
    Adaptive conflict-free optimization of rule sets for network security packet filtering devices

    Packet filtering and processing rule management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side there is a need to maintain the logic of high-level policies, which requires administrators to implement and update a large number of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic-adaptive optimization of large rule lists is useful for general-purpose computers used as filtering devices, without specifically designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic-adaptive algorithm to find conflict-free optimized rule sets, relying on information gathered from traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO (adaptive conflict-free optimization) deployment on the packet filtering devices. We demonstrate the benefit of the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.
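The abstract does not give the algorithm itself, so the following is an added illustration (not the paper's code) of what "traffic-adaptive yet conflict-free" means for a first-match rule list: rules are pulled forward by their logged hit counts, but a rule is never moved ahead of an earlier rule it overlaps with when the two take different actions, so every packet keeps the decision it had before. The rule list, hit counts and probe packets are constructed for the example; the greedy topological ordering is this example's own choice.

```python
"""Traffic-adaptive reordering of a first-match packet filter rule list.

Added illustration, not the paper's algorithm: logged hit counts drive the
order, but overlapping rules with different actions keep their relative
order, which is what keeps the optimized list conflict-free.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    dport: tuple    # inclusive destination port range
    action: str     # "accept" or "drop"


# Constructed sample rule list (first match wins) and per-rule hit counts
# as a traffic log database would report them.
RULES = [
    Rule("R1", "10.0.0.0/8", "0.0.0.0/0", "tcp", (23, 23), "drop"),
    Rule("R2", "10.0.0.0/8", "192.168.1.10/32", "tcp", (443, 443), "accept"),
    Rule("R3", "10.0.1.0/24", "0.0.0.0/0", "tcp", (0, 65535), "accept"),
    Rule("R4", "0.0.0.0/0", "192.168.1.20/32", "udp", (53, 53), "accept"),
    Rule("R5", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), "drop"),
]
HITS = {"R1": 5, "R2": 900, "R3": 300, "R4": 2000, "R5": 50}


def overlaps(a, b):
    """True if some packet can match both rules (every field intersects)."""
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    return a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]


def conflict_constraints(rules):
    """Index pairs (i, j), i < j, where rule i must stay ahead of rule j."""
    return {(i, j)
            for i in range(len(rules)) for j in range(i + 1, len(rules))
            if rules[i].action != rules[j].action and overlaps(rules[i], rules[j])}


def optimize(rules, hits):
    """Greedy topological order: among rules whose required predecessors are
    already placed, always emit the one with the most logged hits."""
    cons = conflict_constraints(rules)
    preds = {j: {i for i, k in cons if k == j} for j in range(len(rules))}
    placed, order = set(), []
    while len(order) < len(rules):
        ready = [k for k in range(len(rules)) if k not in placed and preds[k] <= placed]
        best = max(ready, key=lambda k: hits.get(rules[k].name, 0))
        order.append(best)
        placed.add(best)
    return [rules[k] for k in order]


def expected_cost(rules, hits):
    """Mean number of rules evaluated per logged packet under first-match."""
    total = sum(hits.get(r.name, 0) for r in rules)
    return sum((pos + 1) * hits.get(r.name, 0) for pos, r in enumerate(rules)) / total


def first_match(rules, pkt):
    """Decision for pkt = (src_ip, dst_ip, proto, dport); None if nothing matches."""
    src, dst, proto, dport = pkt
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return None


def same_decisions(rules_a, rules_b, packets):
    """Conflict-freedom check: both orders decide every probe packet identically."""
    return all(first_match(rules_a, p) == first_match(rules_b, p) for p in packets)


# Constructed probe packets covering each rule and the telnet/accept overlap.
PACKETS = [
    ("10.0.1.5", "172.16.0.1", "tcp", 23),      # R1 (drop) must still beat R3 (accept)
    ("10.0.1.5", "172.16.0.1", "tcp", 80),
    ("10.0.5.5", "192.168.1.10", "tcp", 443),
    ("8.8.8.8", "192.168.1.20", "udp", 53),
    ("8.8.8.8", "192.168.1.20", "tcp", 53),
]

if __name__ == "__main__":
    opt = optimize(RULES, HITS)
    print([r.name for r in opt], expected_cost(RULES, HITS), expected_cost(opt, HITS))
    print("decisions preserved:", same_decisions(RULES, opt, PACKETS))
```

With these constructed counts the optimizer moves the busy DNS and HTTPS rules to the top but keeps the rarely hit telnet drop (R1) ahead of the broad accept (R3) it overlaps with, and the expected rules-per-packet falls from about 3.37 to about 1.62 while every probe packet gets the same decision. Real deployments need the overlap test to cover every field the device matches on (interfaces, flags, source ports), since a missed overlap is exactly the kind of silent policy change the paper's conflict-freedom requirement is meant to prevent.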

    Flow Fair Sampling Based on Multistage Bloom Filters

    Network traffic distribution is heavy-tailed: most flows are short and carry very few packets, while the number of large flows is small. Traditional random sampling tends to sample large flows far more than short ones, yet many applications depend on per-flow traffic beyond just the large flows. A flow-fair sampling scheme based on multistage Bloom filters is proposed. The total measurement interval is divided into n child time intervals. In each child interval, the multistage Bloom filters are queried to determine whether the incoming packet's flow already exists in the flow information table; if it does, the packet is sampled with a static rate that is inversely proportional to the flow's estimated traffic up to the previous time interval. If the packet is the first packet of a new flow, its flow information is created and the flow is inserted into the multistage Bloom filters. The results show that the proposed algorithm is accurate, especially for short flows, and easy to extend.
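The following is an added illustration (not the paper's code) of the scheme the abstract describes: a multistage Bloom filter answers "have I seen this flow?", a new flow's first packet is always kept, and packets of known flows are sampled at a rate inversely proportional to the flow's estimate from earlier child intervals. The concrete choices are this example's assumptions: the rate is TARGET divided by the flow's mean per-interval estimate so far, flows with no closed interval yet are sampled at an initial rate P0, child intervals are measured in packets, and the trace (one heavy flow plus one hundred three-packet flows) is constructed. It also runs uniform sampling at the same budget so the fairness difference is visible.

```python
"""Flow-fair packet sampling gated by a multistage Bloom filter.

Added illustration, not the paper's code. Rate = target / mean per-interval
estimate, initial rate p0 for flows with no closed interval, and
packet-count child intervals are assumptions of this example.
"""
import hashlib
import random
from dataclasses import dataclass


class MultistageBloomFilter:
    """k stages, each an m-bit array probed by its own hash of the flow key."""

    def __init__(self, m=4096, k=4):
        self.m, self.k = m, k
        self.bits = [bytearray(m) for _ in range(k)]

    def _index(self, stage, key):
        digest = hashlib.sha256(f"{stage}:{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.m

    def add(self, key):
        for stage in range(self.k):
            self.bits[stage][self._index(stage, key)] = 1

    def __contains__(self, key):
        # A miss in any stage means "definitely new"; all hits means "probably seen".
        return all(self.bits[s][self._index(s, key)] for s in range(self.k))


@dataclass
class FlowInfo:
    est_prev: float = 0.0   # estimated packets over closed child intervals
    intervals: int = 0      # child intervals closed since the flow appeared
    est_cur: float = 0.0    # estimate accumulating in the open interval


class FlowFairSampler:
    def __init__(self, interval_packets=250, target=8.0, p0=0.1, seed=7):
        self.interval_packets = interval_packets
        self.target, self.p0 = target, p0
        self.rng = random.Random(seed)
        self.bloom = MultistageBloomFilter()
        self.table = {}          # flow key -> FlowInfo
        self.seen = 0
        self.samples = []        # (flow, weight) for every sampled packet

    def _rate(self, flow):
        info = self.table[flow]
        if info.intervals == 0:
            return self.p0
        mean = info.est_prev / info.intervals
        return min(1.0, self.target / mean) if mean > 0 else 1.0

    def process(self, flow):
        """Feed one packet of `flow`; returns True if it was sampled."""
        self.seen += 1
        # Bloom miss => new flow. A Bloom hit may be a false positive, so the
        # flow table is checked before trusting it.
        if flow not in self.bloom or flow not in self.table:
            self.bloom.add(flow)
            self.table[flow] = FlowInfo()
            p = 1.0              # always keep a flow's first packet
        else:
            p = self._rate(flow)
        sampled = self.rng.random() < p
        if sampled:
            self.table[flow].est_cur += 1.0 / p   # inverse-probability weight
            self.samples.append((flow, 1.0 / p))
        if self.seen % self.interval_packets == 0:   # close the child interval
            for info in self.table.values():
                info.est_prev += info.est_cur
                info.intervals += 1
                info.est_cur = 0.0
        return sampled

    def estimate(self, flow):
        info = self.table.get(flow)
        return info.est_prev + info.est_cur if info else 0.0


def build_stream(elephant=5000, mice=100, mouse_packets=3):
    """Constructed trace: one heavy flow with short flows interleaved."""
    stream, step = [], elephant // mice
    for i in range(elephant):
        stream.append("E")
        if i % step == 0:
            stream.extend([f"m{i // step}"] * mouse_packets)
    return stream


def compare(seed=7):
    """Flow-fair sampling versus uniform sampling at the same budget."""
    stream = build_stream()
    fair = FlowFairSampler(seed=seed)
    for flow in stream:
        fair.process(flow)
    mice = {f for f in stream if f != "E"}
    fair_mice = {f for f, _ in fair.samples if f != "E"}
    p_uniform = len(fair.samples) / len(stream)
    rng = random.Random(seed + 1)
    uniform_mice = {f for f in stream if f != "E" and rng.random() < p_uniform}
    return {"packets": len(stream), "fair_samples": len(fair.samples),
            "mice": len(mice), "fair_mice_seen": len(fair_mice),
            "uniform_mice_seen": len(uniform_mice),
            "elephant_estimate": fair.estimate("E")}


if __name__ == "__main__":
    print(compare())
```

Because a flow's first packet is sampled with probability 1, every short flow in the trace is observed, whereas uniform sampling at the same overall budget (roughly 6% of packets) misses most three-packet flows; the heavy flow's packet count is still recovered from the inverse-probability weights. The flow table is consulted after a Bloom hit because a false positive would otherwise apply a known-flow rate to a flow with no state; in a hardware pipeline the filter is the fast path and the table lookup is what it saves on the common miss.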

    The complexity of resolving conflicts on MAC

    We consider the fundamental problem of multiple stations competing to transmit on a multiple access channel (MAC). We are given $n$ stations, out of which at most $d$ are active and intend to transmit a message to the other stations using the MAC. All stations are assumed to be synchronized according to a time clock. If $l$ stations transmit in the same round, then the MAC provides feedback on whether $l = 0$, $l = 1$, or $l \ge 2$ (a collision occurred). When $l = 1$, the single station is indeed able to transmit its message successfully, and it is received by all other nodes. For the above problem the active stations have to schedule their transmissions so that each can transmit its message singly on the MAC, based only on the feedback received from the MAC in previous rounds. For this problem it was shown in [Greenberg, Winograd, A Lower Bound on the Time Needed in the Worst Case to Resolve Conflicts Deterministically in Multiple Access Channels, Journal of the ACM, 1985] that every deterministic adaptive algorithm must take $\Omega(d (\lg n)/(\lg d))$ rounds in the worst case. The fastest known deterministic adaptive algorithm requires $O(d \lg n)$ rounds. The gap between the upper and lower bound is a factor of $O(\lg d)$, which is substantial for most values of $d$: when $d$ is constant and when $d \in O(n^{\epsilon})$ (for any constant $\epsilon \le 1$), the lower bound is respectively $\Omega(\lg n)$ and $\Omega(n)$, which is trivial in both cases. Nevertheless, the above lower bound is interesting indeed when $d \in \mathrm{poly}(\lg n)$. In this work, we present a novel counting argument to prove a tight lower bound of $\Omega(d \lg n)$ rounds for all deterministic adaptive algorithms, closing this long-standing open question.
    Comment: Xerox internal report, 27th July; 7 pages

    Fuzzy-logic-based control, filtering, and fault detection for networked systems: A Survey

    This paper is concerned with the overview of the recent progress in fuzzy-logic-based filtering, control, and fault detection problems. First, the network technologies are introduced, the networked control systems are categorized from the aspects of fieldbuses and industrial Ethernets, the necessity of utilizing fuzzy logic is justified, and the network-induced phenomena are discussed. Then, the fuzzy logic control strategies are reviewed in great detail. Special attention is given to a thorough examination of the latest results for fuzzy PID control, fuzzy adaptive control, and fuzzy tracking control problems. Furthermore, recent advances on fuzzy-logic-based filtering and fault detection problems are reviewed. Finally, conclusions are given and some possible future research directions are pointed out, for example, topics on two-dimensional networked systems, wireless networked control systems, Quality-of-Service (QoS) of networked systems, and fuzzy access control in open networked systems.
    This work was supported in part by the National Natural Science Foundation of China under Grants 61329301, 61374039, 61473163, and 61374127, the Hujiang Foundation of China under Grants C14002 and D15009, the Engineering and Physical Sciences Research Council (EPSRC) of the UK, the Royal Society of the UK, and the Alexander von Humboldt Foundation of Germany.

    On-board B-ISDN fast packet switching architectures. Phase 2: Development. Proof-of-concept architecture definition report

    For the next-generation packet-switched communications satellite system with onboard processing and spot-beam operation, a reliable onboard fast packet switch is essential to route packets from different uplink beams to different downlink beams. The rapid emergence of point-to-point services such as video distribution, and the large demand for video conferencing, distributed data processing, and network management, make the multicast function essential to a fast packet switch (FPS). The satellite's inherent broadcast features give the satellite network an advantage over the terrestrial network in providing multicast services. This report evaluates alternative multicast FPS architectures for onboard baseband switching applications and selects a candidate for subsequent breadboard development. Architecture evaluation and selection are based on the study performed in Phase 1, 'Onboard B-ISDN Fast Packet Switching Architectures', and on other switch architectures which have become commercially available as large-scale integration (LSI) devices.