Show/Hide Menu
Hide/Show Apps
Logout
Türkçe
Türkçe
Search
Search
Login
Login
OpenMETU
OpenMETU
About
About
Open Science Policy
Open Science Policy
Open Access Guideline
Open Access Guideline
Postgraduate Thesis Guideline
Postgraduate Thesis Guideline
Communities & Collections
Communities & Collections
Help
Help
Frequently Asked Questions
Frequently Asked Questions
Guides
Guides
Thesis submission
Thesis submission
MS without thesis term project submission
MS without thesis term project submission
Publication submission with DOI
Publication submission with DOI
Publication submission
Publication submission
Supporting Information
Supporting Information
General Information
General Information
Copyright, Embargo and License
Copyright, Embargo and License
Contact us
Contact us
Content based packet filtering in linux kernel using deterministic finite automata
Download
index.pdf
Date
2011
Author
Bilal, Tahir
Metadata
Show full item record
Item Usage Stats
265
views
287
downloads
Cite This
In this thesis, we present a content based packet filtering Architecture in Linux using Deterministic Finite Automata and iptables framework. New generation firewalls and intrusion detection systems not only filter or inspect network packets according to their header fields but also take into account the content of payload. These systems use a set of signatures in the form of regular expressions or plain strings to scan network packets. This scanning phase is a CPU intensive task which may degrade network performance. Currently, the Linux kernel firewall scans network packets separately for each signature in the signature set provided by the user. This approach constitutes a considerable bottleneck to network performance. We implement a content based packet filtering architecture and a multiple string matching extension for the Linux kernel firewall that matches all signatures at once, and show that we are able to filter network traffic by consuming constant bandwidth regardless of the number of signatures. Furthermore, we show that we can do packet filtering in multi-gigabit rates.
Subject Keywords
Computer software.
,
Computer security.
URI
http://etd.lib.metu.edu.tr/upload/12613710/index.pdf
https://hdl.handle.net/11511/21099
Collections
Graduate School of Natural and Applied Sciences, Thesis
Suggestions
OpenMETU
Core
Data integration over horizontally partitioned databases in service-oriented data grids
Sunercan, Hatice Kevser Sönmez; Çiçekli, Fehime Nihan; Alpdemir, Mahmut Nedim; Department of Computer Engineering (2010)
Information integration over distributed and heterogeneous resources has been challenging in many terms: coping with various kinds of heterogeneity including data model, platform, access interfaces; coping with various forms of data distribution and maintenance policies, scalability, performance, security and trust, reliability and resilience, legal issues etc. It is obvious that each of these dimensions deserves a separate thread of research efforts. One particular challenge among the ones listed above tha...
Data sharing and access with a corba data distribution service implementation
Dursun, Mustafa; Bilgen, Semih; Department of Electrical and Electronics Engineering (2006)
Data Distribution Service (DDS) specification defines an API for Data-Centric Publish-Subscribe (DCPS) model to achieve efficient data distribution in distributed computing environments. Lack of definition of interoperability architecture in DDS specification obstructs data distribution between different and heterogeneous DDS implementations. In this thesis, DDS is implemented as a CORBA service to achieve interoperability and a QoS policy is proposed for faster data distribution with CORBA features.
Standalone static binary executable rewriting for software protection
Bican, Özgür Saygın; Şehitoğlu, Onur Tolga; Department of Computer Engineering (2015)
This study introduces a static binary rewriting method for improving security of executable binaries. For software security, when the network and host-based precautions are passed by the adversary or they are not present at all, the software has to defend itself. Nevertheless, applying software protection methods during software development requires extra source code development and know-how. Furthermore, these methods inherently make the software undesirably complex. Applying these methods after compilatio...
Visual composition component oriented development
Öztürk, Murat Mutlu; Doğru, Ali Hikmet; Department of Computer Engineering (2005)
This thesis introduces a visual composition approach for JavaBeans components, in compliance with the Component Oriented Software Engineering (COSE) process. The graphical modeling tool, COSECASE, is enhanced with the ability to build a system by integrating domain-specific components. Such integration is implemented by defining connection points and interaction details between components. The event model of the JavaBeans architecture is also added to the capabilities.
Semantically enriched web service composition in mobile environments
Ertürkmen, K. Alpay; Doğaç, Asuman; Department of Information Systems (2003)
Web Services are self-contained, self-describing, modular applications that can be published, located, and invoked through XML artefacts across the Web. Web services technologies can be applied to many kinds of applications, where they offer considerable advantages compared to the old world of product-specific APIs, platform-specific coding, and other أbrittleؤ technology restrictions. Currently there are millions of web services available on the web due to the increase in e-commerce business volume. Web se...
Citation Formats
IEEE
ACM
APA
CHICAGO
MLA
BibTeX
T. Bilal, “Content based packet filtering in linux kernel using deterministic finite automata,” M.S. - Master of Science, Middle East Technical University, 2011.