Enforcement of network security policy has become increasingly important as well as increasingly difficult. High-level security policy is converted into many different filters and/or rules, which are enforced in various layers throughout the network stack to provide effective and customizable protection against viruses and/or a variety of other network-based attacks. The filters may be multidimensional, checking a variety of different network traffic properties against potentially large sets and/or ranges of values. The enforcement system must frequently enforce one or more rules that require processing of a cross product of many sets of values, creating a combinatorial “explosion” of filters.
Due to filter explosion, policies and the resulting filters become too large to process effectively in a reasonable amount of time. It also becomes difficult to add, remove, or enumerate the filters because of their sheer number. Additionally, because the filters enforcing the policy are very complex, it is difficult to make modifications to the policies. Further, efficient match lookup techniques, such as hashing, are not practical due to the multidimensional nature of many of the filters. When a classification of network traffic is completed at one layer of the network stack, the classification work may not be reusable in another layer due to differences in the complex filters at each level. These issues result in more memory and processor resource consumption than necessary, both in the data path and whenever a policy is enforced or modified.
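The two paragraphs above describe the problem abstractly. The following is an added example (not from the original text or any product it describes) that makes the explosion concrete: a single constructed, hypothetical deny rule with three source subnets, four destination hosts, five ports and two protocols is expanded into the cross product the text refers to, the number of exact-match hash keys such an expansion would need is counted (every subnet must first be expanded to individual hosts, which is why hashing is impractical for range-valued dimensions), and the same rule is then kept as one conjunction of per-dimension sets that matches identical traffic without being expanded. All addresses, ports and the rule itself are constructed sample values.

```python
from dataclasses import dataclass
from itertools import product
from ipaddress import ip_address, ip_network

# Constructed sample rule (hypothetical policy): deny traffic from any of the
# source subnets to any of the destination hosts on any listed port, TCP or UDP.
SRC_SUBNETS = ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")
DST_HOSTS = ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")
PORTS = (22, 80, 443, 8080, 8443)
PROTOCOLS = ("tcp", "udp")


def expand_to_filters(srcs=SRC_SUBNETS, dsts=DST_HOSTS, ports=PORTS, protos=PROTOCOLS):
    """Naive enforcement: materialise one concrete filter per element of the
    cross product src x dst x port x proto. The list grows multiplicatively
    with every dimension added to the rule (3*4*5*2 = 120 here)."""
    return list(product(srcs, dsts, ports, protos))


def hashable_key_count(srcs=SRC_SUBNETS, dsts=DST_HOSTS, ports=PORTS, protos=PROTOCOLS):
    """Exact-match hashing needs one concrete key per packet tuple, so each
    source subnet would have to be expanded to its individual host addresses.
    Returns how many hash-table entries that expansion would require."""
    hosts = sum(net.num_addresses for net in map(ip_network, srcs))
    return hosts * len(dsts) * len(ports) * len(protos)


@dataclass(frozen=True)
class SetRule:
    """Keep the rule as a conjunction of per-dimension sets and ranges instead
    of expanding it; one object matches exactly what the expanded filters do."""
    srcs: tuple          # ip_network objects (ranges, tested by containment)
    dsts: frozenset      # ip_address objects (exact members)
    ports: frozenset
    protos: frozenset

    @classmethod
    def from_sets(cls, srcs=SRC_SUBNETS, dsts=DST_HOSTS, ports=PORTS, protos=PROTOCOLS):
        return cls(tuple(ip_network(s) for s in srcs),
                   frozenset(ip_address(d) for d in dsts),
                   frozenset(ports), frozenset(protos))

    def matches(self, src, dst, port, proto):
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        return (any(src_ip in net for net in self.srcs)
                and dst_ip in self.dsts
                and port in self.ports
                and proto in self.protos)


def expanded_filter_matches(filters, src, dst, port, proto):
    """Matching against the expanded list is a linear scan over every filter,
    and each filter still needs a subnet containment test for the source."""
    src_ip = ip_address(src)
    return any(src_ip in ip_network(s) and d == dst and p == port and pr == proto
               for s, d, p, pr in filters)


if __name__ == "__main__":
    filters = expand_to_filters()
    rule = SetRule.from_sets()
    print(len(filters), "expanded filters;",
          hashable_key_count(), "hash keys after subnet expansion")
    # Constructed sample packets: one inside the rule, one from an unlisted subnet.
    for pkt in [("10.2.0.7", "192.0.2.11", 443, "tcp"),
                ("10.9.0.1", "192.0.2.11", 443, "tcp")]:
        assert rule.matches(*pkt) == expanded_filter_matches(filters, *pkt)
        print(pkt, "->", "deny" if rule.matches(*pkt) else "allow")
```

Adding a fifth dimension (say, a set of VLAN tags) multiplies the expanded list again but adds one field and one membership test to `SetRule`; that asymmetry is the cost the passage is describing, and keeping the per-dimension sets intact is also what lets a classification result (for instance "source is in subnet set S") be reused rather than recomputed per expanded filter.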