded worst case performance. In IEEE INFOCOM'00, 2000.

[14] L. Kencl and C. Schwarzer. Traffic-adaptive packet filtering of denial of service attacks. In WoWMoM'06: The 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks, pages 485-489, Washington, DC, USA, 2006.

[15] S. Acharya, M. Abliz, B. Mills and T. F. Znati. OPTWALL: a hierarchical traffic-aware firewall. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS), San Diego, USA, February 2007.

[16] H. Hamed and E. Al-Shaer. Dynamic rule-ordering optimization for high-speed firewall filtering. In ASIACCS'06, March 21-24, 2006, Taipei, Taiwan.

[17] N. Neji and A. Bouhoula. Dynamic scheme for packet classification using splay trees. Information Assurance and Security, pp. 1-9, 2009.

[18] E. Al-Shaer, A. El-Atawy and T. Tran. Adaptive early packet filtering for defending firewalls against DoS attacks. In Proceedings of IEEE INFOCOM, pp. 1-9, 2009.

[19] C. Douligeris and A. Mitrokotsa. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 44, no. 5, 5 April 2004.

[20] G. Misherghi, L. Yuan, Z. Su, C.-N. Chuah, and H. Chen. A general framework for benchmarking firewall optimization techniques. IEEE Transactions on Network and Service Management (TNSM), vol. 5, no. 4, pp. 227-238, December 2008.

[21] G. Maiolini, A. Nicotra, P. Tornari and A. Baiocchi. Automated framework for policy optimization in firewalls and security gateways. Journal of Information Assurance and Security (ISSN 1554-1010), vol. 4, no. 4, pp. 301-310, 2009.

[22] W. Wang, H. Chen, J. Chen and B. Liu. Firewall rule ordering based on statistical model. In International Conference on Computer Engineering and Technology (ICCET 2009), Singapore, 22-24 January 2009.

[23] T. Gan, K. Ma and L. Zhang. Dual-plan bandwidth smoothing for layered-encoded video. IEEE Transactions on Multimedia, vol. 7, no. 2, pp. 379-392, 2005.

