
Improvement Study Of Content-Based Intrusion Detection System

Posted on: 2007-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: H X Li
Full Text: PDF
GTID: 2178360182983116
Subject: Computer application technology

Abstract/Summary:
With the rapid development of information technology, security has become a central problem for information systems. As an active measure of information assurance, intrusion detection complements traditional protection techniques such as access control, firewalls and identity authentication. Many intrusion detection systems are being studied and deployed today, but as the number of intrusions and the network bandwidth keep growing, their accuracy and efficiency no longer meet the need.

In a misuse-based intrusion detection system, string matching dominates the running cost, so the capability of the matching algorithm directly determines overall efficiency. The thesis therefore describes several classical matching algorithms and analyses their scope of application, advantages and disadvantages. On that basis it presents an exclusion-based matching algorithm, which quickly excludes packets whose payload does not contain any intrusion string.

The detection process of a misuse-based system matches the packet payload against the rules in the rule library, so the structure of the rule library also has a strong effect on detection efficiency. The thesis improves that structure in two ways. First, the criterion for classifying rules is optimised so that each rule belongs to exactly one rule chain. Second, because application services differ in how often they are used, the chains for common service ports are placed at the front so that they are reached first.

To further raise detection speed and accuracy, the thesis proposes analysing the application protocol in order to shorten the payload that has to be inspected. This reduces the detection burden and improves detection accuracy.

The thesis carries out a series of performance tests with Snort on Linux, concentrating on the exclusion-based matching algorithm and the improved rule library. Analysis of the results shows that they largely agree with the theory and that the performance of the intrusion detection system is clearly improved. The improved system still has shortcomings, so the thesis closes with directions for future work.
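The following is an added example, not code from the thesis or from Snort, showing the three ideas the abstract combines: an exclusion test that lets most packets skip the exact signature search, a rule library organised as one chain per destination port with common ports in front (each rule in exactly one chain), and a protocol-aware step that narrows the inspected payload. The exclusion test used here is a gram test: a signature can occur in a payload only if every 2-byte substring of the signature also occurs in the payload. That condition is necessary, not sufficient, so rules that survive it still go through an exact search. The rule set, the packets, the gram length `Q = 2`, and the HTTP narrowing rule (inspect only the request URI on port 80) are all assumptions made for this example.

```python
"""Exclusion-based pre-filter in front of exact signature matching.

Added example, not code from the thesis or from Snort. Rule set, packets,
gram length and the HTTP narrowing rule are assumptions for illustration.
"""
from typing import List, Set, Tuple

Q = 2  # gram length for the exclusion test (assumption)

Rule = Tuple[str, bytes]  # (rule name, signature bytes)

# Constructed sample rule library. Each rule appears in exactly one chain,
# and chains for frequently used services are listed first so a linear
# scan reaches the common case quickly.
RULE_CHAINS: List[Tuple[int, List[Rule]]] = [
    (80, [("WEB-shell-path", b"/bin/sh"), ("WEB-traversal", b"../../")]),
    (21, [("FTP-site-exec", b"SITE EXEC")]),
    (25, [("SMTP-vrfy", b"VRFY ")]),
]


def grams(data: bytes) -> Set[bytes]:
    """All Q-byte substrings of data (empty if data is shorter than Q)."""
    return {data[i:i + Q] for i in range(len(data) - Q + 1)}


def build_index(chains):
    """Precompute each signature's gram set once, at rule-load time.
    Chain order is preserved: it is the order the scan walks."""
    return [(port, [(name, sig, grams(sig)) for name, sig in rules])
            for port, rules in chains]


INDEX = build_index(RULE_CHAINS)
CHAIN_ORDER = [port for port, _ in INDEX]


def find_chain(port: int):
    """Linear scan over the chains; common ports sit at the front."""
    for p, rules in INDEX:
        if p == port:
            return rules
    return []


def narrow_payload(port: int, payload: bytes) -> bytes:
    """Protocol-aware shortening (assumption): for an HTTP request line
    inspect only the request URI; anything else keeps the full payload."""
    if port == 80:
        parts = payload.split(b" ", 2)
        if len(parts) >= 2 and parts[0].isalpha():
            return parts[1]
    return payload


def can_exclude(payload: bytes, payload_grams: Set[bytes],
                sig: bytes, sig_grams: Set[bytes]) -> bool:
    """True when sig provably cannot occur in payload.

    A signature shorter than Q has no grams, so it is never excluded here
    and always falls through to the exact search."""
    if len(sig) > len(payload):
        return True
    return not sig_grams.issubset(payload_grams)


def detect(port: int, payload: bytes) -> Tuple[List[str], int, int]:
    """Run the chain for `port` over one packet.

    Returns (matched rule names,
             rules excluded without an exact search,
             rules that needed an exact search)."""
    data = narrow_payload(port, payload)
    payload_grams = grams(data)
    matched: List[str] = []
    excluded = searched = 0
    for name, sig, sig_grams in find_chain(port):
        if can_exclude(data, payload_grams, sig, sig_grams):
            excluded += 1
            continue
        searched += 1
        if sig in data:  # exact search only for rules that survived
            matched.append(name)
    return matched, excluded, searched


if __name__ == "__main__":
    # Constructed packets: an ordinary request, an attack, and a payload
    # that passes the gram test yet does not contain the signature.
    for port, pkt in [(80, b"GET /index.html HTTP/1.0"),
                      (80, b"GET /cgi-bin/../../bin/sh HTTP/1.0"),
                      (25, b"RFY VR"),
                      (21, b"USER anonymous\r\n")]:
        print(port, pkt, detect(port, pkt))
```

The third constructed packet, `b"RFY VR"` on port 25, is the important edge case: every 2-byte gram of `VRFY ` is present, so the exclusion test cannot reject it, but the exact search correctly reports no match. The pre-filter only ever saves work; it never changes the verdict.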
Keywords/Search Tags: Intrusion detection, Misuse-based intrusion detection, String matching algorithm, Rule library, Protocol analysis, Snort