High Performance and High Scalable Packet Classification Algorithm for Network Security Systems

Packet classification is a core function in network and security systems; hence, hardware-based solutions, such as packet classification accelerator chips or Ternary Content Addressable Memory (T-CAM), have been widely adopted for high-performance systems. With the rapid improvement of general hardw...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing Vol. 14; no. 1; pp. 37 - 49
Main Authors: Pak, Wooguil, Choi, Young-June
Format: Journal Article
Language:English
Published: Washington IEEE 01.01.2017
IEEE Computer Society
Subjects:
Algorithms
Associative memory
Asynchronous transfer mode
Benchmarks
Buildings
cache-aware table structure
Classification
Classification algorithms
Cybersecurity
Decision trees
Hardware
Heuristic algorithms
integrated inter- and intra-table search
Microprocessors
Network security
Network switching
Packet classification
Packet switched networks
partitioning
Partitioning algorithms
Scalability
Security
Security systems
Software
Software engineering
Studies
System effectiveness
Tables
ISSN:1545-5971, 1941-0018
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Abstract Packet classification is a core function in network and security systems; hence, hardware-based solutions, such as packet classification accelerator chips or Ternary Content Addressable Memory (T-CAM), have been widely adopted for high-performance systems. With the rapid improvement of general hardware architectures and growing popularity of multi-core multi-threaded processors, software-based packet classification algorithms are attracting considerable attention, owing to their high flexibility in satisfying various industrial requirements for security and network systems. For high classification speed, these algorithms internally use large tables, whose size increases exponentially with the ruleset size; consequently, they cannot be used with a large rulesets. To overcome this problem, we propose a new software-based packet classification algorithm that simultaneously supports high scalability and fast classification performance by merging partition decision trees in a search table. While most partitioning-based packet classification algorithms show good scalability at the cost of low classification speed, our algorithm shows very high classification speed, irrespective of the number of rules, with small tables and short table building time. Our test results confirm that the proposed algorithm enables network and security systems to support heavy traffic in the most effective manner.
AbstractList Packet classification is a core function in network and security systems; hence, hardware-based solutions, such as packet classification accelerator chips or Ternary Content Addressable Memory (T-CAM), have been widely adopted for high-performance systems. With the rapid improvement of general hardware architectures and growing popularity of multi-core multi-threaded processors, software-based packet classification algorithms are attracting considerable attention, owing to their high flexibility in satisfying various industrial requirements for security and network systems. For high classification speed, these algorithms internally use large tables, whose size increases exponentially with the ruleset size; consequently, they cannot be used with a large rulesets. To overcome this problem, we propose a new software-based packet classification algorithm that simultaneously supports high scalability and fast classification performance by merging partition decision trees in a search table. While most partitioning-based packet classification algorithms show good scalability at the cost of low classification speed, our algorithm shows very high classification speed, irrespective of the number of rules, with small tables and short table building time. Our test results confirm that the proposed algorithm enables network and security systems to support heavy traffic in the most effective manner.
Author Young-June Choi
Wooguil Pak
Author_xml – sequence: 1
  givenname: Wooguil
  surname: Pak
  fullname: Pak, Wooguil
– sequence: 2
  givenname: Young-June
  surname: Choi
  fullname: Choi, Young-June
BookMark eNp9kEtLAzEQgIMoqNUfIF4Cnrdm8thsjqU-KogKrecQs4nGbndrkiL9925t8eChh2GGYb6Z4TtFh23XOoQugAwBiLqe3UzHQ0pADCnnTEp2gE5AcSgIgeqwrwUXhVASjtFpSp-EUF4pfoL0JLx_4BcXfRcXprUOm7bGv82pNY15axx-MXbuMh43JqXggzU5dC0eNe9dDPljgXsUP7n83cU5njq76rtrPF2n7BbpDB150yR3vssD9Hp3OxtPisfn-4fx6LGwTEEuDGHcl_1X1Pm3slYVN6IEI42sRSVAemZrwahnpTF1xYUU_feVojUta6s8sAG62u5dxu5r5VLWn90qtv1JTUFyXnJCyn1TUEkoCZN9DBBsp2zsUorO62UMCxPXGoje2NYb23pjW-9s94z8x9iQf0XlaEKzl7zcksE593dJAiWKKfYDzwKNfg
CODEN ITDSCM
CitedBy_id crossref_primary_10_1016_j_comnet_2020_107534
crossref_primary_10_1109_ACCESS_2020_2990331
Cites_doi 10.1109/SFFCS.1999.814600
10.1109/ISPAN.2002.1004254
10.1109/TNET.2009.2018618
10.1109/INFCOM.2005.1498483
10.1109/INFCOM.2000.832493
10.1145/1108956.1108958
10.1109/INFCOM.2005.1497898
10.1109/INFCOM.2005.1497901
10.1109/JSAC.2003.810527
10.1016/j.comnet.2008.11.017
10.1109/ISIE.2009.5215939
10.1109/LCOMM.2010.100810.100572
10.1109/TDSC.2009.28
10.1109/TIT.2009.2021326
10.1007/s10994-009-5103-0
10.1109/TNET.2005.857070
10.1109/65.912717
10.1145/863955.863980
ContentType Journal Article
Copyright Copyright IEEE Computer Society Jan-Feb 2017
Copyright IEEE Computer Society 2017
Copyright_xml – notice: Copyright IEEE Computer Society Jan-Feb 2017
– notice: Copyright IEEE Computer Society 2017
DBID 97E
RIA
RIE
AAYXX
CITATION
JQ2
DOI 10.1109/TDSC.2015.2443773
DatabaseName IEEE All-Society Periodicals Package (ASPP) 2005-present
IEEE All-Society Periodicals Package (ASPP) 1998-Present
IEEE Electronic Library (IEL)
CrossRef
ProQuest Computer Science Collection
DatabaseTitle CrossRef
ProQuest Computer Science Collection
DatabaseTitleList ProQuest Computer Science Collection
ProQuest Computer Science Collection
Database_xml – sequence: 1
  dbid: RIE
  name: IEEE Electronic Library (IEL)
  url: https://ieeexplore.ieee.org/
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISSN 1941-0018
EndPage 49
ExternalDocumentID 4316974071
10_1109_TDSC_2015_2443773
7120939
Genre orig-research
Feature
GrantInformation_xml – fundername: National Research Foundation of Korea (NRF)
  funderid: 10.13039/100007431
– fundername: Basic Science Research Program
– fundername: Ministry of Education, Science and Technology
  grantid: NRF-2014R1A1A1038306
  funderid: 10.13039/501100004085
GroupedDBID .4S
.DC
0R~
29I
4.4
5GY
5VS
6IK
7WY
8FE
8FG
8FL
8R4
8R5
97E
AAJGR
AARMG
AASAJ
AAWTH
ABAZT
ABJCF
ABQJQ
ABUWG
ABVLG
ACGFO
ACIWK
AENEX
AETIX
AFKRA
AGQYO
AGSQL
AHBIQ
AIBXA
AKJIK
AKQYR
ALMA_UNASSIGNED_HOLDINGS
ARAPS
ARCSS
ATWAV
AZQEC
BEFXN
BENPR
BEZIV
BFFAM
BGLVJ
BGNUA
BKEBE
BPEOZ
BPHCQ
CCPQU
CS3
DU5
DWQXO
EBS
EDO
EJD
FRNLG
GNUQQ
HCIFZ
HZ~
IEDLZ
IFIPE
IPLJI
ITG
ITH
JAVBF
K60
K6V
K6~
K7-
L6V
LAI
M0C
M43
M7S
O9-
OCL
P2P
P62
PHGZM
PHGZT
PQBIZ
PQBZA
PQGLB
PQQKQ
PROAC
PTHSS
PUEGO
Q2X
RIA
RIE
RNI
RNS
RZB
AAYXX
AFFHD
CITATION
JQ2
ID FETCH-LOGICAL-c391t-a034f60022efb6d984a561a7a7d58517f3cd532f36aad84575894892d26dc9f13
IEDL.DBID RIE
ISICitedReferencesCount 19
ISICitedReferencesURI http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000394113900005&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
ISSN 1545-5971
IngestDate Thu Sep 25 00:44:05 EDT 2025
Mon Nov 10 03:02:55 EST 2025
Sat Nov 29 03:48:42 EST 2025
Tue Nov 18 21:13:13 EST 2025
Wed Aug 27 02:56:26 EDT 2025
IsPeerReviewed false
IsScholarly true
Issue 1
Language English
License https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html
LinkModel DirectLink
MergedId FETCHMERGED-LOGICAL-c391t-a034f60022efb6d984a561a7a7d58517f3cd532f36aad84575894892d26dc9f13
Notes SourceType-Scholarly Journals-1
ObjectType-Feature-1
content type line 14
ObjectType-Article-1
ObjectType-Feature-2
PQID 1871603760
PQPubID 27603
PageCount 13
ParticipantIDs proquest_journals_2174464006
proquest_journals_1871603760
ieee_primary_7120939
crossref_primary_10_1109_TDSC_2015_2443773
crossref_citationtrail_10_1109_TDSC_2015_2443773
PublicationCentury 2000
PublicationDate 2017-01-01
PublicationDateYYYYMMDD 2017-01-01
PublicationDate_xml – month: 01
  year: 2017
  text: 2017-01-01
  day: 01
PublicationDecade 2010
PublicationPlace Washington
PublicationPlace_xml – name: Washington
PublicationTitle IEEE transactions on dependable and secure computing
PublicationTitleAbbrev TDSC
PublicationYear 2017
Publisher IEEE
IEEE Computer Society
Publisher_xml – name: IEEE
– name: IEEE Computer Society
References ref12
ref15
suri (ref6) 0
ref10
xu (ref21) 0
ref2
ref1
ref17
ref16
ref18
varghese (ref19) 0
kaufman (ref24) 2008
waldvogel (ref22) 0
florin (ref13) 0
ref26
ref25
ref20
lakshman (ref14) 0
song (ref23) 0
gupta (ref11) 0
ref27
ref8
ref7
ref9
ref4
ref3
ref5
References_xml – start-page: 1445
  year: 0
  ident: ref21
  article-title: A novel cache architecture to support Layer-four packet classification at memory access speeds
  publication-title: Proc IEEE Conf Comput Commun Soc
– start-page: 135
  year: 0
  ident: ref6
  article-title: Packet classification using tuple space search
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– start-page: 199
  year: 0
  ident: ref13
  article-title: Scalable packet classification
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– start-page: 191
  year: 0
  ident: ref19
  article-title: Fast and scalable layer four switching
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– ident: ref25
  doi: 10.1109/SFFCS.1999.814600
– ident: ref5
  doi: 10.1109/ISPAN.2002.1004254
– ident: ref12
  doi: 10.1109/TNET.2009.2018618
– ident: ref8
  doi: 10.1109/INFCOM.2005.1498483
– ident: ref18
  doi: 10.1109/INFCOM.2000.832493
– ident: ref1
  doi: 10.1145/1108956.1108958
– ident: ref9
  doi: 10.1109/INFCOM.2005.1497898
– ident: ref17
  doi: 10.1109/INFCOM.2005.1497901
– ident: ref10
  doi: 10.1109/JSAC.2003.810527
– start-page: 203
  year: 0
  ident: ref14
  article-title: High speed policy-based packet forwarding using efficient multi-dimensional range matching
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– ident: ref15
  doi: 10.1016/j.comnet.2008.11.017
– ident: ref4
  doi: 10.1109/ISIE.2009.5215939
– ident: ref16
  doi: 10.1109/LCOMM.2010.100810.100572
– start-page: 25
  year: 0
  ident: ref22
  article-title: Scalable high speed IP routing lookups
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– ident: ref2
  doi: 10.1109/TDSC.2009.28
– start-page: 2518
  year: 0
  ident: ref23
  article-title: IPv6 lookups using distributed and load balanced bloom filters for 100 Gbps core router line cards
  publication-title: Proc IEEE Conf Comput Commun Soc
– ident: ref27
  doi: 10.1109/TIT.2009.2021326
– year: 2008
  ident: ref24
  publication-title: Finding Groups in Data An Introduction to Cluster Analysis
– start-page: 147
  year: 0
  ident: ref11
  article-title: Packet classification on multiple fields
  publication-title: Proc ACM Conf Appl Technol Archit Protocols Comput Commun
– ident: ref26
  doi: 10.1007/s10994-009-5103-0
– ident: ref20
  doi: 10.1109/TNET.2005.857070
– ident: ref7
  doi: 10.1109/65.912717
– ident: ref3
  doi: 10.1145/863955.863980
SSID ssj0024894
Score 2.2541273
Snippet Packet classification is a core function in network and security systems; hence, hardware-based solutions, such as packet classification accelerator chips or...
SourceID proquest
crossref
ieee
SourceType Aggregation Database
Enrichment Source
Index Database
Publisher
StartPage 37
SubjectTerms Algorithms
Associative memory
Asynchronous transfer mode
Benchmarks
Buildings
cache-aware table structure
Classification
Classification algorithms
Cybersecurity
Decision trees
Hardware
Heuristic algorithms
integrated inter- and intra-table search
Microprocessors
Network security
Network switching
Packet classification
Packet switched networks
partitioning
Partitioning algorithms
Scalability
Security
Security systems
Software
Software engineering
Studies
System effectiveness
Tables
Title High Performance and High Scalable Packet Classification Algorithm for Network Security Systems
URI https://ieeexplore.ieee.org/document/7120939
https://www.proquest.com/docview/1871603760
https://www.proquest.com/docview/2174464006
Volume 14
WOSCitedRecordID wos000394113900005&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
journalDatabaseRights – providerCode: PRVIEE
  databaseName: IEEE Electronic Library (IEL)
  customDbUrl:
  eissn: 1941-0018
  dateEnd: 99991231
  omitProxy: false
  ssIdentifier: ssj0024894
  issn: 1545-5971
  databaseCode: RIE
  dateStart: 20040101
  isFulltext: true
  titleUrlDefault: https://ieeexplore.ieee.org/
  providerName: IEEE
link http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LS8QwEB508eDFt7i-yMGTWG2bbB7HxQeeloVV8FbSPFTQXdmt_n4zaXZFFMFbaZNS8nUyM5nHB3Biy5rVtCez3OrgoDArsqD06kxaZjUvhdC8JZsQg4F8eFDDJThb1MI452LymTvHyxjLtxPzjkdlFwILPalahmUheFur9dVXT0bSQ7QIsmAkFymCWeTq4u5qdIlJXL3zoMuoEPSbDoqkKj924qhebtb_92EbsJbMSNJvcd-EJTfegvU5RQNJErsNFeZxkOFXdQDRY0vizVFAB-umyFAHSW5IpMfExKGIFem_PE6mz83TKwlTyaDNFiejRHdHUqfzHbi_ub67vM0Sp0JmqCqaTOeUeYzFlc7X3CrJdLCgtNDCYoBQeGpsj5aecq2tZMGYC-sqVWlLbo3yBd2FzngydntADCuNNN4xmVvGaqW8D7sFl9Z6Y1TR60I-X-XKpIbjyHvxUkXHI1cVAlMhMFUCpguniylvbbeNvwZvIxKLgQmELhzOoaySPM6qAv3CHBOAfn2MfhnjYTvj-7-_9ABWS9Tn8ezlEDrN9N0dwYr5aJ5n0-P4J34CN6Pakg
linkProvider IEEE
linkToHtml http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LT9wwEB5RilQupYUitoXWB06ogcR2YvuIeIiqdLXSbiVuluNHiwS7aAn8_noc7yJUVKm3KLGjyF_GM-N5fAD7jra8ZbUsSmeig8KdKKLSawvpuDMNFcI0PdmEGA7l1ZUarcDXZS2M9z4ln_lDvEyxfDezD3hUdiSw0JOpV_C65pyWfbXWU2c9mWgP0SYooplc5RhmVaqjyen4BNO46sOozZgQ7JkWSrQqf-3FScGcb_zfp72Dt9mQJMc98u9hxU83YWNB0kCyzG6BxkwOMnqqDyBm6ki6OY74YOUUGZkoyx1JBJmYOpTQIsc3v2bz6-73LYlTybDPFyfjTHhHcq_zD_Dz_GxyclFkVoXCMlV1hSkZDxiNoz60jVOSm2hDGWGEwxChCMy6mtHAGmOc5NGci-sqFXW0cVaFim3D6nQ29TtALKdW2uC5LB3nrVIhxP2ikc4Fa1VVD6BcrLK2ueU4Ml_c6OR6lEojMBqB0RmYARwsp9z1_Tb-NXgLkVgOzCAMYHcBpc4Sea8r9AxLTAF68TF6ZryJG1rz8eWXfoE3F5Mfl_ry2_D7J1inqN3TScwurHbzB78Ha_axu76ff05_5R-9Lt3Z
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=High+Performance+and+High+Scalable+Packet+Classification+Algorithm+for+Network+Security+Systems&rft.jtitle=IEEE+transactions+on+dependable+and+secure+computing&rft.au=Pak%2C+Wooguil&rft.au=Choi%2C+Young-June&rft.date=2017-01-01&rft.pub=IEEE+Computer+Society&rft.issn=1545-5971&rft.eissn=1941-0018&rft.volume=14&rft.issue=1&rft.spage=37&rft_id=info:doi/10.1109%2FTDSC.2015.2443773&rft.externalDBID=NO_FULL_TEXT&rft.externalDocID=4316974071
thumbnail_l http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1545-5971&client=summon
thumbnail_m http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1545-5971&client=summon
thumbnail_s http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1545-5971&client=summon