Network intrusion detection systems require all-match packet classication, where all rules matching a packet are reported by the system. The problem of eciently reporting all matching rules is known as the all-match optimization problem. One solution is to convert an all-match classier into a first-match classier (in which only the rst classier rule that matches a packet is reported), and use ternary content addressable memory (TCAM) forpacket classication.In this thesis, we evaluate two classier minimization approaches. First, we consider the use of all-match classier-specic optimization algorithms. Second, we use state-of-the-art first-match classier optimization algorithms in conjunction with all-match algorithms. Our results indicate the appropriate approach is related to the number of TCAM chips available for classication. When using one TCAM chip, we attain 70.85% TCAM space savings using rst-match classier optimization algorithms instead of all-match classier optimization algorithms. When using multiple TCAM chips, we found that it is best to use all-match specic optimization algorithms.
Read
