Dynamic rule and rule‐field optimisation for improving firewall performance and security

“…It can be deployed on top of any filtering mechanism to prefilter unwanted expensive traffic. Some other work such as [11] perform reordering of rules and rules fields based on the calculation of the histograms of packet matching rules. In [12], a splay tree firewall is proposed to handle packet rejection and acceptance and can perform splay filters reordering based on a statistical model that utilizes traffic characteristic.…”

“…That will cover layer-3 and layer-4 headers and also application layer payload, when l7-filter is used. Indeed, diverse researches on functional enhancements for efficient traffic filtering have already been provided in the state of the art [9][10][11][12]. However, there is still a lack of filtering mechanisms able to perform traffic filtering in multicarrier and mobility scenarios for IoT traffic, being able to deal with the encapsulation requirements imposed by both edge and core network segments of the 5G multitenant networks, capable of performing traffic filtering and deep packet inspection in NB-IoT traffic.…”

5G NB-IoT: Efficient Network Traffic Filtering for Multitenant IoT Cellular Networks

“…It can be deployed on top of any filtering mechanism to prefilter unwanted expensive traffic. Some other work such as [11] perform reordering of rules and rules fields based on the calculation of the histograms of packet matching rules. In [12], a splay tree firewall is proposed to handle packet rejection and acceptance and can perform splay filters reordering based on a statistical model that utilizes traffic characteristic.…”

“…That will cover layer-3 and layer-4 headers and also application layer payload, when l7-filter is used. Indeed, diverse researches on functional enhancements for efficient traffic filtering have already been provided in the state of the art [9][10][11][12]. However, there is still a lack of filtering mechanisms able to perform traffic filtering in multicarrier and mobility scenarios for IoT traffic, being able to deal with the encapsulation requirements imposed by both edge and core network segments of the 5G multitenant networks, capable of performing traffic filtering and deep packet inspection in NB-IoT traffic.…”

5G NB-IoT: Efficient Network Traffic Filtering for Multitenant IoT Cellular Networks

“…The idea of packet filtering optimisation through early packet rejection and acceptance is introduced in [8–13]. In [8, 9], the proposed field value set cover (FVSC) technique builds a number of rejection rules that are examined before normal filtering.…”

“…Thus, policy Boolean expression relaxation (PBER) technique in [10] is introduced, where binary decision diagrams is used to implement the Boolean expression of the policy acceptance space. In our previous works [11–13], we introduced the idea of early rejection through optimising the order of the rule‐fields. At the end of each traffic window, histogram statistics are collected for packet matching rules and packet not matching rule‐fields.…”

“…This is because unwanted traffic may traverse a long path before being rejected by the default rule. It has been proven in [8, 9, 12, 13] that rejection of such unwanted traffic as early as possible would considerably speed up the filtering process. Thus, if the corresponding packet value does not match the node with minimum length in ST k , it will be rejected early by at most two memory accesses (i.e.…”

Hybrid mechanism towards network packet early acceptance and rejection for unified threat management

Enterprise Network: Security Enhancement and Policy Management Using Next-Generation Firewall (NGFW)