Enhancing CII firewall performance through hash based rule lookup

It is important to develop defense mechanisms to bolster the cyber-physical security of critical infocomm infrastructure (CII) systems. A basic method of defense for CII systems is a firewall. Because SCADA/ICS systems may be negatively impacted by the latencies and delays that firewalls introduce, and those delays translate into real-world impacts, any firewall implemented in the network should attempt to minimize the latency it introduces. The latency in typical firewalls stems from packet classification, i.e., matching network traffic to firewall rules. It is this lookup time that we aim to improve through the development of a hash-based packet classification algorithm.
