Accelerating network security services with fast packet classification

To protect a network, secure network systems such as intrusion detection system (IDS) and firewall are often installed to control or monitor network traffic. These systems often incur substantial delay for analyzing network packets. The delay can be reduced with fast packet classification, which can effectively classify network traffic, and consequently accelerate the analysis of network packets. In the last few years, many researchers devoted to providing fast packet classification methods for multidimensional classifier. However, these methods either suffer from poor performance and huge storage requirement, or are lack of dimension scalability. In this paper, we propose a packet classification method based on tuple space search, and use the multidimensional binary search tree (Kd-tree) to improve search performance. The proposed scheme requires only O(dlogW) search time and controlled storage requirement, where d is the number of dimensions, and W is the utmost bit length for specifying prefixes in a classification rule. It features fast packet classification, and supports dynamic update which is a basic requirement of many secure network services, such as IDS and firewall.