Network Intrusion Detection System Key Technology Implementation Based On Multi-Pattern Matching

Posted on: 2008-04-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y G Su
Full Text: PDF
GTID: 2178360272468665
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of computer and network technology, more and more companies and individuals are using the Internet, and the damage caused by hacker intrusion, information leakage and virus outbreaks has become a worldwide concern. Against this background, the network intrusion detection system (NIDS) emerged as an important component for detecting illegal activity and protecting computers and networks from damage. As an active information-assurance measure, it identifies malicious use of computer and network resources and supplies the information needed to respond to an intrusion. A NIDS is an effective complement to traditional protection techniques such as access control, firewalls and identity authentication.

This thesis analyses the network intrusion detection system Snort and, with the aim of improving detection efficiency, studies two aspects in depth: the pattern matching algorithm of the detection engine and Snort's rule matching capability. It first analyses the most commonly used pattern matching methods, including the single-pattern Boyer-Moore algorithm and the multi-pattern Aho-Corasick-Boyer-Moore (AC-BM) algorithm, then combines the skip principle of the single-pattern Boyer-Moore-Horspool algorithm with AC-BM and proposes an improved AC-BM algorithm. Next, based on an analysis of the bottleneck in Snort's rule matching and drawing on the design ideas of advanced intrusion detection systems abroad, it builds lightweight rule subsets keyed by a unique rule parameter and dynamically adjusts the order in which rules are matched, thereby optimising the rule set. When the detection engine compares the content keywords of intrusion rules against the packet payload, it calls the multi-pattern matching plug-in, whose core is a configurable multi-pattern matching engine.

Using the rule-based search engine together with the pattern matching optimisation strategies, the thesis modifies Snort's rule compilation module and packet detection engine, strengthening the system's ability to handle large rule sets, and designs a network intrusion detection system whose main functions are implemented. Experiments show that the improved AC-BM algorithm has better time performance than AC-BM at the cost of a small increase in memory, that the efficiency of the intrusion detection system is further improved, and that the improved AC-BM algorithm is, to a certain extent, practical for use in a network intrusion detection system.
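To make the two mechanisms the abstract describes concrete, the multi-pattern content matcher inside the detection engine and rule subsets keyed by a rule parameter with dynamic reordering of the matching order, the following Python is an added example written for this page; it is not the thesis's implementation and not Snort's source. It uses plain Aho-Corasick rather than the thesis's improved AC-BM (the Boyer-Moore-Horspool skip heuristic is not reproduced), and the rules, sids, the choice of destination port as the grouping parameter, the first-match semantics and the hit-count reordering heuristic are all constructed assumptions.

```python
"""Port-grouped Aho-Corasick detection engine with a Snort-style depth check and
dynamic rule reordering. Added example: rules, sids and the reordering heuristic
are constructed assumptions, not the thesis's code or real Snort rules."""
from collections import defaultdict, deque


class AhoCorasick:
    """Classic Aho-Corasick automaton over byte patterns: one pass per payload."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for idx, pat in enumerate(patterns):
            node = 0
            for byte in pat:
                nxt = self.goto[node].get(byte)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[node][byte] = nxt
                node = nxt
            self.out[node].append(idx)
        # Failure links by BFS; each node inherits the outputs of its failure target.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return (pattern_index, end_offset) for every occurrence in data."""
        node, hits = 0, []
        for pos, byte in enumerate(data):
            while node and byte not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(byte, 0)
            hits.extend((idx, pos) for idx in self.out[node])
        return hits


# Constructed rule set (hypothetical sids): destination port is the parameter the
# rules are grouped by, "content" is the keyword handed to the multi-pattern engine,
# and "depth" (Snort-style) requires the content to end within the first N bytes.
RULES = [
    {"sid": 1001, "dst_port": 80, "content": b"/cgi-bin/phf", "depth": None, "msg": "WEB phf access"},
    {"sid": 1002, "dst_port": 80, "content": b"../..", "depth": None, "msg": "WEB traversal"},
    {"sid": 1003, "dst_port": 21, "content": b"SITE EXEC", "depth": 16, "msg": "FTP SITE EXEC"},
    {"sid": 1004, "dst_port": "any", "content": b"\x90" * 8, "depth": None, "msg": "NOP sled"},
]


class DetectionEngine:
    def __init__(self, rules):
        # One lightweight rule subset per destination port, each with its own
        # automaton, so a packet is only compared against rules that can apply.
        self.groups = defaultdict(list)
        for rule in rules:
            self.groups[rule["dst_port"]].append(rule)
        self.hits = defaultdict(int)  # per-sid counters driving the reordering
        self._rebuild()

    def _rebuild(self):
        self.matchers = {k: AhoCorasick([r["content"] for r in rs]) for k, rs in self.groups.items()}

    def inspect(self, dst_port, payload):
        """Return (sid, msg) for the first rule verified in the packet's port group
        or the "any" group, else None. First-match semantics are a simplification
        here (assumption); the order of rules inside a group therefore matters."""
        for key in (dst_port, "any"):
            rules = self.groups.get(key)
            if not rules:
                continue
            candidates = self.matchers[key].search(payload)
            for order, rule in enumerate(rules):
                for idx, end in candidates:
                    if idx == order and (rule["depth"] is None or end < rule["depth"]):
                        self.hits[rule["sid"]] += 1
                        return rule["sid"], rule["msg"]
        return None

    def reorder(self):
        """Dynamic reordering (assumed heuristic): rules that fired most often move
        to the front of their group so the common case is verified first."""
        for rules in self.groups.values():
            rules.sort(key=lambda r: -self.hits[r["sid"]])
        self._rebuild()
```

The depth check is where a content hit reported by the automaton is turned into a verified rule match; in this example the 21-group rule fires only when SITE EXEC ends inside the first 16 bytes, which is the kind of per-rule option the multi-pattern engine itself does not evaluate.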
Keywords/Search Tags: Intrusion Detection Engine, Aho-Corasick-Boyer-Moore Algorithm, Pattern Matching, Rule Optimization