
Packet filter optimization techniques for high-speed network monitoring

Optimizing packet filtering for high-speed network monitoring (French title)

Published in: Annales des Télécommunications

Abstract

Effective network monitoring is vital for a growing number of control and management applications typically found in present-day networks. Ever-increasing link speeds and the complexity of monitoring applications’ needs have exposed severe limitations of existing monitoring techniques. Most current monitoring tasks require only a small subset of all observed packets, which share some common properties such as identical header fields or similar patterns in their data. In order to capture only these useful packets, a large set of filter expressions needs to be evaluated, and this evaluation should be done as efficiently as possible when monitoring multi-gigabit networks. To speed up this packet classification process, this article presents several packet filter optimization techniques. Complementary to existing approaches, we propose an adaptive optimization algorithm which dynamically reconfigures the filter expressions based on the currently observed traffic pattern. The performance of the algorithms is validated both analytically and by means of an implementation in a network monitoring framework. The various characteristics of the algorithms are investigated, including their performance in an operational network intrusion detection system.

Résumé (French abstract, translated)

Today, network traffic analysis is essential for managing many applications. The growth in network speeds and the complexity of traffic analysis requirements have revealed severe limitations in existing methods and tools. Most analysis tasks require only a fraction of all observed packets. These packets typically share a few properties, such as identical header fields or similar character sequences in their data. To capture only these useful packets, a large collection of expressions must be evaluated. This evaluation must be as efficient as possible in order to analyse multi-gigabit networks. This article presents several optimization techniques to speed up the packet classification procedure. Complementary to existing approaches, we propose an adaptive optimization algorithm which dynamically reorganizes the filter expressions based on the observed traffic. The performance of the algorithms is validated analytically and by an implementation in a network monitoring system. The characteristics of the algorithms are evaluated, including their performance in an operational intrusion detection application.
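The abstract describes an adaptive optimizer that reorders filter expressions according to the traffic actually observed. The following is an added illustration of that general idea and is not the paper's algorithm or the SCAMPI framework's code: a filter is modelled as a conjunction of header predicates evaluated with short-circuit semantics, the pass rate of each predicate is counted over a window of packets, and the conjunction is then re-sorted so that the most selective predicate (lowest pass rate) runs first. The assumptions are that every predicate costs the same to evaluate, that the counted pass rates are conditional on the predicates ahead of them in the chain (which is what a short-circuit evaluator can observe cheaply), and that the packet sample, which is constructed inline, is representative of the traffic mix. Predicate and field names are placeholders chosen for this example.

```python
"""Adaptive reordering of a conjunctive packet filter by observed selectivity.

Added example: not the paper's algorithm. A packet is a dict of already-parsed
header fields (constructed sample data, not real captures).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, int]


@dataclass
class Predicate:
    name: str
    test: Callable[[Packet], bool]
    seen: int = 0      # evaluations since the last reorder
    passed: int = 0    # evaluations that returned True

    def pass_rate(self) -> float:
        # A predicate with no observations is treated as always passing so it
        # is not promoted to the front of the chain without evidence.
        return self.passed / self.seen if self.seen else 1.0


@dataclass
class Filter:
    """A conjunction of predicates, evaluated left to right with short-circuit."""
    name: str
    predicates: List[Predicate]
    evaluations: int = 0   # total predicate evaluations: the cost being minimised

    def matches(self, pkt: Packet) -> bool:
        for p in self.predicates:
            self.evaluations += 1
            p.seen += 1
            if p.test(pkt):
                p.passed += 1
            else:
                return False      # later predicates are not evaluated (or counted)
        return True

    def reorder(self) -> List[str]:
        """Sort so the least-likely-to-pass predicate runs first.

        For equal per-predicate costs, the expected evaluations per packet are
        1 + r1 + r1*r2 + ..., minimised by ascending pass rate. Note the rates
        observed under short-circuit are conditional on earlier predicates; this
        is a heuristic, not an exact marginal estimate (assumption of this example).
        """
        self.predicates.sort(key=Predicate.pass_rate)
        for p in self.predicates:         # start a fresh observation window
            p.seen = p.passed = 0
        return [p.name for p in self.predicates]


def constructed_traffic(n: int = 1000) -> List[Packet]:
    """Constructed sample: mostly TCP/80, some UDP/443, 5% large payloads."""
    return [
        {
            "proto": 6 if i % 10 else 17,
            "dst_port": 80 if i % 5 else 443,
            "payload_len": 1200 if i % 20 == 1 else 100,
        }
        for i in range(n)
    ]


def make_filter() -> Filter:
    """Hypothetical monitoring rule: large HTTP requests, written in the
    'natural' order proto, port, size, which is the worst order for this mix."""
    return Filter("large-http-requests", [
        Predicate("proto_tcp", lambda p: p["proto"] == 6),
        Predicate("dst_port_80", lambda p: p["dst_port"] == 80),
        Predicate("payload_gt_1000", lambda p: p["payload_len"] > 1000),
    ])


def run_window(flt: Filter, packets: List[Packet]) -> Tuple[int, int]:
    """Evaluate one window of traffic; return (predicate evaluations, matches)."""
    start = flt.evaluations
    matched = sum(1 for pkt in packets if flt.matches(pkt))
    return flt.evaluations - start, matched


def demo() -> dict:
    """Same traffic, before and after one adaptive reorder; results must agree."""
    flt = make_filter()
    traffic = constructed_traffic()
    before_evals, before_matches = run_window(flt, traffic)
    order = flt.reorder()
    after_evals, after_matches = run_window(flt, traffic)
    return {
        "before_evals": before_evals, "before_matches": before_matches,
        "after_evals": after_evals, "after_matches": after_matches,
        "order": order,
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed mix the reorder moves the size check to the front and cuts predicate evaluations for the window from 2700 to 1100 while matching the same 50 packets; in a real monitor the reorder would be triggered periodically, and the window length trades adaptation speed against noise in the estimated pass rates.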




Cite this article

Coppens, J., De Smet, S., Van Den Berghe, S. et al. Packet filter optimization techniques for high-speed network monitoring. Ann. Telecommun. 62, 387–407 (2007). https://doi.org/10.1007/BF03253267
