
Research And Improvement Of Detection Algorithm For Snort Detection Engine

Posted on: 2008-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Zhi
Full Text: PDF
GTID: 2178360215479831
Subject: Computer application technology
Abstract/Summary:
In recent years the Internet has grown explosively, bringing boundless opportunity to society, the economy and culture, while also posing serious challenges to information security. Anti-virus software, firewalls and intrusion detection technology are among the measures adopted to secure networks, and as network technology has developed, intrusion detection has become a necessary component of any network security architecture. Snort, a well-known open source NIDS, protects system information effectively and is widely studied and deployed in industry. Its detection engine uses a simple pattern matching strategy; as bandwidth and rule sets grow, the detection load on Snort grows heavier, and it becomes possible for Snort to miss severe attacks. Designing a highly efficient pattern matching algorithm for intrusion detection systems is therefore crucial.

This thesis takes Snort as its research subject and obtains three main results.

First, after introducing Snort's rule-driven design, the thesis analyses the architecture and working flow of Snort's four modules. The time consumption ratios of the key functions during system operation are measured with the GNU profiler Gprof, leading to the conclusion that the pattern matching algorithm is the performance bottleneck of Snort.

Second, the pattern matching algorithms adopted by Snort are analysed in detail. Since the detection algorithm is Snort's bottleneck, a suffix tree automaton-based detection algorithm for Snort, called the fast string matching (FSM) algorithm, is presented to increase Snort's efficiency. The algorithm constructs a suffix automaton and applies the good-suffix heuristic during pattern matching, skipping unnecessary comparisons and thereby making detection faster.

Finally, the FSM algorithm is implemented in Snort 2.4.3. Using the DARPA 1999 intrusion detection data set, the performance of FSM is tested against the BM, AC and MWM algorithms adopted by Snort. Experiments on mixed attacks and on specific attacks show that Snort's detection speed is greatly improved, at the cost of higher memory consumption.
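The backward, suffix-automaton-driven matching that the abstract describes, as an added illustration rather than the thesis's own FSM code (whose details are not on this page): the automaton construction and the prefix-based shift follow the standard BDM scheme, and all inputs in the block are constructed.

```python
def build_suffix_automaton(s):
    """Suffix automaton of s as (transitions, terminal_states); state 0 is initial
    and terminal states are those reached by reading a suffix of s from state 0."""
    nxt, link, length, last = [{}], [-1], [0], 0
    for c in s:
        cur = len(nxt)
        nxt.append({}); link.append(0); length.append(length[last] + 1)
        p = last
        while p != -1 and c not in nxt[p]:
            nxt[p][c] = cur
            p = link[p]
        if p != -1:
            q = nxt[p][c]
            if length[p] + 1 == length[q]:
                link[cur] = q
            else:  # split q: clone keeps q's transitions with the shorter length
                clone = len(nxt)
                nxt.append(dict(nxt[q])); link.append(link[q]); length.append(length[p] + 1)
                while p != -1 and nxt[p].get(c) == q:
                    nxt[p][c] = clone
                    p = link[p]
                link[q] = link[cur] = clone
        last = cur
    terminal = set()
    while last != -1:          # suffix-link chain from the final state
        terminal.add(last)
        last = link[last]
    return nxt, terminal

def bdm_search(text, pattern):
    """Return every start offset of pattern in text (BDM-style backward scan)."""
    m = len(pattern)
    if m == 0 or m > len(text):
        return []
    nxt, terminal = build_suffix_automaton(pattern[::-1])  # recognises reversed factors
    hits, pos = [], 0
    while pos <= len(text) - m:
        j, shift, state = m, m, 0
        while j > 0:
            state = nxt[state].get(text[pos + j - 1])
            if state is None:
                break               # window suffix is not a factor of pattern: stop early
            j -= 1
            if state in terminal:   # window suffix text[pos+j:pos+m] is a pattern prefix
                if j == 0:
                    hits.append(pos)
                else:
                    shift = j       # longest proper prefix seen: the safe "good suffix" shift
        pos += shift
    return hits
```

A window whose last character is not in the pattern is skipped entirely, which is where the speed-up over character-by-character scanning comes from; the automaton is the extra memory the abstract mentions.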
Keywords/Search Tags: Network security, Intrusion detection, Net-based attacks, Snort, Pattern matching, Suffix tree