CA2287689A1 - Adaptive re-ordering of data packet filter rules - Google Patents

Info

Publication number
CA2287689A1
Authority
CA (Canada)
Prior art keywords
rules, ordering, match, packet, filter
Legal status
Granted; Expired - Fee Related (current)
Application number
CA002287689A
Other languages
French (fr)
Other versions
CA2287689C (en)
Inventors
P. Krishnan
Danny Raz
Binay Sugla
Current Assignee
Nokia of America Corp
Original Assignee
Lucent Technologies Inc.
Priority date
1998-12-03
Filing date
1999-10-28
Publication date
2000-06-03
Events
Application filed by Lucent Technologies Inc., P. Krishnan, Danny Raz, Binay Sugla
Publication of CA2287689A1
Application granted
Publication of CA2287689C
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Abstract

A packet data filter which stores ordered rules and sequentially applies the rules to received data packets to determine the disposition of the data packet. The packet filter maintains a match count in memory which indicates the number of times each rule matched an incoming data packet. Periodically, at the initiation of a user, or based on operating parameters of the filter, the rules are automatically re-ordered based on the match count. As a result of the re-ordering, rules with higher match counts are moved earlier in the sequential evaluation order and rules with lower match counts are moved later in the sequential evaluation order. As such, rules which are more likely to match incoming data packets are evaluated earlier, thus avoiding the evaluation of later rules. In order to prevent a re-ordering which would change the overall security policy of the packet filter, pairs of rules are compared to determine if they conflict (i.e., the swapping of the two rules would result in a change in the overall security policy). During reordering, the swapping of conflicting rules is prevented.
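The match-count re-ordering with a conflict check described in the abstract, as an added Python illustration (this is not the patent's own code): two rules conflict when some packet can match both and their actions differ, and a rule only moves ahead of neighbours it does not conflict with, so every swap preserves the first-match policy. The rule base and the traffic mix are constructed for the example.

```python
"""Match-count re-ordering of first-match filter rules; illustration, not the patent's code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]      # None = any protocol
    dport: Tuple[int, int]    # inclusive destination-port range
    action: str               # "accept" or "drop"
    matches: int = 0          # match count kept by the filter

    def hits(self, pkt) -> bool:     # pkt = (src ip, dst ip, proto, dst port)
        src, dst, proto, port = pkt
        return (IPv4Address(src) in self.src and IPv4Address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport[0] <= port <= self.dport[1])

def conflicts(a: Rule, b: Rule) -> bool:
    """True if some packet can match both rules and their actions differ."""
    if a.action == b.action:
        return False
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.proto is None or b.proto is None or a.proto == b.proto)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def evaluate(rules: List[Rule], pkt, default="drop") -> Tuple[str, int]:
    """First-match evaluation; returns (disposition, rules examined)."""
    for i, r in enumerate(rules, 1):
        if r.hits(pkt):
            r.matches += 1
            return r.action, i
    return default, len(rules)

def reorder(rules: List[Rule]) -> List[Rule]:
    """Insertion-style pass: a rule moves earlier past neighbours with lower
    match counts but never past one it conflicts with, so policy is kept."""
    out = list(rules)
    for i in range(1, len(out)):
        j = i
        while (j > 0 and out[j].matches > out[j - 1].matches
               and not conflicts(out[j - 1], out[j])):
            out[j - 1], out[j] = out[j], out[j - 1]
            j -= 1
    return out

def workload_cost(rules: List[Rule], traffic) -> Tuple[List[str], int]:
    """Run traffic through the filter; return (dispositions, rules examined)."""
    results = [evaluate(rules, pkt) for pkt in traffic]
    return [a for a, _ in results], sum(n for _, n in results)

def sample_rules() -> List[Rule]:
    """Constructed rule base: the telnet block must stay ahead of the broad accept."""
    any4 = IPv4Network("0.0.0.0/0")
    return [
        Rule(any4, IPv4Network("10.0.0.5/32"), "tcp", (23, 23), "drop"),
        Rule(any4, IPv4Network("10.0.0.0/24"), "tcp", (1, 1023), "accept"),
        Rule(IPv4Network("192.168.1.0/24"), any4, None, (0, 65535), "accept"),
        Rule(any4, IPv4Network("10.0.0.0/24"), "udp", (53, 53), "accept"),
    ]

SAMPLE_TRAFFIC = (  # constructed workload: DNS-heavy, a little telnet probing
    [("8.8.8.8", "10.0.0.7", "udp", 53)] * 50
    + [("192.168.1.9", "1.2.3.4", "tcp", 443)] * 30
    + [("5.6.7.8", "10.0.0.9", "tcp", 80)] * 10
    + [("5.6.7.8", "10.0.0.5", "tcp", 23)] * 2)
```

On this workload the pass moves the DNS rule to the front but leaves the telnet block ahead of the broad accept it conflicts with; a plain sort by match count would have let the telnet packets through.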

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US20446498A 1998-12-03 1998-12-03
US09/204,464 1998-12-03

Publications (2)

Publication Number Publication Date
CA2287689A1 (en) 2000-06-03
CA2287689C (en) 2003-09-30

Family

ID=22757997

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002287689A Expired - Fee Related CA2287689C (en) 1998-12-03 1999-10-28 Adaptive re-ordering of data packet filter rules

Country Status (5)

Country Link
US (1) US6606710B2 (en)
EP (1) EP1006701B1 (en)
JP (1) JP3568850B2 (en)
CA (1) CA2287689C (en)
DE (1) DE69941081D1 (en)

Families Citing this family (108)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6466976B1 (en) * 1998-12-03 2002-10-15 Nortel Networks Limited System and method for providing desired service policies to subscribers accessing the internet
US7107612B1 (en) 1999-04-01 2006-09-12 Juniper Networks, Inc. Method, apparatus and computer program product for a network firewall
US6701432B1 (en) * 1999-04-01 2004-03-02 Netscreen Technologies, Inc. Firewall including local bus
US6779120B1 (en) * 2000-01-07 2004-08-17 Securify, Inc. Declarative language for specifying a security policy
US6871284B2 (en) 2000-01-07 2005-03-22 Securify, Inc. Credential/condition assertion verification optimization
US8074256B2 (en) 2000-01-07 2011-12-06 Mcafee, Inc. Pdstudio design system and method
US7143439B2 (en) 2000-01-07 2006-11-28 Security, Inc. Efficient evaluation of rules
US6789127B1 (en) * 2000-02-15 2004-09-07 Lucent Technologies Inc. Preparation for network interface recognition of network packet portion with declarative notation for field thereof and constraint therefor
US20020010800A1 (en) * 2000-05-18 2002-01-24 Riley Richard T. Network access control system and method
AU2001268491A1 (en) * 2000-06-16 2002-01-02 Securify, Inc. Credential/condition assertion verification optimization
US7917647B2 (en) 2000-06-16 2011-03-29 Mcafee, Inc. Method and apparatus for rate limiting
AU2001268492A1 (en) * 2000-06-16 2002-01-02 Securify, Inc. Efficient evaluation of rules
US8204082B2 (en) 2000-06-23 2012-06-19 Cloudshield Technologies, Inc. Transparent provisioning of services over a network
US7032031B2 (en) * 2000-06-23 2006-04-18 Cloudshield Technologies, Inc. Edge adapter apparatus and method
US9444785B2 (en) 2000-06-23 2016-09-13 Cloudshield Technologies, Inc. Transparent provisioning of network access to an application
US7003555B1 (en) 2000-06-23 2006-02-21 Cloudshield Technologies, Inc. Apparatus and method for domain name resolution
US7346702B2 (en) * 2000-08-24 2008-03-18 Voltaire Ltd. System and method for highly scalable high-speed content-based filtering and load balancing in interconnected fabrics
JP4080169B2 (en) * 2000-09-29 2008-04-23 Ricoh Co., Ltd. Session establishment method
US7970886B1 (en) * 2000-11-02 2011-06-28 Arbor Networks, Inc. Detecting and preventing undesirable network traffic from being sourced out of a network domain
US7437654B2 (en) * 2000-11-29 2008-10-14 Lucent Technologies Inc. Sub-packet adaptation in a wireless communication system
FI20010110A0 (en) 2001-01-18 2001-01-18 Stonesoft Oy Sorting data packets in a gateway network element
FI20010256A0 (en) * 2001-02-12 2001-02-12 Stonesoft Oy Handling of packet data contact information in a security gateway element
US6947983B2 (en) * 2001-06-22 2005-09-20 International Business Machines Corporation Method and system for exploiting likelihood in filter rule enforcement
US7386525B2 (en) 2001-09-21 2008-06-10 Stonesoft Corporation Data packet filtering
US7284269B2 (en) * 2002-05-29 2007-10-16 Alcatel Canada Inc. High-speed adaptive structure of elementary firewall modules
US7337230B2 (en) * 2002-08-06 2008-02-26 International Business Machines Corporation Method and system for eliminating redundant rules from a rule set
US20040059943A1 (en) * 2002-09-23 2004-03-25 Bertrand Marquet Embedded filtering policy manager using system-on-chip
US8141159B2 (en) * 2002-12-31 2012-03-20 Portauthority Technologies Inc. Method and system for protecting confidential information
US7409707B2 (en) 2003-06-06 2008-08-05 Microsoft Corporation Method for managing network filter based policies
KR100548154B1 (en) * 2003-06-11 2006-01-31 nTels Co., Ltd. Method and apparatus for packet transmission control and packet charging data generation in wired and wireless communication networks
US20050033731A1 (en) * 2003-08-05 2005-02-10 Lesh Neal B. Priority-based search for combinatorial optimization problems
US7451483B2 (en) * 2003-10-09 2008-11-11 International Business Machines Corporation VLAN router with firewall supporting multiple security layers
US7408932B2 (en) 2003-10-20 2008-08-05 Intel Corporation Method and apparatus for two-stage packet classification using most specific filter matching and transport level sharing
JP4464655B2 (en) * 2003-11-06 2010-05-19 Nomura Research Institute, Ltd. Computer monitoring apparatus and message processing method related to monitored computer
US7661123B2 (en) * 2003-12-05 2010-02-09 Microsoft Corporation Security policy update supporting at least one security service provider
US7533413B2 (en) * 2003-12-05 2009-05-12 Microsoft Corporation Method and system for processing events
US7430760B2 (en) * 2003-12-05 2008-09-30 Microsoft Corporation Security-related programming interface
US7525958B2 (en) * 2004-04-08 2009-04-28 Intel Corporation Apparatus and method for two-stage packet classification using most specific filter matching and transport level sharing
JP4418302B2 (en) * 2004-05-31 2010-02-17 Japan Science and Technology Agency Relay device, packet filtering method, and packet filtering program
US7475424B2 (en) * 2004-09-02 2009-01-06 International Business Machines Corporation System and method for on-demand dynamic control of security policies/rules by a client computing device
JP2006211533A (en) * 2005-01-31 2006-08-10 Ricoh Co Ltd Network facsimile apparatus
US10015140B2 (en) * 2005-02-03 2018-07-03 International Business Machines Corporation Identifying additional firewall rules that may be needed
US7792775B2 (en) 2005-02-24 2010-09-07 Nec Corporation Filtering rule analysis method and system
AU2006230171B2 (en) * 2005-03-28 2012-06-21 Wake Forest University Methods, systems, and computer program products for network firewall policy optimization
US7644055B2 (en) * 2005-05-02 2010-01-05 SAP AG Rule-based database object matching with comparison certainty
JP4747724B2 (en) * 2005-08-05 2011-08-17 NEC Corporation Multi-dimensional rule visualization system, method, program, visualization data generation system, method, and program
US8407778B2 (en) 2005-08-11 2013-03-26 International Business Machines Corporation Apparatus and methods for processing filter rules
CN101529518B (en) * 2005-11-01 2013-10-30 SanDisk Israel Ltd. Method, system and computer-readable code for testing of flash memory
JP4545085B2 (en) * 2005-12-08 2010-09-15 Fujitsu Limited Firewall device
GB2433396B (en) * 2005-12-15 2010-06-23 Bridgeworks Ltd A bridge
US7966655B2 (en) * 2006-06-30 2011-06-21 At&T Intellectual Property Ii, L.P. Method and apparatus for optimizing a firewall
US20080148382A1 (en) * 2006-12-15 2008-06-19 International Business Machines Corporation System, method and program for managing firewalls
US20090138960A1 (en) * 2007-10-26 2009-05-28 University Of Ottawa Control access rule conflict detection
US8046492B1 (en) * 2007-11-06 2011-10-25 Juniper Networks, Inc. Offset independent filtering
US8418240B2 (en) * 2007-12-26 2013-04-09 Algorithmic Security (Israel) Ltd. Reordering a firewall rule base according to usage statistics
US8448220B2 (en) * 2008-04-29 2013-05-21 Mcafee, Inc. Merge rule wizard
EP2294766A1 (en) * 2008-05-22 2011-03-16 Nokia Siemens Networks Oy Adaptive scheduler for communication systems apparatus, system and method
US20090300748A1 (en) * 2008-06-02 2009-12-03 Secure Computing Corporation Rule combination in a firewall
JP5309924B2 (en) * 2008-11-27 2013-10-09 Fujitsu Limited Packet processing apparatus, network device, and packet processing method
US20100138893A1 (en) * 2008-12-02 2010-06-03 Inventec Corporation Processing method for accelerating packet filtering
ATE536696T1 (en) * 2009-04-01 2011-12-15 Nokia Siemens Networks Oy METHOD AND DEVICE FOR REORGANIZING FILTERS
EP2256660B1 (en) * 2009-05-28 2015-08-12 SAP SE Computer-implemented method, computer system, and computer program product for optimization of evaluation of a policy specification
JP5258676B2 (en) * 2009-06-12 2013-08-07 KDDI Corporation Rule information changing method, management apparatus and program in firewall
US8495725B2 (en) 2009-08-28 2013-07-23 Great Wall Systems Methods, systems, and computer readable media for adaptive packet filtering
JP5441250B2 (en) * 2009-09-15 2014-03-12 KDDI Corporation Policy information display method, management apparatus and program for firewall
US8407789B1 (en) * 2009-11-16 2013-03-26 Symantec Corporation Method and system for dynamically optimizing multiple filter/stage security systems
US8489534B2 (en) 2009-12-15 2013-07-16 Paul D. Dlugosch Adaptive content inspection
US8489581B2 (en) * 2010-07-28 2013-07-16 International Business Machines Corporation Method and apparatus for self optimizing data selection
US8432914B2 (en) * 2010-11-22 2013-04-30 Force 10 Networks, Inc. Method for optimizing a network prefix-list search
US10430775B1 (en) * 2011-11-11 2019-10-01 Amazon Technologies, Inc. Validation and lookup techniques for rule-based data categorization
US8880760B2 (en) * 2012-04-27 2014-11-04 Hewlett-Packard Development Company, L.P. Self organizing heap method includes a packet reordering method based on packet passing rules only reordering packets from a load/unload input signal is asserted
US9137205B2 (en) 2012-10-22 2015-09-15 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US9565213B2 (en) 2012-10-22 2017-02-07 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US8949418B2 (en) 2012-12-11 2015-02-03 International Business Machines Corporation Firewall event reduction for rule use counting
US9203806B2 (en) 2013-01-11 2015-12-01 Centripetal Networks, Inc. Rule swapping in a packet network
US20140250138A1 (en) * 2013-03-04 2014-09-04 Vonage Network Llc Method and apparatus for optimizing log file filtering
US9124552B2 (en) 2013-03-12 2015-09-01 Centripetal Networks, Inc. Filtering network data transfers
CA2907208C (en) * 2013-03-15 2023-10-24 Trans Union Llc System and method for developing business rules for decision engines
US9094445B2 (en) 2013-03-15 2015-07-28 Centripetal Networks, Inc. Protecting networks from cyber attacks and overloading
EP2899920B1 (en) 2014-01-24 2017-09-06 Deutsche Telekom AG System and method for filtering and storing data
JP6193147B2 (en) * 2014-02-17 2017-09-06 KDDI Corporation Firewall device control device and program
JP5809382B1 (en) * 2014-12-10 2015-11-10 Rakuten, Inc. Server, display control method, and display control program
US9264370B1 (en) 2015-02-10 2016-02-16 Centripetal Networks, Inc. Correlating packets in communications networks
US9866576B2 (en) 2015-04-17 2018-01-09 Centripetal Networks, Inc. Rule-based network-threat detection
JP6355836B2 (en) 2015-05-15 2018-07-11 Mitsubishi Electric Corporation Packet filter device and packet filter method
US9838354B1 (en) * 2015-06-26 2017-12-05 Juniper Networks, Inc. Predicting firewall rule ranking value
EP3144842A1 (en) * 2015-09-15 2017-03-22 Siemens Aktiengesellschaft System and method for analysis of an object
US9917856B2 (en) 2015-12-23 2018-03-13 Centripetal Networks, Inc. Rule-based network-threat detection for encrypted communications
US11729144B2 (en) 2016-01-04 2023-08-15 Centripetal Networks, Llc Efficient packet capture for cyber threat analysis
JP6760110B2 (en) 2017-01-30 2020-09-23 Fujitsu Limited Control device, transfer device, and control method
US10503899B2 (en) 2017-07-10 2019-12-10 Centripetal Networks, Inc. Cyberanalysis workflow acceleration
US10284526B2 (en) 2017-07-24 2019-05-07 Centripetal Networks, Inc. Efficient SSL/TLS proxy
US11233777B2 (en) 2017-07-24 2022-01-25 Centripetal Networks, Inc. Efficient SSL/TLS proxy
JP6962239B2 (en) * 2018-03-01 2021-11-05 Fujitsu Limited Network management equipment, network management methods, network management programs, and network systems
US10333898B1 (en) 2018-07-09 2019-06-25 Centripetal Networks, Inc. Methods and systems for efficient network protection
US11128602B2 (en) 2018-11-07 2021-09-21 Forcepoint Llc Efficient matching of feature-rich security policy with dynamic content using user group matching
US10965647B2 (en) 2018-11-07 2021-03-30 Forcepoint Llc Efficient matching of feature-rich security policy with dynamic content
US11516228B2 (en) * 2019-05-29 2022-11-29 Kyndryl, Inc. System and method for SIEM rule sorting and conditional execution
US11444921B2 (en) * 2019-07-16 2022-09-13 Lg Electronics Inc. Vehicular firewall providing device
EP3779807A1 (en) * 2019-08-13 2021-02-17 Rohde & Schwarz GmbH & Co. KG Adaptive rule evaluation system as well as method for automatically adapting a rule evaluation
US11711344B2 (en) * 2020-04-30 2023-07-25 Forcepoint Llc System and method for creating buffered firewall logs for reporting
US11539622B2 (en) * 2020-05-04 2022-12-27 Mellanox Technologies, Ltd. Dynamically-optimized hash-based packet classifier
US11782895B2 (en) 2020-09-07 2023-10-10 Mellanox Technologies, Ltd. Cuckoo hashing including accessing hash tables using affinity table
US11362996B2 (en) 2020-10-27 2022-06-14 Centripetal Networks, Inc. Methods and systems for efficient adaptive logging of cyber threat incidents
US11159546B1 (en) 2021-04-20 2021-10-26 Centripetal Networks, Inc. Methods and systems for efficient threat context-aware packet filtering for network protection
US11917042B2 (en) 2021-08-15 2024-02-27 Mellanox Technologies, Ltd. Optimizing header-based action selection
DE102023104049A1 (en) * 2022-02-18 2023-08-24 Hirschmann Automation And Control Gmbh Conditional filtering for time-deterministic firewalls
US11929837B2 (en) 2022-02-23 2024-03-12 Mellanox Technologies, Ltd. Rule compilation schemes for fast packet classification

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2753254B2 (en) 1988-04-06 1998-05-18 Hitachi, Ltd. Packet exchange system
US5493689A (en) 1993-03-01 1996-02-20 International Business Machines Corporation System for configuring an event driven interface including control blocks defining good loop locations in a memory which represent detection of a characteristic pattern
CA2124479A1 (en) 1993-06-30 1994-12-31 Thaddeus Julius Kowalski Methods and apparatus for optimizing decision making
US5446874A (en) * 1993-12-23 1995-08-29 International Business Machines Corp. Automated benchmarking with self customization
US5848393A (en) 1995-12-15 1998-12-08 Ncr Corporation "What if . . . " function for simulating operations within a task workflow management system
US6009475A (en) 1996-12-23 1999-12-28 International Business Machines Corporation Filter rule validation and administration for firewalls
US6173364B1 (en) * 1997-01-15 2001-01-09 At&T Corp. Session cache and rule caching method for a dynamic filter
US6233686B1 (en) * 1997-01-17 2001-05-15 At & T Corp. System and method for providing peer level access control on a network
US5832482A (en) 1997-02-20 1998-11-03 International Business Machines Corporation Method for mining causality rules with applications to electronic commerce
US6038596A (en) 1997-05-23 2000-03-14 International Business Machines Corporation Method and system in a network for decreasing performance degradation triggered by multiple user redundant input events
US6041347A (en) 1997-10-24 2000-03-21 Unified Access Communications Computer system and computer-implemented process for simultaneous configuration and monitoring of a computer network
US6219786B1 (en) 1998-09-09 2001-04-17 Surfcontrol, Inc. Method and system for monitoring and controlling network access

Also Published As

Publication number Publication date
US20030051165A1 (en) 2003-03-13
CA2287689C (en) 2003-09-30
US6606710B2 (en) 2003-08-12
JP2000174808A (en) 2000-06-23
JP3568850B2 (en) 2004-09-22
EP1006701B1 (en) 2009-07-08
EP1006701A2 (en) 2000-06-07
DE69941081D1 (en) 2009-08-20
EP1006701A3 (en) 2000-12-20

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed