Fast Packet Classification Using Condition Factorization

  • Alok Tongaonkar
  • R. Sekar
  • Sreenaath Vasudevan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)


Rule-based packet classification plays a central role in network intrusion detection systems such as Snort. To enhance performance, these rules are typically compiled into a matching automaton that can quickly identify the subset of rules that are applicable to a given network packet. The principal metrics in the design of such an automaton are its size and the time taken to match packets at runtime. Previous techniques for this problem either suffered from high space overheads (i.e., automata could be exponential in the number of rules), or matching time that increased quickly with the number of rules. In contrast, we present a new technique that constructs polynomial size automata. Moreover, we show that the matching time of our automata is insensitive to the number of rules. Our experimental results demonstrate substantial improvements in space requirements, as well the runtime of Snort.


Condition Factorization Space Usage Automaton State Network Packet Tree Automaton 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aho, A., Corasick, M.: Efficient string matching: An aid to bibliographic search. Communications of the ACM 18(6), 333–343 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Bailey, M.L., Gopal, B., Pagels, M.A., Peterson, L.L., Sarkar, P.: Pathfinder: A pattern-based packet classifier. In: Operating Systems Design and Implementation, pp. 115–123 (1994)Google Scholar
  3. 3.
    Begel, A., McCanne, S., Graham, S.L.: BPF+: Exploiting global data-flow optimization in a generalized packet filter architecture. In: SIGCOMM, pp. 123–134 (1999)Google Scholar
  4. 4.
    Chandra, S., McCann, P.: Packet types. In: Second Workshop on Compiler Support for Systems Software (WCSSS) (May 1999)Google Scholar
  5. 5.
    Engler, D.R., Kaashoek, M.F.: DPF: Fast, flexible message demultiplexing using dynamic code generation. In: SIGCOMM, pp. 53–59 (1996)Google Scholar
  6. 6.
    Gupta, P., McKeown, N.: Packet classification on multiple fields. In: ACM SIGCOMM (1999)Google Scholar
  7. 7.
    Gustafsson, P., Sagonas, K.: Efficient manipulation of binary data using pattern matching. J. Funct. Program. 16(1), 35–74 (2006)CrossRefzbMATHGoogle Scholar
  8. 8.
    Hazem Hamed, E.A.-S., El-Atawy, A.: On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications 24(10) (October 2006)Google Scholar
  9. 9.
    Krügel, C., Tóth, T.: Using decision trees to improve signature-based intrusion detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 173–191. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Lakshman, T.V., Stiliadis, D.: High-speed policy-based packet forwarding using efficient multi-dimensional range matching. In: SIGCOMM, pp. 203–214 (1998)Google Scholar
  11. 11.
    McCanne, S., Jacobson, V.: The BSD packet filter: A new architecture for user-level packet capture. In: USENIX Winter, pp. 259–270 (1993)Google Scholar
  12. 12.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. In: USENIX Security (1998)Google Scholar
  13. 13.
    Ramesh, R., Ramakrishnan, I., Warren, D.: Automata-driven indexing of prolog clauses. In: Seventh Annual ACM Symposium on Principles of Programming Languages, San Francisco, pp. 281–290 (1990); Revised version appears in Journal of Logic Programming (May 1995)Google Scholar
  14. 14.
    Roesch, M.: Snort - lightweight intrusion detection for networks. In: 13th Systems Administration Conference, USENIX (1999)Google Scholar
  15. 15.
    Sekar, R., Ramakrishnan, I., Voronkov, A.: Term indexing. In: Robinson, A., Voronkov, A. (eds.) Handbook of Automated Reasoning, ch. 26, vol. II, pp. 1853–1964. Elsevier Science, Amsterdam (2001)CrossRefGoogle Scholar
  16. 16.
    Sekar, R.C., Ramesh, R., Ramakrishnan, I.V.: Adaptive pattern matching. In: Automata, Languages and Programming, pp. 247–260 (1992)Google Scholar
  17. 17.
    Singh, S., Baboescu, F., Varghese, G., Wang, J.: Packet classification using multidimensional cutting. In: SIGCOMM (2003)Google Scholar
  18. 18.
    Sommer, R., Paxson, V.: Enhancing byte-level network intrusion detection signatures with context. In: ACM CCS (2003)Google Scholar
  19. 19.
    Srinivasan, V., Varghese, G., Suri, S., Waldvogel, M.: Fast and scalable layer four switching. In: Proceedings of ACM SIGCOMM 1998, pp. 191–202 (September 1998)Google Scholar
  20. 20.
    Woo, T.Y.C.: A modular approach to packet classification: Algorithms and results. In: INFOCOM (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alok Tongaonkar
    • 1
  • R. Sekar
    • 1
  • Sreenaath Vasudevan
    • 1
  1. 1.Stony Brook UniversityUSA

Personalised recommendations