
Research proposing packet classification and conflict detection algorithms to develop a high-performance firewall (English summary)


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 27
Size: 1.26 MB

Contents

MINISTRY OF EDUCATION AND TRAINING
MINISTRY OF NATIONAL DEFENCE
ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY

VŨ DUY NHẤT

PROPOSAL ALGORITHMS FOR PACKET CLASSIFICATION AND CONFLICT DETECTION IN RULE SET TO DEVELOP HIGH-PERFORMANCE FIREWALL

Major: Mathematical foundation for informatics
Major code: 46 01 10

SUMMARY OF PH.D THESIS

HA NOI – 2019

The dissertation has been accomplished at: Academy of Military Science and Technology – Ministry of Defense

Supervisors: Ph.D Nguyen Manh Hung; Ph.D Thai Trung Kien

Reviewer 1: Assoc. Prof. PhD Nguyễn Long Giang, Information Technology Institute, Vietnam Academy of Science and Technology
Reviewer 2: Assoc. Prof. PhD Ngô Thành Long, Military Technical Academy
Reviewer 3: Assoc. Prof. PhD Nguyễn Ngọc Hóa, VNU University of Engineering and Technology

The thesis will be defended in front of the PhD thesis examination Committee at the Academy of Military Science and Technology at … hour on …

The thesis can be found at:
- The Library of the Academy of Military Science and Technology
- The National Library of Vietnam

INTRODUCTION

Dissertation's necessity

Today, computer networks are developing strongly in terms of connectivity, types of services, and number of users. Along with that development comes the introduction of advanced transmission technologies, resulting in huge amounts of data being exchanged on the network. A firewall is an access control device located at the connection point between the network that needs to be protected and an external network, to ensure security for that network. Security is enforced by checking all packets going through the firewall in both directions, in and out, according to a security policy set by the administrator. Given its function and deployment location, the firewall becomes a barrier between the protected network and other networks. This device affects the network system in two aspects: it ensures the security of the system by controlling the legality of the passing packets, and it reduces the speed of information exchange between the protected network and external networks. High firewall performance enhances the ability to protect the internal network and limits the degradation of the speed of information exchange through it.

Until now, researchers both at home and abroad have carried out many research projects to improve the performance of firewalls to meet usage requirements. Each solution has its own advantages and disadvantages and often solves only a small part of the problem of improving the device's performance; no solution is really optimal and general. The firewall's performance has been, and will still need to be, enhanced to allow it to meet actual demands. That is the reason why we selected this research problem for the thesis.

Objectives of the research

The thesis has the following objective: proposing new techniques in packet classification and detection of conflicts in rules to improve the speed of packet classification, thereby developing a high-performance firewall.

Scope, object and method of research

The scope of the thesis focuses on software improvements, more specifically packet classification algorithms to improve the throughput of the firewall. The objects studied directly in the thesis are: the data structure of rules and classification algorithms based on that structure; techniques to minimize the average classification time for each packet on the firewall. The thesis uses a combination of theoretical research and experimental simulation.

The meaning of the research topic

Improving performance is an indispensable requirement for firewalls to meet actual demands. Analyzing, evaluating and proposing solutions to improve the performance of firewalls is an area of concern for domestic and foreign researchers. The research contents of the thesis will be the basis for us to master and develop firewalls that meet the security demands of network systems in general, and especially of national security network systems.

The composition of the thesis

The dissertation consists of four chapters along with the introduction, conclusion, list of published scientific papers and articles of the PhD student, and appendices.

CHAPTER 1. OVERVIEW OF PACKET CLASSIFICATION ON FIREWALL

1.1 Concepts about the firewall

This section covers: the definition and development history of the firewall; the features and types of firewalls.

1.2 Performance and its relationship to the packet classification process of the firewall

The performance of a firewall is evaluated according to the criteria of "RFC3511: Methodology for Firewall Performance", in which the criterion for IP throughput is determined first. This criterion is directly related to the speed of packet classification in a firewall device. Improving the speed of packet classification on firewalls therefore also improves the performance of the device.

1.3 Research fields to improve packet classification speed on the firewall

1.3.1 Research in the field of hardware

The latest hardware technology solutions are divided into five basic forms (Figure 1.4): using FPGA technology; ASIC technology; taking advantage of GPU computing power; developing specialized network microprocessors; parallel processing techniques.

Figure 1.4 Research in the field of hardware (improve hardware performance: FPGA technology; ASIC technology; GPU computing power; specialized network microprocessors; parallel processing techniques)

Each proposed approach using hardware technology to enhance firewall performance has its advantages and disadvantages. However, building a high-performance firewall based entirely on the above hardware improvements is very difficult in practice.

1.3.2 Research in the software field

The participants in the classification process of a firewall are the classification algorithm and the rule set used for classification. The properties of these two components directly affect the speed of packet classification. Studies in the field of software to improve the speed of packet classification are also aimed at these two objects. The two research directions in this area are shown in Figure 1.5.

Figure 1.5 Research in the software field (improve software performance: develop algorithms and classification techniques, optimizing classification time and memory storage in the worst case, and early packet rejection; optimize the rule set, optimizing the way of checking in the classification process and detecting and resolving conflicts)

1.3.3 Domestic research

Development of high-performance firewalls has not been studied in Vietnam; research on firewalls only includes: mastering and developing firewalls with basic features and crypto integration; deploying firewalls in network models to ensure system security.

1.3.4 Determining the research directions of the thesis

New proposals are implemented in all steps and stages of the packet classification process (Figure 1.10).

Figure 1.10 Improvements in the packet classification of the thesis (packet classification module: input packets; rule set; optimizing the rule set by detecting and resolving conflicts; a technical proposal for early packet rejection; an improved classification algorithm; classified packet)

1.4 Conclusion of Chapter 1

Improving the performance of firewalls is an important requirement to ensure network security in the context of today's increasing demand for information exchange. With the goal of "Proposing new techniques in packet classification and detection of conflicts in firewall rules to improve the speed of packet classification, from which to develop high-performance firewalls", the thesis focuses on the data structure of rules and classification algorithms based on that structure, and on techniques to minimize the average classification time for each packet on the firewall. The solution is designed to improve the performance of firewalls with new proposals associated with each step of the packet classification process:
- Detecting and handling conflicts in the firewall rule set (optimizing the input parameters of the classification problem);
- Early packet rejection against DoS attacks on default rules (reducing the average classification time in case of attack);
- Improving the efficiency of the classification process with new data structures and algorithms.
The new proposals are presented by the PhD student in the next chapters of the thesis.

CHAPTER 2. CLASSIFICATION ALGORITHM ON FIREWALL

2.2 The basic concepts

Rule set: each rule set consists of many rules, each of which consists of three main parameters (Filter F; Action A; Rule index).
Filter: each filter F contains the values of the fields to be satisfied. Each field can be represented as a range or as an (address / mask) pair.

2.3 Proposed packet classification algorithm based on the Multi-Way Priority trie (MWP trie)

2.3.3 Main ideas and definitions

2.3.3.1 Main ideas

Based on the Priority Trie (PT) [43] and the JA-trie [10], we build the Multi-Way Priority trie (MWP) with the following characteristics:
- The MWP trie is built for one-dimensional packet classification (source or destination IP address); the data stored on the trie is given as prefixes.
- The result of classification on the MWP returns the longest prefix (BMP – Best Matching Prefix) matching the input packet.
- The length of the prefix stored at a node is always greater than or equal to the length of the prefixes stored in its child nodes. The search ends as soon as the address matches the prefix at a node.
- The MWP is a multi-way trie. Each node on the MWP has multiple child nodes, where the ith child node contains prefixes whose first i bits coincide with the first i bits of the prefix in its parent node.

2.3.3.2 Definitions and theorems

DEFINITION 2.1 (Degree of a prefix). Consider prefixes P and Q, where the length of P is l and the length of Q is t. Q is called an n-degree prefix of P if and only if the following three conditions are satisfied:
- t ≤ l;
- the first n bits of Q coincide with the first n bits of P;
- the (n+1)th bit of Q is different from the (n+1)th bit of P.
Denote Q = Ln(P).

DEFINITION 2.2 (Degree of a set of prefixes). Let G be a set of prefixes. G is an nth-degree set of prefix P if and only if every prefix Q of G satisfies Q = Ln(P). Denote G = Sn(P).

DEFINITION 2.3 (The biggest prefix). Let G be a set of prefixes. P is the biggest prefix of G if and only if ∀Q ∈ G (Q ≠ P), the length of Q is less than or equal to the length of P.

THEOREM 2.1. Let G be a set of prefixes (G does not contain two identical prefixes) and let P be the biggest prefix of G. If an IP address matches P, then P is the Best Matching Prefix of that IP address.

THEOREM 2.2. Let G1, G2 be two sets of prefixes and P a prefix, with G1 = Si(P), G2 = Sj(P) and i ≠ j. If an IP address matches a prefix P1 ∈ G1, then there is no prefix P2 ∈ G2 such that P2 matches the IP address.

2.3.4 Structure of the MWP trie

2.3.4.1 Node structure

Each node on the MWP trie is shown in Figure 2.1 and has the following characteristics:
- Each node N stores a prefix P.
- Node N has a Backtrack field, used when there is a prefix Q that is a prefix of P. In this case we do not need to create a node to store Q; we simply set the Backtrack field to the length of Q.
- Each node has a maximum of k child nodes (k = 32 with IPv4, k = 128 with IPv6).
- The length of the prefix stored in a child node is always less than or equal to the length of the prefix stored in its parent node.
- The mth child of node N is the node that contains the biggest prefix of the m-degree prefix set of P.

Figure 2.1 Structure of node N of the MWP trie (node N: prefix P, Backtrack; children: Max(S0(P)) with Backtrack-0, Max(S1(P)) with Backtrack-1, …, Max(Sw(P)) with Backtrack-w)

2.3.4.2 Node construction algorithm

The procedure for building a node on the trie takes as input a set of prefixes that all have the same degree with respect to the prefix stored at the parent node (Figure 2.4). With W the length in bits of an IP address:

    BuildNode(node, G):
        Start
        If G is empty: Finish
        Prefixlongest = Max(G)
        node.key = [value of Prefixlongest] left-shifted by (W – length of Prefixlongest) bits
        node.len = length of Prefixlongest
        i = W
        While i ≥ 0:
            Gi = Si(Prefixlongest)
            BuildNode(node.children[i], Gi)
            i = i – 1
        UpdateBacktrack(node)
        Finish

Figure 2.4 Node building algorithm on the MWP trie

2.2.4.3 Packet classification algorithm

Algorithm 2.2 classifies packets with an IP address as input. The classification proceeds as follows:
- The classification process starts from the root node of the trie.
- In each node, the IP address is compared to the stored prefix:
  - If it matches, the search ends and the longest matching prefix is the prefix stored in the node.
  - Otherwise:
    - If the node has no child node, the longest matching prefix is given by the Backtrack value.
    - Otherwise, compare the first bits of the IP address with the first bits of the prefix stored in the node to branch to the next node.

CHAPTER 3. EARLY PACKET REJECTION ON THE FIREWALL

3.2 Proposed early packet rejection technique based on the combination of fields

3.2.1 The idea of early packet rejection by combining fields

Observations:
- The rules in the firewall can be divided into two groups: rules whose action is prohibit ("DENY") and rules whose action is allow ("ACCEPT"). A packet that satisfies a rule of the "DENY" group will not satisfy any of the "ACCEPT" rules, and vice versa. Calling CAccept the condition for a packet to be accepted (built from the set of "ACCEPT" rules), a packet that does not meet CAccept will be denied. Thus, to reject a packet, we can build the condition NOT(CAccept) and check the packet against that condition. The problem is how to build and use the NOT(CAccept) condition effectively in packet classification on firewalls.
- In packet classification algorithms, checking must be performed on all fields used for the classification process. Checking on those fields can be done in parallel or sequentially. However, in any form, the classification on each field costs resources and time. The dimension of the classification is proportional to the classification time. If we reduce the number of dimensions
we need to check, we can reduce the cost of the classification process.

Based on the above observations, the proposed new early packet rejection technique is as follows:
- Reduce the number of checked dimensions for each packet arriving at the early filter module. Instead of having to check multiple fields, combine the original fields into one field based on combination operations.
- Develop a rule set for early packet rejection on the combined field (build the NOT(CAccept) condition).
- Use a balanced tree structure (B-tree, AVL tree, red-black tree) to store the early packet rejection rules and filter incoming packets.

3.2.2 Early packet rejection using the COM combining operation in two dimensions

3.2.2.1 The COM combining operation

COM is the combination of the source address field and the destination address field of a firewall rule into a single field according to the association rules we propose; the result is called a COM combination.

Figure 3.1 How to create a COM prefix (a source IP address prefix of s bits and a destination IP address prefix of d bits, with s < d, combined into a COM prefix of s bits)

COM operation: rule Ri has a source IP prefix of length s bits and a destination IP prefix of length d bits, with d > s (Figure 3.1). The preCOM prefix consists of s values generated by combining the s bits of the source IP prefix with the first s bits of the destination IP prefix: the jth bit of the source IP prefix is associated with the jth bit of the destination prefix to form the value j of the preCOM field (j = 0, …, s−1) according to the rules in Table 3.1.

Table 3.1 COM association rules (columns: source IP prefix bit, destination IP prefix bit, COM prefix value; one row per case)

3.2.2.2 Using the COM field in packet classification

- Definition 3.1 (The value range of the COM prefix): the value range of the COM prefix preCOM, of length l, is defined as the value
- Definition 3.2 (COM field of the packet): let packet Pkt have source IP address sIP and destination IP address dIP; then the COM field of Pkt is denoted by fCOM and calculated as follows:
  fCOM = [sIP] COM [dIP]   (3.1)
- Theorem 3.1: If packet Pkt has a source IP address sIP that matches the source IP prefix preSIP and a destination IP address dIP that matches the destination IP prefix preDIP of rule Ri, then the value of the fCOM field of Pkt belongs to the range of the preCOM prefix.
- Theorem 3.2: If packet Pkt has an fCOM field that does not belong to the range of the preCOM of rule Ri, then at least one of the following holds: sIP does not satisfy the preSIP prefix of Ri, or dIP does not satisfy the preDIP prefix of Ri.
- Definition 3.3 (Relationship between value ranges): suppose there are two ranges [a, b] and [x, y], separate or overlapping. Then:
  - [a, b] < [x, y] if b < x
  - [a, b] = [x, y] if a = x and b = y
  - [a, b] > [x, y] if a > y
  - [a, b] ∈ [x, y] if x ≤ a and b ≤ y
  - the remaining relationships are denoted [a, b] v [x, y] and [a, b] | [x, y]

When a range [x, y] is inserted into the balanced tree against a node N that stores the range [a, b], the action depends on the relationship between [a, b] and [x, y] as defined above; the possible actions are:
- Remove node N from the tree; insert [x, a−1] and [b+1, y] into the tree;
- Remove node N from the tree;
- Insert [x, y] into the right child node of N;
- Insert [x, y] into the left child node of N;
- Replace [a, b] on N with the range [a, x−1]; insert [b+1, y] into the right child node of N;
- Replace [a, b] on N with the range [y+1, b]; insert [x, a−1] into the left child node of N.
Step 4: Go back to the previous step until the final rule has been processed.

3.2.2.5 Early packet rejection with the fCOM field

When packet Pkt arrives, the fCOM field of the packet is calculated from the source IP address and the destination IP address, fCOM is converted to a value P, and a search is performed on the balanced tree with key P. If the value P is found to be within the value range of a node of the tree, Pkt is rejected immediately; otherwise Pkt has to be classified by the original classification module.

3.2.3 Early packet rejection using the XOR operation combining multiple fields

This technique differs from the COM technique in two points:
- It can be applied to multiple fields.
- It uses the XOR operation to improve the classification speed.
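Returning to the MWP trie of Section 2.3: the following is an added example, not code from the thesis, that implements node construction (Figure 2.4, with the biggest prefix chosen by Definition 2.3 and the rest split into the sets Si(P)) and the classification of Algorithm 2.2 on IPv4 prefixes given as bit strings. The Backtrack handling is the assumption that each node keeps the prefixes of P that are themselves prefixes of P, and that the fallback at degree i is the longest of them with length at most i; the sample rule set is constructed.

```python
# Multi-Way Priority (MWP) trie for one-dimensional longest-prefix matching,
# written after Definitions 2.1-2.3, Theorems 2.1-2.2 and Figure 2.4.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def cidr_to_bits(cidr: str) -> str:
    """'10.1.0.0/16' -> the 16 leading bits of 10.1.0.0 as a '0'/'1' string.
    A bare address ('10.1.2.7') yields all 32 bits."""
    addr, _, plen = cidr.partition("/")
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    return format(value, "032b")[: int(plen) if plen else 32]


def degree(q: str, p: str) -> int:
    """Number of leading bits on which q and p coincide (the n in Q = L_n(P))."""
    n = 0
    while n < len(q) and n < len(p) and q[n] == p[n]:
        n += 1
    return n


@dataclass
class MWPNode:
    prefix: str                                         # P, the biggest prefix of the node's set
    backtrack: List[str] = field(default_factory=list)  # prefixes Q that are prefixes of P
    children: Dict[int, "MWPNode"] = field(default_factory=dict)  # i -> node built from S_i(P)


def build_node(prefixes: List[str]) -> Optional[MWPNode]:
    """Figure 2.4: take the biggest prefix, split the rest into the sets S_i(P), recurse."""
    if not prefixes:
        return None
    longest = max(prefixes, key=lambda p: (len(p), p))  # Definition 2.3 (ties broken lexically)
    node = MWPNode(prefix=longest)
    groups: Dict[int, List[str]] = {}
    for q in prefixes:
        if q == longest:
            continue
        if longest.startswith(q):
            node.backtrack.append(q)   # Q is a prefix of P: no child node, only a Backtrack entry
        else:
            groups.setdefault(degree(q, longest), []).append(q)   # Q = L_i(P), so Q is in S_i(P)
    for i, group in groups.items():
        node.children[i] = build_node(group)
    return node


def lookup(node: Optional[MWPNode], ip_bits: str) -> Optional[str]:
    """Algorithm 2.2: return the best matching prefix (as bits) or None when nothing matches."""
    if node is None:
        return None
    if ip_bits.startswith(node.prefix):
        return node.prefix               # Theorem 2.1: the biggest prefix matches, so it is the BMP
    i = degree(ip_bits, node.prefix)     # the address and P agree on exactly i leading bits
    found = lookup(node.children.get(i), ip_bits)   # Theorem 2.2: only S_i(P) can still match
    if found is not None:
        return found
    # Backtrack-i (assumption): the longest prefix of P that is at most i bits long still matches
    candidates = [q for q in node.backtrack if len(q) <= i]
    return max(candidates, key=len) if candidates else None


def classify(rules: List[str], ip: str) -> Optional[str]:
    """Build the trie from CIDR rules and return the rule that is the BMP for ip."""
    by_bits = {cidr_to_bits(r): r for r in rules}
    best = lookup(build_node(list(by_bits)), cidr_to_bits(ip))
    return None if best is None else by_bits[best]


# Constructed sample rule set (not from the thesis).
SAMPLE_RULES = ["0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24",
                "10.1.3.0/24", "192.168.0.0/16", "192.168.1.0/24"]
```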
3.2.3.1 XOR combination

The fXOR field is constructed by the formula:
  $f_{XOR} = preSIP(n)\ \mathbf{XOR}\ preDIP(n)\ \mathbf{XOR}\ preDPort(n)$   (3.4)
in which n is:
  $n = \min\{\mathrm{length}(preSIP),\ \mathrm{length}(preDIP),\ \mathrm{length}(preDPort)\}$   (3.5)

Figure 3.9 Combining fields with XOR (source IP prefix XOR destination IP prefix XOR source port prefix; cases (a) and (b))

3.2.3.2 Using the fXOR field in early packet rejection

- Definition 3.4 (XOR field of a packet): for packet Pkt with source IP address sIP, destination IP address dIP and port dPort, the XOR field of Pkt is denoted fXOR and calculated as follows:
  fXOR = [sIP] XOR [dIP] XOR [dPort with m bits '0' appended on the right]   (3.6)
  in which m = len(sIP) – len(dPort).
- Definition 3.5 (Range of values of the XOR prefix): suppose preXOR has length l. The range of values of the preXOR prefix is defined as the range of values of the binary string preXOR in the base-2 number system, up to preXOR followed by (32 − l) bits '1'; we denote (xyz)2 for xyz in base 2. Let V be the value of the preXOR binary string; then preXOR has the base-10 value range
  $[V \times 2^{32-l},\ V \times 2^{32-l} + 2^{32-l} - 1]$.
- Theorem 3.3: If a packet Pkt with fXOR field (calculated according to formula 3.6) does not belong to the range of the preXOR field of rule R, then Pkt does not match R.
- Definition 3.6 (Early packet rejection rule set): let Q be the set of all values in the value space of the field fXOR, and A the set of values that is the union of all the values defined by the XOR prefixes of the "ACCEPT" rules. The early packet rejection rule set is the set of values D determined by the formula:
  $D = Q \setminus A$   (3.7)
- Theorem 3.4: When a packet Pkt has an fXOR field belonging to set D, it does not satisfy any "ACCEPT" rule.

Building the set D and using it is similar to the process of building and using the set Ф with the COM operation. In addition to its use in early packet rejection, the fXOR field can also be used directly during packet classification; this is researched and presented in the thesis.

3.2.4 Evaluating the effectiveness of using a combined field in early packet rejection

3.2.4.2 Conditions for effective use of combined fields

Let T1 be the average time to classify a packet in the early rejection module when using the combined field, T2 the average time to classify a packet in the original classifier module of the firewall, M the total number of packets going through the firewall, and P the proportion of packets that are rejected early. Then:
- the time to classify M packets with the original classification module of the firewall is T2·M;
- the time to classify M packets passing through the firewall with both the early rejection module and the original module is T1·M + T2·(1−P)·M.
The condition for early packet rejection to be effective (in terms of time) is:
  $T_1 M + T_2 (1-P) M < T_2 M \;\Leftrightarrow\; T_1 M < T_2 M P \;\Leftrightarrow\; P > \frac{T_1}{T_2}$   (3.8)
According to formula 3.8, the effect of early packet rejection with a combined field depends on the proportion P of packets rejected early; P has practical meaning only when T1 < T2.

- Theorem 4.1: Given field values V1 and V2 of field fn:
  - a necessary condition for V1 ∈ V2 is |V1| > |V2|;
  - a necessary condition for V1 ≈ V2 is |V1| = |V2|.
- Theorem 4.2: Given a set of field values V = (V1, V2, …, Vm) of field fn, if Vk is the field value with the largest detail in V, then ∀Vi ∈ V (i ≠ k, 1 ≤ i ≤ m) we have Vi ∉ Vk.

In order to store rules in the CDT trie structure, the thesis rebuilds the rule structure to include the list of field data and the Action. Each field is stored in a unit record containing information about the field type, the detail of the field, the index of the rule and the value of the field.
- Definition 4.3 (Relationship between two units u1 and u2; only used when u1 and u2 have the same type of field): coincidence: u1 coincides with u2, denoted u1 ≈ u2; inclusion, denoted u1 ∈ u2; intersection: u1 intersects u2, denoted u1 § u2.
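The fXOR early rejection of Section 3.2.3, as an added example that is not code from the thesis: it computes the preXOR prefix and its value range for each ACCEPT rule (formulas 3.4, 3.5 and Definition 3.5), the fXOR field of a packet (formula 3.6), and the membership test against A (so that rejection means fXOR ∈ D = Q \ A, Theorem 3.4). A sorted list of merged intervals searched with bisection stands in for the balanced tree, ports are taken as 16-bit prefixes, and the rule set and packets are constructed; the collision case in the test shows why a packet that is not rejected early still has to go to the full classifier.

```python
# fXOR early packet rejection, written after formulas (3.4)-(3.7) and Theorems 3.3-3.4.
import bisect
from typing import List, Tuple

Rule = Tuple[str, str, Tuple[int, int]]  # (src CIDR, dst CIDR, (dport value, dport prefix length in bits))
W = 32          # width of the combined field: the length of an IPv4 address
PORT_BITS = 16


def ip_to_int(addr: str) -> int:
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    return value


def cidr_parts(c: str) -> Tuple[int, int]:
    addr, _, plen = c.partition("/")
    return ip_to_int(addr), int(plen) if plen else W


def top_bits(value: int, width: int, n: int) -> int:
    """The first n bits of a width-bit value, as an integer."""
    return value >> (width - n)


def pre_xor(rule: Rule) -> Tuple[int, int]:
    """(3.4)/(3.5): returns (V, n) where V is the n-bit preXOR prefix of the rule."""
    (sip, s_len), (dip, d_len), (port, p_len) = cidr_parts(rule[0]), cidr_parts(rule[1]), rule[2]
    n = min(s_len, d_len, p_len)
    v = top_bits(sip, W, n) ^ top_bits(dip, W, n) ^ top_bits(port, PORT_BITS, n)
    return v, n


def pre_xor_range(v: int, n: int) -> Tuple[int, int]:
    """Definition 3.5: [V * 2^(W-n), V * 2^(W-n) + 2^(W-n) - 1]."""
    lo = v << (W - n)
    return lo, lo + (1 << (W - n)) - 1


def packet_fxor(sip: str, dip: str, dport: int) -> int:
    """(3.6): fXOR = sIP XOR dIP XOR (dport padded on the right with W - 16 zero bits)."""
    return ip_to_int(sip) ^ ip_to_int(dip) ^ (dport << (W - PORT_BITS))


def accept_intervals(accept_rules: List[Rule]) -> List[Tuple[int, int]]:
    """Set A of Definition 3.6: the union of the preXOR ranges of all ACCEPT rules,
    kept as sorted, merged intervals (a sorted list stands in for the balanced tree)."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(pre_xor_range(*pre_xor(r)) for r in accept_rules):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def early_reject(merged: List[Tuple[int, int]], fxor: int) -> bool:
    """True iff fxor lies in D = Q \\ A, i.e. no ACCEPT rule can match (Theorem 3.4).
    False means only that the packet must go on to the full classifier."""
    lows = [lo for lo, _ in merged]
    i = bisect.bisect_right(lows, fxor) - 1
    return not (i >= 0 and merged[i][0] <= fxor <= merged[i][1])


# Constructed ACCEPT rules (not from the thesis): web and TLS from 10.1/16 to 192.168/16.
ACCEPT_RULES: List[Rule] = [
    ("10.1.0.0/16", "192.168.0.0/16", (80, 16)),
    ("10.1.0.0/16", "192.168.0.0/16", (443, 16)),
]
```

A rule with an "any" field drives n to 0 and its range to the whole space, so A covers everything and the early filter rejects nothing: the rate P of formula 3.8 then falls to zero.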
4.3.2 The idea of the algorithm

The proposed algorithm builds a CDT trie from the rules to determine the relationships between their rule spaces. The construction of the CDT trie follows these main principles:
i. The relationship between two rule spaces is examined in each dimension of that space.
ii. In each dimension of the rule space, the rule with the highest level of detail is considered in relation to the remaining rules. The rule or group of rules under consideration only has relations of the following types with other rules: Match; Subset; Overlap; Disjoint.
iii. For a rule under consideration, at dimension (i+1): the set of rules matching it (Match) is checked within the Match set of dimension i; the set of containing rules (Super) is checked within the Match and Super sets of dimension i; the set of intersecting rules (Overlap) is checked within the Match, Super and Overlap sets of dimension i. The transfer rules between the sets are as follows:
  $condition\_match\ (Match)_i \rightarrow (Match)_{i+1}$   (4.2)
  $condition\_super\ (Match)_i \rightarrow (Super)_{i+1}$   (4.3)
  $condition\_super\ (Super)_i \rightarrow (Super)_{i+1}$   (4.4)
  $condition\_overlap\ (Match)_i \rightarrow (Overlap)_{i+1}$   (4.5)
  $condition\_overlap\ (Super)_i \rightarrow (Overlap)_{i+1}$   (4.6)
  $condition\_overlap\ (Overlap)_i \rightarrow (Overlap)_{i+1}$   (4.7)
In which "condition_x" is the condition for a rule to move from a set of step i to a set of step (i+1). Let R be the rule under consideration and R(fm) the value of the mth field of R; then the conditions "condition_x" under which rule P is passed on in the above formulas are:
  condition_match: R(fi+1) ≈ P(fi+1)
  condition_super: R(fi+1) ∈ P(fi+1)
  condition_overlap: R(fi+1) § P(fi+1)

4.3.3 CDT trie structure

The CDT is a multi-way trie built from the unit set of the rules. The root node contains a list of all the rules in the rule set. In the trie, the path from the root node to a leaf node represents one complete rule or a set of rules that meet specific conditions on that path. Node N carries information about the field type fn and the detail of that field; the children of N are constructed according to the value of field fn, and the detail of the field stored in N is always greater than or equal to the detail of the field stored in its child nodes.

4.2.3.1 Node structure

The node of the CDT trie has the structure described in Figure 4.2.

Figure 4.2 Structure of the CDT trie node (TOF: type of field; DETAIL: detail of field; M: list of matching rules; S: the list of rules whose rule space contains the rule space of the rules of set M; O: the list of rules whose rule space has areas intersecting the rule space of the rules of set M; Childs: list of child nodes; Labels: list of labels corresponding to child nodes; OtherChild: the child node containing the rules that do not meet the DETAIL condition)

4.2.3.2 Building a node

Algorithm 4.1: BuildNode
Input: list of units Unit-matchs; list of units Unit-supers; list of units Unit-overlaps
Output: CDTNode N

    Begin
      UMAX = GetMaxUnit(Unit-matchs);
      lstUnit = GetUnits(UMAX, Unit-matchs);
      N.TOF = UMAX.type;
      N.DETAIL = UMAX.detail;
      For each u of lstUnit
      Begin
        ulabel = CreateLabel(u);
        If ulabel not in N.Labels
        Begin
          N.Labels.add(ulabel);
          condition_match(Unit-matchs) → (uMatchs);
          condition_super(Unit-matchs) → (uSupers);
          condition_super(Unit-supers) → (uSupers);
          condition_overlap(Unit-matchs) → (uOverlaps);
          condition_overlap(Unit-supers) → (uOverlaps);
          condition_overlap(Unit-overlaps) → (uOverlaps);
          CDTNode M;
          BuildNode(M, uMatchs, uSupers, uOverlaps);
          N.Childs.add(M);
          RemoveUnit(Unit-matchs, uMatchs);
        End
      End
      BuildNode(N.OtherChild, Unit-matchs, Unit-supers, Unit-overlaps);
    End

4.3.4 Conflict detection on the CDT trie

Information about the rule space relationships between rules is contained in the leaf nodes of the trie. Specifically, at leaf node N: the rules of set N.M have identical rule spaces; the rules of set N.S have rule spaces containing the rule space of the rules in N.M; the rules of set N.O have rule spaces overlapping the rule space of the rules in N.M.

4.3 Conclusion of the chapter

In this chapter, the thesis studied the problem of optimizing the rule set of the firewall to increase the device's performance, focusing in particular on the detection and resolution of conflicts in the rule set. Based on the analysis and evaluation of the strengths and limitations of existing techniques, I have proposed a technique to detect and resolve conflicts in the firewall rule set with the CDT trie. In this study, the PhD student concentrates on solving the problem of how to effectively determine the rule space relationship between two rules, thereby serving as a basis for determining conflicts in the rule set. The CDT structure can be applied in building a tool that supports system administrators in building new security policies or checking the security policies deployed on firewalls.

CONCLUSION

A. The results of the dissertation

The dissertation has carried out an overview study of the problem of improving the firewall's performance through improving the speed of packet classification on this device. In particular, the thesis has focused on researching algorithms and techniques to improve the speed of classifying packets in the software field. The new studies and proposals of the thesis are systematic, providing a total solution to develop a high-performance firewall.

B. New contributions of the thesis

- A proposed one-dimensional packet classification algorithm with the MWP priority multi-branch trie structure.
- A proposed early packet rejection technique against DoS attacks on the default rules of firewalls, with combined fields (fCOM or fXOR) based on a balanced tree structure.
- A proposed CDT trie structure to detect conflicts in the rule set of the firewall.

C. Research direction

Studies in the thesis only focus on developing algorithms and techniques in the field of software. Therefore, research on hardware design to effectively implement the proposed algorithms should be carried out further.

PUBLICATIONS OF SCIENTIFIC WORKS

[1] Vũ Duy Nhất, Nguyễn Mạnh Hùng (2014), "B-tree based two-dimensional early packet rejection technique against DOS traffic targeting firewall default security rule", The 2014 Seventh IEEE Symposium on Computational Intelligence for Security and Defense Applications.
[2] Vũ Duy Nhất, Nguyễn Mạnh Hùng (2015), "Early packet rejection based on combining multiple fields using XOR operator with balanced tree", IJCSNS International Journal of Computer Science and Network Security (ISSN: 1738-7906), Vol. 15 No. 10, October 2015, pp. 22–29.
[3] Vũ Duy Nhất, Nguyễn Mạnh Hùng (2016), "Proposed conflict detection algorithms in two-dimensional filters in network devices", 19th National Conference "Selected issues of IT and communication".
[4] Vũ Duy Nhất, Nguyễn Mạnh Hùng (2017), "A packet classification algorithm on multi-way priority trie", Journal of Computer Science and Cybernetics, 4/2016.
[5] Vũ Duy Nhất, Nguyễn Mạnh Hùng (2018), "Proposed conflict detection trie structure in rule set of the firewall", Research and Development on Information and Communication Technology Journal, 12/2018.
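The rule-space relationship computation of Section 4.3.2, as an added example that is not code from the thesis: for a rule R under consideration it evaluates Definition 4.3 on each field and carries every other rule through the dimensions with the transfer rules (4.2)–(4.7), ending with the Match, Super and Overlap sets that a CDT leaf (Section 4.3.4) would hold. Fields are modelled as integer intervals (IP prefixes converted to address ranges, ports as ranges); two assumptions are labelled in the code: a Super rule whose next field coincides with R's stays Super, and a field strictly inside R's field is treated as overlap (the thesis avoids this case by choosing R as the most detailed rule, Theorem 4.2). The rules are constructed.

```python
# Rule-space relationship between a rule under consideration R and the other rules,
# carried across dimensions with the transfer rules (4.2)-(4.7) of the CDT construction.
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]      # inclusive [lo, hi] of one field value
Rule = Tuple[Interval, ...]     # one interval per classification dimension (src, dst, dport)

MATCH, SUPER, OVERLAP = "match", "super", "overlap"
RANK = {MATCH: 0, SUPER: 1, OVERLAP: 2}   # a relation can only weaken as dimensions are added


def cidr_interval(c: str) -> Interval:
    """'10.1.0.0/16' -> (lowest address, highest address) as integers."""
    addr, _, plen = c.partition("/")
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    host_bits = 32 - (int(plen) if plen else 32)
    lo = (value >> host_bits) << host_bits
    return lo, lo + (1 << host_bits) - 1


def relation(r: Interval, p: Interval) -> Optional[str]:
    """Definition 4.3 for R's field value r against P's field value p; None when disjoint."""
    (a, b), (x, y) = r, p
    if b < x or y < a:
        return None                 # disjoint: P drops out of consideration
    if (a, b) == (x, y):
        return MATCH                # r coincides with p
    if x <= a and b <= y:
        return SUPER                # p contains r (r in p)
    # r intersects p. Assumption: p strictly inside r is also treated as overlap;
    # in the thesis R is the most detailed rule, so that case does not arise there.
    return OVERLAP


def rule_space_sets(rule: Rule, others: List[Rule]) -> Dict[str, List[int]]:
    """Return the indices of `others` in the Match, Super and Overlap sets relative to `rule`.
    state[k] is the set P_k belongs to after dimension i; moving to dimension i+1 applies
    condition_match / condition_super / condition_overlap on field i+1."""
    state: Dict[int, str] = {}
    for k, p in enumerate(others):
        rel = relation(rule[0], p[0])
        if rel is not None:
            state[k] = rel
    for i in range(1, len(rule)):
        next_state: Dict[int, str] = {}
        for k, current in state.items():
            rel = relation(rule[i], others[k][i])
            if rel is None:
                continue            # the rule spaces are disjoint in dimension i
            # (4.2)-(4.7): Match stays Match only under condition_match; a Super condition
            # yields Super; an Overlap condition yields Overlap; Overlap never recovers.
            # Assumption: a Super rule whose next field coincides with R's stays Super.
            next_state[k] = current if RANK[current] >= RANK[rel] else rel
        state = next_state
    sets: Dict[str, List[int]] = {MATCH: [], SUPER: [], OVERLAP: []}
    for k in sorted(state):
        sets[state[k]].append(k)
    return sets


# Constructed sample (not from the thesis): fields are (src, dst, dport range).
R: Rule = (cidr_interval("10.1.0.0/16"), cidr_interval("192.168.0.0/16"), (80, 90))
OTHERS: List[Rule] = [
    (cidr_interval("10.1.0.0/16"), cidr_interval("192.168.0.0/16"), (80, 90)),     # identical space
    (cidr_interval("10.0.0.0/8"), cidr_interval("192.168.0.0/16"), (80, 90)),      # contains R
    (cidr_interval("10.1.0.0/16"), cidr_interval("0.0.0.0/0"), (1, 1024)),         # contains R
    (cidr_interval("10.0.0.0/8"), cidr_interval("192.168.0.0/16"), (85, 100)),     # partial overlap
    (cidr_interval("172.16.0.0/12"), cidr_interval("192.168.0.0/16"), (80, 90)),   # disjoint src
    (cidr_interval("10.1.0.0/16"), cidr_interval("192.168.0.0/16"), (443, 443)),   # disjoint port
]
```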

Posted: 09/10/2019, 04:58
