TIFS
2016

Condition Factorization: A Technique for Building Fast and Compact Packet Matching Automata

Rule-based matching on network packet headers is a central problem in firewalls, and network intrusion, monitoring and access-control systems. To enhance performance, rules are typically compiled into a matching automaton that can quickly identify the subset of rules that are applicable to a given network packet. While deterministic automata provide the best performance, previous research has shown that such automata can be exponential in the size and/or number of rules. Nondeterministic automata can avoid size explosion, but their matching time can increase quickly with the number of rules. In contrast, we present a new technique that constructs polynomial size automata. Moreover, we show that the matching time of our automata is insensitive to the number of rules. The key idea in our approach is that of decomposing and reordering the tests on packet header fields so that the result of performing a test can be utilized on behalf of many rules. Our experiments demonstrate major re...
Alok Tongaonkar, R. Sekar
Added 11 Apr 2016
Updated 11 Apr 2016
Type: Journal
Year: 2016
Where: TIFS
Authors: Alok Tongaonkar, R. Sekar