KR100594755B1 - The packet classification method through hierarchial rulebase partitioning - Google Patents

Abstract

A packet classification method through hierarchical rulebase partitioning is disclosed. In the packet classification method using hierarchical rulebase partitioning according to the present invention, after finding a rule having the highest priority among a plurality of rules included in a plurality of packets input from an external network in a predetermined rulebase, the rule is followed by this rule. A packet classification method for processing a packet, the method comprising: dividing a rulebase into a plurality of independent sub-rulebases based on a predetermined condition, and generating a hash table based on the preprocessing step; and extracting from a packet header of an input packet. A packet classification step of retrieving a hash table using the hashed hash and classifying the packet accordingly by mapping the packet to a corresponding sub-rulebase. According to the present invention, there is an advantage in that packet classification can be accelerated by classifying an input packet only within a sub-rulebase associated with it.

Packet, firewall, protocol, port, IP address, entropy

Description

Packet classification method through hierarchial rulebase partitioning

1 is a diagram illustrating a concept of a packet classification method through hierarchical rulebase partitioning according to the present invention;

2 is a graph illustrating the maximum and average sizes of a sub-rulebase when the first hashing step is applied;

3 is a graph showing an average number of rules according to the size of a sub-rulebase after applying a second hashing step using various hashing selection algorithms.

4 is a graph showing the maximum number of rules according to the size of a sub-rulebase after applying a second hashing step using various hashing selection algorithms.

5 is a diagram illustrating a rule base and a hash table created using a hashing algorithm extracting the most significant 8 bits from the source and destination IP addresses, respectively; and

6 is a graph showing classification performance in terms of average number of rules referenced to find a matching rule.

The present invention relates to a packet classification method. In particular, the rule base is divided into independent sub-rule bases through a plurality of hashing steps, so that the packet can be classified only in an associated sub-rule base. The present invention relates to a packet classification method through hierarchical rulebase partitioning to greatly reduce the search time required for classification.

The development of the internet network has been shown to increase the bandwidth in quantity and to provide various services in quality. Looking at the quantitative development of the Internet network, the bandwidth has doubled in six months since the Internet network was deployed, OC-768 (40 Gbps) is implemented in the center of the network, Ethernet with Gigabit speed in the periphery of the network . In addition, in terms of the quality of the Internet network, as the number of Internet users increases, the services provided vary. This means that packets exchanged through the network require different processing, and are applied to Diff-Serv, firewalls, and virtual private networks (VPNs). As such, as the size of the network increases, the necessity of the task of classifying packets at high speed becomes important.

The conventional packet classification method is performed based on a header rather than a payload. In general, packet classification is performed by referring to five fields of a three-layer protocol, an IP address, and a four-layer port number. The five fields are called 5-tuple. In the practical method of packet classification, the rule base is determined and the packets are matched to perform classification.

When a packet enters a gateway or firewall that performs a sorting operation from the outside, the packet classifier extracts five fields of the packet header and checks the matching sequentially from rule 0 above. IP has a variable length mask by CIDR (Classless Inter Domain Routing), and the port number is represented by an area. Here, the CIDR method refers to a method in which one IP class is assigned and divided into several subnets according to an organization's size.

The above characteristics make the packet classification more difficult. Each rule in a rulebase is prioritized, so when it finds the first matching rule, it no longer finds it and processes the packet accordingly. Generally, rule bases are made up of hundreds of small organizations or organizations, and thousands of rules of large organizations or companies.

As the types of services increase and the rules become more sophisticated, and when multiple network networks are managed together, the rule base becomes larger in size because multiple rule bases are also integrated into one.

Conventional packet classification methods include the following methods.

1) Hardware processing using TCAM, 2) Simplification of pattern matching packet to rule using RFC, 3) Representation of rulebase as bit vector and segmented to match matching rule Finding method, 4) The rule base is expressed as a tree, and then the matching rule is found.

Among them, 1) TCAM method and 2) RFC method have disadvantages of severe limitation in storage space and preprocessing time during rule reorganization. For this reason, the conventional packet classification method makes it difficult to process a rule base having a larger number of rules with 5000 (= 5K) rules as a threshold. 3) The ABV method is the only method that can handle 10,000 rulebases. However, due to its poor utility, there is a problem in that packet classification takes a long time because an average of 140 search table references is required to classify approximately 20,000 rule bases.

In addition, most of the conventional packet classification methods have a problem that it is difficult to apply two or more packet classification algorithms because a process of reorganizing the rule base is required as a preprocessing method.

Accordingly, an object of the present invention is to provide an efficient hash selection algorithm and hierarchically divide a rulebase into small independent sub-rulebases to improve search efficiency. This is to provide a packet classification method.

To this end, the present invention proposes a variety of hashing algorithms, and suggests the maximum entropy hashing that selects the hashing that maximizes the hashing algorithm with the most efficient algorithm.

Another object of the present invention is to provide a packet classification method that can be applied to a classifier having a large rule base that is difficult to process by the existing packet classification method in keeping with the tendency of increasing the size of the rule base.

Extensible packet classification method using the maximum entropy hashing according to the present invention for achieving the above object is a packet for classifying a plurality of packets input from the external network to match each of a plurality of rules included in a predetermined rule base In the classification method, using a preprocessing step of dividing a rule base into a plurality of independent sub-rule bases based on a predetermined condition, and generating a hash table based on the rule base, and using hashing extracted from a packet header of an incoming packet. And a classification step of classifying the packet by retrieving a hash table and thus mapping the packet to a sub-rulebase corresponding to the packet.

Here, the preprocessing step preferably includes a first partitioning step of dividing the rulebase into a plurality of sub-rulebases based on a predetermined protocol and a predetermined port number, and generating a hash table based thereon.

Here, it is preferable that a specific application be determined according to the protocol and the port number.

Here, in the preprocessing step, when the number of rules belonging to a predetermined sub-rulebase among the plurality of sub-rulebases exceeds a predetermined threshold value, the predetermined sub-rulebase is set in a predetermined manner from the source and destination IP addresses. It is preferable to further include a second partitioning step of repartitioning the sub-rulebase using the extracted hashing and generating a hash table based on the sub-rulebase.

Here, the predetermined method is preferably any one of an MSB pattern, an exponential growing pattern, a mask distribution pattern, and an entropy-maximizing pattern.

Here, the MSB pattern method selects a predetermined number of bits from the most significant bits of the destination IP address and the source IP address.

Here, the exponential growing pattern method selects a bit position corresponding to an exponential function of 2 from a destination IP address and a source IP address.

Here, the mask distribution pattern method, at each bit position bi, sums the number of bits that are not money-care bits in all defined rules belonging to the rule base, and calculates an accumulation value at each bit position. After the value is added up from the most significant bit to the least significant bit to calculate the total accumulated value, the predetermined bit position is selected whenever the accumulated value at the predetermined bit position becomes a multiple of the total accumulated value divided by K.

Here, K is preferably a bit value of the hash to be generated.

Here, the Entropy-maximizing pattern method selects a predetermined number of bits that maximize the entropy from the destination IP address and the source IP address, respectively.

Hereinafter, the present invention will be described with reference to the accompanying drawings.

The packet classification method according to the present invention is based on the assumption that only a few rules are likely to match a given packet in one rulebase. It demonstrates with reference to following Table 1.

Table 1 shows the rule base of a typical firewall.

 Rule  protocol  Departure Port  Destination port  Origin IP  Destination IP  ACTION  Rule purpose  R0  *  *  *  inside  inside  Deny Protection against Spoofing Attacks  R1  TCP  1024-65535  80  Out  inside  Accept  HTTP Service  R2  TCP  1024-65535  23  Out  inside  Accept  Telnet service  R3  TCP  1024-65535  21  Out  inside  Accept  FTP Service  D  *  *  *  *  *  Deny  Default Rule

In Table 1, 'inside' refers to a local network protected by a firewall, and 'outside' refers to a network separated from the internal network by a firewall.

The internal network performs various application services such as HTTP, Telnet, FTP, and so on. The first to third rules R1, R2, and R3 accept connection requests of various application services under predetermined conditions, and the 0th rule R0 protects the internal network from spoofing attacks. Spoofing is a technique that tricks one's own identifying information into attacking another target system. Meanwhile, D is a default rule for excluding all communication with the outside. In Table 1, it is meant that packets using the UDP protocol can only match R0 or D. Thus, R1 through R3 do not need to match UDP packets.

1 is a diagram illustrating a concept of a packet classification method through hierarchical rulebase partitioning according to the present invention. Referring to FIG. 1, the packet classification method through hierarchical rulebase division according to the present invention is performed in two stages of preprocessing and classification.

First, in the preprocessing step, the original rule base is hierarchically partitioned into small independent sub-rule bases by hashing the bit fields selected from the classification field. The degree of partitioning depends on the density of the sub-rulebases in the classification space. The higher the density of the sub-rulebase in the classification space, the more segmentation is required. If all the sub-rulebases are small enough, this split stops.

Next, in the classification step, the packet classifier examines the incoming packet using the same hashing used in the preprocessing step, identifying the sub-rulebase associated with the packet, thereby matching the incoming packet to the corresponding rule. Let's do it. The search to find matching rules is performed only in the last sub-rulebase, and existing search algorithms can be used.

Hereinafter, the pretreatment step will be described in detail, and then the classification step will be described.

1. Pretreatment Step

1-1. First partitioning step

First, in the first partitioning step of the preprocessing step, the rule base is divided into a large number of independent sub-rule bases based on the protocol type and the port number. For example, rules governing HTTP, FTP, and SMTP traffic can be split into separate, independent sub-rulebases. Then, by searching the header field of the incoming packet, only the sub-rulebase having the same protocol field as the protocol field of the incoming packet is searched.

In the preprocessing step, a hash of a predetermined bit is selected in the classification space for partitioning the rule base. In the preprocessing stage, the classification space consists of 40 bits. Here, 40 bits are extracted from the protocol field 8 bits, the source port 16 bits, and the destination port 16 bits. That is, only protocol number and port number are considered as a solution for partitioning the rule base. This is because the protocol number and the port number can naturally classify the rules based on the Internet service controlled by the rules. For example, the HTTP service corresponds to protocol 6 and server port 80.

If 8-bit hashing is selected, you can create a hash table with 2 ⁸ (= 256) entries. Here, each entry means a sub-rule base. On the other hand, in order to limit the size of the hash table, one subset is selected as a hash from the classification space. At this time, it is preferable to select hashing so that the size of the hash table is not too large. For example, using a hash of 17 bits, this produces a hash table with 128K entries. On the other hand, the depth of the partition hierarchy, which depends on the memory space and the size of the hash, is in a trade-off relationship.

When using 17-bit hashing, the first 6 bits are extracted from the protocol field using a key selection algorithm that maximizes entropy. Since only two protocols, TCP and UDP, are needed to specify the port number, we select 11 additional bits from the port number for these protocols.

The port number uses one bit to select either the source or the destination. It is generally desirable to choose a denser server port. If the selected port is a server port, select additional 10 LSBs (Least Significant Bits) from that port field. If the selected port is a client port specified by the upper and lower bounds, then the additional port is selected from that port field. It is preferable to select 6 MSBs (Most Significant Bits).

Typically, dense server ports specify specified port numbers between 0 and 1023. Low density client ports, on the other hand, use random port numbers from 1024 to 65536. Therefore, the lower 10 bits are used for the server port and the upper 6 bits are used for the client port.

Namely, the protocol field, direction bits, and the lower 10 bits of the server port or the upper 6 bits of the client port. The server port has higher partitioning efficiency than the client port, so if the rule can specify a server port belonging to either the source port or the destination port, the server port is used regardless of the direction. If the rule can specify the client port belonging to the source port and the destination port, 6MSBs are used to distribute the rules belonging to the hash table of the source and destination.

Intuitively, if two rules map to the same sub-rulebase, the two rules may overlap each other, but if two rules match the other sub-rulebase, the two rules will never overlap. This means that the two rules are independent. For sub-rulebases that are larger than the threshold, they may be split with a hash key different from the first hash. Here, the threshold means the number of rules per sub-rule base.

This hierarchical partitioning continues until all sub-rulebases are small enough. However, we found that the rule base with less than 500,000 rules is sufficient to divide the two steps. The spatiotemporal complexity of this packet classification method depends on the depth of partition layer and the number of nodes.

Therefore, in order to reduce the spatiotemporal complexity, the rule base needs to be partitioned and the rule base should be divided into sub-rule bases as evenly as possible. Therefore, the number of empty rulebases should be minimized, and the number of rules belonging to the sub-rulebase should be equally distributed. The partitioning of such a rulebase depends on the efficiency of the selection algorithm.

FIG. 2 is a diagram showing a result of division in the first step, and shows the average size and the maximum size of the sub-rulebase after the division. After partitioning, the average size of the rule base is substantially reduced. In rulebases with 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules, the reduction ratios of rulebases are 0.0028, 0.0014, and 0.0014, respectively. However, as can be seen from the maximum size of the rule base in this figure, the rules are not evenly distributed in the divided rule base.

The largest sub-rulebase in all rulebases used in the experiment has rules that are about 24 percent of the original rulebase. As expected, these rules relate to HTTP services corresponding to protocol 6 and port number 80. In rulebases with 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules, the number of sub-rulebases above the threshold (16 rules per sub-rulebase) is 141, 192, 1114. The second stage division is performed on these subrule bases.

1-2. Second partitioning step

The second splitting step applies only to buckets larger than the threshold after the first splitting step is completed. Since the resolution of the second partitioning step is derived from the hashing of the first partitioning step, the second partitioning step splits the rule base based on only the source IP address and the destination IP address. The IP address is composed of 64 bits by combining the source and destination addresses, and selects the appropriate number of bits to partition the rule base. Preferably, the source and destination are combined to select and divide about 16 bits. At this time, since the bit selected for division has a direct influence on the final result, the present invention proposes the following four hash selection algorithms to find the optimal bit pattern.

1) MSB Pattern

A 16-bit hash is generated by extracting 8 MSBs (Most Significance Bits) from the source and destination IP addresses. This algorithm uses the concept that most prefix masks select the first few meaningful bits from the IP address field. This simple hashing algorithm is used as a reference to compare the performance of other hashing algorithms. The time complexity of this hashing algorithm is O (1), which means that it is independent of the number of rules in the rulebase.

2) Exponential growing pattern (EXP)

In this algorithm, a 12-bit hash is generated by selecting a bit position corresponding to an exponential function of two, b1b2b4b8b16b32, from the source and destination IP addresses.

That is, the distance between the bits from the most significant bit is selected to be doubled. The lower the bit position of the IP address field is based on the concept that there will be more bits masked out. Preferably, two bits b6b11 are added to generate a 16-bit hash. The time complexity of this key selection algorithm is also 0 (1).

3) Mask distribution pattern (MASK)

This algorithm takes advantage of the notion that money-care bits do not provide any information in the classification space. Therefore, each bit bi in the classification space has information according to the inverse ratio of the number of money-care bits.

The procedure for finding this solution is as follows. At each bit position bi, sum the number of non-money-care bits in all defined rules belonging to the rule base, and add the numbers from the MSB to the LSB. To generate a K-bit hash, one bit is selected whenever the accumulated value of the bit position is a multiple of the total accumulated value divided by K. If the total number of rules in the rule base is n, the time complexity of this algorithm is 0 (kn). The K used in the experimental results is 16.

4) Entropy-maximizing pattern (Ent)

To find a good harm, the preferred embodiment of the present invention uses the concept of entropy. In order to minimize the difference between the number of null entries and the number of objects in each sub-rulebase, we need to distribute the rules in the hash table evenly. As is well known, entropy is maximized when the probability of occurrence of all entries is the same. Therefore, we need to find a good solution to divide the rulebase evenly through entropy calculation. The following describes the maximum entropy calculation to find the appropriate solution.

This method starts with a case where the length of the hash is one. An entropy calculation of each bit of the field to be hashed is performed to determine the bit position having the maximum entropy among these bits. After that, if the length of the hashing is 2, the above process is repeated again. That is, entropy calculation is performed for all cases of 2-bit hashing, including the selected 1-bit hash, to determine another bit position with the largest entropy among the added bits.

This iteration continues until the length of the hash reaches L or the entropy no longer increases. In this manner, 16-bit hashes are generated by selecting 8-bit hashes from the source IP address and the destination IP address, respectively. The time complexity of this algorithm is O (n [s (2w-s + 1) / s]). Here, w is the length of the classification space, s is the length of the hash, n is the total number of rules belonging to the rule base.

3 and 4 illustrate the results after performing the second stage division using various hash selection algorithms. FIG. 3 shows the average number of rules per sub-rulebase, and FIG. 4 shows the size of the largest rulebase. In the case of using the maximum entropy resolution algorithm, the second stage partitioning is 0.054 respectively than the first stage partitioning for rulebases having 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules, respectively. , 0.054, 0.052.

After completing the first and second stage splits, rulebases with 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules each average 1.6 per sub-rulebase, respectively. It has been split into a sub-rule base with 7.6, 36.6 rules. This means that the ratio is reduced by 0.00016, 0.000076, and 0.000073.

The second stage partitioning is effective to reduce the huge sub-rulebase that includes 24 percent of the original rulebase after the first stage partitioning. After the second stage segmentation using the maximum entropy hashing algorithm, 31, 258, and 1281 in rulebases with 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules, respectively. The size of the largest rulebase can be reduced to include three rules.

This corresponds to 0.31, 0.26, 0.26 percent of the original rule base. This means that for a rulebase with 100K rules, you should check 256 rules for one packet in the worst case. The second stage partitioning is more effective than the first stage partitioning in reducing the size of the largest rule base. This is expected because the first step partitioning divides the original rule base according to the Internet service controlling the rule.

Thus, the largest sub-rulebases controlling HTTP services are grouped into one single sub-rulebase. In contrast, the second stage partitioning can reduce the largest sub-rulebase by considering the distribution of rules in the classification space using a maximum entropy solution.

3 and 4, the efficiency of different hashing algorithms can be compared in the division of the second stage. As expected, the optimal partitioning results were obtained by selecting the maximum entropy key. In particular, this method can reduce the size of the largest sub-rulebase, compared to other key selection algorithms. The maximum entropy selection algorithm is more effective than the MSB pattern key algorithm by a factor of 2.38, 3.42, 3.49 for a rulebase with 10K, 100K, and 500K rules. Comparison results are shown for the average size of the sub-rulebases for all key selection algorithms. However, the maximum entropy algorithm is most efficient in all cases, especially in rulebases with more than 100K rules.

It is difficult to determine scalability from the rulebase partitioning results shown in FIGS. 3 and 4. This is because the size of the rule base does not increase linearly on the horizontal axis. However, the experiments proved that the maximum and average size of the sub-rulebase increases linearly as the size of the rulebase increases. The result is only a two-step split. If necessary, more steps of partitioning may be performed to further reduce the size of the sub-rulebase. As such, we examined the memory requirements for this algorithm in terms of the total number of rules, the total number of buckets, and the rate of increase of the total number of buckets above the threshold, and the total number of rules, the total number of buckets, and the thresholds. We have seen that the total number of buckets shows good scalability.

1-3. Adaptive algorithm for prefix mask and range specification

Until now, the exact value that matches the packet classification has been assumed. However, rule definitions often include prefix masks or fields with specific ranges. The following describes how the present invention can handle these other field specifications.

1) Prefix Mask Field

This is commonly used to specify the IP address field. Table 2 shows an example of a rule base with a prefix mask.

 Rule  Field Description (b0b1b2b3b4b5b6b7)  R0  0000 0000  R1  0110 0000  R2  1000 0000  R3  1 * 10 0000

The money-care bit is marked with an *. The problem here is that if a rule contains a specific field with a mask, we need to increment one rule by a multiple of the entries in the hash table.

Table 3 shows two different hash tables that can be configured for the rule base shown in Table 2.

 Index  Hash Key b0b1  Hash Key b0b2  00  R0  R0  01  R1  R1  10  R2, R3  R2  11  R3  R3

If b0b1 is chosen as the hash, R3 can be distributed into two entries with indices of 10 and 11. This is because b1 in R3 is a money-care term. Hereinafter, this phenomenon is referred to as 'rule spreading'. Rule distribution can lead to the size of the hash table as rules are duplicated.

However, if b0b2 is selected as the hash, rule dispersion as shown in Table 3 can be avoided. In order to prevent such rule distribution as much as possible, a modification of the maximum entropy key selection algorithm is required. In other words, when calculating a bit of entropy, the algorithm must ignore rules defined to specify money-care conditions for the selected bit. This is because money-care bits do not give any information to the system in terms of entropy.

2) Range Field

This is generally used to specify a TCP or UDP port. As described above, generally the server port points to a particular port number from 0 to 1023. In contrast, the client port points to an arbitrary port number from 1024 to 65536. Here, the basic concept is to convert range specification to prefix mask specification.

We can use a range of prefix changes that divides any given range into a group of prefix masks. For example, [1024, 65535] in the 16-bit range may be divided into six prefix masks such as 000001 *, 00001 *, 0001 *, 001 *, 01 *, 1 *. However, this method leads to excessive rule distribution in the present algorithm, which is undesirable.

A preferred embodiment of the present invention proposes a direct precision-directed grouping method. It is desirable to correctly divide a rule having a specific range into a multiple of the rule. For example, a rule with a range of [71, 74] can be divided into four rules with exact values from 71 to 74. However, a rule with a wide range, such as [49152, 65535], can produce 16,384 huge rules. Fortunately, TCP / UDP ports with a range are generally biased. For example, even when the total number of prepared ports is very large, such as [0, 49151], 80 percent of the port numbers used in most rules are 3,999 or less.

The concept is that you can group different numbers of rules depending on the density range. Preferably, in a particular port range with 16 bits, 10 LSBs are used to decompose in the high density region of [0, 1023] while creating a single entry for each port of 1024 or less. On the other hand, while generating 63 entries with 1024 ports per entry, 6MSBs are used as hashes for the low density regions of [1024, 65535].

2. Classification stage

After partitioning the rulebase in the preprocessing step and generating the hash table, the classifier can narrow the search range of the rulebase by mapping the incoming packet to the corresponding sub-rulebase. The classifier searches the hash table using hashes extracted from the packet headers.

FIG. 5 is a diagram illustrating a rule base and a hash table created using a hashing algorithm extracting the most significant 8 bits from the source and destination IP addresses, respectively.

Referring to FIG. 5A, it is assumed that R0 to R3 are listed in descending order of priority. If the packet does not match the four rules R0 to R3, the packet is matched to D, which is the lowest priority rule.

In a preferred embodiment of the present invention, five-dimensional packet classification is assumed. This uses a total of 104 bits: 8 bits from the protocol field of the packet header, 16 bits from the source port, 16 bits from the destination port, 32 bits from the source IP address, and 32 bits from the destination IP address. In general, a protocol consists of 8 bits and has a specific number according to its type.

Therefore, the type of protocol is confirmed by the protocol number. In practice, there are 5 to 20 protocols that appear in rules. The port is divided into a source port and a destination port. Each port is 16 bits and has a fixed number or zone. In particular, based on the firewall, one of the origin and destination has a fixed number as a service port and the other becomes a client, with a temporary port in the range of 1024 to 65535.

Referring to FIG. 5B, only the eight most significant bits (hereinafter referred to as '8MSBs') in the classification space are represented, which represents a predetermined header field such as a protocol field.

In the rule base shown in FIG. 5A, the rule base is divided into 256 buckets using 8 MSBs to generate the hash table shown in FIG. 5B. In the hash table of FIG. 5B, rules belonging to one sub-rulebase do not overlap with rules belonging to another sub-rulebase.

When a packet arrives at the classifier, the classifier extracts 8 MSBs from the packet header and uses the extracted 8MSBs as an index of the hash table. The hashing used for packet classification is the same as the hashing used for partitioning the rulebase. After the hashing is completed, if the entry in the hash table is not empty, packet classification may be performed in the sub-rulebase belonging to the entry. If the entry of the hash table is empty, the default rule (D) becomes the matching rule. Fig. 5C shows a hash table created using b ₃ and b ₅ as hashes.

6 is a graph showing classification performance in terms of average number of rules referenced to find a matching rule. Referring to FIG. 6, the packet classification results using the maximum entropy key selection algorithm are 5.6 and 42.64 rulebases having 10,000 (10K), 100,000 (100K), and 500,000 (500K) rules, respectively. This shows that the rulebase is reduced to 207.02 rules.

This result is very encouraging considering that the best of the conventional packet classification methods requires at least 13 memory references for packet classification in a rulebase with 5,000 (5K) rules. . That is, according to the present invention, even when the worst case linear search is performed in the final sub-rulebase, not only two memory references are required to search the hash table, but only 5.6 You only need to reference the rules.

As described above, according to the present invention, it is possible to substantially reduce the size of the rule base by splitting the two steps. For example, in a rule base with 100K rules, the average number of rules is 7.6, and in the worst case, 258. In a rulebase with 100,000 (100K) rules, the worst case classifier will only check 258 rules for incoming packets.

Experimental data on real packet traces includes 5,000 (5K), 10,000 (10K), 20,000 (20K), 50,000 (50K), 100,000 (100K), 200,000 (200K), and In a rulebase with 500,000 (500K) rules, the classifier only needs to check 4.2, 5.6, 8.4, 20.4, 42.6, 83.2 and 207 rules, respectively, on average.

According to the present invention, even if the search is performed in the sub-rulebase under the worst condition, it exceeds RFC which is one of the optimal algorithms when the rulebase is relatively small. Here, the RFC requires 13 memory references for a rule base of 5,000 (5K) size. In addition, according to the present invention, as the size of the rule base increases, it has unique expandability in space and time.

Although the preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above, and the present invention is not limited to the specific embodiments of the present invention without departing from the spirit of the present invention as claimed in the claims. Anyone skilled in the art can make various modifications, as well as such modifications that fall within the scope of the claims.

Claims (9)

A packet classification method for processing a packet according to the retrieved rule after searching for a rule having the highest priority matching a plurality of packets input from an external network among a plurality of rules included in a predetermined rule base, A preprocessing step of dividing the rule base into a plurality of independent sub-rule bases based on at least one of a predetermined protocol and a predetermined port number, and generating a hash table based on the divided sub-rule bases; And A classification step of searching for the sub-rulebase corresponding to the packet in the hash table using a hash key extracted from the header of the packet, and classifying the packet by mapping the packet to the retrieved sub-rulebase; Packet classification method comprising a. delete The method of claim 1, When the number of rules belonging to a predetermined sub-rule base among the plurality of sub-rule bases exceeds a predetermined threshold value, Repartitioning the sub-rulebase by using the hashing extracted from the source IP address and the destination IP address in a predetermined manner, and generating a hash table based on the sub-rulebase; Packet classification method characterized in that. The method of claim 1, A specific application is determined according to the protocol and the port number. The method of claim 3, wherein the predetermined scheme is  Packet classification method characterized in that any one of the MSB pattern, Exponential growing pattern, Mask distribution pattern, and Entropy-maximizing pattern. The method of claim 5, wherein the MSB pattern method, And selecting a predetermined number of bits from the most significant bits of the destination IP address and the source IP address. The method of claim 5, wherein the exponential growing pattern method, And selecting a bit position corresponding to an exponential function of two from the destination IP address and the source IP address. The method of claim 5, wherein the mask distribution pattern method, At each bit position bi, the sum of the non-care bits in all defined rules belonging to the rulebase is summed to yield an accumulated value at each bit position, and the accumulated value from the most significant bit to the least significant bit. Summing to calculate the total accumulated value, and then selecting the predetermined bit position when the accumulated value at the predetermined bit position becomes a multiple of the total accumulated value divided by K: Where K is the bit value of the hash to be generated. The method of claim 5, wherein the Entropy-maximizing pattern method, And selecting a predetermined number of bits each of which maximizes entropy from the destination IP address and the source IP address.

Images