
Application Of VLDC Pattern Matching Algorithm In Intrusion Detection Systems

Posted on: 2012-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: J Tian
Full Text: PDF
GTID: 2178330335450293
Subject: Computer system architecture
Abstract/Summary:
Today the network plays a major role for enterprises and individuals alike: people use it to exchange information quickly, which greatly eases communication, but it also exposes enterprises and individuals to many negative factors, so network intrusion detection is an important research direction in networking. As more sophisticated services are added on top of the basic service, they have to handle a large number of packets, and inspecting the packets transmitted over the network becomes more important. Deep packet inspection, which examines the data carried in the packets and takes defensive action, is receiving more and more attention. Inspecting and processing packets mainly means inspecting and processing the data being transmitted in them, so a pattern matching algorithm is required: it matches the packet data against the patterns and determines whether the data is dangerous.

An intrusion detection system is a network security device that monitors network traffic in real time and raises alarms or takes active measures when it sees suspicious traffic. It differs from other network security equipment in that intrusion detection is an active security technology. Intrusion detection techniques can be divided by detection method into anomaly detection and misuse detection. Snort is a cross-platform IDS based on misuse detection. The pattern matching algorithms used in the Snort intrusion detection system are essentially of three kinds: the BM algorithm, the AC algorithm and the WM algorithm. In an IDS the pattern matching algorithm directly influences the performance of the system, so improving the efficiency of the system's pattern matching algorithm plays a very important role in optimizing the system.

The VLDC algorithm differs in certain respects from regular-expression matching and is more flexible than regular-expression pattern matching in both its method and its structure. VLDC (Variable Length Don't Cares) patterns are a specific kind of pattern string. Given an alphabet Σ, a pattern p is written p = p1@p2...@pm, where each pi is a string over Σ called a keyword and @ is a symbol not in Σ that represents the VLDC symbol. We say that pattern p matches a text t if t = u0 p1 u1 ... um-1 pm um with u0, ..., um ∈ Σ*; such a p is called a VLDC pattern. The VLDC matching problem is defined as follows: given a set of VLDC patterns and a specific text t, decide whether some pattern p matches t.

In the Snort intrusion detection system the PCRE engine is used to match regular expressions. We do not change the PCRE engine itself in order to raise its performance; instead we make the improvement by adding a new node that filters out, in advance, the information that does not satisfy the conditions. Although the PCRE engine can handle regular-expression matching quickly, of the mass of data carried by the network only a small minority will eventually match successfully. Therefore a new VLDC pattern matching node is added to the intrusion detection system in front of the PCRE engine; only messages that are fully matched by this node continue to further inspection by the PCRE engine. The reason this works is that matching against a VLDC pattern is consistent with matching against the prior regular expression from which it is converted, so when the VLDC patterns converted from the regular expressions are used in the pre-detection stage, a great deal of time is saved in the PCRE engine.

To show that the algorithm plays an optimizing role in the Snort intrusion detection system, it must be tested and compared against the original algorithm. Before testing, some related preparation is required, including constructing the experimental platform, selecting the test data, and selecting the tools for analysing the test data. Constructing the experimental platform involves choosing the hardware and factors such as the computer's operating system and compilation environment. The experimental results show that the results of the original and the improved system are consistent: the number of detected instances is the same, and the size and content of the output are the same. Although the results do not change, the execution times differ greatly. The comparison shows that for every group of data applied to the improved system the execution time is reduced, and the average time over multiple groups of data also decreases. Therefore the improved system is better than the original system in execution time and has improved performance.
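As an added example (not code from the thesis), the VLDC matching rule defined above and the pre-filter node placed in front of the regular-expression engine, in Python; Python's re module stands in for PCRE, and the rule names, regexes and sample payloads are constructed for illustration.

```python
import re

def vldc_match(pattern: str, text: str, dc: str = "@") -> bool:
    """True iff p1@p2@...@pm matches text, i.e. text = u0 p1 u1 ... pm um.
    Because every don't-care segment may have any length, taking the leftmost
    occurrence of each keyword after the previous one is sufficient: if any
    placement exists, the greedy leftmost placement exists as well."""
    pos = 0
    for keyword in pattern.split(dc):
        if not keyword:           # "@@" or a leading/trailing "@": nothing to find
            continue
        idx = text.find(keyword, pos)
        if idx < 0:
            return False
        pos = idx + len(keyword)  # keywords must not overlap
    return True

# Constructed rules (hypothetical, not Snort rules).  Each regex is paired with
# the VLDC pattern built from its literal, in-order substrings, so the VLDC
# pattern is a necessary condition for the regex to match: the filter never
# drops a payload the regex would have matched.
RULES = [
    ("suspicious-agent", "User-Agent:@evil@bot",
     re.compile(r"User-Agent:\s*evil[0-9]+bot")),
    ("debug-header", "X-Debug:@on",
     re.compile(r"X-Debug:\s*on\b")),
]

def inspect(payload: str, rules=RULES):
    """Return (names of rules whose regex matched, number of regex calls).
    The VLDC node runs first; only payloads it accepts reach the regex engine."""
    hits, regex_calls = [], 0
    for name, vldc, regex in rules:
        if not vldc_match(vldc, payload):
            continue              # rejected before the expensive engine runs
        regex_calls += 1
        if regex.search(payload):
            hits.append(name)
    return hits, regex_calls

# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",      # benign
    "GET /search?q=hi HTTP/1.1\r\nUser-Agent: evil42bot\r\n\r\n",   # regex hit
    "POST /login HTTP/1.1\r\nUser-Agent: evilbot\r\n\r\n",          # VLDC pass, regex miss
    "GET /x HTTP/1.1\r\nX-Debug: on\r\n\r\n",                       # second rule hit
]

def run_sample():
    """Inspect every sample payload; the call counts show the PCRE work saved."""
    return [inspect(p) for p in SAMPLE_PAYLOADS]
```

The third payload shows the filter's limit: a VLDC pattern keeps only the literal keywords, so it can pass text the full regex still rejects, which is why the regex engine remains the final authority.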
Keywords/Search Tags: Intrusion detection, Regular expressions, Pattern matching, Deep packet inspection