Optimal packet classification techniques for performance enhancement and intrusion detection.


Packet classification techniques categorize each packet so that it can be identified and made accessible on the network. A router forwards data packets between different computer networks, and it creates an overlay internetwork because it connects two or more data lines from different networks. When a data packet arrives on one of the lines, the router uses the information in its routing table to forward the packet to the next network. A data packet forwarded from one router to another through these networks may face security challenges. Packets are classified using the source and destination port numbers, the source and destination IP addresses and the protocol type. Using packet classification rules, it is possible to partition network traffic into multiple priority levels or classes of service. Moreover, the number of users, the volume of traffic and the applications are continually changing on the Internet.

A packet routing decision is based on the destination IP address and yields only the single best matched rule, found by comparing the packet header fields with the classification rules. Applications such as network intrusion detection need to match multiple constraints given in the packet rules, so packet classification is required to report all the matched rules, including the best matched rule.

Network scanning is necessary to secure the network to which the router is connected, and the scan results can be used as fields of packet classification rules. In the proposed work, scan results are stored efficiently in index tables, and single-dimensional searches are used for fast access. In this paper, we propose a new method for forming classification rules for performance enhancement. The main advantage of the proposed algorithm is that it enhances security and routing performance.

The remainder of this paper is organised as follows: Section 2 provides the literature survey. Section 3 explains the architecture of the proposed system. Section 4 discusses the proposed algorithm. Section 5 describes the performance analysis. Section 6 gives the conclusions of this work and directions for future work.

Related Work:

Many works in the literature discuss packet classification. Wei et al (2012) proposed a novel technique called Block Permutation to compress the packet classification rules stored in tables. In their work, compression is achieved by performing block-based permutations on the rules represented in Boolean space. Moreover, they developed an efficient heuristic approach to find the permutations for compression and designed its hardware implementation. Yang Xu et al (2014) proposed a multi-match packet classification rule formation algorithm based on distributed and pipelined hash tables, which avoids the use of Ternary Content Addressable Memory and a signature tree, both of which consume large amounts of memory and time. Bremler-Barr et al (2009) proposed a new scheme for constructing efficient representations of range rules. Their work is based on the simple observation that sets of disjoint ranges can be encoded more efficiently than sets of overlapping ranges, which matters because ternary content-addressable memories are increasingly used in most schemes for high-speed packet classification. Lakshminarayanan et al (2005) proposed a general methodology for building comprehensive behavior profiles of Internet backbone traffic in terms of the communication patterns of end-hosts and services. Recent spates of cyber-attacks and the frequent emergence of applications affecting Internet traffic dynamics helped them to develop effective techniques. Such techniques are capable of extracting significant communication patterns from Internet traffic data for use in network operations and security management.

Papaefstathiou et al (2006) proposed several Quality of Service (QoS) mechanisms which are employed either at the network layer or at the Medium Access Control (MAC) sublayer in order to accommodate the needs of networks. These QoS mechanisms require the identification of network flows and the classification of network packets according to certain packet header fields. In this work, they proposed a classification engine which is employed either at the MAC sublayer or at the network layer. Ganapathy et al (2013) surveyed intelligent techniques for feature selection and classification for intrusion detection in networks, based on intelligent software agents, neural networks, genetic algorithms, fuzzy techniques, rough sets, and particle swarm intelligence. These techniques have been useful for effectively identifying and preventing network intrusions in order to provide security to the Internet and to enhance the quality of service. Sindhu et al (2012) developed a lightweight IDS by using a wrapper-based feature selection algorithm that maximizes the specificity and sensitivity of the IDS, and by employing a neural ensemble decision tree iterative procedure. In spite of the availability of all these methods, security and performance do not meet the requirements of sensitive applications. Hence, a new secure and efficient packet classification technique is proposed in this paper for effective routing.

System Architecture:

The architecture of the system proposed in this work, which is used for effective parallel searching, consists of four major components, namely the packet classification rule formation module, the indexing of classifier fields, the search modules and the result processing module. These components are essential for the construction of multi-match packet classification rules.

Packet Classification Fields Extraction:

Routers forward packets to the destination host with the help of header fields and packet classification rules. These rules contain a combination of fields such as:

1. Source IP address

2. Source port number

3. Destination IP address

4. Destination port number

5. Hop count

6. Maximum number of hops

7. Trust-level

8. Timer

9. Application-type

Figure 1 depicts the index tables and blocks which are used for effective parallel searching.

Table 1 shows sample packet classification rules, each of which is a combination of source IP address, source port number, destination IP address, destination port number and so on.

Each router considers the best matched rules when routing. Moreover, this work focuses on finding multiple matched rules, which help to avoid network traffic and to build an intrusion detection system that detects malicious attacks. Multiple matching rules are formed by tracing the entire network in which the routers are present.

Indexing Table Construction:

Indexing tables are constructed to store the traced IP addresses and port numbers. In general, an index table contains keys and values, and values are retrieved from the index table with the help of the key. The index table contains all the combinations of rules, that is, IP addresses and port numbers. When the IP address to be retrieved is known, the index table values are processed with the search values to give multiple matched packet classification rules. The results from the index table are combined with the search results.

Search Module:

Search modules are constructed based on the number of fields of the packet classification rules in the routing table. Searches are used to retrieve values from the index table. They are named rule subsystems, and the fields obtained in the various subsystems are stored in a rule base maintained by a rule manager. Table 2 shows a search result.

Result Processing Module:

Result processing is done by combining the output of the searches with the values of the hash table to produce multiple matched rules. Figure 2 shows the construction of results to produce multiple matched rules.

Enhanced Packet Classification Rules Forming Algorithm:

Packet classification rules are formed to find the multi-match options needed by the router to transfer the packet efficiently in the network. These rules can be formed with the following steps:

Step 1: Calculate the IP address of systems present in that network interface by checking the reachability of systems.

Step 2: Port numbers are also traced along with IP address with the help of socket connection.

Step 3: Calculated output contains IP address and unused port numbers.

Step 4: Store the results with the combination of IP address of system and its free port number in indexing table.

Step 5: Index tables are constructed to store the various combination of values.

Step 6: The index table stores keys and values, which allows fast retrieval of the values associated with a key. Here the packet ID acts as the key and its address acts as the value.

Step 7: Search for the IP address that needs to act as the source here.

Step 8: Search for port numbers with the IP address obtained in the first search.

Step 9: Retrieve the IP address to which the packet has to be transmitted.

Step 10: All the search results are combined in pipeline to produce multi match packet classification rules.

Step 11: Check the hop count and max hop count.

Step 12: Validate the trust using trust level.

Step 13: Check the timer and current value.

Step 14: Check for application type.
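
The following added example (Python, not the authors' Java code) shows Steps 4 to 14 as per-field index tables that are searched one dimension at a time and intersected to report every matching rule, best match first. The rule values, the field encodings (`max_hops`, `min_trust`, `expires`, `app`) and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed rules in the style of Table 1; "*" means "any value".
# max_hops, min_trust, expires and app are assumed encodings of the
# hop-count, trust-level, timer and application-type fields.
RULES = {
    1: dict(src_ip="101.21.45.*", src_port=498, dst_ip="115.56.49.*", dst_port=5455,
            max_hops=8, min_trust=2, expires=1000, app="db"),
    2: dict(src_ip="101.21.45.*", src_port="*", dst_ip="115.56.49.*", dst_port="*",
            max_hops=16, min_trust=1, expires=1000, app="*"),
    3: dict(src_ip="*", src_port="*", dst_ip="*", dst_port=445,
            max_hops=4, min_trust=3, expires=500, app="smb"),
}
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")

def ip_key(value):
    """Reduce an address or an a.b.c.* pattern to its index key."""
    return "*" if value == "*" else value.rsplit(".", 1)[0]

def build_index(rules):
    """Steps 4-6: one key -> {rule ids} table per header field."""
    index = {f: defaultdict(set) for f in FIELDS}
    for rid, rule in rules.items():
        for f in FIELDS:
            key = ip_key(rule[f]) if f.endswith("_ip") else rule[f]
            index[f][key].add(rid)
    return index

def classify(index, rules, pkt, now):
    """Steps 7-14: per-field searches, intersection, then field checks."""
    matched = set(rules)
    for f in FIELDS:  # one single-dimensional search per field
        key = ip_key(pkt[f]) if f.endswith("_ip") else pkt[f]
        matched &= index[f].get(key, set()) | index[f].get("*", set())
    accepted = []
    for rid in sorted(matched):  # lowest rule number = best match
        r = rules[rid]
        if (pkt["hops"] <= r["max_hops"] and pkt["trust"] >= r["min_trust"]
                and now < r["expires"] and r["app"] in ("*", pkt["app"])):
            accepted.append(rid)
    return accepted

if __name__ == "__main__":
    pkt = dict(src_ip="101.21.45.7", src_port=498, dst_ip="115.56.49.20",
               dst_port=5455, hops=3, trust=2, app="db")
    print(classify(build_index(RULES), RULES, pkt, now=100))
```

Returning the whole list rather than only its first element is what distinguishes multi-match classification for intrusion detection from the single best match used for forwarding.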

Performance Analysis:

In this paper, multi-match packet classification rules are formed with index table storage and without signature tree construction. In the existing system, by contrast, values are stored into the index table by signature tree traversal, which adds time complexity. Table 3 shows the efficiency of the system, calculated by measuring the time taken.

Figure 3 depicts the time complexity of packet classification rule formation: constructing the index table with a signature tree takes more time, whereas constructing the index table without a signature tree takes less time.

Figure 3: Time Complexity of Index Table Construction


In this work, an algorithm for multi-match packet classification rules has been designed and implemented for routing packets. These rules are formed by retrieving the IP addresses and free ports of the reachable systems by tracing the entire network. The traced results are stored in an index table and are retrieved as key-value pairs for effective routing. The algorithm is implemented using Java network programming. From the experiments conducted in this work, it is observed that the rules formed in this research for classification have enhanced the accuracy and reduced the complexity of signature tree construction and hash table construction for routing packets. Future work in this research involves the identification of intrusions and intruders.


Article history:

Received 12 October 2014

Received in revised form 26 December 2014

Accepted 1 January 2015

Available online 25 February 2015


Bremler-Barr, A., D. Hay and D. Hendler, 2009. "Layered interval codes for TCAM-based classification," Proc. IEEE INFOCOM, pp: 1305-1313.

Ganapathy, S., K. Kulothungan, S. Muthurajkumar, M. Vijayalakshmi, P. Yogesh, A. Kannan, 2013. "Intelligent feature selection and classification techniques for intrusion detection in networks: a survey", EURASIP Journal on Wireless Communications and Networking-Springer Open Journal, 271: 1-16.

Lakshminarayanan, K., A. Rangarajan and S. Venkatachary, 2005. "Algorithms for advanced packet classification with ternary CAMs," in Proc. ACM SIGCOMM, New York, NY, USA, pp: 193-204.

Papaefstathiou, I. and V. Papaefstathiou, 2006. "An innovative low-cost classification scheme for combined multi-gigabit IP and Ethernet networks," in Proc. IEEE ICC, 1: 211-216.

Sindhu, S.S.S., S. Geetha, A. Kannan, 2012. "Decision Tree Based Light Weight Intrusion Detection using a Wrapper Approach", Expert Systems with Applications, 39(1): 129-141.

Wei, R., Y. Xu and H. Chao, 2012. "Block permutations in boolean space to minimize TCAM for packet classification," Proc. IEEE INFOCOM, pp: 2561-2565.

Xu, Y., Z. Liu, Z. Zhang and H.J. Chao, 2014. "High-Throughput and Memory-Efficient Multimatch Packet Classification Based on Distributed and Pipelined Hash Tables," IEEE/ACM Transactions on Networking, 22(3).

Vanthana, G., Muthurajkumar, S., Sairamesh, L., Rakesh, R., Kannan, A.

Department of Information Science & Technology, College of Engineering Guindy, Anna University, Chennai, India - 600025.

Corresponding Author: Vanthana, G., Department of Information Science & Technology, College of Engineering Guindy, Anna University, Chennai, India - 600025.


Table 1: Packet Classification Rules.

ADDRESS         NUMBER        IP ADDRESS     PORT NUMBER         RULE
139    445    ...    1
101.21.45.*    498    58804    ...    2
58804    101.21.45.*    498    ...    3
445    139    ...    4
101.21.45.*    19589    115.56.49.*    5455    ...    5

Table 2: Search result showing IP address and port numbers.

ADDRESS         NUMBER      IP ADDRESS    PORT NUMBER
58804      101.21.45.*       498       445       139

Table 3: Time Complexity measurement.

              WITHOUT SIGNATURE TREE    WITH SIGNATURE TREE
              (milliseconds)            (milliseconds)

When n=2      383                       2898
When n=3      460                       3200
When n=4      590                       3899
When n=5      650                       4200

COPYRIGHT 2015 American-Eurasian Network for Scientific Information
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2015 Gale, Cengage Learning. All rights reserved.

Author: Vanthana, G.; Muthurajkumar, S.; Sairamesh, L.; Rakesh, R.; Kannan, A.
Publication: Advances in Natural and Applied Sciences
Article Type: Report
Date: Jun 1, 2015