Summary: Master's === National Chung Hsing University === Department of Computer Science and Engineering === 99 ===

Packet filters are packet classification rules that classify packets based on their header fields. A filter conflict occurs when two or more filters overlap, causing an ambiguity in packet classification. These conflicts may cause security vulnerabilities in services based on packet classification, e.g. firewalls and access control lists. Conflicts must therefore be detected within a reasonable time period. SBV is the first algorithm designed for multidimensional conflict detection, but it cannot distinguish between overlapping conflicts and subset conflicts. Subset conflicts can be resolved by reordering filters, while overlapping conflicts cannot. In this paper, we describe how to extract overlapping conflicts by modifying the original SBV algorithm. The modified algorithm supports range fields in packet filters and generates correct overlapping-conflict results. To further shorten detection time, we redefine the bit vectors and handle range fields using the boundary address concept to speed up the conflict detection procedure. Our experimental results show that the new algorithm is two times faster than the modified SBV algorithm in detecting overlapping conflicts.
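The distinction between subset and overlapping conflicts can be shown with a naive pairwise check over range fields. This is an added example, not the thesis's SBV or modified algorithm, and it ignores filter actions. It assumes that a subset conflict means one filter is contained in the other in every field; the filter names and values are constructed.

```python
from ipaddress import ip_network
from itertools import combinations

def net(cidr):
    """Turn a CIDR prefix into an inclusive (low, high) integer range."""
    n = ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))

# Constructed sample filters: (name, source-address range, destination-port range).
FILTERS = [
    ("F1", net("10.0.0.0/8"),     (0, 1023)),
    ("F2", net("10.1.0.0/16"),    (80, 80)),
    ("F3", net("10.1.0.0/16"),    (0, 65535)),
    ("F4", net("192.168.0.0/16"), (22, 22)),
    ("F5", net("10.0.0.0/8"),     (1000, 2000)),
]

def intersects(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def classify(f, g):
    """Return 'none', 'subset' or 'overlapping' for two filters."""
    fields = list(zip(f[1:], g[1:]))
    # Two filters can match the same packet only if every field intersects.
    if not all(intersects(a, b) for a, b in fields):
        return "none"
    # Assumed definition: subset conflict = containment in every field,
    # which an ordering (more specific filter first) can resolve.
    if all(contains(a, b) for a, b in fields) or \
       all(contains(b, a) for a, b in fields):
        return "subset"
    # Otherwise neither filter is more specific; reordering cannot help.
    return "overlapping"

def find_conflicts(filters):
    """Check all pairs (O(n^2)); return {(name, name): kind} for conflicts."""
    return {(f[0], g[0]): kind
            for f, g in combinations(filters, 2)
            if (kind := classify(f, g)) != "none"}

if __name__ == "__main__":
    for pair, kind in find_conflicts(FILTERS).items():
        print(pair, kind)
```

F1 and F3 conflict in the overlapping sense because F3 is narrower on the address field but wider on the port field, while F1 and F5 do so because their port ranges only partially intersect.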