Packet Cassification with Network Traffic Statistics Yaxuan Qi and Jun Li Research Institute of Information Technoogy (RIIT), Tsinghua Uniersity Beijing, China, 100084 Abstract-- Packet cassification on mutipe header fieds is one of the basic techniques for poicy enforcement appications in network deices. In this paper, we anayzed the existing packet cassification agorithms from a theoretica point of iew, focusing on the information expoitation in each agorithm. A noe packet cassification scheme is proposed that expoits not ony the structura characteristics of network packet cassifiers but aso the statistica characteristics of network traffic fows. The proposed agorithm D-Cuts (Dynamic Cuttings) is based on a decision tree data structure simiar to but improed than the preiousy we-known agorithm HiCuts. Howeer, the memory aocation function in D-Cuts is significanty improed by introducing the statistica characteristics of network traffic. A set of unified discrimination criterion based on entropy measurement is aso adopted by D-Cuts. Experimenta resuts show that D-Cuts performs superior to other popuar mutipefied packet cassification agorithms. Its aerage search time is on the same order as for the HiCuts optimized for speed whie its memory usage is on the same order as for HiCuts optimized for space. Index terms packet cassification, traffic statistics, search space. A. INTRODUCTION The Internet is becoming a more and more compex pace to ie in because of its use for more and more mission critica tasks executed by organizations. It is desired that those critica actiities not be suberted either by heay traffic sent by other organizations or by maicious intruders. Traffic engineering, access contro, and many other serices require a discrimination of packets based on mutipe fieds of packet headers, which is caed packet cassification. Packet cassification is empoyed by poicy enforcing deices to impement a number of adanced Internet serices, such as poicy-based routing, access-contro, serice differentiation, oad baancing, traffic shaping and traffic biing. Each serice requires the Internet deices to cassify packets into different fows and then perform appropriate actions depending upon which fow the packet beongs to. These fows are specified by a cassifier containing a set of rues. With the rapid deeopment of poicy enforced networks, packet cassification becomes more and more important and there is a need for efficient packet cassification agorithms to enabe high speed poicy enforcement. Seera popuar agorithms hae been proposed and some of them proide reasonabe soutions. Most of the new agorithms proposed in recent years, especiay the heuristic agorithms, are inspired by the obseration of redundancy in the data structure of reaife cassifiers. Such obseration is introduced into the design of packet cassification agorithms to improe the cassification performance. The importance of the obseration against rea-ife cassifiers is undeniabe, but it was a bottom-up approach and hence ack of theoretica guidance. Therefore, it is hard to further improe and refine those agorithms foowing this direction. Our research starts from the theoretica anaysis on the packet cassification probem. We compared and anayzed the existing agorithms from two aspects: the expoitation of the heuristic information and the diision of the search space. Based on the concusion of such anaysis, we present a noe packet cassification scheme that adopts network traffic statistica characteristics into the decision tree based cassification agorithms. Compared to the we-known agorithm HiCuts, its aerage search time is on the same order as for the HiCuts optimized for speed whie its memory storage requirements are on the same order as for HiCuts optimized for space. The rest of the paper is organized as foows. SECTION B gies a mathematic definition of the packet cassification probem; SECTION C compares and anayzes the most popuar existing packet cassification agorithms; SECTION D presents the reasoning to introduce network traffic statistica characteristics into the decision tree based data structure; SECTION E describes the proposed agorithm Dynamic Cuttings (D- Cuts); SECTION F iustrates the experimenta resuts of D-Cuts in comparison with the existing agorithms; as a summary, SECTION G states our concusions. B. MATHEMATIC DEFINITION OF PACKET CLASSIFICATION Generic packet cassification cassifies a packet based on mutipe fieds of its header. Each rue of the cassifier specifies a cass that a packet may beong to, based on certain specifications on the F fieds (dimensions) of the packet header. The cass uniquey determines the action associated to the rue. Each rue has F components. The ith component of rue R, referred to as Ri [], is a reguar expression on the ith fied of the packet header. A packet P is said to match a particuar rue R, if, the ith fied of the header of P satisfies the reguar expression Ri [], for a 0 i< F.
The casses specified by the rue set may be oerapping, i.e. one packet can match seera rues. From a theoretica point of iew, the F fieds of the packet header make up a muti-dimensiona space, which is caed the search space in this paper. Each of the F fieds is a dimension of the search space. A packet P is a point in the muti-dimensiona search space. For the generaized range matching, the reguar expression R[] i refers to a range in the ith dimension of the search space and a of these ranges make up a F-dimensiona hypercube. If a packet P matches a particuar rue R, the point P fas into the hyper-cube specified by R. Therefore, packet cassification can be treated as a point ocation probem in computing geometry. The point ocation probem is inherenty hard to soe. It has been proed [2] that in its fuest generaity, packet F 1 cassification requires either O(og N) time and F ON ( ) space, or O(og N ) time and ON ( ) space where N is the number of rues, and F is the number of header fieds. Therefore, it is reatiey simpe to perform packet cassification at high speed using arge amounts of storage, or at ow speed with sma amounts of storage. When matching mutipe fieds (in another word, searching in mutipe dimensions) simutaneousy, howeer, it is difficut to achiee both high cassification speed and modest storage in the worst-case. C. ANALYSIS OF PREVIOUS WORK The design of cassification agorithms is encumbered by worst-case bounds on search time and memory requirements that are so onerous as to make bruta force agorithms unusabe [3]. Therefore, it wi be futie to try to find a goba optimized agorithm under a circumstances. Instead we must search for structures or characteristics of certain cassification probems that can be expoited in pursuit of agorithms that are fast enough and use not too much space. The simpest cassification scheme is a inear search of each rue of a cassifier. Whie it is ery efficient in terms of storage requirements and update time, inear search requires a comparatiey ong search time of ON ( ). This makes it impractica to dea with arge size cassifiers as the search time increase ineary with arger N. In resent years, a ariety of packet cassification schemes hae been proposed to soe the genera probem of muti-dimensiona packet cassification. The generic idea to dea with arge cassifiers is diide and conquer: Most of the existing agorithms appropriatey diide the muti-dimensiona search space into a certain number of sub-spaces. Since there are fewer rues in each sub-space, the origina cassification probem is simpified and hence easier to dea with. Each agorithm has its own way to diide the search space. Different ways in which to appy the diision depend on the information expoited by the agorithms. Such information incudes: 1. Basic attributes of the search space, such as its dimensionaity and the ranges of aue in each dimension. 2. Structura properties of rea-ife cassifiers, incuding the distribution, redundancy and many other characteristics of the gien rue set. 3. Statistica characteristics of rea-ife (or specific, particuar) networks, such as the traffic fow statistics and the hit rates of the rues. The aboe items 1 and 2 are static information. They are definitey specified by certain cassification probems (IDS/IPS interacting with firewa and introducing firewa poicies reactiey can be treated as a specia case and does not impact the generaness of this caim). The item 3 is dynamic information because statistica characteristics of certain networks are time-ariant. Sriniasan et a. [5] proposed two agorithms Grid-oftrie and Cross-producting. Like Hierarchica tries [4] and Set-pruning tries [4], Grid-of-trie uses a trie-based data structure and the search space is equay diided bit by bit at each trie node. Superior to other trie-based agorithms, Grid-of-trie adopts switch pointers to aoid the time-consuming back tracking search. These switch pointers aow the query process to switch from one subspace to another. Cross-producting diides the search space according to the rue segmentations aong each dimension. Each segment refers to a sub-region in one of the F dimensions, and the cross-product of the F subregions makes up of a sub-space. Search can be done quicky by separate ookups on each dimension and then indexing into the cross-product tabe. Gupta and McKeown [1,3] introduced two new agorithms, RFC and HiCuts. HiCuts is based on a decision tree structure. At each tree node, the current search space is equay cut (diided) aong a chosen dimension. Which dimension to cut and the number of cuttings (diisions) depend on the characteristics of the rues beong to the node. Different from trie-based agorithms, the diision in HiCuts is not a simpe binarydiision. The agorithm determines the number of diisions according to the gien rue set. RFC is reay an improed form of Cross-producting that significanty compresses the cross-product tabe. In the first phase of RFC, the diision of the search space is the same as that of Cross-producting. Howeer, RFC is a recursie agorithm and does not obtain the cassification resut though one tabe ookup. The main idea of RFC is to pace the smaer cross-products into equiaence casses
before combing them to form arger cross-products. This equiaencing of partia cross-products consideraby reduces memory requirements, because seera origina cross-product terms map into the same equiaence cass [8]. Objectie eauation of the performance of each agorithm can be done both in worst-case anaysis and experimenta comparison. We ist the worst-case compexity of time and space in Tabe.1, from which we found that it is not obious that some agorithms are superior to others. Howeer, experimenta resuts (gien in SECTION F) show that the decision tree based agorithm mosty works we. This is because the fexibe data structure of the decision tree makes it possibe to expoit more usefu information of rea-ife cassifiers into the design of packet cassifiers. We summarize the existing agorithms as three aspects: 1. The agorithm generaity. Some of the existing agorithms, such as Grid-of-trie, are designed for 2-dimensiona packet cassification and not efficient for muti-dimensiona probems. Athough Cross-producting works we with sma number of rues in mutipe fieds, it is not abe to hande arge cassifiers. RFC is ery efficient for muti-dimensiona cassification, but it is found that RFC consumes too much storage for cassifiers with more than 2000 rues. HiCuts mosty works we with thousands of muti-dimensiona rues. Whie it is sower compared to RFC, HiCuts is abe to gie a practica soution for arge cassifiers. This is because the memory requirement for the decision tree data structure does not expodingy increase. 2. The information expoitation. Grid-of-trie expoits the information that some of the rues share the same part of the prefix, so the searching process can switch from one subspace to another in order to aoid the redundant back-tracking search. RFC takes adantage of the obseration that, in rea-ife cassifiers, the number of oerapping regions is consideraby smaer than the worst-case, thus a recursie mapping can be appied. HiCuts expoits much more heuristic information in such structura redundancy, especiay some abstract information, such as the discriminating abiity in each dimension. More information expoited, more efficient wi the agorithms be. 3. The search space diision. There are two ways to diide the search space: diiding equay and diiding according to the rues. Grid-of-trie and HiCuts adopt the former way. At each node, Grid-of-trie bisects the search space whie HiCuts diides (cuts) the search space into a certain number of equa-sized sub-spaces. Cross-producting and RFC use the atter method, diiding each dimension of the search space into segments according to the gien rues. Searching in equa-sized space needs just one operation whie in unequa-sized space (diision according to the rues) it requires a binary search with og( N ) operations. On the other hand, equa-sized diision is not as discriminatie as the diision according to the rues, i.e. it requires arger number of diisions to discriminate the gie rues. Figure.1 is a simpe exampe to compare the two ways for diision. Athough at each node, HiCuts appies an equa-sized diision, but when considered gobay, the whoe decision tree irtuay diides the search space into unequa-sized subspaces. Tabe.1 Comparison of popuar agorithms. In this tabe N is the number of rues, W is bit-width of header ector in a certain dimension (e.g. for IP address, W = 32 ), F is dimensionaity of the search space. Agorithm Worst time Worst space Linear Search ON ( ) ON ( ) Hierarchica Tries F OW ( ) ON ( ) F Cross-producting OFW ( ) ON ( ) Grid-of-tries RFC HiCuts OW ON ( ) F 1 ( ) F OF ( ) ON ( ) As a concusion, the reason why HiCuts can expoit more usefu information is that the decision tree based data structure of HiCuts is ery fexibe to adapt to different cassifiers. The proposed agorithm D-Cuts (Dynamic Cuttings) is aso based on decision tree data structure. Different from HiCuts, D-Cuts expoits not ony the static information, but aso the dynamic information of certain networks. In addition, D-Cuts uses an improed discrimination criterion in buiding the decision tree.
Figure.1 Two ways of the search space diision in one dimension for three rues ( R1, R2, R 3 ). (a) refers to equasized diision. It needs 4 diisions to discriminate the 3 rues and 1 operation to search. (b) is the diision according to the rues. It needs 3 diisions to discriminate the rues but more (up to 2) search operations. D. STATISTICAL CHARACTERISTIC OF NETWORK TRAFFIC Most of the existing cassification agorithms expoit the static information, such as the structura characteristics of rea-ife cassifiers. They assume a incoming packets are distributed uniformy in the search space. Howeer, it is unikey that the traffic in a certain network eeny spread oer a IP addresses and/or port numbers. For exampe, most Internet sessions are usuay Web appications so that majority packet headers are haing destination port numbers of 80 or 443 (HTTP or HTTPS). In a particuar network, some of the rues may be set to preent networks from irus or other attacks and thus appicabe for amost no traffic being cassified. Athough most of time there is no packet matches them, these rues hae to be kept in the cassifier for the sake of security, and thus make the diision of the search space more compex. Each network has its own traffic patterns, and the packet cassification process is affected by the dynamic characteristics to a certain extend. Our study focuses on the expoitation of network traffic characteristics to achiee more time-efficient and ess memory-consuming cassification agorithms. Chaenges of adopting this new idea incude: 1. Extracting the dynamic information of network traffic and expressing them in an appropriate form that can be empoyed in cassification agorithms. The dynamic characteristics of network traffic expoited in our agorithm are the IP address and port number statistica distribution in the search space. Periodic samping is a practica way to gather statistica information of IP and port distribution characteristics. After normaization, the statistica information is introduced into the proposed cassification agorithm as prior probabiity of the IP addresses and port numbers. 2. Optimizing the agorithm dependency to the statistica characteristics of network traffic. Different from the static structura characteristics of gien cassifiers, the dynamic characteristics of network traffic are timeariant. In the proposed D-Cuts agorithm, the extent to which it depends on the traffic statistics is determined by setting two bounds for the space factor. 3. Appying the statistica characteristics in cassification agorithm. D-Cuts expoits statistica characteristics of network traffic by dynamicay adjusting the memory aocation function. Nodes corresponding to arger traffic fow wi be aocated with more memory storage to reduce the depth of the sub-trees. Detais of the considerations wi be eaborated in the next section. E. THE PROPOSED ALGORITHM D-CUTS E.1 An Exampe To iustrate the D-Cuts agorithm we proposed in this paper, a simpe 2-dimensiona cassifier (simiar to the cassifier used in [4]) is used for demonstration, shown in Tabe.2. This cassifier is represented with two fieds in a 2-dimensiona space (X-Y pane), where each rue is represented by a rectange (Figure.2). Like HiCuts, the cassification scheme D-Cuts is based on a decision tree structure. Howeer, the way to impement cuttings on the search space is improed by expoiting not ony the structura characteristics of the specific cassifier, but aso the network traffic statistica characteristics. Spaces where there is more traffic wi be cut into more sub-spaces in order to reduce the depth of the sub-trees. Tabe 2. A sampe cassifier with 6 two-dimensiona rues, the search space is X-Y pane. Rue Fied1(X) Fied2(Y) R1 00* 00* R2 0* 01* R3 1* 0* R4 01* 00 * R5 0* 1* R6 1* 1*
Figure.2 Geometric representation of the sampe cassifier in Tabe.2. In HiCuts, space aaiabe for each N-size node (node with N rues) is determined by the function SpaceA() : SpaceA() = N * spfac (1) Where spfac is the space factor [1] and often takes aue through 1 to 4 for a time/space tradeoff. A arger spfac is ikey to consume more memory whie cost ess search time. SpaceA() sets an upper bound for the number of cuttings and, in the exampe, we simpy define the cutting number numcuts() by: numcuts() = SpaceA() (2) Figure.3 shows how HiCuts works for the sampe cassifier isted in Tabe.2. Figure.3 Decision tree buit by HiCuts for the sampe cassifier isted in Tabe.2. Leaf nodes (rectange) hae ony one rue whie interna nodes (eipse) hae more than one rues. In D-Cuts, we simpy reised the space aocation function for node by: SpaceA() = N * P()*10 (3) Where P () is defined as the probabiity of traffic faing into the region coered by node aong X dimension. In case of 40% traffic fas into region [000, 001] of X dimension and the other 60% traffic distributed uniformy in [010, 111] aong X, Figure.4 iustrates the decision tree buit by D-Cuts. Figure.4 Decision tree buit by D-Cuts for the sampe cassifier isted in Tabe.2, with 40% traffic fas into region [000, 001] of X dimension. It can be deried from Figure.3 and Figure.4 that the number of nodes in D-Cuts does not increase whie the aerage depth of decision tree decreases, comparing to HiCuts. Worst-case search time (determined by the depth of the decision tree) stays the same whie the aerage search time is improed because 40% traffic traes through the 2-ee sub-tree in D-Cuts in stead of the 3-ee sub-tree in HiCuts. E.2 Extracting Statistica Characteristics of Network Traffic Network traffic statistica characteristics are obtained by periodic samping. First, we get the packet header distribution information aong each dimension, such as IP prefixes (16-bit for B cass) and port number ranges. For exampe, a two-dimensiona array of 4*65536 entries { count[ d][ i], d = 0,...,3, i = 0,...,65535} can be used to count source/destination B-cass IP prefixes (for d=0 and 1) and source/destination port numbers (for d=2 and 3), e.g. count [3][80] is the number of samped packets with destination port 80. After samping step, a normaization process is appied to { count[ d][ i ]}. We use { prior[ d][ i], d = 0,...,3, i = 0,...,65535} to denote the normaized distribution of network traffic, where count[ d][ i] prior[ d][ i] = (4) 65535 count[ d][ j] j= 0 E.3 Introducing Statistica Characteristics Of Network Traffic To D-Cuts SECTION E.1 gies a simpe ersion of function SpaceA() to iustrate the expoitation of network traffic statistica characteristics. Here we define two genera forms of function SpaceA(). FORM-1: SpaceA() = N * spfac() (5) = N*( spfac + ( P min( P ))* K) min
3 bd 1 P = prior[ d][ i] (6) 4 d= 0 i= ad for max( P ) min( P ) > 0 K = ( spfac spfac ) /(max( P ) min( P )) max min for max( P ) min( P ) = 0 (7) K = 0 where N is the number of rues associated with node ; P is the prior probabiity assigned to node at ee of the decision tree; [ ad, b d] is the search range of node aong the dth dimension; max( P ) and min( P ) are the maximum/minimum prior probabiity among a nodes in the same ee of the decision tree; spfac min and spfac max are bounds of the space factor. FORM-2: SpaceA( ) = N * spfac( ) (8) = N * BOUND( P * D * spfac, spfac, spfac ) ag min max where spfacag = ( spfacmax + spfacmin)/2; D is the number of nodes at the same ee as node ; P takes the same definition in (6); and BOUNDabc (,, ) is defined as the foowing that has aue a with ower bound as b and upper bound as c (for b c): a b a c BOUNDabc (,, ) = b a < b (9) c a > c Different from the space factor spfac in HiCuts, the space factor spfac is not a constant in D-Cuts. It takes aue in [ spfacmin, spfac max ]. Here spfac min can be specified for space-optimization, whie spfac max is specified for time-optimization. Therefore, it can be seen in both FORM-1 and FORM-2 that nodes with arger P, i.e. arger traffic oume, wi hae more memory resered for cuttings to increase the search speed. E.4 Seecting The Number Of Cuttings numcuts(, d ) An approximate memory measurement for the cutting of node is defined as [1] numcuts(, d ) sm(, d) = numrues( ) + numcuts(, d) (10) i i= 1 where d is the dimension to cut, i is a chid node of, numrues( i ) is the number of rues coiding with ( Rue R is said to coide with node means R i spans, cuts or is contained in the range associated with ). For d = 0,...,3 numcuts(, d) is determined by maximizing sm(, d) in (10) with the imit: sm(, d) < SpaceA() (11) E.5 Seecting The Dimension To Cut dimcut() To seect a dimension to cut at node, dimcut() is determined by the discriminatie functions that can be found in [1] and [7]. In our experiment, we found that under certain circumstances, these discriminatie functions take the same aue, i.e. they cannot determine which dimension is more discriminatie to appy the cuttings. Figure.5 is an exampe to show that the discriminatie function (gien in [1]) min(max( numrues( i, d))) (12) d i fais to determine dimcut(). Figure.5 In STEP1, cut1 diide the search space [0000, 1111] into two equa-sized sub-spaces [0000, 0111] and [1000, 1111]. Both DIM1 and DIM2 hae two rues fa into the sub-space [0000, 0111]. Therefore Eq.12 cannot discriminate which dimension to cut. Note that most of the discriminatie functions are based on the number of cuttings. We gie an improed discriminatie function that does not depend on the number of cuttings. This function describes the uniformity of the rue segments distributed in each dimension. For the equa-sized diision at each tree node in D-Cuts, it is faorabe to diide the dimension with most uniformy distributed segments. Eq.13 and Eq.14 gie the definition of the improed discriminatie function max( segentropy(, d)/ numseg(, d)) (12) d
seg range segentropy(, d) *og numseg (, d ) id, d, = (13) i= 1 range seg d, id, where segid, is the ith segmented rejoin aong the dth dimension according to the rues beonging to node ; ranged, is the fu range aong dimension d in the search space of ; numseg(, d) is the tota number of segments aong dimension d in the search space of node. Adopting this discriminatie function, the aues computed for the two dimensions in Figure.5 are: 0.43 and 0.54. Therefore it is more faorabe to cut aong the second dimension. E.6 Impementation Fow-chart As a summary, the fow-chart shown in Figure.6 describes the impementation of D-Cuts. Because we use the Breadth First methodoogy to buid up the tree, each time we try to buid a node, a the nodes at the parent ee is aready done. This makes it possibe to compute the two forms of SpaceA() for each node. F. EXPERIMENTAL RESULTS F.1 Databases We eauate D-Cuts both on rea-ife firewa and core router rue sets as we as on synthetic rue sets. The reaife rue sets are obtained from typica enterprise networks and major ISPs. The two firewa rue sets are named FW1, FW2, the two router rue sets are CR1, CR2, and the synthetic rue set is SN1. The number of rues in the fie rue sets aries from 68 to 2000. A the cassifiers are 4-dimensiona with source/destination IP addresses represented as prefixes and source/destination port numbers represented as ranges. It is reported in [7] that the structura characteristics of firewa poicy tabes (rue sets) are different from core router access contro ist (ACL, aso rue sets), e.g. most source port ranges in core routers are [0, 65535], whie in firewa poicy tabes source port ranges are assigned more specificay. Statistica characteristics of network traffic are obtained by samping or reasonabe manua generation. Characteristics of the testing traffic fow are different from the samping traffics in certain extent, in order to simuate the time-ariant networks. Figure. 6 Fow-chart for impementation of D-Cuts. binth in the chart is a constant parameter defined as the maximum number of rues for eaf nodes. In D-Cuts, we set binth=8. F.2 Performance Eauation To test the performance of D-Cuts agorithm with both rea-ife and synthetic cassifiers, we examined, for each cassifier, the number of memory accesses in the query process (indicating search time) and the amount of memory usage for the whoe data structure buit by the agorithm. Note that the search time indicates the aerage search time which is the mean of the memory accesses of a testing packets. The first comparison is done between HiCuts and D- Cuts on FW2. Figure.7 shows the time/space performance in histograms for HiCuts-x ( spfac = x ) and D-Cuts (using two forms of SpaceA() ). It is obious that in HiCuts, when the space factor spfac increases, the search time decreases whie the memory usage bows up. Compared to D-Cuts, the search time is ery cose to the optimized search time (HiCuts-4) whie the memory usage is just about 2/3 of HiCuts-4. D-Cuts effectiey baances the storage space usage and the aerage searching time.
depth of them because it dose not hep to reduce the aerage search time. Figure.7 Time/Space trade-offs for FW2. Memory usage (Space) are shown by ight histograms, Memory accesses (Time) are shown dark histograms. HiCuts-x refers to HiCuts with spfac=x. D-Cuts uses FORM1 SpaceA() function whie D-Cuts uses FORM2. Figure.8 and Figure.9 are the comparison on CR2 and SN1 ia memory usage and aerage search time. It can be seen that the aerage search time of D-Cuts is on the same order as for the HiCuts optimized for speed (HiCuts-T opt in the figures) whie its memory usage is on the same order as for HiCuts optimized for space (HiCuts-S opt in the figures). Figure.9 Time/Space trade-offs for SN1. Memory usage (Space) are shown by ight histograms, Memory accesses (Time) are shown dark histograms. HiCuts-S opt is spaceoptimized whie HiCuts-T opt is time-optimized. Figure.10 Time/Space trade-offs for FW1. From eft to right are memory usage (Space), aerage memory accesses (A- Time) and worst-case memory accesses (Ws-Time). HiCuts- S opt is space-optimized whie HiCuts-T opt is time-optimized. Figure.8 Time/Space trade-offs for CR2. Memory usage (Space) are shown by ight histograms, Memory accesses (Time) are shown dark histograms. HiCuts-S opt is spaceoptimized whie HiCuts-T opt is time-optimized. Figure.10 is the comparison between HiCuts and D- Cuts ia memory usage, aerage and worst-case search time on FW1. Note that the improement of the aerage search time is much greater than that of the worst-case. This is because D-Cuts focus on reducing the depth of the decision tree where there is arger traffic. Therefore, if there is no significant traffic fow going though the deepest nodes of the tree, D-Cuts wi not reduce the Tabe.3 Memory requirements for the popuar packet cassification agorithms. RFC ABV HiCuts HiCuts D-Cuts (S opt ) (T opt ) FW1 816 6.2 12 28 23 FW2 910 34.8 15 129 57 CR1 966 1077 85 100 60 CR2 2,220 3,157 2,653 4,235 2,031 SN1 * 2435 202 789 473 *Running Out of Memory Comparison of memory usage against other popuar packet cassification agorithms is isted in Tabe.3. The worst-case search time (memory accesses) for the decision tree based agorithms aries from 30 to 130 memory accesses. In comparison, the fastest agorithm
RFC needs just 12 memory accesses whie ABV requires up to 200 memory accesses. G. CONCLUSIONS Worst-case bounds on search time and memory usage greaty hamper the design of generic agorithms for packet cassification. Instead we must search for characteristics of cassification probems in pursuit of fast enough agorithms using not too much memory storage. Our research foows the idea that more heuristic information are adopted, better cassification performance are achieed. The presented agorithm D- Cuts (Dynamic Cuttings) bases on both structura characteristics of rea-ife cassifiers (static information) and statistica characteristics of certain network traffic (dynamic information). Experimenta resut shows that D-Cuts prominenty improes the aerage search time whie keeps modest memory usage. Future work can be conducted to anayze the impact of fast changing traffic patterns and burst caused by irus or other attacks. Future work aso incudes introducing traffic statistica characteristics into other existing agorithms to deeop improed agorithms. The code we wrote for D-Cuts, HiCuts, RFC, and ABV wi be pubicy aaiabe (on ine) to encourage experimentation with cassification agorithms. [7] F. Baboescu, and G. Varghese, "Packet cassification Using Mutidimensiona Cutting," Proc. ACM SIGCOMM, 2003. [8] F. Baboescu, S. Singh, and G. Varghese, Packet cassification for core routers: Is there an aternatie to CAMs? Proc. INFOCOM, 2003. [9] V.Sriniasan, S.Suri, and G.Varghese, Packet cassification using tupe space search, in Proc. SIGCOMM, 1999. [10] S. Singh and F. Baboescu, Packet cassification repository. http://ia.ucsd.edu/cassification [11] A. Fedman and S. Muthukrishnan, Tradeoffs for packet cassification, in Proc. INFOCOM, 2000. [12] T. Lakshman and D. Stiiadis, High speed poicy-based packet forwarding using efficient mutidimensiona range matching, in Proc. SIGCOMM,1998. H. ACKNOWLEDGEMENT The authors woud ike to express their thanks to Dr. Enke Chen, as we as Quan Huang, for their heps in proiding and preparing data for the experiments. Thanks aso due to Mr. Dongyi Jiang and other coeagues of RIIT Network Security Lab for their generous suggestions and encouragement. I. REFERENCE [1] P. Gupta and N. McKeown, Packet cassification using hierarchica inteigent cuttings, in Proc. Hot Interconnects, 1999 [2] M.H. Oermars and A.F. an der Stappen, Range searching and point ocation among fat objects, in Journa of Agorithms, 21(3), 1996 [3] P. Gupta and N. McKeown, Packet cassification on mutipe fieds, in Proc. ACM SIGCOMM 99, 1999. [4] P. Gupta, and N. McKewon, Agorithms for Packet Cassification, IEEE Network, March/Apri 2001, 2001. [5] V. Sriniasan, et a., "Fast and Scaabe Layer Four Switching," Proc. ACM SIGCOMM, 1998. [6] F. Baboescu, and G. Varghese, "Scaabe Packet Cassification," Proc. ACM SIGCOMM, 2001.