• Title/Summary/Keyword: Packet Filtering Rule

Search Result 9, Processing Time 0.03 seconds

An Efficient Central Queue Management Algorithm for High-speed Parallel Packet Filtering (고속 병렬 패킷 여과를 위한 효율적인 단일버퍼 관리 방안)

  • 임강빈;박준구;최경희;정기현
    • Journal of the Institute of Electronics Engineers of Korea TC
    • /
    • v.41 no.7
    • /
    • pp.63-73
    • /
    • 2004
  • This paper proposes an efficient centralized sin91e buffer management algorithm to arbitrate access contention mon processors on the multi-processor system for high-speed Packet filtering and proves that the algorithm provides reasonable performance by implementing it and applying it to a real multi-processor system. The multi-processor system for parallel packet filtering is modeled based on a network processor to distribute the packet filtering rules throughout the processors to speed up the filtering. In this paper we changed the number of processors and the processing time of the filtering rules as variables and measured the packet transfer rates to investigate the performance of the proposed algorithm.

Design and Implementation of Packet Filtering System for IPv4/IPv6 Tunneling Environment (IPv4/IPv6 터널링 환경에 적합한 패킷 필터링 기능 설계 및 구현)

  • Heo, Seok-Yeol;Lee, Wan-Jik;Kim, Kyung-Jun;Jeong, Sang-Jin;Shin, Myung-Ki;Kim, Hyoung-Jun;Han, Ki-Jun
    • Journal of KIISE:Information Networking
    • /
    • v.33 no.6
    • /
    • pp.407-419
    • /
    • 2006
  • As substituting IPv6 network for all IPv4 network in a short time seems unattainable due to high cost and technical limitation, IPv4 and IPv6 are expected to coexist for a certain period of time. Under the co]existing environment of IPv4 and IPv6, interworking brings a number of extra security considerations even if it may have no security problem for each protocol respectively. Thus, the analysis and solutions for those various attacks toward IPv4/IPv6 interworking-related security are inevitably required for the sake of effective transition and settlement to IPv6. In this paper we carried out a proper rule of packet filtering for IPv6-in-IPv4 tunneling interworking environment to protect the IPv4/IPv6 interworking-related security attacks. Design and implementation of the packet filtering system suitable for IPv4/IPv6 tunneling environment in the form of Linux netfilter and ip6tables are also shown. Thru this study, the packet filtering system was found operating correctly ill the tunneling mechanism.

A Study on data cache locking policy for Packet Filtering System's performance improvement (패킷 여과 시스템의 성능 향상을 위한 데이터 캐쉬 잠금 방안 연구)

  • Cho, Hak-Bong;Choi, Chang-Seok;Moon, Jong-Wook;Jung, Gi-Hyun;Choi, Kyung-Hee
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2003.11a
    • /
    • pp.435-438
    • /
    • 2003
  • 오늘날 네트워크 보호를 위해 firewall 과 같은 패킷 여과 시스템이 많이 보급되어 있다. 이러한 시스템에서는 해당 패킷의 생사 및 진행방향을 정할 수 있는 Rule 이 다수 존재하며, 각 패킷에 해당하는 Rule 을 검색하는 시간은 전체 네트워크의 응답시간을 지연시킨다. 더불어 해당 네트워크의 병목현상을 일으키는 주범이 될 수 있다. 본 논문에서는 데이터 캐쉬 잠금 방법을 활용한 네트워크 프로세서를 모델로, 캐쉬 잠금을 이용해 패킷 여과 Rule 의 접근 시간을 줄일 수 있는 파라미터를 찾고 수식화하며 Simulation 을 통해 효용성을 검토해 본다.

  • PDF

Using the Rule to Combination Commands and Arguments in Packet Filtering (패킷 필터링에서 명령어와 인자 결합 규칙을 이용한 로그 데이터의 감축 방법)

  • 서현진;박성인;이재영
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 1999.10c
    • /
    • pp.321-323
    • /
    • 1999
  • UNIX 시스템에서 로그 시스템은 공격시 쉽게 변경 및 삭제되는 위험성이 있고 제한된 시스템 및 네트워크 정보를 제공하므로, 보다 안전하고 풍부한 정보의 제공을 위해 패킷 필터링을 이용한 로그 시스템 등이 제안되어 왔다. 그러나 기존의 패킷 필터링을 이용한 로그 시스템에서는 모든 패킷을 기록하여 많은 양의 데이터가 발생하였으므로, 관리자가 그 정보를 분석하기란 어려웠다. 본 논문에서는 패킷을 처리하는 과정에서 각종 유형의 침입에 대한 사전 조사와 분석으로 얻은 명령어와 인자들의 결합에 의한 판정 규칙을 적용하여, 위험가능성이 내재된 패킷만을 수집, 기록함으로서 데이터의 양을 줄이고 보다 효율적인 로그 정보를 기록할 수 있었다.

  • PDF

A Study of the Intelligent Connection of Intrusion prevention System against Hacker Attack (해커의 공격에 대한 지능적 연계 침입방지시스템의 연구)

  • Park Dea-Woo;Lim Seung-In
    • Journal of the Korea Society of Computer and Information
    • /
    • v.11 no.2 s.40
    • /
    • pp.351-360
    • /
    • 2006
  • Proposed security system attacks it, and detect it, and a filter generation, a business to be prompt of interception filtering dates at attack information public information. inner IPS to attack detour setting and a traffic band security, different connection security system, and be attack packet interceptions and service and port interception setting. Exchange new security rule and packet filtering for switch type implementation through dynamic reset memory by real time, and deal with a packet. The attack detection about DDoS, SQL Stammer, Bug bear, Opeserv worm etc. of the 2.5 Gbs which was an attack of a hacker consisted in network performance experiment by real time. Packet by attacks of a hacker was cut off, and ensured the normal inside and external network resources besides the packets which were normal by the results of active renewal.

  • PDF

Study on the mechanism for the dynamic traversing of multiple firewalls using the concept of one-time master key (일회용 마스터 키 개념을 이용한 다중 방화벽 동적 통과 메커니즘 연구)

  • Park, Hyoung-Woo;Kim, Sang-Wan;Kim, Jong-Suk Ruth.;Jang, Haeng-Jin
    • The Journal of Korean Association of Computer Education
    • /
    • v.13 no.5
    • /
    • pp.103-110
    • /
    • 2010
  • If an exterior computer wants to join the Grid/cloud computing platform for a while, all of the related firewalls' filtering rule should be immediately updated. As the platform of Internet application is gradually evolving into the Grid/Cloud environment, the R&D requirement for the dynamic traversing of the multiple firewalls by a single try is also increasing. In this paper, we introduce the new mechanism for the dynamic traversing of the multiple firewalls using the concept of the one-time master key that can dynamically unlock the tiers of firewalls simultaneously instead of the existed filtering rule based method like a lock management at each firewall. The proposed master keys are like one-time password, consisted of IP addresses, port numbers, and TCP's initial sequence numbers, and generated by end users not administrators. They're exchanged mutually in advance and used to make a hole at local-side firewalls for the other's packet incoming. Therefore, the proposed mechanism can function regardless of the number or type of firewalls.

  • PDF

A Study on Link Travel Time Prediction by Short Term Simulation Based on CA (CA모형을 이용한 단기 구간통행시간 예측에 관한 연구)

  • 이승재;장현호
    • Journal of Korean Society of Transportation
    • /
    • v.21 no.1
    • /
    • pp.91-102
    • /
    • 2003
  • There are two goals in this paper. The one is development of existing CA(Cellular Automata) model to explain more realistic deceleration process to stop. The other is the application of the updated CA model to forecasting simulation to predict short term link travel time that takes a key rule in finding the shortest path of route guidance system of ITS. Car following theory of CA models don't makes not response to leading vehicle's velocity but gap or distance between leading vehicles and following vehicles. So a following vehicle running at free flow speed must meet steeply sudden deceleration to avoid back collision within unrealistic braking distance. To tackle above unrealistic deceleration rule, “Slow-to-stop” rule is integrated into NaSch model. For application to interrupted traffic flow, this paper applies “Slow-to-stop” rule to both normal traffic light and random traffic light. And vehicle packet method is used to simulate a large-scale network on the desktop. Generally, time series data analysis methods such as neural network, ARIMA, and Kalman filtering are used for short term link travel time prediction that is crucial to find an optimal dynamic shortest path. But those methods have time-lag problems and are hard to capture traffic flow mechanism such as spill over and spill back etc. To address above problems. the CA model built in this study is used for forecasting simulation to predict short term link travel time in Kangnam district network And it's turned out that short term prediction simulation method generates novel results, taking a crack of time lag problems and considering interrupted traffic flow mechanism.

A Study on the Efficient Algorithm for Converting Range Matching Rules into TCAM Entries in the Packet Filtering System (패킷 필터링 시스템에서 범위 규칙의 효율적 TCAM 엔트리 변환 알고리즘 연구)

  • Kim, Yong-Kwon;Cho, Hyun-Mook;Choe, Jin-Kyu;Lee, Kyou-Ho;Ki, Jang-Geun
    • Journal of IKEEE
    • /
    • v.9 no.1 s.16
    • /
    • pp.19-30
    • /
    • 2005
  • Packet classification is defined as the action to match the packet with a set of predefined rules. One of classification is to use Ternary Content Addressable Memory hardware search engine that has faster than other algorithmic methods. However, TCAM has some limitations. One of them is that TCAM can not perform range matching efficiently. A range has to be expanded into prefixes to fit the boundary. In general, the number of expansion could be up to 2w-2, where w is the width of the field. For example, if two range fields with 16 bits are used, there could be up to $30\;{\times}\;30\;=\;900$ expansions for a single rule. In this paper, we describe the novel algorithm for converting range matching rules into TCAM entry efficiently. The number of maximum entry is 2w-4 when using the algorithm. Furthermore, it has also benefit about the negation range. In the result of experimentation, the new scheme practically reduces 14 percent in case that searched fields are source port and destination port number.

  • PDF

A study on about a Exclusive Firewall for operation the efficient network security (효율적인 네트워크 보안운영을 위한 Exclusive Firewall 관한 연구)

  • Jeon, Jeong-Hoon;Jeon, Sang-Hoon
    • Journal of the Korea Society of Computer and Information
    • /
    • v.12 no.2 s.46
    • /
    • pp.93-102
    • /
    • 2007
  • Firewall system is a security system for protect the network and is needed for constructing the trusted network. However, these firewall systems deteriorate the performance of whole network in about 60% because of Inefficiency policy establishment and unnecessary traffic occurrence. Therefore, there is a strong needs to establish the network performance elevation, efficient operation and reassignment of the firewall system. In this dissertation, we will analyze how each functionalities of the firewall system affect to the network performance via using a simulation result according to functionality of the firewall system and propose a exclusive firewall system for the efficient network operation.

  • PDF