
The Analysis And Research Of Signature-based Intrusion Detection Engine

Posted on: 2006-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q Tang
Full Text: PDF
GTID: 2168360155961944
Subject: Computer application technology

Abstract/Summary:
In recent years the network security situation has become increasingly severe. An intrusion detection system is one of the important components of a computer network security defense system. With growing network traffic and link speeds, processing speed has become an important metric for evaluating intrusion detection performance, and how to increase the speed of the intrusion detection engine has become a hot research problem. This thesis studies the signature-based intrusion detection engine from two aspects: how to organize intrusion rules effectively, and which pattern matching algorithm can detect intrusions quickly and accurately when packets are matched against the intrusion rules.

This thesis uses Snort as the experimental tool. Snort is the most popular signature-based intrusion detection system; because it is open source, it holds an important position in the intrusion detection field. The thesis analyses two kinds of detection engine in Snort: the traditional detection engine organizes rules in a two-dimensional list, while the newer technique organizes rules in a decision tree. The choice of the attribute selection metric used to split nodes has an important impact on the shape and depth of the resulting decision tree. This thesis constructs the decision tree with a different attribute selection metric, the gain-ratio criterion, in place of the gain criterion. For certain particular attacks, experimental evaluation shows that the detection engine using the gain-ratio criterion significantly improves the speed of the detection process.

The pattern matching algorithm is an important part of the signature-based intrusion detection engine. Under the conditions of mixed attacks and of a single attack, experiments evaluate the performance of the pattern matching algorithms studied. The experimental evaluation shows that different algorithms suit different application areas, which provides a valuable reference for developers choosing a suitable pattern matching algorithm for an intrusion detection system.
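To make the difference between the gain and gain-ratio criteria concrete, the following is an added example (not code from the thesis and not Snort's rule tree code). It scores candidate split attributes over a small constructed rule table and induces a tree with each criterion. The attributes (`proto`, `dst_port`, `flags`), the rule ids and the `class` label used as the induction target are all assumptions of this example; the abstract does not state how rules are labelled. The point it shows is the one the text relies on: the gain criterion favours the many-valued `dst_port` attribute (one rule per branch), whereas the gain ratio divides by the split information and prefers the two-way `proto` split.

```python
from collections import Counter
from math import log2

# Constructed toy rule table (ids, attribute values and class labels are made
# up for this example, not taken from the thesis or from real Snort rules).
RULES = [
    {"id": 1001, "proto": "tcp", "dst_port": 80,  "flags": "S",    "class": "exploit"},
    {"id": 1002, "proto": "tcp", "dst_port": 443, "flags": "S",    "class": "exploit"},
    {"id": 1003, "proto": "tcp", "dst_port": 21,  "flags": "A",    "class": "exploit"},
    {"id": 1004, "proto": "tcp", "dst_port": 22,  "flags": "S",    "class": "scan"},
    {"id": 1005, "proto": "udp", "dst_port": 53,  "flags": "none", "class": "dos"},
    {"id": 1006, "proto": "udp", "dst_port": 161, "flags": "none", "class": "scan"},
    {"id": 1007, "proto": "udp", "dst_port": 123, "flags": "none", "class": "dos"},
    {"id": 1008, "proto": "udp", "dst_port": 69,  "flags": "none", "class": "dos"},
]
ATTRS = ["proto", "dst_port", "flags"]


def entropy(rows):
    """Shannon entropy (bits) of the class distribution in `rows`."""
    n = len(rows)
    return -sum(c / n * log2(c / n) for c in Counter(r["class"] for r in rows).values())


def partition(rows, attr):
    """Group rows by the value they carry for `attr`."""
    groups = {}
    for r in rows:
        groups.setdefault(r[attr], []).append(r)
    return groups


def info_gain(rows, attr):
    """ID3 gain criterion: entropy removed by splitting on `attr`."""
    n = len(rows)
    remainder = sum(len(g) / n * entropy(g) for g in partition(rows, attr).values())
    return entropy(rows) - remainder


def split_info(rows, attr):
    """Entropy of the split itself; it grows with the number of branches."""
    n = len(rows)
    return -sum(len(g) / n * log2(len(g) / n) for g in partition(rows, attr).values())


def gain_ratio(rows, attr):
    """C4.5 gain-ratio criterion: gain normalised by the split information."""
    si = split_info(rows, attr)
    return info_gain(rows, attr) / si if si > 0 else 0.0


def best_attribute(rows, attrs, criterion):
    """Attribute chosen to split a node under "gain" or "gain_ratio"."""
    score = info_gain if criterion == "gain" else gain_ratio
    return max(attrs, key=lambda a: score(rows, a))


def build_tree(rows, criterion, attrs=ATTRS):
    """Top-down induction: split until a node holds one class or no attribute
    is left. Leaves hold the ids of the rules a packet would still be matched
    against, so leaf size and tree depth are what the criterion trades off."""
    if len({r["class"] for r in rows}) == 1 or not attrs:
        return sorted(r["id"] for r in rows)
    best = best_attribute(rows, attrs, criterion)
    rest = [a for a in attrs if a != best]
    return {best: {v: build_tree(g, criterion, rest)
                   for v, g in partition(rows, best).items()}}


def score_table(rows, attrs=ATTRS):
    """(gain, gain_ratio) for every attribute, for side-by-side inspection."""
    return {a: (round(info_gain(rows, a), 4), round(gain_ratio(rows, a), 4)) for a in attrs}


if __name__ == "__main__":
    for attr, (g, gr) in score_table(RULES).items():
        print(f"{attr:9s} gain={g:.4f} gain_ratio={gr:.4f}")
    print("gain root:      ", next(iter(build_tree(RULES, "gain"))))
    print("gain-ratio root:", next(iter(build_tree(RULES, "gain_ratio"))))
```

On this table the gain criterion puts `dst_port` at the root (every rule gets its own branch), while the gain ratio, which charges for the eight-way split, puts `proto` at the root. The resulting trees differ in shape and depth, which is exactly the effect the abstract attributes to the choice of split metric.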
Finally, the thesis focuses on how to optimize the memory consumption of the Aho-Corasick algorithm. It uses a new storage format, called the Compressed Sparse Vector Multi-Bands Storage format. Experiments show that the Multi-Bands Storage format reduces memory consumption noticeably.
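As an added illustration (not the thesis's own code nor Snort's), the following builds a full Aho-Corasick DFA and stores the same transition table in four ways: the dense full table, a sparse row of the non-zero transitions, a single band per row, and multiple bands per row. The multi-band code here is this example's own simplified reading of the idea; the abstract does not give the details of the thesis's Compressed Sparse Vector Multi-Bands format, and the `gap` threshold is an assumption. The signature fragments and the sample payload are constructed, and memory is counted in table cells so the formats can be compared on the same automaton.

```python
from collections import deque

ALPHABET = 256  # a full DFA row holds one next-state per byte value

# Constructed signature fragments and sample payload (not real Snort content).
PATTERNS = [b"GET /cgi-bin/", b"/etc/passwd", b"cmd.exe"]
SAMPLE = b"GET /cgi-bin/test.cgi?file=../../etc/passwd HTTP/1.0"


def build_full_dfa(patterns):
    """Aho-Corasick: keyword trie, failure links, then compile to a full DFA
    so every (state, byte) pair has a precomputed next state."""
    goto, output = [{}], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                output.append(set())
            s = goto[s][b]
        output[s].add(idx)
    fail = [0] * len(goto)
    full = [[0] * ALPHABET for _ in goto]
    queue = deque()
    for b, s in goto[0].items():
        full[0][b] = s
        queue.append(s)
    while queue:  # breadth-first, so the row of fail[r] is already complete
        r = queue.popleft()
        for b, s in goto[r].items():
            fail[s] = full[fail[r]][b]
            output[s] |= output[fail[s]]
            queue.append(s)
        for b in range(ALPHABET):
            full[r][b] = goto[r][b] if b in goto[r] else full[fail[r]][b]
    return full, output


def to_sparse(full):
    """Sparse rows: keep only (byte, next) pairs whose target is not state 0."""
    return [[(b, s) for b, s in enumerate(row) if s] for row in full]


def to_multi_band(full, gap=4):
    """Bands per row: a band is closed when more than `gap` zero entries
    separate two non-zero transitions (the threshold is this example's own).
    With gap=ALPHABET no band is ever closed, giving one band per row."""
    rows = []
    for row in full:
        bands, start, last = [], None, None
        for b, s in enumerate(row):
            if not s:
                continue
            if start is not None and b - last - 1 > gap:
                bands.append((start, row[start:last + 1]))
                start = None
            if start is None:
                start = b
            last = b
        if start is not None:
            bands.append((start, row[start:last + 1]))
        rows.append(bands)
    return rows


CONVERT = {"full": lambda f: f, "sparse": to_sparse,
           "banded": lambda f: to_multi_band(f, ALPHABET), "multi": to_multi_band}


def make_step(fmt, rows):
    """Next-state lookup for each format; an absent entry means state 0."""
    if fmt == "full":
        return lambda s, b: rows[s][b]
    if fmt == "sparse":
        return lambda s, b: next((n for bb, n in rows[s] if bb == b), 0)
    return lambda s, b: next((band[b - off] for off, band in rows[s]
                              if off <= b < off + len(band)), 0)


def cells(fmt, rows):
    """Memory in table cells, counting each row's count and band headers too."""
    if fmt == "full":
        return sum(len(r) for r in rows)
    if fmt == "sparse":
        return sum(1 + 2 * len(r) for r in rows)
    return sum(1 + sum(2 + len(band) for _, band in bands) for bands in rows)


def search(data, step, output):
    """Scan `data`; return (end_offset, pattern_index) for every match."""
    hits, s = [], 0
    for i, b in enumerate(data):
        s = step(s, b)
        hits.extend((i, idx) for idx in sorted(output[s]))
    return hits


def compare_formats(patterns, data):
    """Memory and match results for every storage format of the same DFA."""
    full, output = build_full_dfa(patterns)
    result = {}
    for fmt, conv in CONVERT.items():
        rows = conv(full)
        result[fmt] = {"cells": cells(fmt, rows),
                       "hits": search(data, make_step(fmt, rows), output)}
    return result
```

Calling `compare_formats(PATTERNS, SAMPLE)` returns identical hit lists for all four formats, since they encode the same automaton, while the cell counts drop from the dense table to the single-band and multi-band layouts. The reason a single band wastes space is visible in the root row: its non-zero entries sit at the byte values of `/`, `G` and `c`, so one band must carry all the zeros between them, whereas several short bands do not.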
Keywords/Search Tags: Intrusion detection, Pattern matching, Rules, Decision tree, Attack