
Study On Algorithm Of Pattern Matching For Network Information Audit Based On Content

Posted on: 2010-03-21
Degree: Master
Type: Thesis
Country: China
Candidate: X G Long
GTID: 2178360275482440
Subject: Computer application technology
Abstract/Summary:
With the continuous development of the Internet, networks and all walks of life are becoming ever more closely linked. The network brings convenience and speed, but also hazards. Reactionary remarks and unhealthy information spread across the network increasingly rampantly, and business secrets and personal privacy are wantonly stolen and disseminated. Network security has therefore attracted increasing attention. Many products now exist to maintain network security; firewall technology and intrusion detection systems (IDS), for example, are widely used in all walks of life. In recent years, however, harmful information is no longer as blatant as before. It is often packaged as a legitimate message, or embedded in the middle of a legitimate message, and spread through legitimate users. In view of this situation, the network information audit system has been proposed as an effective supplement to traditional network security products.

The thesis analyzes the basic model of a network information audit system and introduces the function of each module. It then compares a number of common model structures and presents a content-based network information audit model with real-time network data flow characteristics.

Pattern matching is one of the main technologies for network information audit. Its efficiency, such as matching speed, directly affects the performance of the audit system. In network information audit, the pattern set P is usually very large, containing hundreds or even thousands of patterns, and it needs to occupy more space. The classic single-pattern matching algorithm Boyer-Moore (BM) and the multi-pattern matching algorithm Aho-Corasick (AC) are not suitable for it. The thesis therefore presents a classifiable multi-pattern matching algorithm (CMA). First, the algorithm finds the frequent character set F from the pattern set P and uses it to build the first-tier table, H1. Then the pattern set P is divided into several pattern subsets using the pattern set balancing strategy, and the algorithm uses these subsets to build the second-tier table, H2. The algorithm works in two stages and uses the tables to scan packets rapidly, and no pattern in the payload T is missed.

Finally, the thesis demonstrates the process of CMA with an example, and its performance is validated with the Snort system.
Keywords/Search Tags: Network security, Information audit, Pattern matching