Title of Thesis: Improving Packet Classification: Learning from Traffic Improving Packet Classification: Learning from Traffic

Some rules in a packet classifier’s ruleset are more likely to be matched than others. Which of these rules are most likely to be matched cannot be known a priori, however. As a result, a classifier should be able to adapt itself to the traffic that it sees. This thesis explores the idea of using the traffic a packet classifier is seeing to tune that classifier’s search structure in order to improve its average response time. To test this idea, HICuts, a heuristic-based packet classifier recently proposed by Gupta and McKeown, was modified to periodically restructure itself to best match the traffic it is seeing. In addition, a Ternary Content Addressable Memory (TCAM) was added to the classifier to act as a form of transposition table. The classifier was also given the ability to maintain a worst-case bound on its performance, as, by the nature of Internet traffic, classifiers must ensure that all possible packets be matched in a reasonable amount of time. In order to describe the effects of restructuring, several modifications were made to an Interval Decision Diagram (IDD) notation. Such notation can be used as a HICuts tree is essentially an IDD tree with a slightly different condition for creating leaf nodes. Experimental results drawn from synthetic tests designed to test specific situations and extreme cases, and from real-world tests using actual packet traces are shown. In experimentation, compared to the original static HICuts classifier, the new dynamic classifier performed significantly better in terms of the amount of work performed during classification, while maintaining a strict bound on its worst-case performance.