towards optimal firewall rule ordering utilizing directed acyclical graphs
DESCRIPTION
Towards Optimal Firewall Rule Ordering Utilizing Directed Acyclical Graphs. Author: Ashish Tapdiya, Errin W. Fulp Publisher: ICCCN 2009 Presenter: Yu-Ping Chiang Date: 2009/09/30. Outline. Related work – Directed Acyclical Graph (DAG) Sub-Graph Merging (SDM) Algorithm - PowerPoint PPT PresentationTRANSCRIPT
Author: Ashish Tapdiya, Errin W. FulpPublisher: ICCCN 2009Presenter: Yu-Ping ChiangDate: 2009/09/30
Towards Optimal Firewall Rule Ordering
Utilizing Directed Acyclical Graphs
1
• Related work – Directed Acyclical Graph (DAG)
• Sub-Graph Merging (SDM)– Algorithm– Non-optimal ordering– Time complexity
• Experimental results– Number of breaks– Percentage improvement
Outline
2
• DAG G = (R,E)– R = rules– E exists if
• .• i < j
Directed Acyclical Graph (DAG)
3
• Related work – Directed Acyclical Graph (DAG)
• Sub-Graph Merging (SGM)– Algorithm– Non-optimal ordering– Time complexity
• Experimental results– Number of breaks– Percentage improvement
Outline
4
• Definition– Sub-graph of rule ri : G(ri)
• Ex: G(r2) = {r1, r2}, G(r4) = {r1, r2, r4}– Sum of probability of G(ri) : X(ri)
• Ex: X(r2) = 0.0645+0.161 = 0.2255– Cardinality of G(ri): C(ri)
• Ex: C(r2) = 2
Sub-Graph Merging (SGM)
5
• Definition– DEP
• Ex: – PROB(ri)– R(π)
•
• Ex: R(π) = 0.0645*1 + 0.161*2 + … + 0.029*5 = 3.5487
Sub-Graph Merging (SGM)
00000
10000
10000
11000
10110
DEP
n
iiitpR
1
')(
6
Sub-Graph Merging - Algorithm
7
0.0645
0.11275
0.14515
0.1614
0.2
Sub-Graph Merging - Algorithm
8
R(π) = 3.5487
R(π) = 3.4839
SGM – non-optimal ordering
9
0.058533
0.072886
0.2
0.09094
0.096061
SGM – time complexity
10
O(n)
O(n) O(n)
• Related work – Directed Acyclical Graph (DAG)
• Sub-Graph Merging (SDM)– Algorithm– Non-optimal ordering– Time complexity
• Experimental results– Number of breaks– Percentage improvement
Outline
11
Edge density versus # of breaks
12
• Average number of rule comparisons was used to evaluate performance
Percentage improvement
13