Packet Flow Histograms to Improve Firewall Efficiency

Zouheir Trabelsi, Liren Zhang and Safaa Zeidan
Faculty of Information Technology, UAE University, Al Ain, UAE

Abstract— This paper presents a novel mechanism based on packet filtering histograms, which can effectively monitor firewall performance in real time and predict the patterns of packet filtering in terms of rule order and rule-field order. The mechanism becomes even more significant when the firewall is heavily loaded with burst traffic. A comparison of the proposed approach with the conventional approaches, including the static rule order approach and the dynamic rule order approach, is presented.

Keywords: firewall early rejection, packet flow matching histogram, optimization of rule ordering, optimization of rule-field ordering.

I. INTRODUCTION

Firewall packet filtering is performed in sequential order, starting from the first rule until a matching rule is found. If no matching rule is found, the packet is processed by the default rule. Likewise, the processing of a packet against each individual rule is also done in sequential order, starting from the first field until a non-matching field is found. Thus, the computational complexity of the filtering process depends on the length of each rule as well as on the depth at which a matching rule is found in the list. Hence, the order of rules, the order of rule-fields, and the characteristics of the packet flows have a significant impact on packet filtering time. In addition, unwanted traffic targeting the default rule may cause more harm than other traffic, because it imposes an overhead on the system that is proportional to the number of rules in the security policy. Such unwanted traffic may cause a denial of service (DoS) attack and considerably degrade the firewall's performance. From this point of view, it is very important to reject such traffic as early as possible.
The earliest research works focus on improving search time using various mechanisms, including hardware-based solutions [6, 7], specialized data structures [8, 9, 5, 10, 11, 12], and heuristics [5]. The research works in [1, 2, 4, 13, 14] focus on statistical filtering schemes to improve the average packet filtering time. A search structure that takes packet flow dynamics into account is introduced in [14] and [15]. Optimization of firewall filtering policies by utilizing the characteristics of packet flows over the Internet is presented in [16]. The Segments-Based Tree Search (STS) scheme [4] uses bounded-depth Huffman trees to enhance the search based on statistics collected from segments. However, this scheme may need large overheads to maintain the tree periodically. To reduce these overheads, Segments-based List Search (SLS) [4] keeps the segments in a most-recently-used (MRU) order instead of using trees. The SLS scheme can only be used when packet flows are in a steady state. However, in real network environments, attacks such as denial of service (DoS) attacks usually produce huge bursts of traffic. From this point of view, SLS is not capable of providing better performance than STS. The idea of early rejection was introduced in [2, 17, 18]. In [2], a new approach named FVSC is proposed to optimize the rejection path; this technique uses a set cover approximation algorithm to construct early rejection rules from the common field values of the original security policy. The PBER technique in [18] can be considered a generalization of FVSC [2], in the sense that FVSC [2] focuses only on the rejection path while PBER [18] finds shortcuts for both accepted and rejected packets. In [17], a binary search on prefix length algorithm is applied to every policy filtering field, along with splaying of the search tree nodes to handle early accepted packets.
In this paper, we propose an approach to optimize the early acceptance path as well as the early rejection path. The approach uses histograms of both packets matching rules and packets not matching rule-fields. An algorithm that calculates the histograms in terms of packet matching and non-matching probabilities on a real-time, per-segment basis is presented. The proposed approach uses the obtained histograms to predict the next optimized rule order and rule-field order.

II. HISTOGRAM OF RULE MATCHING PROBABILITY AND FIELD NOT MATCHING PROBABILITY

Consider a firewall whose packet matching test is based on a security policy with $N$ rules, excluding the default rule. Each rule consists of at most $M$ fields, excluding the action field. An $N \times M$ matrix $F(i, j)$ represents the security policy, in which non-active fields have a zero value and are not used for packet filtering. The packet flow entering the firewall is divided into a sequence of $W$ equal-size windows, each of which consists of $S$ equal-size segments with $L$ packets per segment. Let $a^{w,s}_{i,j}(l)$ and $b^{w,s}_{i,j}(l)$ represent the status of the $l$th packet matching and not matching, respectively, an active field $F(i, j)$ in rule $R(i)$,
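To make the per-segment model concrete, the following added example (not code from the paper) filters one constructed segment of L packets sequentially through a small constructed policy F(i, j), counts how many packets each rule R(i) accepts and which field first rejects a packet in each rule, and then derives the rule order and per-rule field order predicted for the next segment from those histograms. The field names, the disjoint three-rule policy and the packet values are assumptions; the paper's a and b indicators are aggregated here as counters a[i] and b[i][j].

```python
import ipaddress
from collections import Counter

# Constructed policy F(i, j): one dict per rule R(i), None = inactive field; FIELDS is
# the M fields in current filtering order. Rules are disjoint, so reordering is safe.
FIELDS = ("proto", "src", "dst", "dport")
POLICY = [
    {"proto": "tcp", "src": "10.0.0.0/8", "dst": "192.168.1.10", "dport": 22},
    {"proto": "tcp", "src": None,         "dst": "192.168.1.20", "dport": 80},
    {"proto": "udp", "src": None,         "dst": "192.168.1.30", "dport": 53},
]

def pkt(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

# Constructed segment of L = 10 packets (one segment of one window).
SEGMENT = ([pkt("tcp", "10.1.1.1", "192.168.1.10", 22)]
           + [pkt("tcp", "172.16.0.5", "192.168.1.20", 80)] * 5
           + [pkt("udp", "10.2.2.2", "192.168.1.30", 53)] * 2
           + [pkt("tcp", "10.3.3.3", "192.168.1.10", 23)] * 2)   # hit the default rule

def field_matches(name, wanted, packet):
    """Test one packet header value against one active rule field."""
    if name in ("src", "dst"):
        return ipaddress.ip_address(packet[name]) in ipaddress.ip_network(wanted)
    return packet[name] == wanted

def segment_histograms(policy, field_orders, segment):
    """Sequential filtering of one segment: a[i] counts packets accepted by R(i),
    b[i][j] counts packets whose first non-matching field in R(i) was field j."""
    a, b = Counter(), {i: Counter() for i in range(len(policy))}
    for packet in segment:
        for i, rule in enumerate(policy):
            rejected = next((f for f in field_orders[i]
                             if not field_matches(f, rule[f], packet)), None)
            if rejected is None:        # every active field matched: R(i) handles it
                a[i] += 1
                break
            b[i][rejected] += 1         # fall through to R(i+1), or the default rule
    return a, b, len(segment)

def predict_orders(policy, segment):
    """Use the histograms of one segment to predict the next rule order (descending
    matching probability a[i]/L) and per-rule field order (descending not-matching
    probability b[i][j]/L). Stable sorts keep the current order on ties."""
    current = [tuple(f for f in FIELDS if r[f] is not None) for r in policy]
    a, b, L = segment_histograms(policy, current, segment)
    rule_order = sorted(range(len(policy)), key=lambda i: -a[i] / L)
    field_order = [sorted(current[i], key=lambda f: -b[i][f] / L) for i in range(len(policy))]
    return rule_order, field_order
```

On this segment the busiest rule R(2) moves to the front and, within R(1), the src field that rejected half the packets is tested first; with overlapping rules a real deployment must additionally keep dependent rules in their relative order.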