
The Research Of Fast Pattern Matching Algorithm Based On Snort System

Posted on: 2010-12-09
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Li
Full Text: PDF
GTID: 2178360272995893
Subject: Computer system architecture

Abstract/Summary:
With the popularization and development of networks, network security issues have become more critical. Intrusion Detection Systems compensate for the shortcomings of traditional security measures and have become an important component of computer and network security. In recent years, with the rapid development of high-speed network technology, how to make intrusion detection systems work effectively in a high-speed network environment has become an important research topic: protecting network security requires the Intrusion Detection System to process traffic at high speed. The pattern matching algorithm is the core algorithm of feature-based (signature) intrusion detection, and the efficiency of pattern matching decides the performance of this type of intrusion detection system. As a free, open-source intrusion detection tool, Snort is not only a network security tool but also, as an open-source project, a safe learning and research platform for network operators, which is the key reason why Snort has improved so quickly. Snort uses a plug-in mechanism to keep the program highly extensible and simple, reducing the coding work; its relatively simple architecture, independent plug-in mechanism and flexible rule set make it easy for developers to modify Snort to meet new intrusions. However, Snort, like other IDSs, still faces a series of problems, such as false positives, reporting, its own security and processing speed. The main body of this article analyses the basis of intrusion detection systems, further explains the operating principle of the detection algorithm, and studies pattern matching in Snort. Snort is a typical Intrusion Detection System built on the CIDF (Common Intrusion Detection Framework) model.
By reading the source code of Snort, we analyse its four main architectural components. Because intrusion detection is mainly the work of the detection engine module, we analyse that module in detail. The main functions of the intrusion detection module are detecting intrusions that have occurred, analysing rules and performing feature detection. In this article, we analyse the new indexing and the many rules of the pattern-matching engine in Snort 2.7.0. When Snort is detecting, each captured packet is matched one by one against the rule set; if it matches, the match succeeds and an intrusion is considered to have happened. The detection engine module is the most important part of the Snort system, and its design directly affects system performance. Snort supports a wide range of pattern-matching algorithms, such as the BM, AC, AC-BM and MWM algorithms, and we describe the pattern-matching algorithms in Snort in detail. Compared with the earlier single-pattern matching algorithms, a multi-pattern matching algorithm lets Snort, after pre-processing a set of patterns, match characters dramatically faster, which enhances the detection performance of Snort. This article is a study of pattern matching algorithms based on Snort 2.7.0. After analysing the source code of Snort 2.7.0, we expound the Snort pattern matching process in detail. Taking TCP data as an example, we describe the basic principles of the pattern matching algorithm in Snort and the pattern matching process that follows pre-processing, in order to propose a new pattern matching algorithm. In this article we make a preliminary attempt to improve the speed of the pattern-matching engine. Snort's default matching algorithm, AC, has shortcomings; based on a study of the original algorithm, a new multi-pattern matching algorithm (ACQSWM) is put forward and implemented.
The algorithm is based on the WM (Wu-Manber) algorithm and the QS (Quick Search) algorithm. It uses heuristic search strategies with character jumps and improves the shift table so that the displacement given by the shift table is as large as possible. The shift table mechanism of the WM pattern-matching algorithm, with blocks of B characters (usually B = 2 or 3), is used to calculate the moving distance, and the QS (Quick Search) heuristic, which uses the information of the character following the current window, is used to further increase the jump distance. At the same time, the finite state automaton model of the AC algorithm is applied to build a pattern matching tree in order to reduce the number of character comparisons, improve the detection speed of Snort, and reduce the false alarm rate and miss rate of the intrusion detection system. This makes a significant contribution to the detection efficiency of the intrusion detection system and also to the analysis of large-scale network data. Following the method proposed in this article, the ACQSWM pattern matching algorithm is compared with the original AC algorithm in detection capability and performance, using the DARPA 1999 intrusion detection data set from the Lincoln Laboratory on a Fedora 7 system. The experimental results show that the improved ACQSWM algorithm enhances the detection system's capacity to handle the rule set and improves detection efficiency in a high-speed network environment, and demonstrate that the proposed pattern matching algorithm has better matching time efficiency. Snort's detection principle uses a variety of pattern-matching strategies. However, with rising network bandwidth and a dramatic increase in the types of network attacks, the detection task of Snort becomes heavier and heavier, and it may thus miss some network attacks with serious consequences.
Therefore, designing an efficient pattern matching algorithm is of great significance for improving the performance of intrusion detection systems. Finally, this article describes the future of Snort's matching performance and the future development of Snort and IDS technology, and, based on current Intrusion Detection Systems, proposes some new models to improve the working methods of the matching algorithm. Of course, this article has some shortcomings. The disadvantage of Snort's pattern matching algorithm is that the computational load is large, and the WM algorithm is not perfect: only the modified SHIFT table plus an added head table is used, which accelerates matching but also increases the space required for matching. If a variety of pattern-matching algorithms could be combined into a mixed pattern matching algorithm, or a different algorithm chosen according to the needs of different pattern matching, the matching speed should improve further. Currently, the main research direction of IDS is to use intelligent methods for intrusion detection. Commonly used methods include neural networks, genetic algorithms, fuzzy techniques, the immune principle and so on; these methods are commonly used to identify and generalise the characteristics of intrusions. The current solution is to combine the Intrusion Detection System with intelligent detection software or modules. By working with other advanced technologies, IDS will be able to develop further and contribute to network security. Network security is not just a technical issue but also a management issue. Only by treating network security as a whole, strengthening network management, enhancing the security awareness of users, and making rational use of the network and security tools can network security be achieved.
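As an added illustration (not code from the thesis or from Snort), the following Python sketch implements the core of the mechanism the abstract describes: a Wu-Manber SHIFT table over B = 2 character blocks, combined with a Quick Search style shift derived from the character just after the current window, taking the larger of the two jumps. The AC automaton that ACQSWM uses for verification is replaced here by direct comparison against the candidate patterns, and the payload and rule strings are constructed sample data.

```python
from collections import defaultdict

B = 2  # block size for the SHIFT table (the abstract notes B = 2 or 3)


def build_tables(patterns):
    """Pre-process the pattern set once, as WM does before scanning."""
    m = min(len(p) for p in patterns)  # only the first m chars of each pattern are indexed
    # SHIFT: for the B-char block ending the window, how far the window may safely slide.
    # A block that occurs in no pattern prefix allows the maximum jump of m - B + 1.
    shift = defaultdict(lambda: m - B + 1)
    for p in patterns:
        for i in range(m - B + 1):
            shift[p[i:i + B]] = min(shift[p[i:i + B]], m - B - i)
    # HASH: block ending a window -> patterns whose m-char prefix ends with that block
    hashes = defaultdict(list)
    for p in patterns:
        hashes[p[m - B:m]].append(p)
    # QS table: for the character right after the window, the smallest shift that aligns
    # it with an occurrence in some pattern prefix; a character in no pattern allows m + 1.
    qs = {}
    for p in patterns:
        for i, c in enumerate(p[:m]):
            qs[c] = min(qs.get(c, m + 1), m - i)
    return m, shift, hashes, qs


def search(text, patterns):
    """Return (offset, pattern) for every occurrence of any pattern in text."""
    m, shift, hashes, qs = build_tables(patterns)
    found = []
    pos = 0  # the current window is text[pos:pos + m]
    while pos + m <= len(text):
        block = text[pos + m - B:pos + m]
        step = shift[block]
        if step == 0:
            # WM says a match may end here: verify the candidates (ACQSWM would walk its
            # AC automaton; a plain string comparison stands in for it in this example)
            for p in hashes[block]:
                if text.startswith(p, pos):
                    found.append((pos, p))
            step = 1
        if pos + m < len(text):
            # QS heuristic: both shifts are safe lower bounds, so take the larger one
            step = max(step, qs.get(text[pos + m], m + 1))
        pos += step
    return found


# Constructed sample: a request payload scanned against three constructed rule strings
SAMPLE_RULES = ["attack", "exploit", "shell"]
SAMPLE_PAYLOAD = "GET /cgi-bin/attack.cgi?shellcode=exploit"
```

Running `search(SAMPLE_PAYLOAD, SAMPLE_RULES)` reports each rule string with its byte offset in the payload; the window jumps between candidate positions rather than advancing one character at a time.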
Keywords/Search Tags: Intrusion Detection Systems, Detection Engine, Snort, Pattern Matching, AC Algorithm, AC-BM Algorithm