Modelling and analysis of rule-based network security middleboxes

Khaled Salah; Aslam Chaudary

doi:10.1049/iet-ifs.2014.0545

Modelling and analysis of rule-based network security middleboxes

Khaled Salah, Aslam Chaudary

Electrical Engineering

King Fahd University for Petroleum and Minerals (KFUPM)

Research output: Contribution to journal › Article › peer-review

3 Scopus citations

Abstract

This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.

Original language	British English
Pages (from-to)	305-312
Number of pages	8
Journal	IET Information Security
Volume	9
Issue number	6
DOIs	https://doi.org/10.1049/iet-ifs.2014.0545
State	Published - 1 Nov 2015

Access to Document

10.1049/iet-ifs.2014.0545

Cite this

@article{864aed0af4c742e1b71118d3b91de9b3,

title = "Modelling and analysis of rule-based network security middleboxes",

abstract = "This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.",

author = "Khaled Salah and Aslam Chaudary",

note = "Publisher Copyright: {\textcopyright} The Institution of Engineering and Technology 2015.",

year = "2015",

month = nov,

day = "1",

doi = "10.1049/iet-ifs.2014.0545",

language = "British English",

volume = "9",

pages = "305--312",

journal = "IET Information Security",

issn = "1751-8709",

publisher = "John Wiley and Sons Ltd",

number = "6",

}

TY - JOUR

T1 - Modelling and analysis of rule-based network security middleboxes

AU - Salah, Khaled

AU - Chaudary, Aslam

N1 - Publisher Copyright: © The Institution of Engineering and Technology 2015.

PY - 2015/11/1

Y1 - 2015/11/1

N2 - This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.

AB - This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.

UR - http://www.scopus.com/inward/record.url?scp=84944052558&partnerID=8YFLogxK

U2 - 10.1049/iet-ifs.2014.0545

DO - 10.1049/iet-ifs.2014.0545

M3 - Article

AN - SCOPUS:84944052558

SN - 1751-8709

VL - 9

SP - 305

EP - 312

JO - IET Information Security

JF - IET Information Security

IS - 6

ER -

Modelling and analysis of rule-based network security middleboxes

Abstract

Access to Document

Other files and links

Fingerprint

Cite this