Hybrid mechanism towards network packet early acceptance and rejection for unified threat management

• Published in: IET information security Vol. 11; no. 2; pp. 104 - 113
• Main Authors: Trabelsi, Zouheir, Zeidan, Safaa, Masud, Mohammad M
• Format: Journal Article
• Language: English
• Published: The Institution of Engineering and Technology 01.03.2017
• Subjects: Acceptance; blended attacks; Computer information security; computer network performance evaluation; deep packet inspection performance enhancement; digital signatures; DPI signature rules; Filtering; firewall; firewalls; hybrid mechanism; IDS; independent packet manipulation systems; IPS; multiple separate security appliances; network architectures; network packet early acceptance; network packet early rejection; network traffic statistics; Networks; packet filtering enhancement; Packets (communication); pattern matching; pattern‐matching algorithms; Rejection; Research Article; Security; security features; splay tree filters; statistical analysis; telecommunication traffic; Trees; unified threat management system; UTM redundant packet classification problem; UTM system; deep packet inspection performance enhancement; pattern matching; packet filtering enhancement; security features; independent packet manipulation systems; firewalls; IPS; splay tree filters; IDS; multiple separate security appliances; hybrid mechanism; pattern-matching algorithms; network packet early rejection; network architectures; computer network performance evaluation; network packet early acceptance; DPI signature rules; UTM redundant packet classification problem; UTM system; firewall; network traffic statistics; digital signatures; statistical analysis; unified threat management system; telecommunication traffic; blended attacks
• ISSN: 1751-8709; 1751-8717
• DOI: 10.1049/iet-ifs.2015.0246

Recent network architectures utilise many types of security appliances to combat blended attacks. However, managing multiple separate security appliances can be overwhelming, inefficient and expensive. Thus, multiple security features are needed to be integrated into unified security architecture resulting in an unified threat management system (UTM). In most current UTM systems, whenever a security feature is needed, the corresponding module is just ‘attached or added on’. This approach of adding on may reduce the UTM performance dramatically, especially when security features such as IDS/IPS are enabled. In this study, a hybrid mechanism is proposed to solve UTM redundant packet classification problem. The mechanism is based on the use of splay tree filters and pattern-matching algorithms to enhance packet filtering and deep packet inspection (DPI) performance. The proposed mechanism uses network traffic statistics to dynamically optimise the order of the splay tree filters, allowing early acceptance and rejection of network packets. In addition, DPI signature rules are reordered according to their matching frequencies, allowing early packets acceptance. The authors demonstrate the merit of their mechanism through simulations performed on firewall and snort as independent packet manipulation systems compared with the proposed hybrid mechanism that uses unified communication between them.