
Research On Matching Process And Algorithm Improvement Of Intrusion Detection

Posted on: 2010-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: D W Lv
Full Text: PDF
GTID: 2178330338978925
Subject: Computer application technology
Abstract/Summary:
The popularization of the Internet and the wide application of computer networks bring great convenience to people's work and daily life. At the same time, network attacks and network crimes of many kinds have been increasing sharply, so protecting networks against hacker attacks is becoming more important. Intrusion detection, a network security technology that detects attacks actively and protects information systems from damage, has come into wide use.

Snort is a typical open-source intrusion detection system. Its functions include traffic analysis, logging of network packets, protocol analysis and content search within network packets. As network bandwidth increases, Snort has to process more and more traffic per unit time; to cope with high-speed networks, it must be improved to detect faster.

This thesis first analyses Snort's rule structure, its detection process and the construction of its fast rule-matching engine, and then proposes a rule classification scheme that groups rules by the number of pattern strings they contain. For rules containing only one pattern string, the single-pattern matching that was performed repeatedly during detection is replaced by a function that checks the boundary conditions obtained from the multi-pattern matching pass executed earlier. Experimental results show that this method improves the detection speed of the Snort intrusion detection system by 1.28%. Then, after analysing the advantages and shortcomings of general pattern matching algorithms, an improved AC_BMH (Aho-Corasick_Boyer-Moore-Horspool) algorithm is proposed.

The improved AC_BMH algorithm uses a double-character skip, which both raises the probability that a pattern string mismatches and lengthens the jump distance; it further incorporates the advantages of the QS (Quick Search) algorithm for an even longer jump when a pattern string fails to match, and it uses a compact storage mechanism to reduce memory usage. The algorithm's matching speed and memory usage were tested using VC6.0. The results show that the proposed algorithm improves pattern matching speed by about 29.30%-52.82% and reduces memory usage by about 90% when many pattern strings are present. Finally, the improved algorithm was applied to the Snort intrusion detection system; experimental results show that it improves Snort's detection speed by 5.95%-25.54%.
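The skip rules the abstract combines can be seen on a single pattern. The following is an added illustration, not code from the thesis: it builds the BMH table, the QS table and a double-character (pair) table, then counts how many window alignments each rule (and the pair+QS combination) examines on a constructed payload. The payload and the pattern are constructed samples; the full multi-pattern Aho-Corasick part and the compact storage are outside this example.

```python
from typing import Dict, List, Tuple

def horspool_table(pattern: bytes) -> Dict[int, int]:
    # BMH: shift keyed on the window's last byte (rightmost earlier occurrence wins).
    m = len(pattern)
    return {c: m - 1 - i for i, c in enumerate(pattern[:-1])}

def quicksearch_table(pattern: bytes) -> Dict[int, int]:
    # QS: shift keyed on the byte just past the window, so the default is m + 1.
    m = len(pattern)
    return {c: m - i for i, c in enumerate(pattern)}

def pair_table(pattern: bytes) -> Dict[bytes, int]:
    # Double-character skip: keyed on the window's last two bytes. A 2-byte key
    # occurs in the pattern far less often than a single byte, so the default
    # shift of m - 1 fires more often (larger mismatch probability, longer jumps).
    m = len(pattern)
    return {pattern[i:i + 2]: m - 2 - i for i in range(m - 2)}

def search(text: bytes, pattern: bytes, mode: str) -> Tuple[List[int], int]:
    """Return (match offsets, number of window alignments examined)."""
    m, n = len(pattern), len(text)
    assert m >= 3 and mode in ("bmh", "qs", "pair", "pair+qs")
    bmh, qs, pair = horspool_table(pattern), quicksearch_table(pattern), pair_table(pattern)
    hits, windows, j = [], 0, 0
    while j <= n - m:
        windows += 1
        if text[j:j + m] == pattern:
            hits.append(j)
        # Each rule below is safe on its own, so the larger of two safe shifts is safe too.
        qs_shift = qs.get(text[j + m], m + 1) if j + m < n else m + 1
        if mode == "bmh":
            shift = bmh.get(text[j + m - 1], m)
        elif mode == "qs":
            shift = qs_shift
        else:
            shift = pair.get(text[j + m - 2:j + m], m - 1)
            if mode == "pair+qs":
                shift = max(shift, qs_shift)
        j += shift
    return hits, windows

# Constructed sample payload and content-style pattern (not taken from the thesis).
TEXT = b"new session opened; session ended"
PATTERN = b"session"

if __name__ == "__main__":
    for mode in ("bmh", "qs", "pair", "pair+qs"):
        print(mode, search(TEXT, PATTERN, mode))
```

All four modes report the same match offsets; only the number of alignments examined differs, and which rule wins depends on the payload, which is why the thesis measures the combined design on real Snort traffic.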
Keywords/Search Tags: Intrusion Detection, Pattern Matching, Snort, AC_BMH Algorithm