Research And Improvement On BM Pattern Matching Algorithm For Intrusion Detection

Intrusion detection is an active security-defensive mechanism. It can recognize intrusive information and offer secure protection to network systems. The technique of pattern matching is mainly adopted by the intrusion detection system (IDS) because of its high detection accuracy, low false detection rate and strong practicability, which detects the attack more rapidly and exactly. However, with the acceleration of the network speed, the processing speed of IDS cannot catch up with the packet transmission speed, resulting in the missing detections of intrusion frequently. So, the detection speed is becoming a performance bottleneck of the detection system. Reducing the time complexity and space complexity of the pattern matching algorithm used in IDS is one of effective solutions to this problem. This dissertation focuses on the improvement of pattern matching algorithm in the intrusion detection.First, this dissertation analyses the current status of intrusion detection, focuses on the pattern matching algorithm which is the most difficult technique in network intrusion detection, and discusses the principle and the difficulties. This dissertation discusses on the technology principle and performance of the popular algorithm of BM, which is efficient in pattern matching. The disadvantage of BM is that it cannot record the last match result. And its pretreatment functions need lots of memory. This dissertation discusses the improvement of BM in the time complexity and space complexity, brings forward two improved algorithms: BMLT and BMLS. The algorithm of BMLT with a new pretreatment function can increase in the movement of pattern significantly. The algorithm of BMLS can reduce the space complexity and maintain the time complexity by reducing a pretreatment function and recording the number of times that a bad char found in the pattern.In this dissertation, the improved algorithms are both implemented with actual network environment and Snort, the famous open-source IDS. Experiments indicate that the time complexity is reduced by 60% and the space complexity is reduced by 26% at most. Therefore, the improved algorithms can provide significant improvement in pattern matching performance when using in an IDS.