Configuring networks with content filtering nodes with applications to network security

Abstract

With the rapid increase in the frequency of worm attacks, there has been significant interest in developing network based mechanisms that slow or contain worm propagation. One suggested network-based approach is the use of special content filtering nodes that examine the complete content of each packet and block traffic that contain strings matching a pre-specified set of worm signatures. To be effective, containment systems need to have fast reaction times (content filtering with the appropriate signatures must be activated very soon after the start of an attack) and need to be comprehensive in the sense that every packet routed through the network must be examined at least once. Since network-based content filtering is expensive, it is desirable to make the best use of deployable content filtering capability. This requires intelligent placement of the content filtering nodes in the network and use of appropriate network routing to maximize the carried traffic. In this paper, we study the impact of the content filtering requirement on network capacity. First, we develop an intelligent heuristic for deployment of content filtering nodes in the network. Next, given a set of deployed content filtering nodes, we develop a fully polynomial time approximation scheme (FP-TAS) that maximizes the traffic carried by the network subject to the constraint that all traffic passes through a content filtering node at least once. Simulation studies using the developed schemes show that for large networks, most of the traffic can be examined even when only 10% of the network nodes are content filtering capable.