Cross-Product Packet Classification in GNIFS based on Non-overlapping Areas and Equivalence Class

Packet filtering and forwarding are core issues in a gigabit network intrusion forensics system (GNIFS), which requires the network forensics machine to classify IP packets and then process them according to the classification results. In existing cross-product methods, the classification in each dimension is based on the difference display of IP packet addresses: the addresses are divided into several classes, and the cross-product of these classes is then taken. With this approach, no matter how many dimensions are involved, the classes overlap in the address space and cannot be looked up using fast one-dimensional search algorithms. This paper presents an improved cross-product method. The address space is divided into a set of non-overlapping areas, which enables the use of a fast one-dimensional lookup algorithm and decreases the search time. To compress the cross-product table, this paper uses an equivalence class to combine repeated rows or columns. Run-length encoding (RLE) and a Bit Array compression algorithm are applied for further compression. To evaluate the performance of the proposed method, we used the Internet routing table of real autonomous systems to simulate a classifier. By using classifiers of different sizes, we proved the validity of this method.
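The idea described in the abstract can be sketched in two dimensions; this is an added example, not the paper's implementation. It assumes a constructed 0-99 integer address space, constructed first-match rules and hypothetical function names, and it leaves out the RLE and Bit Array stages.

```python
from bisect import bisect_right

# Constructed rules: (src_lo, src_hi, dst_lo, dst_hi, action); first match wins.
RULES = [
    (10, 19, 0, 99, "capture"),
    (15, 29, 50, 59, "drop"),
    (0, 99, 50, 99, "forward"),
]
DEFAULT = "ignore"

def split_points(ranges, space_end):
    """Boundaries of non-overlapping areas; area i is [b[i], b[i+1])."""
    pts = {0, space_end + 1}
    for lo, hi in ranges:
        pts.update((lo, hi + 1))
    return sorted(pts)

def area_index(bounds, value):
    """One-dimensional binary search for the area that contains value."""
    return bisect_right(bounds, value) - 1

def first_match(src, dst):
    """Reference linear classifier, used to fill the table and to verify it."""
    for s_lo, s_hi, d_lo, d_hi, action in RULES:
        if s_lo <= src <= s_hi and d_lo <= dst <= d_hi:
            return action
    return DEFAULT

def merge_equal(rows):
    """Equivalence classes: identical rows are stored once and share an index."""
    class_of, unique = [], {}
    for row in rows:
        class_of.append(unique.setdefault(tuple(row), len(unique)))
    return class_of, [list(r) for r in unique]  # dict keeps insertion order

def build(space_end=99):
    sb = split_points([(r[0], r[1]) for r in RULES], space_end)
    db = split_points([(r[2], r[3]) for r in RULES], space_end)
    # No rule boundary falls inside an area, so its lower bound represents it.
    table = [[first_match(s, d) for d in db[:-1]] for s in sb[:-1]]
    row_cls, rows = merge_equal(table)              # merge repeated rows
    col_cls, cols = merge_equal(list(zip(*rows)))   # then repeated columns
    compact = [list(r) for r in zip(*cols)]         # transpose back to rows
    return sb, db, row_cls, col_cls, compact

def classify(tbl, src, dst):
    """Two binary searches, two class lookups, one table read."""
    sb, db, row_cls, col_cls, compact = tbl
    return compact[row_cls[area_index(sb, src)]][col_cls[area_index(db, dst)]]
```

Here the five source areas collapse into three row classes because the areas [10, 15) and [15, 20) are both fully covered by the first rule, and [0, 10) and [30, 100) classify identically.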