- The document presents a new protocol for identifying redundant firewall rules across different administrative domains in a privacy-preserving manner.
- Prior work on firewall optimization focused only on intra-domain optimization where firewall policies could be shared. This presents the first approach for inter-domain optimization without disclosing private firewall policies.
- The key challenge is for two adjacent firewalls from different domains to identify redundant rules in each other's policies without revealing their actual policies. The proposed protocol uses compact predicates and firewall decision diagrams to detect redundant rules through cooperative computation while preserving privacy.
A Crypto-System with Embedded Error Control for Secure and Reliable Communica...CSCJournals
In this paper we propose a novel Crypto-System with Embedded Error Control (CSEEC). The system supports data security and reliability using forward error correction codes (FEC). Security is provided through the use of a new symmetric encryption algorithm, while reliability is provided through the support of FEC codes. The system also supports joint security and reliability in which encryption and encoding are performed in a single step. The system aims at speeding up the encryption and encoding operations and reduces the hardware dedicated to each of these operations.In addition, the proposed system allows users to achieve secure and reliable communication in which they can alternate between a priority onsecurity and reliabilityand scale their choice to the desired level in order to attain communication quality and fulfill application needs. The system targets resource constrained nodes such as remote sensor nodes operating in noisy environments.
A Crypto-System with Embedded Error Control for Secure and Reliable Communica...CSCJournals
In this paper we propose a novel Crypto-System with Embedded Error Control (CSEEC). The system supports data security and reliability using forward error correction codes (FEC). Security is provided through the use of a new symmetric encryption algorithm, while reliability is provided through the support of FEC codes. The system also supports joint security and reliability in which encryption and encoding are performed in a single step. The system aims at speeding up the encryption and encoding operations and reduces the hardware dedicated to each of these operations.In addition, the proposed system allows users to achieve secure and reliable communication in which they can alternate between a priority onsecurity and reliabilityand scale their choice to the desired level in order to attain communication quality and fulfill application needs. The system targets resource constrained nodes such as remote sensor nodes operating in noisy environments.
Mitigation of Selfish Node Attacks In Autoconfiguration of MANETsIJAAS Team
Mobile ad-hoc networks (MANETs) are composed of mobile nodes connected by wireless links without using any pre-existent infrastructure. Hence the assigning of unique IP address to the incoming node becomes difficult. There are various dynamic auto configuration protocols available to assign IP address to the incoming nodes including grid based protocol which assigns IP address with less delay and low protocol overhead. Such protocols get affected by presence of either selfish nodes or malicious nodes. Moreover there is no centralized approach to defend against these threats like in wired network such as firewall, intrusion detection system, proxy etc. The selfish nodes are the nodes which receive packet destined to it and drop packet destined to other nodes in order to save its energy and resources. This behavior of nodes affects normal functioning of auto configuration protocol. Many algorithms are available to isolate selfish nodes but they do not deal with presence of false alarm and protocol overhead. And also there are certain algorithms which use complex formulae and tedious mathematical calculations. The proposed algorithm in this paper helps to overcome the attack of selfish nodes effect in an efficient and scalable address auto configuration protocol that automatically configures a network by assigning unique IP addresses to all nodes with a very low protocol overhead, minimal address acquisition delay and computational overhead.
Defending against collaborative attacks byranjith kumar
Dear Student,
DREAMWEB TECHNO SOLUTIONS is one of the Hardware Training and Software Development centre available in
Trichy. Pioneer in corporate training, DREAMWEB TECHNO SOLUTIONS provides training in all software
development and IT-related courses, such as Embedded Systems, VLSI, MATLAB, JAVA, J2EE, CIVIL,
Power Electronics, and Power Systems. It’s certified and experienced faculty members have the
competence to train students, provide consultancy to organizations, and develop strategic
solutions for clients by integrating existing and emerging technologies.
ADD: No:73/5, 3rd Floor, Sri Kamatchi Complex, Opp City Hospital, Salai Road, Trichy-18
Contact @ 7200021403/04
phone: 0431-4050403
THE NASH’S BALANCE IN THE THEORY OF GAMES FOR A SECURE MODEL MECHANISM IN ROU...ijcisjournal
The present work is dedicated to study attacks and countermeasure in MANET. After a short introduction to what the Mobile Ad hoc Networks (MANETs) are and network security we present a survey of various attacks in MANETs pertaining to fail routing protocols. We present the different tools used by these attacks and the mechanisms used by the secured routing protocols to counter them. We also study a mechanism of security, named the reputation, proposed for the MANETs and the protocol which implements it. We also propose a secure mechanism which is based on the reputation. Our work ends with a proposal analytical model to the modules of our mechanism and the equilibrium states of our model.
JPN1422 Defending Against Collaborative Attacks by Malicious Nodes in MANETs...chennaijp
Get the latest IEEE ns2 projects in JP INFOTECH; we are having following category wise projects like Industrial Informatics, Vehicular Technology, Networking, WSN and Manet.
For More Details:
http://jpinfotech.org/final-year-ieee-projects/2014-ieee-projects/ns2-projects/
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable D...1crore projects
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
NEW ALGORITHM FOR WIRELESS NETWORK COMMUNICATION SECURITYijcisjournal
This paper evaluates the security of wireless communication network based on the fuzzy logic in Mat lab. A new algorithm is proposed and evaluated which is the hybrid algorithm. We highlight the valuable assets in designing of wireless network communication system based on network simulator (NS2), which is crucial to protect security of the systems. Block cipher algorithms are evaluated by using fuzzy logics and a hybrid
algorithm is proposed. Both algorithms are evaluated in term of the security level. Logic (AND) is used in the rules of modelling and Mamdani Style is used for the evaluations
Anew approach to broadcast in wormhole routed three-dimensional networks is proposed. One of the most
important process in communication and parallel computer is broadcast approach.. The approach of this
case of Broadcasting is to send the message from one source to all destinations in the network which
corresponds to one-to-all communication. Wormhole routing is a fundamental routing mechanism in
modern parallel computers which is characterized with low communication latency. We show how to apply
this approach to 3-D meshes. Wormhole routing is divided the packets into set of FLITS (flow control
digits). The first Flit of the packet (Header Flit) is containing the destination address and all subsets flits
will follow the routing way of the header Flit. In this paper, we consider an efficient algorithm for
broadcasting on an all-port wormhole-routed 3D mesh with arbitrary size. We introduce an efficient
algorithm, Y-Hamiltonian Layers Broadcast(Y-HLB). In this paper the behaviors of this algorithm were
compared to the previous results, our paradigm reduces broadcast latency and is simpler. In this paper our
simulation results show the average of our proposed algorithm over the other algorithms that presented.
Identifying the Performance Efficiency Of Attribute Based Encryption With Sec...IJSRD
Attribute-based encryption (ABE) can be used for the encryption of data with attributes and logs. Instead of encrypting each part of a log with the keys of all recipients, it is possible to encrypt the log only with attributes which match recipient’s attributes. This primitive can also be used for broadcast encryption in order to decrease the number of keys used. Here the access control will be given with the keys and the attributes. The outsourcing computation cost will be comparatively less when compared to the existing system. The data will be shared between the two users if and only if the key matches. In addition, for the first time, we propose an outsourced ABE construction which provides check ability of the outsourced computation results in an efficient way. The performance analysis has been proven this method to be more secured.
Random Key Pre-distribution Schemes using Multi-Path in Wireless Sensor Networksijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
Security in Wireless Sensor Networks: Key Management Module in SOOAWSN IJNSA Journal
Due to high restrictions in wireless sensor networks, where the resources are limited, clustering protocols for routing organization have been proposed in much research for increasing system throughput, decreasing system delay and saving energy. Even these algorithms have proposed some levels of security, but because of their dynamic nature of communication, most of their security solutions are not suitable. In this paper we focus on how to achieve the highest possible level of security by applying new keymanagement technique that can be used during wireless sensor networks communications. For our proposal to be more effective and applicable to a large number of wireless sensor networks applications, we work on a special kind of architecture that have been proposed to cluster hierarchy of wireless sensor networks and we pick one of the most interesting protocols that have been proposed for this kind of architecture, which is LEACH. This proposal is a module of a complete solution that we are developing to cover all the aspects of wireless sensor networks communication which is labeled Secure Object Oriented Architecture for Wireless Sensor Networks (SOOAWSN) .
Outsourced kp abe with chosen ciphertext securitycsandit
Key-Policy Attribute Based Encryption (KP-ABE) has always been criticized for its inefficiency
drawbacks. Based on the cloud computing technology, computation outsourcing is one of the
effective solution to this problem. Some papers have proposed their schemes; however,
adversaries in their attack models were divided into two categories and they are assumed not to
communicate with each other, which is obviously unrealistic. In this paper, we first proved there
exist severe security vulnerabilities in these schemes for such an assumption, and then proposed
a security enhanced Chosen Ciphertext Attack (SE-CCA) model, which eliminates the improper
limitations. By utilizing Proxy Re-Encryption (PRE) and one-time signature technology, we also
constructed a concrete KP-ABE outsourcing scheme (O-KP-ABE) and proved its security under
SE-CCA model. Comparisons with existing schemes show that our constructions have obvious
comprehensive advantages in security and efficiency.
Research trends review on RSA scheme of asymmetric cryptography techniquesjournalBEEI
One of the cryptography classifications is asymmetric cryptography, which uses two different keys to encrypt and decrypt the message. This paper discusses a review of RSA scheme of asymmetric cryptography techniques. It is trying to present the domains of RSA scheme used including in public network, wireless sensor network, image encryption, cloud computing, proxy signature, Internet of Things and embedded device, based on the perspective of researchers’ effort in the last decade. Other than that, this paper reviewed the trends and the performance metrics of RSA scheme such as security, speed, efficiency, computational complexity and space based on the number of researches done. Finally, the technique and strengths of the proposed scheme are also stated in this paper.
Sybian Technologies Pvt Ltd
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
Sybian Technologies Pvt Ltd
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
Mitigation of Selfish Node Attacks In Autoconfiguration of MANETsIJAAS Team
Mobile ad-hoc networks (MANETs) are composed of mobile nodes connected by wireless links without using any pre-existent infrastructure. Hence the assigning of unique IP address to the incoming node becomes difficult. There are various dynamic auto configuration protocols available to assign IP address to the incoming nodes including grid based protocol which assigns IP address with less delay and low protocol overhead. Such protocols get affected by presence of either selfish nodes or malicious nodes. Moreover there is no centralized approach to defend against these threats like in wired network such as firewall, intrusion detection system, proxy etc. The selfish nodes are the nodes which receive packet destined to it and drop packet destined to other nodes in order to save its energy and resources. This behavior of nodes affects normal functioning of auto configuration protocol. Many algorithms are available to isolate selfish nodes but they do not deal with presence of false alarm and protocol overhead. And also there are certain algorithms which use complex formulae and tedious mathematical calculations. The proposed algorithm in this paper helps to overcome the attack of selfish nodes effect in an efficient and scalable address auto configuration protocol that automatically configures a network by assigning unique IP addresses to all nodes with a very low protocol overhead, minimal address acquisition delay and computational overhead.
Defending against collaborative attacks byranjith kumar
Dear Student,
DREAMWEB TECHNO SOLUTIONS is one of the Hardware Training and Software Development centre available in
Trichy. Pioneer in corporate training, DREAMWEB TECHNO SOLUTIONS provides training in all software
development and IT-related courses, such as Embedded Systems, VLSI, MATLAB, JAVA, J2EE, CIVIL,
Power Electronics, and Power Systems. It’s certified and experienced faculty members have the
competence to train students, provide consultancy to organizations, and develop strategic
solutions for clients by integrating existing and emerging technologies.
ADD: No:73/5, 3rd Floor, Sri Kamatchi Complex, Opp City Hospital, Salai Road, Trichy-18
Contact @ 7200021403/04
phone: 0431-4050403
THE NASH’S BALANCE IN THE THEORY OF GAMES FOR A SECURE MODEL MECHANISM IN ROU...ijcisjournal
The present work is dedicated to study attacks and countermeasure in MANET. After a short introduction to what the Mobile Ad hoc Networks (MANETs) are and network security we present a survey of various attacks in MANETs pertaining to fail routing protocols. We present the different tools used by these attacks and the mechanisms used by the secured routing protocols to counter them. We also study a mechanism of security, named the reputation, proposed for the MANETs and the protocol which implements it. We also propose a secure mechanism which is based on the reputation. Our work ends with a proposal analytical model to the modules of our mechanism and the equilibrium states of our model.
JPN1422 Defending Against Collaborative Attacks by Malicious Nodes in MANETs...chennaijp
Get the latest IEEE ns2 projects in JP INFOTECH; we are having following category wise projects like Industrial Informatics, Vehicular Technology, Networking, WSN and Manet.
For More Details:
http://jpinfotech.org/final-year-ieee-projects/2014-ieee-projects/ns2-projects/
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable D...1crore projects
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
NEW ALGORITHM FOR WIRELESS NETWORK COMMUNICATION SECURITYijcisjournal
This paper evaluates the security of wireless communication network based on the fuzzy logic in Mat lab. A new algorithm is proposed and evaluated which is the hybrid algorithm. We highlight the valuable assets in designing of wireless network communication system based on network simulator (NS2), which is crucial to protect security of the systems. Block cipher algorithms are evaluated by using fuzzy logics and a hybrid
algorithm is proposed. Both algorithms are evaluated in term of the security level. Logic (AND) is used in the rules of modelling and Mamdani Style is used for the evaluations
Anew approach to broadcast in wormhole routed three-dimensional networks is proposed. One of the most
important process in communication and parallel computer is broadcast approach.. The approach of this
case of Broadcasting is to send the message from one source to all destinations in the network which
corresponds to one-to-all communication. Wormhole routing is a fundamental routing mechanism in
modern parallel computers which is characterized with low communication latency. We show how to apply
this approach to 3-D meshes. Wormhole routing is divided the packets into set of FLITS (flow control
digits). The first Flit of the packet (Header Flit) is containing the destination address and all subsets flits
will follow the routing way of the header Flit. In this paper, we consider an efficient algorithm for
broadcasting on an all-port wormhole-routed 3D mesh with arbitrary size. We introduce an efficient
algorithm, Y-Hamiltonian Layers Broadcast(Y-HLB). In this paper the behaviors of this algorithm were
compared to the previous results, our paradigm reduces broadcast latency and is simpler. In this paper our
simulation results show the average of our proposed algorithm over the other algorithms that presented.
Identifying the Performance Efficiency Of Attribute Based Encryption With Sec...IJSRD
Attribute-based encryption (ABE) can be used for the encryption of data with attributes and logs. Instead of encrypting each part of a log with the keys of all recipients, it is possible to encrypt the log only with attributes which match recipient’s attributes. This primitive can also be used for broadcast encryption in order to decrease the number of keys used. Here the access control will be given with the keys and the attributes. The outsourcing computation cost will be comparatively less when compared to the existing system. The data will be shared between the two users if and only if the key matches. In addition, for the first time, we propose an outsourced ABE construction which provides check ability of the outsourced computation results in an efficient way. The performance analysis has been proven this method to be more secured.
Random Key Pre-distribution Schemes using Multi-Path in Wireless Sensor Networksijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
Security in Wireless Sensor Networks: Key Management Module in SOOAWSN IJNSA Journal
Due to high restrictions in wireless sensor networks, where the resources are limited, clustering protocols for routing organization have been proposed in much research for increasing system throughput, decreasing system delay and saving energy. Even these algorithms have proposed some levels of security, but because of their dynamic nature of communication, most of their security solutions are not suitable. In this paper we focus on how to achieve the highest possible level of security by applying new keymanagement technique that can be used during wireless sensor networks communications. For our proposal to be more effective and applicable to a large number of wireless sensor networks applications, we work on a special kind of architecture that have been proposed to cluster hierarchy of wireless sensor networks and we pick one of the most interesting protocols that have been proposed for this kind of architecture, which is LEACH. This proposal is a module of a complete solution that we are developing to cover all the aspects of wireless sensor networks communication which is labeled Secure Object Oriented Architecture for Wireless Sensor Networks (SOOAWSN) .
Outsourced kp abe with chosen ciphertext securitycsandit
Key-Policy Attribute Based Encryption (KP-ABE) has always been criticized for its inefficiency
drawbacks. Based on the cloud computing technology, computation outsourcing is one of the
effective solution to this problem. Some papers have proposed their schemes; however,
adversaries in their attack models were divided into two categories and they are assumed not to
communicate with each other, which is obviously unrealistic. In this paper, we first proved there
exist severe security vulnerabilities in these schemes for such an assumption, and then proposed
a security enhanced Chosen Ciphertext Attack (SE-CCA) model, which eliminates the improper
limitations. By utilizing Proxy Re-Encryption (PRE) and one-time signature technology, we also
constructed a concrete KP-ABE outsourcing scheme (O-KP-ABE) and proved its security under
SE-CCA model. Comparisons with existing schemes show that our constructions have obvious
comprehensive advantages in security and efficiency.
Research trends review on RSA scheme of asymmetric cryptography techniquesjournalBEEI
One of the cryptography classifications is asymmetric cryptography, which uses two different keys to encrypt and decrypt the message. This paper discusses a review of RSA scheme of asymmetric cryptography techniques. It is trying to present the domains of RSA scheme used including in public network, wireless sensor network, image encryption, cloud computing, proxy signature, Internet of Things and embedded device, based on the perspective of researchers’ effort in the last decade. Other than that, this paper reviewed the trends and the performance metrics of RSA scheme such as security, speed, efficiency, computational complexity and space based on the number of researches done. Finally, the technique and strengths of the proposed scheme are also stated in this paper.
Sybian Technologies Pvt Ltd
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
Sybian Technologies Pvt Ltd
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
Sybian Technologies Pvt Ltd
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
Sybian Technologies is a leading IT services provider & custom software development company. We offer full cycle custom software development services, from product idea, offshore software development to outsourcing support & enhancement. Sybian employs a knowledgeable group of software developers coming from different backgrounds. We are able to balance product development efforts & project duration to your business needs.
Sybian Technologies invests extensively in R&D to invent new solutions for ever changing needs of your businesses, to make it future-proof, sustainable and consistent. We work in close collaboration with academic institutions and research labs across the world to design, implement and support latest IT based solutions that are futuristic, progressive and affordable. Our services continue to earn trust and loyalty from its clients through its commitment to the following parameters
Final Year Projects & Real Time live Projects
JAVA(All Domains)
DOTNET(All Domains)
ANDROID
EMBEDDED
VLSI
MATLAB
Project Support
Abstract, Diagrams, Review Details, Relevant Materials, Presentation,
Supporting Documents, Software E-Books,
Software Development Standards & Procedure
E-Book, Theory Classes, Lab Working Programs, Project Design & Implementation
24/7 lab session
Final Year Projects For BE,ME,B.Sc,M.Sc,B.Tech,BCA,MCA
PROJECT DOMAIN:
Cloud Computing
Networking
Network Security
PARALLEL AND DISTRIBUTED SYSTEM
Data Mining
Mobile Computing
Service Computing
Software Engineering
Image Processing
Bio Medical / Medical Imaging
Contact Details:
Sybian Technologies Pvt Ltd,
No,33/10 Meenakshi Sundaram Building,
Sivaji Street,
(Near T.nagar Bus Terminus)
T.Nagar,
Chennai-600 017
Ph:044 42070551
Mobile No:9790877889,9003254624,7708845605
Mail Id:sybianprojects@gmail.com,sunbeamvijay@yahoo.com
An Effective Policy Anomaly Management Framework for FirewallsIJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
Millions of people all over the world are now connected to the Internet for doing business. Therefore, the demand for Internet and web-based services continues to grow. So, need to install required infrastructure to balance the computing. In spite the success of new infrastructure, it is susceptible to several critical
malfunctions. Therefore, to guarantee the secure operations on Network and Data, several solutions need to be developed. The researchers are working in this direction to have the better solution for security. In distributed environment, at the time of management of resources both computing and networking,
resource allocation and resource utilization, etc, the security is most crucial problem. In this paper, an extensive review has been made on the different security aspect, different types of attack and techniques to sustain and block the attack in the distributed environment.
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
Millions of people all over the world are now connected to the Internet for doing business. Therefore, the
demand for Internet and web-based services continues to grow. So, need to install required infrastructure
to balance the computing. In spite the success of new infrastructure, it is susceptible to several critical
malfunctions. Therefore, to guarantee the secure operations on Network and Data, several solutions need
to be developed. The researchers are working in this direction to have the better solution for security.
In distributed environment, at the time of management of resources both computing and networking,
resource allocation and resource utilization, etc, the security is most crucial problem. In this paper, an
extensive review has been made on the different security aspect, different types of attack and techniques to
sustain and block the attack in the distributed environment.
Interfirewall optimization across various administrative domain for enabling ...Editor IJMTER
Network security is usually protected by a firewall, which checks in-out packets against
a set of defined policies or rules. Hence, the overall performance of the firewall generally depend on
its rule management. For example, the performance can be decreased when there are firewall rule
anomalies. The anomalies may happen when two sets of firewall rules are overlapped or their
decision parts are both an acceptance and a denial simultaneously. Firewall optimization focuses on
either inter-firewall or intra-firewall optimization within one administrative domain where the
privacy of firewall policies is not a concern. Explore interfirewall optimization across administrative
domain for the first time. The key technical challenge is that firewall policy cannot be shared across
domains because a firewall policy contains confidential information and even potential security
holes, which can be exploited by attackers. Using interfirewall redundant rule which overcome the
prior problem and enable the interfirewall optimization across administrative domains. Also propose
the first cross domain cooperative firewall (CDCF) policy optimization protocol. The optimization
process involves cooperative computation between the two firewall without any party disclosing its
policy to the other.
An Energy Efficient Data Secrecy Scheme For Wireless Body Sensor NetworksCSEIJJournal
Data secrecy is one of the key concerns for wireless body sensor networks (WBSNs). Usually, a data
secrecy scheme should accomplish two tasks: key establishment and encryption. WBSNs generally face
more serious limitations than general wireless networks in terms of energy supply. To address this, in this
paper, we propose an energy efficient data secrecy scheme for WBSNs. On one hand, the proposed key
establishment protocol integrates node IDs, seed value and nonce seamlessly for security, then
establishes a session key between two nodes based on one-way hash algorithm SHA-1. On the other hand,
a low-complexity threshold selective encryption technology is proposed. Also, we design a security
selection patter exchange method with low-complexity for the threshold selection encryption. Then, we
evaluate the energy consumption of the proposed scheme. Our scheme shows the great advantage over
the other existing schemes in terms of low energy consumption.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTijsrd.com
Network security is essential for protecting the private and public networks such as banking and educational zones. Network can use different kinds of security mechanism. Among this firewall is one of the security mechanisms. The Firewalls are used as a protection barrier among the two different networks. The performance of firewall is mainly based on firewall policies. The firewall policies are used to decide whether the packets can be permitted or to be refused. These rules are crucial for the operation of firewall policies. The firewall policy contains erroneous configurations like rule redundancies, errors and conflicts. Such, conflicts are resolved by various mechanisms based on their errors. The following techniques are used for some error detection and correction process like cross-domain cooperative firewall, firewall compression, firewall decision diagrams, firewall verification tool and anomaly detection tools like FAME(Firewall Anomaly Management Environment),FPA(Firewall Policy Advisor, Fireman etc.
A Novel Management Framework for Policy Anomaly in Firewallijsrd.com
The advent of emerging technologies such as Web services, service-oriented architecture, and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages by unauthorized actions in business services. Firewalls are the most widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the quality of policy configured in the firewall. Unfortunately, designing and managing firewall policies are often error-prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools. In this paper, we represent an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate how efficiently our approach can discover and resolve anomalies in firewall policies through rigorous experiments using Automatic rule generation technique.
Redundancy removal of rules with reordering them to increase the firewall opt...eSAT Journals
Abstract
Firewalls are widely getting used for securing the private network. Firewalls check each incoming and outgoing packets and according the rules given by network administrator and it will take the decision whether to accept or discard the packet. As per the huge requirement of services on internet the rule set becomes large and takes more time to process one packet and it affects the throughput of firewall. So firewall optimization has a great demand to get good performance. Exiting research efforts developed techniques for either intra-firewall or inter-firewall optimization within a single administrative domain. In addition, existing techniques are inefficient in reducing packet processing delay, because they optimize firewall rules by only reducing the number of rules, but lack the intelligence to decide the order of rules. This paper proposes an adaptive cross-domain firewall policy optimization technique using statistical analysis, while protecting the policy confidentiality. To the best of our knowledge, we are the first to propose a technique that dynamically decides the order of rules based on the network statistics. The proposed technique not only identifies and removes redundant rules but also identifies the order of rules in the rule set to improve the performance of the system. The optimization process involves two tasks: First, collaboratively reduce the number of rules between multiple firewalls, while protecting confidentiality of them. Second, using network usage statistics, identify the order of rules in the rule set The feasibility of the proposed technique is shown with the help of the prototype implementation. The evaluation results show the effectiveness and efficiency of the proposed solution.
Keywords: Civilization, Redundancies, Adjoining, Privacy, Stiff.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Automobile Management System Project Report.pdfKamal Acharya
The proposed project is developed to manage the automobile in the automobile dealer company. The main module in this project is login, automobile management, customer management, sales, complaints and reports. The first module is the login. The automobile showroom owner should login to the project for usage. The username and password are verified and if it is correct, next form opens. If the username and password are not correct, it shows the error message.
When a customer search for a automobile, if the automobile is available, they will be taken to a page that shows the details of the automobile including automobile name, automobile ID, quantity, price etc. “Automobile Management System” is useful for maintaining automobiles, customers effectively and hence helps for establishing good relation between customer and automobile organization. It contains various customized modules for effectively maintaining automobiles and stock information accurately and safely.
When the automobile is sold to the customer, stock will be reduced automatically. When a new purchase is made, stock will be increased automatically. While selecting automobiles for sale, the proposed software will automatically check for total number of available stock of that particular item, if the total stock of that particular item is less than 5, software will notify the user to purchase the particular item.
Also when the user tries to sale items which are not in stock, the system will prompt the user that the stock is not enough. Customers of this system can search for a automobile; can purchase a automobile easily by selecting fast. On the other hand the stock of automobiles can be maintained perfectly by the automobile shop manager overcoming the drawbacks of existing system.
Event Management System Vb Net Project Report.pdfKamal Acharya
In present era, the scopes of information technology growing with a very fast .We do not see any are untouched from this industry. The scope of information technology has become wider includes: Business and industry. Household Business, Communication, Education, Entertainment, Science, Medicine, Engineering, Distance Learning, Weather Forecasting. Carrier Searching and so on.
My project named “Event Management System” is software that store and maintained all events coordinated in college. It also helpful to print related reports. My project will help to record the events coordinated by faculties with their Name, Event subject, date & details in an efficient & effective ways.
In my system we have to make a system by which a user can record all events coordinated by a particular faculty. In our proposed system some more featured are added which differs it from the existing system such as security.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSEDuvanRamosGarzon1
AIRCRAFT GENERAL
The Single Aisle is the most advanced family aircraft in service today, with fly-by-wire flight controls.
The A318, A319, A320 and A321 are twin-engine subsonic medium range aircraft.
The family offers a choice of engines
Vaccine management system project report documentation..pdfKamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring vaccines and other commodities distribution once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated with this additions posing serious threat to the already over strained vaccine supply chain system in Kenya.
Final project report on grocery store management system..pdfKamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website, which retails various grocery products. This project allows viewing various products available enables registered users to purchase desired products instantly using Paytm, UPI payment processor (Instant Pay) and also can place order by using Cash on Delivery (Pay Later) option. This project provides an easy access to Administrators and Managers to view orders placed using Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Technical Specifications
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
Key Features
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface
• Compatible with MAFI CCR system
• Copatiable with IDM8000 CCR
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
Application
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
2. 858 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
Fig. 2. Example interfirewall redundant rules.
firewall policy may have security holes that can be exploited by
attackers. Quantitative studies have shown that most firewalls
are misconfigured and have security holes [25]. Second, a
firewall policy often contains private information, e.g., the IP
addresses of servers, which can be used by attackers to launch
more precise and targeted attacks.
C. Cross-Domain Interfirewall Optimization
To our best knowledge, no prior work focuses on cross-do-
main privacy-preserving interfirewall optimization. This paper
represents the first step in exploring this unknown space.
Specifically, we focus on removing interfirewall policy redun-
dancies in a privacy-preserving manner. Consider two adjacent
firewalls 1 and 2 belonging to different administrative domains
and . Let denote the policy on firewall 1’s
outgoing interface to firewall 2 and denote the policy on
firewall 2’s incoming interface from firewall 1. For a rule in
, if all the packets that match but do not match any rule
above in are discarded by , rule can be removed
because such packets never come to . We call rule an
interfirewall redundant rule with respect to . Note that
and only filter the traffic from to ;
the traffic from firewall 2’s outgoing interface to firewall 1’s
incoming interface is guarded by other two separate policies.
For simplicity, we assume that and have no in-
trafirewall redundancy as such redundancy can be removed
using the proposed solutions [15], [17].
Fig. 2 illustrates interfirewall redundancy, where two adjacent
routers belong to different administrative domains CSE and EE.
The physical interfaces connecting two routers are denoted as
and , respectively. The rules of the two firewall policies
and , that are used to filter the traffic flowing from CSE to
EE, are listed in two tables following the format used in Cisco
Access Control Lists. Note that SIP, DIP, SP, DP, PR, and Dec
denote source IP, destination IP, source port, destination port,
protocol type, and decision, respectively. Clearly, all the packets
that match and in are discarded by in . Thus,
and of are interfirewall redundant with respect to
in .
D. Technical Challenges and Our Approach
The key challenge is to design a protocol that allows two
adjacent firewalls to identify the interfirewall redundancy
with respect to each other without knowing the policy of
the other firewall. While intrafirewall redundancy removal is
complex [15], [17], interfirewall redundancy removal with the
privacy-preserving requirement is even harder. To determine
whether a rule in is interfirewall redundant with respect
to , certainly needs some information about ;
yet, cannot reveal from such information.
A straightforward solution is to perform a privacy preserving
comparison between two rules from two adjacent firewalls. Par-
ticularly, for each rule in , this solution checks whether
all possible packets that match rule in match a rule
with the discard decision in . If rule exists, is interfire-
wall redundant with respect to in . However, because
firewalls follow the first-match semantics and the rules in a fire-
wall typically overlap, this solution is not only incorrect but also
incomplete. Incorrect means that wrong redundant rules could
be identified in . Suppose this solution identifies as a re-
dundant rule in with respect to in . However, if
some packets that match rule also match rule ( is above
) with the accept decision in , these packets will pass
through , and then needs to filter them with . In
this case, is actually not redundant. Incomplete means that a
portion of redundant rules could be identified in . If all
possible packets that match rule in are discarded by not
only one rule but multiple rules in , is also redundant.
However, the direct comparison solution cannot identify such
redundancies.
Our basic idea is as follows. For each rule in , we
first compute a set of compact predicates representing the set of
packets that match but do not match the rules above in .
Then, for each predicate, we check whether all the packets that
match the predicate are discarded by . If this condition
holds for all the predicates computed from rule , then rule is
redundant. To efficiently compute these predicates, we convert
firewalls to firewall decision diagrams [17]. To allow the two
firewalls to detect the redundant rules in in a privacy-
preserving manner, we develop a protocol so that two firewalls
can detect such redundant rules without disclosing their policies
to each other.
Our protocol applies to both stateful and stateless firewalls.
The main difference between stateful and stateless firewalls
is that stateful firewalls maintain a connection table. Upon
receiving a packet, if it belongs to an established connection,
it is automatically accepted without checking against the rules.
Having the connection table or not does not affect our protocol.
E. Key Contributions
We make two key contributions. First, we propose a novel
privacy-preserving protocol for detecting interfirewall redun-
dant rules in one firewall with respect to another firewall. This
paper represents the first effort along this unexplored direction.
Second, we implemented our protocol and conducted extensive
experiments on both real and synthetic firewall policies. The re-
sults on real firewall policies show that our protocol can remove
as many as 49% of the rules in a firewall whereas the average
is 19.4%. The communication cost is less than a few hundred
kilobytes. Our protocol incurs no extra online packet processing
overhead, and the offline processing time is less than a few hun-
dred seconds.
We organize the paper as follows. We first review related
work in Section II. Then, we introduce our system model and
threat model in Section III. In Section IV, we present our pri-
vacy-preserving protocol for detecting interfirewall redundant
rules. In Section V, we discuss remaining issues. In Section VI,
we give security analysis results of our protocol. In Section VII,
3. CHEN et al.: CROSS-DOMAIN PRIVACY-PRESERVING COOPERATIVE FIREWALL OPTIMIZATION 859
we present our experimental results. Finally, we conclude in
Section VIII.
II. RELATED WORK
A. Firewall Redundancy Removal
Prior work on intrafirewall redundancy removal aims to de-
tect redundant rules within a single firewall [12], [15], [17].
Gupta identified backward and forward redundant rules in a fire-
wall [12]. Later, Liu et al. pointed out that the redundant rules
identified by Gupta are incomplete and proposed two methods
for detecting all redundant rules [15], [17]. Prior work on in-
terfirewall redundancy removal requires the knowledge of two
firewall policies and therefore is only applicable within one ad-
ministrative domain [3], [30].
B. Collaborative Firewall Enforcement in Virtual Private
Networks (VPNs)
Prior work on collaborative firewall enforcement in VPNs
enforces firewall policies over encrypted VPN tunnels without
leaking the privacy of the remote network’s policy [6], [13]. The
problems of collaborative firewall enforcement in VPNs and
privacy-preserving interfirewall optimization are fundamentally
different. First, their purposes are different. The former focuses
on enforcing a firewall policy over VPN tunnels in a privacy-
preserving manner, whereas the latter focuses on removing in-
terfirewall redundant rules without disclosing their policies to
each other. Second, their requirements are different. The former
preserves the privacy of the remote network’s policy, whereas
the latter preserves the privacy of both policies.
III. SYSTEM AND THREAT MODELS
A. System Model
A firewall is an ordered list of rules. Each rule has a
predicate over fields and a decision for the packets
that match the predicate. Firewalls usually check five fields:
source IP, destination IP, source port, destination port, and pro-
tocol type. The length of these fields are 32, 32, 16, 16, and
8 bits, respectively. A predicate defines a set of packets over
the fields and is specified as ,
where each is a subset of ’s domain . A packet over
the fields is a -tuple where each
is an element of . A packet
matches a rule if and
only if the condition holds. Typical
firewall decisions include accept, discard, accept with logging,
and discard with logging. Without loss of generality, we only
consider accept and discard in this paper. We call a rule with
the accept decision an accepting rule and a rule with the dis-
card decision a discarding rule. In a firewall policy, a packet
may match multiple rules whose decisions are different. To re-
solve these conflicts, firewalls typically employ a first-match
semantics where the decision for a packet is the decision of
the first rule that matches. A matching set of , , is
the set of all possible packets that match the rule [15]. A re-
solving set of , , is the set of packets that match but
do not match any rule above , and is equal
to [15].
Based on the above concepts, we define interfirewall redun-
dant rules. Given two adjacent firewalls and , where
the traffic flow is from to , a rule in is in-
terfirewall redundant with respect to if and only if all the
packets in ’s resolving set are discarded by .
B. Threat Model
We adopt the semi-honest model in [9]. For two adjacent fire-
walls, we assume that they are semi-honest, i.e., each firewall
follows our protocol correctly, but each firewall may try to re-
veal the policy of the other firewall. The semi-honest model is
realistic and well adopted [4], [26]. For example, this model is
appropriate for large organizations that have many independent
branches as well as for loosely connected alliances composed
by multiple parties. While we are confident that all administra-
tive domains follow mandate protocols, we may not guarantee
that no corrupted employees are trying to reveal the private fire-
wall policies of other parties. Also, it may be possible for one
party to issue a sequence of inputs to try and reveal the other
party’s policy. For this attack to be successful, several assump-
tions have to be satisfied, one of them being that one firewall’s
policy remain constant. Another requirement is that the number
of times the protocol needs to be executed to reveal a significant
amount of rules is computationally expensive.1 Such malicious
activitiy may be identified by the other party using anomaly de-
tection approaches [27]–[29]. However, in our threat model, the
inputs to the protocol are honest, and crafting inputs to reveal the
firewall policies is beyond our threat model. We leave investi-
gation of privacy-preserving firewall optimization in the model
with malicious participants to future work.
IV. PRIVACY-PRESERVING INTERFIREWALL REDUNDANCY
REMOVAL
In this section, we present our privacy-preserving protocol for
detecting interfirewall redundant rules in with respect to
. To do this, we first convert each firewall to an equivalent
sequence of nonoverlapping rules. Because for any nonoverlap-
ping rule , the matching set of is equal to the resolving set
of , i.e., , we only need to compare nonover-
lapping rules generated from the two firewalls for detecting
interfirewall redundancy. Second, we divide this problem into
two subproblems, single-rule coverage redundancy detection
and multirule coverage redundancy detection, and then propose
our privacy-preserving protocol for solving each subproblem. A
rule is covered by one or multiple rules
if and only if . The first
subproblem checks whether a nonoverlapping rule in
is covered by a nonoverlapping discarding rule in , i.e.,
. The second subproblem checks whether a
nonoverlapping rule in is covered by multiple nonover-
lapping discarding rules in , i.e.,
. Finally, after redundant
nonoverlapping rules generated from are identified, we
map them back to original rules in and then identify the
redundant ones.
The problem of checking whether boils
down to the problem of checking whether one range in
is contained by another range in , which further
boils down to the problem of checking whether
1It requires log updates to reveal -bit field. Given that rule has fields, the
complexity is updates for a single rule whereby such high communication
activity can be detected by anomaly detection approaches.
4. 860 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
and . Thus, we first describe the privacy-preserving
protocol for comparing a number and a range.
A. Privacy-Preserving Range Comparison
To check whether a number from is in a range
from , we use a method similar to the prefix membership
verification scheme in [13]. The basic idea is to convert the
problem of checking whether to the problem of
checking whether two sets converted from and have
a common element. Our method consists of four steps.
1) Prefix Conversion: It converts to a minimum
number of prefixes, denoted as , whose union is
. For example, .
2) Prefix Family Construction: It generates all the prefixes
that contain including itself. This set of prefixes is called
the prefix family of , denoted as . Let be the bit length
of . The prefix family consists of prefixes where
the th prefix is obtained by replacing the last bits of by
. For example, as the binary representation of 12 is 1100, we
have . It is not difficult
to prove that if and only if .
3) Prefix Numericalization: It converts the prefixes gener-
ated in the previous steps to concrete numbers such that we can
encrypt them in the next step. We use the prefix numericaliza-
tion scheme in [5]. Given a prefix of bits, we
first insert 1 after . The bit 1 represents a separator between
and . Then, we replace every by 0. For ex-
ample, 11 is converted to 11100. If the prefix does not contain
’s, we place 1 at the end. For example, 1100 is converted to
11001.
4) Comparison: It checks whether by checking
whether , which boils down to checking
whether two numbers are equal. We use commutative en-
cryption to do this checking in a privacy-preserving manner.
Given a number and two encryption keys and , a
commutative encryption is a function that satisfies the property
, i.e., encryption with key first
and then is equivalent to encryption with key first and
then . Example commutative encryption algorithms are
the Pohlig–Hellman Exponentiation Cipher [22] and Secure
RPC Authentication (SRA) [23]. In our scheme, each domain
chooses a private key. Let be the private keys chosen
by and , respectively. To check whether number
from is equal to number from without dis-
closing the value of each number to the other party,
can first encrypt using key and sends to ;
similarly, can first encrypt using key and sends
to . Then, each party checks whether
by checking whether . Note that
if and only if . If ,
neither party can learn anything about the numbers being
compared. Fig. 3 illustrates the process of checking whether 12
from is in the range [11, 15] from .
B. Processing Firewall
To detect the redundant rules in , converts its fire-
wall to a set of nonoverlapping rules. To preserve the pri-
vacy of , first converts each range of a nonoverlap-
ping discarding rules from to a set of prefixes. Second,
Fig. 3. Prefix membership verification.
and encrypt these prefixes using commutative en-
cryption. The conversion of includes nine steps.
1) first converts to an equivalent firewall decision
diagram (FDD) [10], [11]. An FDD for a firewall of a se-
quence of rules over fields is an acyclic
and directed graph that has five properties.
a) There is exactly one node that has no incoming edges.
This node is called the root. The nodes that have no out-
going edge are called terminal nodes.
b) Each node has a label, denoted . If is a nonter-
minal node, then . If is a terminal
node, then is a decision.
c) Each edge , , is labeled with a nonempty set of in-
tegers, denoted , where is a subset of the domain
of ’s label (i.e., ).
d) The set of all outgoing edges of a node , denoted ,
satisfies two conditions.
i) Consistency: for any two distinct
edges and in .
ii) Completeness: .
e) A directed path from the root to a terminal node is called
a decision path. No two nodes on a decision path have
the same label. Each path in the FDD corresponds to a
nonoverlapping rule. A full-length ordered FDD is an
FDD where in each decision path all fields appear exactly
once and in the same order. For ease of presentation, we
use the term “FDD” to denote “full-length ordered FDD.”
An FDD construction algorithm, which converts a fire-
wall policy to an equivalent FDD, is presented in [14].
Fig. 4(b) shows the FDD constructed from Fig. 4(a).
2) reduces the FDD’s size by merging isomorphic sub-
graphs. An FDD is reduced if and only if it satisfies two con-
ditions: a) no two nodes in are isomorphic; b) no two nodes
have more than one edge between them. Two nodes and in
an FDD are isomorphic if and only if and satisfy one of the
following two conditions: a) both and are terminal nodes
with identical labels; b) both and are nonterminal nodes
and there is a one-to-one correspondence between the outgoing
edges of and the outgoing edges of such that every two cor-
responding edges have identical labels and they both point to
5. CHEN et al.: CROSS-DOMAIN PRIVACY-PRESERVING COOPERATIVE FIREWALL OPTIMIZATION 861
Fig. 4. Conversion of .
the same node. Fig. 4(c) shows the FDD reduced from the FDD
in Fig. 4(b).
3) extracts nonoverlapping discarding rules.
does not extract nonoverlapping accepting rules because the
packets accepted by are passed to . Note that a
nonoverlapping rule from that is covered by these dis-
carding rules from is redundant. Fig. 4(d) shows the
discarding nonoverlapping rules extracted from the reduced
FDD in Fig. 4(c).
4) converts each range to a set of prefixes. Fig. 4(e)
shows the prefixes generated from Fig. 4(d).
5) unions all these prefix sets and then permutes the
prefixes. Fig. 4(f) shows the resulting prefix list. Note that the
resulting list does not include duplicate prefixes. The benefits
are twofold. In terms of efficiency, it avoids encrypting and
sending duplicate prefixes for both parties and, hence, signifi-
cantly reduces computation and communication costs. In terms
of security, cannot reconstruct the nonoverlapping rules
from because does not know which prefix belongs
to which field of which rule. However, knows such infor-
mation, and it can reconstruct these nonoverlapping rules.
6) numericalizes and encrypts each prefix using ,
and then sends to . Fig. 4(g) and (h) shows the numerical-
ized and encrypted prefixes, respectively.
7) further encrypts these prefixes with and sends
them back to as shown in Fig. 4(i).
8) reconstructs its nonoverlapping discarding rules
from the double encrypted prefixes because knows which
prefix belongs to which field of which rule.
9) For each reconstructed nonoverlapping rule, assigns
a distinct random index to it. These indices are used for
to identify the redundant nonoverlapping rules from . For
example, in Fig. 4(j), assigns its three rules with three
random indices: 27, 13, and 45. The detailed discussion is in
Section IV-D.
C. Processing Firewall
In order to compare two firewalls in a privacy-preserving
manner, and convert firewall to sets of
double encrypted numbers, where is the number of fields. The
conversion of includes five steps.
1) converts to an equivalent all-match FDD. All-
match FDDs differ from FDDs on terminal nodes. In an all-
match FDD, each terminal node is labeled with a nonempty set
of rule sequence numbers, whereas in an FDD, each terminal
node is labeled with a decision. For rule , we call
the sequence number of . The set of rule sequence numbers
labeled on a terminal node consists of the sequence numbers of
all the rules that overlaps with the decision path ending with this
terminal node. Given a decision path , ,
the matching set of is defined as the set of all packets that
satisfy . We use
to denote the matching set of . More formally, in an all-match
FDD, for any decision path : , if
, then and . Fig. 4(b)
shows the all-match FDD generated from Fig. 4(a). Consid-
ering the terminal node of the fourth path in Fig. 4(b), its label
{2, 4} means that , ,
, and . An all-match FDD not
only represents a firewall in a nonoverlapping fashion, but also
represents the overlapping relationship among rules. The reason
of converting to an all-match FDD is that later needs
the rule sequence numbers to identify interfirewall redundant
rules in .
2) extracts all nonoverlapping rules from the all-match
FDD. Fig. 5(c) shows the nonoverlapping rules extracted from
Fig. 5(b). For each range of a nonoverlapping rule,
6. 862 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
Fig. 5. Conversion of .
generates two prefix families and . Fig. 5(d) shows
the result from Fig. 5(c).
3) For every field , unions all prefix families of all
the nonoverlapping rules into one prefix set and permutes the
prefixes. Considering the first field in Fig. 5(d), unions
, , , , , and to obtain the first
prefix set in Fig. 5(e). The benefits of this step are similar to
those of Step (5) in ’s conversion. In terms of efficiency,
it avoids encrypting and sending the duplicate prefixes for each
field and, hence, significantly reduces the computation and com-
munication costs. In terms of security, cannot reconstruct
the nonoverlapping rules of because does not know
which prefix belongs to which rule in . However,
knows such information, which will be used to identify redun-
dant nonoverlapping rules later. Note that the ordering of the
fields cannot be permuted because needs to perform com-
parison of the prefixes with only those prefixes from the corre-
sponding fields.
4) numericalizes and encrypts the prefixes using its pri-
vate and sends them to . Fig. 5(f) shows the prefixes.
5) further encrypts these prefixes using key .
D. Single-Rule Coverage Redundancy Detection
After processing the two firewalls, has a sequence of
double encrypted nonoverlapping rules obtained from and
sets of double encrypted numbers obtained from . Let
denote a double
encrypted rule, where is a set of double encrypted numbers.
Let denote the sets of double encrypted numbers
from . Fig. 6(a) shows the double encrypted nonoverlap-
ping rules generated from Fig. 4, and Fig. 6(b) shows the double
encrypted numbers generated from Fig. 5. For each field
and for each number in , checks whether
there exists a double encrypted rule
such that . If rule satisfies this condi-
tion, then associates the rule index with . As there may
be multiple rules that satisfy this condition, eventually as-
sociates a set of rule indices with . If no rule satisfies this con-
dition, associates an empty set with . Considering the
number , only the rule with index 13 contains it
because ; thus, asso-
ciates with {13}. Finally, replaces each
number in with its corresponding set of rule indices
and sends them to .
Upon receiving the sets from , for each prefix family,
finds the index of the rule that overlaps with the prefix
family. For a nonoverlapping rule from , if all its prefix
families overlap with the same discarding rule from ,
is covered by and, hence, is redundant. For example,
in Fig. 6(d), is redundant because , , , and
overlap with rule 27 from . Similarly, is redun-
dant. Note that denotes that overlaps
with nonoverlapping rules from .
E. Multirule Coverage Redundancy Detection
To detect multirule coverage redundancy, our basic idea
is to combine all the nonoverlapping discarding rules from
to a set of new rules so that for any arbitrary rule from
, if it is covered by multiple nonoverlapping discarding
rules from , it is covered by a rule from these new rules.
More formally, let denote the nonoverlapping
discarding rules from and denote the set
of new rules generated from . For any rule
from , if a nonoverlapping rule from is multirule
coverage redundant, i.e.,
where from , there is a rule
that covers , i.e., . Thus, after
computes the set of new rules from , we reduce
7. CHEN et al.: CROSS-DOMAIN PRIVACY-PRESERVING COOPERATIVE FIREWALL OPTIMIZATION 863
Fig. 6. Comparison of two firewalls.
the problem of multirule coverage redundancy detection to
single-rule coverage redundancy detection. Then, two parties
and can cooperatively run our protocol proposed
in this section to identify the nonoverlapping single-rule and
multirule coverage redundant rules from at the same
time. However, the key question is how to compute the set of
new rules .
A straightforward method is to compute all possible rules that
are covered by a single or multiple nonoverlapping discarding
rules among . All these rules form the set of new
rules . However, this method incurs two major draw-
backs. First, the time and space complexities of this method can
be significant because the number of all these rules could be
huge. Second, due to the huge number of these rules, the com-
munication and computation costs increase significantly. The
relationship between these costs and the number of rules is dis-
cussed in Section IV-B.
Our solution is to compute only the largest rules that are
covered by a single or multiple nonoverlapping discarding
rules among . The term largest can be explained
as follows. Without considering the decision, a firewall rule
with fields can be denoted as a hyperrectangle over a
-dimensional space. Then, nonoverlapping discarding rules
are hyperrectangles over a -dimensional space.
The new rules are also the hyperrectangles. The
term largest means that if a hyperrectangle contains the
hyperrectangle but is larger than , has some parts that
are not covered by all the hyperrectangles . For
example, the nonoverlapping discarding rules in
Fig. 4(d) can be illustrated as three filled rectangles in Fig. 7.
Fig. 7 also shows three new rules generated from
, where , , and are illustrated as different
dashed rectangles. Note that is the same as , and is
the same as . Note that the values of two fields and
Fig. 7. Three largest rules generated from Fig. 4(d).
are integers. Thus, we can combine three ranges [0, 4], [5, 7],
[8, 15] to a range [0, 15] for the field of .
More formally, we can define a largest rule
as follows.
1) .
2) For any rule that ,
.
Given the set of all largest rules generated from
, for any rule , if is covered by one or
multiple rules in , there exists a largest rule
that covers . We have the following theorem.
Theorem 4.1: Given the set of all largest rules
generated from , for any rule , if
, there exists a largest rule
that satisfies the condition .
Proof: If is a largest rule, it is included in .
If is not a largest rule, we prove it by contradiction. If
there exists no largest rule among that covers , we
can generate all possible rules that satisfy two conditions: 1) the
8. 864 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
matching set of each of these rules is the superset of ; 2)
each of these rules is covered by . Among all these
generated rules, there exists at least a largest rule, otherwise
the number of these rules is infinite. However,
is a finite domain.
Next, we discuss how to compute the set of all the largest
rules from the nonoverlapping discarding
rules . Our idea is to first compute the largest rules
for every two rules among . Repeat computing the
largest rules for every two rules in the previous step until the
resulting rules do not change. Finally, the resulting rules are
the set of all the largest rules . Note that it is trivial
to compute the largest rules from two rules. This algorithm is
shown in Algorithm 1.
Algorithm 1: Computation of the set of largest rules
Input: nonoverlapping rules .
Output: The set of all the largest rules
1 Initialize , ;
2 while has been changed do
3 for every two rules , in do
4 compute the largest rules from and ;
5 add the largest rules to ;
6 for each rule in do
7 if there is a rule in such that
then
8 remove from ;
9 ;
10 ;
11 return ;
For example, to identify the single-rule and multiple-rule cov-
erage redundancy simultaneously, only needs to perform
one more step between Fig. 4(d) and (e). computes all
the largest rules from the nonoverlapping discarding rules in
Fig. 4(d), which are
Finally, can identify that
is redundant because is covered the by the
rule .
F. Identification and Removal of Redundant Rulesw
After single-rule and multirule coverage redundancy detec-
tion, identifies the redundant nonoverlapping rules in
. Next, needs to identify which original rules are
interfirewall redundant. As each path in the all-match FDD
of corresponds to a nonoverlapping rule, we call the
paths that correspond to the redundant nonoverlapping rules
redundant paths and the remaining paths effective paths. For
example, in Fig. 8, the dashed paths are the redundant paths
that correspond to , , and in Fig. 5(c), respectively.
Finally, identifies redundant rules based on Theorem 4.2.
Theorem 4.2: Given firewall with no
intrafirewall redundancy and its all-match FDD, rule is
Fig. 8. Identification of redundant rules in .
interfirewall redundant with respect to if and only if two
conditions hold: 1) there is a redundant path whose terminal
node contains sequence number ; 2) there is no effective path
whose terminal node contains as the smallest element.
Proof: Let denote all paths in ’s all-
match FDD. According to the theorems in [15] and [17], the
resolving set of each rule in firewall satis-
fies the condition , where
are all the paths whose terminal nodes contain as
the smallest element. Based on the definition of interfirewall re-
dundant rules in Section III-A, rule is interfirewall redundant
if and only if all the packets in are discarded by
. Thus, each path is a redundant path.
In other words, all the paths whose terminal nodes
contain as the smallest element are redundant paths.
Considering redundant paths in Fig. 8, identifies that
and are interfirewall redundant with respect to .
Theorem 4.3: The privacy-preserving interfirewall redun-
dancy removal protocol is a complete interfirewall redundancy
removal scheme.
Proof: Suppose that our proposed protocol is not a com-
plete scheme, and hence it cannot detect all interfirewall re-
dundant rules in . Assume that rule is interfirewall re-
dundant in , but it is not detected by our protocol. Ac-
cording to Theorem 4.2,
and are redundant paths in ’s all-match FDD.
Thus, some paths in cannot be identified as re-
dundant paths by our protocol. This conclusion violates the fact
that our protocol can identify all the redundant paths in ’s
all-match FDD.
V. FIREWALL UPDATE AFTER OPTIMIZATION
If or changes after interfirewall optimization, the
interfirewall redundant rules identified by the optimization may
not be interfirewall redundant anymore. In this section, we dis-
cuss our solution to address firewall update. There are five pos-
sible cases under this scenario.
1) changes the decisions of some rules in . In this
case, neither party needs to take actions because the inter-
firewall redundancy detection does not consider the deci-
sions of the rules in .
2) changes the decisions of some rules from discard to
accept in . In this case, needs to notify
which nonoverlapping rules (indices of these rules) from
are changed. Using this information, checks
if there were any rules in that were removed due to
these rules, and then adds the affected rules back into .
3) changes the decisions of some rules from accept to
discard in . In this case, can run our cooperative
9. CHEN et al.: CROSS-DOMAIN PRIVACY-PRESERVING COOPERATIVE FIREWALL OPTIMIZATION 865
optimization protocol again to possibly identify more inter-
firewall redundant rules in .
4) adds or removes some rules in . In this case,
since the resolving sets of some rules in may
change, a rule in that used to be interfirewall redun-
dant maybe not redundant anymore. It is important for
to run our optimization protocol again.
5) adds or removes some rules in . Similar to the
fourth case, since the resolving sets of some rules in
may change, it is important for to run our protocol
again.
VI. SECURITY AND COMPLEXITY ANALYSIS
A. Security Analysis
To analyze the security of our protocol, we first describe the
commutative encryption and its properties. Let denote a set
of private keys and denote a finite domain. A commutative
encryption is a computable function
that satisfies the following four properties.
1) Secrecy: For any and key , given , it is computa-
tionally infeasible to compute .
2) Commutativity: For any , , and , we have
.
3) For any , , and , if , we have .
4) The distribution of is indistinguishable from the dis-
tribution of .
Note that, for ease of presentation, in the rest of this section, any
, , or is an element of ; any , , or is an element
of ; and denotes .
In the conversion of , for each nonoverlapping rule
from , let denote the prefix set for the field ,
e.g. in Fig. 4(e), denotes {00 , 0100}. In the con-
version of , let denote the prefix set for the field
after removing duplicate prefixes, e.g. in Fig. 5(e), denotes
the first prefix set. Our cooperative optimization protocol es-
sentially compares and in a privacy-preserving
manner. We have the following theorem.
Theorem 6.1: If both parties and are semi-honest,
after comparing two sets and using our protocol,
learns only the size and the intersection
, and learns only the size and the intersec-
tion .
Proof: According to the theorems in multiparty secure
computation [2], [8], if we can prove that the distribution of
the ’s view of our protocol cannot be distinguished from a
simulation that uses only , , and ,
then cannot learn anything else except
and . Note that ’s view of our protocol is the infor-
mation that gains from .
Without loss of generality, we only prove that learns
only the size and the intersection . The
simulator for uses key to create a set from
and as follows:
where are random values generated by the sim-
ulator and they are uniformly distributed in the finite domain
. According to the theorems in [2], cannot distin-
guish the distribution of ’s elements from that in
The ’s view of our protocol corresponds to . Therefore,
the distribution of the ’s view of our protocol cannot be
distinguished from this simulation.
Next, we analyze the information learned by and .
After implementing our protocol, knows the converted
firewalls of and , e.g. Figs. 4(j) and 5(g), and
knows the comparison result, e.g. Fig. 6(d). On side, for
each field , it knows only and
, and it cannot reveal the rules of for two reasons. First,
in , a numericalized prefix can be generated from
many different numbers. For example, a prefix of IP addresses
(32 bits) can be generated from dif-
ferent IP addresses. Second, even if finds the number for
a prefix in , does not know which rule in
contains that number. On side, it only knows that
the prefix in belongs to which nonoverlapping rules in
. However, such information is not enough to reveal the
rules in .
B. Complexity Analysis
Let and be the number of rules in two adjacent firewalls
and , respectively, and be the number of fields
in both firewalls. For simplicity, we assume that the numbers
in different fields have the same length, say bits. We first
analyze the computation, space, and communication costs for
the conversion of . Based on the theorem in [14], the max-
imum number of nonoverlapping rules generated from the FDD
is . Each nonoverlapping rule consists of -bit
intervals, and each interval can be converted to at most
prefixes. Thus, the maximum number of prefixes generated
from these nonoverlapping rules is . Note
that the total number of prefixes cannot exceed because
puts all prefixes into one set. Thus, the computation cost
of encryption by is .
Therefore, for the conversion of , the computation cost of
is , the space cost of is
, the communication cost is ,
and the computation cost of is .
Similarly, for the conversion of , the computation
cost of is , the space
cost of is , the communication cost is
, and the computation cost of is
.
The computation and communication costs of firewall update
depend on the different cases in Section V. There is no cost for
Case 1 in Section V. Case 2 only incurs the computation and
communication costs of firewall comparison. For Cases 3–5, the
computation and communication costs of firewall update are the
overall costs of our protocol because we need to rerun our pro-
tocol for these three cases. Note that if a firewall is updated fre-
quently, our protocol may not be applicable for this scenario due
10. 866 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
to significant computation and communication costs of running
our protocol many times.
VII. EXPERIMENTAL RESULTS
We evaluate the effectiveness of our protocol on real firewalls
and evaluate the efficiency of our protocol on both real and syn-
thetic firewalls. We implemented our protocol using Java 1.6.0.
Our experiments were carried out on a PC running Linux with
two Intel Xeon cores and 16 GB of memory.
A. Evaluation Setup
We conducted experiments over five groups of two real
adjacent firewalls. Each firewall examines five fields, source
IP, destination IP, source port, destination port, and pro-
tocol. The number of rules ranges from dozens to thousands.
In implementing the commutative encryption, we used the
Pohlig–Hellman algorithm [22] with a 1024-bit prime modulus
and 160-bit encryption keys. To evaluate the effectiveness, we
conducted our experiments over these five groups of adjacent
firewalls. To evaluate the efficiency, for two firewalls in each
group, we measured the processing time, the comparison time,
and the communication cost of both parties.
Due to security concerns, it is difficult to obtain a large
number of real adjacent firewalls. To further evaluate the
efficiency, we generated a large number of synthetic firewalls
based on Singh et al.’s method [24]. The synthetic firewalls
also examine the same five fields as real firewalls. The number
of rules in the synthetic firewalls ranges from 200 to 2000,
and for each number, we generated 10 synthetic firewalls.
To measure the efficiency, we first processed each synthetic
firewall as and then measured the processing time and
communication cost of two parties. Second, we processed each
synthetic firewall as and measured the processing time
and communication cost. Third, we measured the comparison
time for every two synthetic firewalls. We did not evaluate the
effectiveness of our protocol on synthetic firewalls because they
are generated randomly and independently without considering
whether two firewalls are adjacent or not.
B. Methodology
In this section, we define the metrics to measure the ef-
fectiveness of our protocol. Given our firewall optimization
algorithm , and two adjacent firewalls and , we
use to denote a set of interfirewall redundant
rules in . Let denote the number of rules in and
denote the number of interfirewall redundant
rules in . To evaluate the effectiveness, we define a redun-
dancy ratio .
This ratio measures what percentage of
rules are interfirewall redundant in .
C. Effectiveness and Efficiency on Real Policies
Table I shows the redundancy ratios for five real firewall
groups. Column 1 shows the names of five real firewall groups.
Columns 2 and 3 show the names of firewalls and
, respectively. Column 4 shows the number of rules in
firewall . Fig. 9 shows the processing time and commu-
nication cost of two parties and when processing
; Fig. 10 shows the processing time and communication
cost of the two parties when processing . Fig. 11 shows
Fig. 9. Processing on real firewalls. (a) Processing time. (b) Communi-
cation cost.
Fig. 10. Processing on real firewalls. (a) Processing time. (b) Commu-
nication cost.
Fig. 11. Comparing two real firewalls.
TABLE I
REDUNDANCY RATIOS FOR FIVE REAL FIREWALL GROUPS
the comparison time of each group. Fig. 12 shows the overall
processing time and communication cost of implementing our
protocol on real firewalls. Note that the processing time in
Fig. 12 does not include the communication time between two
parties.
Our protocol achieves significant redundancy ratio on four
real firewall groups. For five real firewall groups, our protocol
achieves an average redundancy ratio of 19.4%. Particularly,
for the firewall group Host, our protocol achieves 49.6% redun-
dancy ratio, which implies that almost half of rules in Host2 are
interfirewall redundant rules. For firewall groups Econ, Ath, and
Comp, our protocol achieves 14.4%–17.1% redundancy ratios,
which implies that about 15% of rules in are redundant
in these three groups. Only for one firewall group, Wan, our
11. CHEN et al.: CROSS-DOMAIN PRIVACY-PRESERVING COOPERATIVE FIREWALL OPTIMIZATION 867
Fig. 12. Total processing time and communication cost on real firewalls.
(a) Processing time. (b) Communication cost.
Fig. 13. Processing on synthetic firewalls. (a) Average processing time.
(b) Average communication cost.
protocol achieves 1.0% redundancy ratio. From these results,
we observed that most adjacent real firewalls have many inter-
firewall redundant rules. Thus, our protocol could effectively
remove interfirewall redundant rules and significantly improve
the network performance.
Our protocol is efficient for processing and comparing two
real firewalls. When processing in the five real firewall
groups, the processing time of is less than 2 s and the pro-
cessing time of is less than 1 s. When processing in
those real firewall groups, the processing time of is less
than 4 s and the processing time of is less than 10 s. The
comparison time of two firewalls is less than 0.07 s. The total
processing time of two parties is less than 14 s, which demon-
strates the efficiency of our protocol.
Our protocol is efficient for the communication cost between
two parties. When processing firewall in the five real fire-
wall groups, the communication cost from to and
that from to are less than 60 kB. Note that the com-
munication cost from to and that from to
are the same because and encrypt the same number
of values and the encrypted values have the same length, i.e.
1024 bits in our experiments. When processing in those
real firewall groups, the communication cost from to
is less than 300 kB. The total communication cost between two
parties is less than 350 kB, which can be sent through the cur-
rent network (e.g. DSL network) around 10 s.
D. Efficiency on Synthetic Policies
For the synthetic firewalls, Figs. 13 and 14 show the av-
erage processing time and communication cost of two parties
and for processing and , respectively.
Fig. 15 shows the average comparison time for every two syn-
thetic firewalls. Fig. 16 shows the overall processing time and
communication cost of implementing our protocol on synthetic
firewalls. The processing time in Fig. 16 does not include the
Fig. 14. Processing on synthetic firewalls. (a) Average processing time.
(b) Average communication cost.
Fig. 15. Comparing two synthetic firewalls.
Fig. 16. Total processing time and communication cost on Synthetic firewalls.
(a) Processing time. (b) Communication cost.
communication time between two parties. Note that the vertical
axes of Figs. 13(a), 14(a), and 16(a) are in a logarithmic scale.
Our protocol is efficient for processing and comparing two
synthetic firewalls. When processing the synthetic firewalls as
, the processing time of is less than 300 s and the
processing time of is less than 5 s. When processing the
synthetic firewalls as , the processing time of is less
than 400 s and the processing time of is less than 20 s. The
comparison time of two synthetic firewalls is less than 4 s.
Our protocol is efficient for the communication cost between
two synthetic firewalls. When processing the synthetic firewalls
as , the communication cost from to and that
from to grow linearly with the number of rules in
, and both costs are less than 420 kB. Similarly, when
processing synthetic firewalls as , the communication cost
from to grows linearly with the number of rules in
, and the communication cost from to is less
than 1600 kB.
VIII. CONCLUSION AND FUTURE WORK
In this paper, we identified an important problem, cross-do-
main privacy-preserving interfirewall redundancy detection. We
12. 868 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
propose a novel privacy-preserving protocol for detecting such
redundancy. We implemented our protocol in Java and con-
ducted extensive evaluation. The results on real firewall policies
show that our protocol can remove as many as 49% of the rules
in a firewall whereas the average is 19.4%.
Our protocol is applicable for identifying the interfirewall
redundancy of firewalls with a few thousands of rules, e.g.
2000 rules. However, it is still expensive to compare two fire-
walls with many thousands of rules, e.g. 5000 rules. Reducing
the complexity of our protocol needs to be further studied.
In our work, we have demonstrated rule optimization, from
to , and we note that a similar rule optimization is
possible in the opposite direction, i.e., to . In the
first scenario, to , it is that is improving the
performance load of , and in return is improving the
performance of in a vice-versa manner. All this is being
achieved the without or revealing each other’s
policies thus allowing for a proper administrative separation.
Our protocol is most beneficial if both parties are willing to
benefit from it and can collaborate in a mutual manner. There
are many special cases that could be explored based on our
current protocol. For example, there may be hosts or Network
Address Translation (NAT) devices between two adjacent
firewalls. Our current protocol cannot be directly applied to
such cases. Extending our protocol to these cases could be an
interesting topic and requires further investigation.
REFERENCES
[1] nf-HiPAC, “Firewall throughput test,” 2012 [Online]. Available: http://
www.hipac.org/performance_tests/results.html
[2] R. Agrawal, A. Evfimievski, and R. Srikant, “Information sharing
across private databases,” in Proc. ACM SIGMOD, 2003, pp. 86–97.
[3] E. Al-Shaer and H. Hamed, “Discovery of policy anomalies in dis-
tributed firewalls,” in Proc. IEEE INFOCOM, 2004, pp. 2605–2616.
[4] J. Brickell and V. Shmatikov, “Privacy-preserving graph algorithms in
the semi-honest model,” in Proc. ASIACRYPT, 2010, pp. 236–252.
[5] Y.-K. Chang, “Fast binary and multiway prefix searches for packet for-
warding,” Comput. Netw., vol. 51, no. 3, pp. 588–605, 2007.
[6] J. Cheng, H. Yang, S. H. Wong, and S. Lu, “Design and implementation
of cross-domain cooperative firewall,” in Proc. IEEE ICNP, 2007, pp.
284–293.
[7] Q. Dong, S. Banerjee, J. Wang, D. Agrawal, and A. Shukla, “Packet
classifiers in ternary CAMs can be smaller,” in Proc. ACM SIGMET-
RICS, 2006, pp. 311–322.
[8] O. Goldreich, “Secure multi-party computations,” Working draft, Ver.
1.4, 2002.
[9] O. Goldreich, Foundations of Cryptography: Volume II (Basic Appli-
cations). Cambridge, U.K.: Cambridge Univ. Press, 2004.
[10] M. G. Gouda and A. X. Liu, “Firewall design: Consistency, complete-
ness and compactness,” in Proc. IEEE ICDCS, 2004, pp. 320–327.
[11] M. G. Gouda and A. X. Liu, “Structured firewall design,” Comput.
Netw., vol. 51, no. 4, pp. 1106–1120, 2007.
[12] P. Gupta, “Algorithms for routing lookups and packet classification,”
Ph.D. dissertation, Stanford Univ., Stanford, CA, 2000.
[13] A. X. Liu and F. Chen, “Collaborative enforcement of firewall policies
in virtual private networks,” in Proc. ACM PODC, 2008, pp. 95–104.
[14] A. X. Liu and M. G. Gouda, “Diverse firewall design,” IEEE Trans.
Parallel Distrib. Syst., vol. 19, no. 8, pp. 1237–1251, Sep. 2008.
[15] A. X. Liu and M. G. Gouda, “Complete redundancy removal for packet
classifiers in TCAMs,” IEEE Trans. Parallel Distrib. Syst., vol. 21, no.
4, pp. 424–437, Apr. 2010.
[16] A. X. Liu, C. R. Meiners, and E. Torng, “TCAM Razor: A system-
atic approach towards minimizing packet classifiers in TCAMs,”
IEEE/ACM Trans. Netw., vol. 18, no. 2, pp. 490–500, Apr. 2010.
[17] A. X. Liu, C. R. Meiners, and Y. Zhou, “All-match based complete
redundancy removal for packet classifiers in TCAMs,” in Proc. IEEE
INFOCOM, 2008, pp. 574–582.
[18] A. X. Liu, E. Torng, and C. Meiners, “Firewall compressor: An al-
gorithm for minimizing firewall policies,” in Proc. IEEE INFOCOM,
2008.
[19] C. R. Meiners, A. X. Liu, and E. Torng, “TCAM Razor: A systematic
approach towards minimizing packet classifiers in TCAMs,” in Proc.
IEEE ICNP, 2007, pp. 266–275.
[20] C. R. Meiners, A. X. Liu, and E. Torng, “Bit weaving: A non-prefix
approach to compressing packet classifiers in TCAMs,” in Proc. IEEE
ICNP, 2009, pp. 93–102.
[21] C. R. Meiners, A. X. Liu, and E. Torng, “Topological transformation
approaches to optimizing TCAM-based packet processing systems,” in
Proc. ACM SIGMETRICS, 2009, pp. 73–84.
[22] S. C. Pohlig and M. E. Hellman, “An improved algorithm for com-
puting logarithms over GF(p) and its cryptographic significance,” IEEE
Trans. Inf. Theory, vol. IT-24, no. 1, pp. 106–110, Jan. 1978.
[23] D. K. H. D. R. Safford and D. L. Schales, “Secure RPC authentication
(SRA) for TELNET and FTP,” Tech. Rep., 1993.
[24] S. Singh, F. Baboescu, G. Varghese, and J. Wang, “Packet classification
using multidimensional cutting,” in Proc. ACM SIGCOMM, 2003, pp.
213–224.
[25] A. Wool, “A quantitative study of firewall configuration errors,” Com-
puter, vol. 37, no. 6, pp. 62–67, Jun. 2004.
[26] Z. Yang, S. Zhong, and R. N. Wright, “Privacy-preserving classification
of customer data without loss of accuracy,” in Proc. SIAM SDM, 2005,
pp. 21–23.
[27] W. Lee and D. Xiang, “Information-theoretic measures for anomaly
detection,” in Proc. IEEE S&P, 2001, pp. 130–143.
[28] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and
S. Zhou, “Specification-based anomaly detection: A new approach for
detecting network intrusions,” in Proc. ACM CCS, 2002, pp. 265–274.
[29] C. Kruegel, T. Toth, and E. Kirda, “Service specific anomaly detec-
tion for network intrusion detection,” in Proc. ACM SAC, 2002, pp.
201–208.
[30] L. Yuan, H. Chen, J. Mai, C.-N. Chuah, Z. Su, and P. Mohapatra,
“Fireman: A toolkit for firewall modeling and analysis,” in Proc. IEEE
S&P, 2006, pp. 199–213.
Fei Chen received the B.S. and M.S. degrees in
automation from Tsinghua University, Beijing,
China, and the Ph.D. degree in computer science
from Michigan State University, East Lansing, in
2011.
He is currently a Performance Engineer with
VMware, Inc., Palo Alto, CA.
Bezawada Bruhadeshwar received the B.E. degree
from Osmania University, Hyderabad, India, in
1998, and the M.S. degree in electrical and computer
engineering and Ph.D. in computer science and
engineering from Michigan State University, East
Lansing, in 2000 and 2005, respectively.
He is currently working as an Assistant Professor
with the International Institute of Information Tech-
nology, Hyderabad (IIIT-H), India. His research in-
terests are in security, networking, and dependable
systems.
Alex X. Liu received the Ph.D. degree in computer
science from the University of Texas at Austin in
2006.
His research interests focus on networking, secu-
rity, and dependable systems.
Dr. Liu received the IEEE & IFIP William C.
Carter Award in 2004, an NSF CAREER Award in
2009, and the Withrow Distinguished Scholar Award
in 2011 at Michigan State University.