
The Design And Realization Of The High Performance Pattern Matching Components Based On The Misuse Intrusion Detection System

Posted on: 2008-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: J H Li
Full Text: PDF
GTID: 2178360215979994
Subject: Software engineering
Abstract/Summary:
In recent years, with networks growing at an extraordinary rate and network technology changing quickly, 1000 Mbps and 10000 Mbps Ethernet have become widespread. Current NIDS can hardly keep up with network speed, so conventional detection methods face a serious challenge. Conventional pattern-matching detection based on attack signatures has inherent disadvantages: it demands heavy computation, is easily evaded, and misses too many alerts, which make it poorly suited to high-speed networks. To reduce the computing resources required by pattern matching, increase matching speed, and at the same time resist evasion to a certain degree, this thesis develops a solution that combines protocol analysis, data pre-processing tools and an improved pattern-matching detection algorithm, and uses it to build a high-performance pattern-matching component.

First, the basic definitions and classification of intrusion detection systems and the algorithms used for intrusion detection are presented. Pattern-matching algorithms are discussed in detail from both theoretical and technical perspectives. To address the weakness of single-pattern matching for intrusion detection, we propose a refined multi-pattern matching algorithm and, based on it, develop a new multi-pattern matching component. Our main contributions are the following. We designed and implemented the protocol-analysis pre-processing sub-module; using protocol analysis and pre-processing tools, the captured data are categorized and protected against cheating. We developed the rule-processing sub-module, which re-organizes the rule structure: the conventional two-dimensional linked-list structure is improved and a more reasonable three-dimensional tree structure is proposed.

Inspired by the BM algorithm, we propose Fast-BM, a fast multi-pattern matching algorithm based on a finite automaton. Its performance is analyzed theoretically, and a fast multi-pattern matching module is built primarily on this algorithm. The source code is written in C, so the module is easy to port. Finally, we test the influence of our module on Snort's detection capability using the DARPA 1999 test data. Three aspects are tested: a precision indicator, an efficiency indicator and a system indicator. Experiments and theoretical analysis show that our pattern-matching component improves both the precision indicator and the efficiency indicator of intrusion detection, requires less average search time when the number of rules is large, and at the same time effectively resists attempts to evade the IDS.
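The multi-pattern matching stage the abstract describes, as an added example that is not the thesis's own code: the Fast-BM algorithm is not published on this page, so the block uses the standard Aho-Corasick automaton as the finite-automaton multi-pattern matcher, and it approximates the protocol-analysis pre-processing step by selecting a rule group by destination port before any content is searched. The rule table, ports and payloads are constructed for illustration and are not the thesis's rule set or test data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STATES 256 /* enough for the small constructed rule set below */
#define ALPHA 256      /* one transition per possible payload byte */

/* Constructed example rules (not the thesis's rule set): the destination port
 * of the decoded protocol selects which rules apply; content is the string to
 * find in the payload. Rule i is reported as bit i of the result mask. */
struct rule { int dst_port; const char *content; };
static const struct rule RULES[] = {
    {80, "/etc/passwd"}, {80, "passwd"}, {80, "cmd.exe"}, {21, "SITE EXEC"},
};
#define NRULES ((int)(sizeof RULES / sizeof RULES[0]))

/* Aho-Corasick automaton: all patterns of a rule group are compiled into one
 * DFA, so the payload is scanned once however many rules are loaded. */
typedef struct {
    int next[MAX_STATES][ALPHA]; /* completed goto function; state 0 is the root */
    int fail[MAX_STATES];        /* failure links, needed only while building */
    unsigned out[MAX_STATES];    /* bitmask of rule ids recognised at a state */
    int count;                   /* states in use */
} ac_t;

/* Add a pattern to the trie. An edge value of 0 means "unset", which is safe
 * because no trie edge ever points back to the root. Returns -1 if full. */
static int ac_add(ac_t *ac, const char *pat, int id) {
    int s = 0;
    for (; *pat; pat++) {
        unsigned char c = (unsigned char)*pat;
        if (ac->next[s][c] == 0) {
            if (ac->count >= MAX_STATES) return -1;
            ac->next[s][c] = ac->count++;
        }
        s = ac->next[s][c];
    }
    ac->out[s] |= 1u << id;
    return 0;
}

/* Breadth-first pass: set failure links, propagate outputs along them (so
 * "passwd" also fires when "/etc/passwd" completes) and fill every missing
 * edge so the scan never backtracks. fail[s] is shallower than s, hence
 * already complete when s is processed. */
static void ac_build(ac_t *ac) {
    int queue[MAX_STATES], head = 0, tail = 0;
    for (int c = 0; c < ALPHA; c++)
        if (ac->next[0][c]) queue[tail++] = ac->next[0][c]; /* depth 1: fail = root */
    while (head < tail) {
        int s = queue[head++];
        for (int c = 0; c < ALPHA; c++) {
            int t = ac->next[s][c];
            if (t) {
                ac->fail[t] = ac->next[ac->fail[s]][c];
                ac->out[t] |= ac->out[ac->fail[t]];
                queue[tail++] = t;
            } else {
                ac->next[s][c] = ac->next[ac->fail[s]][c];
            }
        }
    }
}

/* Single pass over the payload; returns the mask of matched rule ids. */
static unsigned ac_scan(const ac_t *ac, const unsigned char *buf, size_t len) {
    unsigned hits = 0;
    int s = 0;
    for (size_t i = 0; i < len; i++) {
        s = ac->next[s][buf[i]];
        hits |= ac->out[s];
    }
    return hits;
}

/* Protocol-analysis stand-in: only the rules for the decoded protocol (here
 * approximated by destination port) are compiled, so FTP contents are never
 * searched for in HTTP payloads. A real engine would build each group once. */
static unsigned detect(int dst_port, const unsigned char *payload, size_t len) {
    ac_t *ac = calloc(1, sizeof *ac); /* zeroed: every edge unset, fail = root */
    if (!ac) return 0;
    ac->count = 1;
    for (int i = 0; i < NRULES; i++)
        if (RULES[i].dst_port == dst_port) ac_add(ac, RULES[i].content, i);
    ac_build(ac);
    unsigned hits = ac_scan(ac, payload, len);
    free(ac);
    return hits;
}
/* Wrapper for NUL-terminated constructed payloads. */
static unsigned detect_str(int dst_port, const char *payload) {
    return detect(dst_port, (const unsigned char *)payload, strlen(payload));
}

int main(void) {
    /* Constructed sample payloads, not captured traffic. */
    printf("%u\n", detect_str(80, "GET /../etc/passwd HTTP/1.0")); /* rules 0 and 1 */
    printf("%u\n", detect_str(80, "GET /index.html HTTP/1.0"));    /* no match */
    printf("%u\n", detect_str(21, "SITE EXEC ls"));                /* rule 3 */
    printf("%u\n", detect_str(80, "SITE EXEC ls"));                /* FTP rule not in HTTP group */
    return 0;
}
```

Build with any C99 compiler (for example `cc -O2 -o acdemo acdemo.c`). Each payload costs one table lookup per byte regardless of how many rules are in the group, which is the property that lets a finite-automaton matcher keep up where a per-rule single-pattern scan cannot; grouping rules by protocol before matching shrinks each automaton and removes content checks that cannot apply to the traffic being inspected.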
Keywords/Search Tags:Intrusion Detection, Protocol Analysis, Three-dimensional Linked List, Multiple Pattern Match Algorithms