Firewall performance optimization using data mining techniques

This paper presents a novel approach to improving firewall performance using data mining techniques. A traditional packet filtering firewall compares each packet against the filtering rules, stored as an ordered rule list, until the first match is found. The time required to process a packet therefore grows linearly with the number of filtering rules. For a firewall containing hundreds of rules this time can be prohibitively large, and on a high-bandwidth link the firewall can become the network bottleneck. To enhance firewall performance, we propose a data mining solution: instead of comparing the packet against each filtering rule in turn, the firewall predicts which rule is most likely to match the packet and checks that rule first. This significantly reduces the processing time the firewall spends filtering each packet and thus improves its performance. The cumulative processing time of a standard firewall and of the enhanced firewall with data mining was compared over millions of packets. The enhanced firewall took 40% less time than the standard firewall to process the packets.
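As an added example (not code from the paper), the following Python sketch contrasts the linear first-match scan with a predicted-rule fast path. The abstract does not describe the paper's classifier, so a frequency table keyed on (protocol, destination port) and learned from a traffic sample stands in for it; the rule set, addresses and traffic mix are constructed. The point a practitioner should take from it is that, in a first-match rule list, a predicted rule may only be applied when no earlier overlapping rule also matches the packet; otherwise the optimisation silently changes filtering decisions. The example precomputes those "shadowing" rules per rule so the check costs a few comparisons rather than a full scan, and falls back to the ordinary scan on a misprediction.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address as A, IPv4Network as N

Packet = tuple  # constructed (proto, src: IPv4Address, dst: IPv4Address, dport) tuples


@dataclass(frozen=True)
class Rule:
    proto: str | None       # "tcp", "udp", ... or None for any protocol
    src: N
    dst: N
    dport: tuple[int, int]  # inclusive destination-port range
    action: str             # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        proto, src, dst, dport = pkt
        return ((self.proto is None or self.proto == proto)
                and src in self.src and dst in self.dst
                and self.dport[0] <= dport <= self.dport[1])

    def overlaps(self, other: Rule) -> bool:
        """Sound test: returns False only if no packet can match both rules."""
        return ((self.proto is None or other.proto is None or self.proto == other.proto)
                and self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and self.dport[0] <= other.dport[1] and other.dport[0] <= self.dport[1])


class StandardFirewall:
    """Baseline: compare against each rule in order until the first match."""
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.comparisons = 0  # rule comparisons performed; the cost we measure

    def filter(self, pkt: Packet) -> str:
        for rule in self.rules:
            self.comparisons += 1
            if rule.matches(pkt):
                return rule.action
        raise ValueError("rule list has no default rule")


class PredictiveFirewall(StandardFirewall):
    """Check the rule predicted from past traffic first, then only the earlier
    rules that overlap it (the ones that could shadow it under first-match)."""
    def __init__(self, rules: list[Rule]):
        super().__init__(rules)
        self.shadowers = [[j for j in range(i) if rules[j].overlaps(rules[i])]
                          for i in range(len(rules))]
        self.predicted: dict[tuple[str, int], int] = {}

    @staticmethod
    def key(pkt: Packet) -> tuple[str, int]:
        return (pkt[0], pkt[3])  # feature used for prediction: (protocol, dport)

    def train(self, history: list[Packet]) -> None:
        """Mine a traffic sample: per key, remember the rule index matched most often.
        This frequency table is a stand-in for the paper's (undescribed) classifier."""
        counts: dict[tuple[str, int], Counter] = defaultdict(Counter)
        for pkt in history:
            first = next(i for i, r in enumerate(self.rules) if r.matches(pkt))
            counts[self.key(pkt)][first] += 1
        self.predicted = {k: c.most_common(1)[0][0] for k, c in counts.items()}

    def filter(self, pkt: Packet) -> str:
        i = self.predicted.get(self.key(pkt))
        if i is not None:
            self.comparisons += 1
            if self.rules[i].matches(pkt):
                self.comparisons += len(self.shadowers[i])
                if not any(self.rules[j].matches(pkt) for j in self.shadowers[i]):
                    return self.rules[i].action
        return super().filter(pkt)  # misprediction or shadowed: full scan


# Constructed rule set; addresses are from RFC 1918 / RFC 5737 documentation space.
RULES = [
    Rule("tcp", N("0.0.0.0/0"), N("192.168.1.10/32"), (22, 22), "drop"),     # 0: no SSH to .10
    Rule("tcp", N("10.0.0.0/8"), N("192.168.1.0/24"), (22, 22), "accept"),   # 1: SSH from corp
    Rule("tcp", N("0.0.0.0/0"), N("192.168.1.0/24"), (80, 80), "accept"),    # 2: HTTP
    Rule("tcp", N("0.0.0.0/0"), N("192.168.1.0/24"), (443, 443), "accept"),  # 3: HTTPS
    Rule("udp", N("0.0.0.0/0"), N("192.168.1.53/32"), (53, 53), "accept"),   # 4: DNS
    Rule(None, N("0.0.0.0/0"), N("0.0.0.0/0"), (0, 65535), "drop"),          # 5: default deny
]


def sample_traffic() -> list[Packet]:
    """Constructed mix: mostly HTTPS, some DNS, some SSH from the corp range."""
    pkts = [("tcp", A(f"203.0.113.{n % 200 + 1}"), A("192.168.1.20"), 443) for n in range(900)]
    pkts += [("udp", A("10.2.3.4"), A("192.168.1.53"), 53)] * 60
    pkts += [("tcp", A("10.1.2.3"), A("192.168.1.20"), 22)] * 40
    return pkts


def compare(rules: list[Rule] = RULES, traffic: list[Packet] | None = None) -> tuple[int, int]:
    """Run both firewalls over the same traffic, require identical decisions,
    and return (standard comparisons, predictive comparisons)."""
    traffic = traffic if traffic is not None else sample_traffic()
    standard, predictive = StandardFirewall(rules), PredictiveFirewall(rules)
    predictive.train(traffic[::5])  # every fifth packet serves as mined history
    for pkt in traffic:
        assert standard.filter(pkt) == predictive.filter(pkt)
    return standard.comparisons, predictive.comparisons
```

On this constructed mix `compare()` returns (3980, 1040): the HTTPS and DNS rules have no overlapping predecessors, so a correct prediction costs one comparison, while the corp-SSH rule must still be checked against rule 0, which it overlaps. A packet to 192.168.1.10 on port 22 is predicted as rule 1 but caught by the shadow check and dropped by rule 0, exactly as the standard scan would; skipping that check is how a naive "predict and apply" implementation turns a performance optimisation into a policy bypass.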