An Efficient Hybrid Algorithm for Multidimensional Packet Classification

Y. Qi and J. Li (PRC)


Network security, Packet classification, ACL and IDS


Multidimensional Packet Classification is one of the most critical functions for network security devices such as firewalls and intrusion detection systems. Due to the worst case bounds found in computational geometry, most of the existing algorithms for multidimensional packet classification trade memory usage for search speed in order to achieve better overall performance. Although some of these algorithms are proved to be efficient on small number of classification rules, they scale poorly in either search time or memory usage when the number of rules grows. In this paper, we propose an efficient hybrid algorithm named sBits, which combines the advantages of two best existing algorithms, RFC and HiCuts. Compared to RFC and HiCuts, sBits uses 10 to 400 times less memory storage and 30% to 50% less time in worst case search. sBits also reduces the heavy computational burden in pre-processing. Its full update time is 10 to 100 times less than RFC and HiCuts.

