DocumentCode :
2694773
Title :
npf-a simple, traffic-adaptive packet classifier using on-line reorganization of rule trees
Author :
Shaikot, Shariful Hasan ; Kim, Min Sik
Author_Institution :
Sch. of Electr. Eng. & Comput. Sci., Washington State Univ., Pullman, WA, USA
fYear :
2009
fDate :
20-23 Oct. 2009
Firstpage :
899
Lastpage :
906
Abstract :
Packet classification is one of the crucial components of applications such as firewalls, intrusion detection, and differentiated services. For example, an intrusion detection system (IDS) classifies packets as either benign or malicious and alerts the network administrator when hostile traffic is detected. Since existing IDSs spend the majority of CPU time in packet classification, an IDS fails to detect malicious packets under high load. Many ideas have been proposed to make packet inspection faster so that an IDS spends less time in packet classification. However, because of the increasing number of security threats and vulnerabilities, the number of rules often exceeds thousands, requiring more than hundreds of megabytes of memory. As a result, an IDS takes longer to classify packets since each packet incurs many memory accesses, and thus the throughput of an IDS is limited by memory bandwidth. The problem can be mitigated by exploiting locality in traffic patterns. In this paper, we propose npf, a fast and traffic-adaptive packet classifier which dynamically reorganizes its internal data structure based on the traffic pattern. Unlike existing approaches requiring a separate, off-line reorganization phase, npf performs reorganization on-line with little overhead, resulting in higher throughput without compromising accuracy. Experimental results on our test bed show that npf outperforms a traditional packet classifier by spending an order of magnitude less time per packet to classify it.
Keywords :
computer network security; pattern classification; telecommunication traffic; IDS throughput; internal data structure; intrusion detection system; malicious packet detection; memory access; memory bandwidth; network administrator; npf traffic-adaptive packet classifier; online reorganization; packet classification; packet inspection; rule trees; security threats; Classification tree analysis; Computer displays; Computer networks; Computer security; Databases; High-speed networks; Inspection; Intrusion detection; Telecommunication traffic; Throughput;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on
Conference_Location :
Zurich
Print_ISBN :
978-1-4244-4488-5
Electronic_ISBN :
978-1-4244-4487-8
Type :
conf
DOI :
10.1109/LCN.2009.5355038
Filename :
5355038