Research Of Pattern Matching Algorithm And Its Application In Snort System

Posted on: 2011-04-05 | Degree: Master | Type: Thesis
Country: China | Candidate: H L Qi | Full Text: PDF
GTID: 2178360305960733 | Subject: Information security
Abstract/Summary:
With the rapid development of network technology, the security of computer networks has received a lot of attention. Intrusion detection, following the firewall and other traditional security protection technologies, is a new generation of security defense technology that can intercept and respond to intrusions before the network system is jeopardized. Intrusion detection has become an important part of the information and network security architecture.

First, this thesis introduces the major theory and technology of intrusion detection, including its concepts, principles, the module structure of an intrusion detection system (IDS), and its classification. Next, it analyzes, from both a static and a dynamic perspective, the overall structure and work process of Snort, a lightweight network intrusion detection system (NIDS), including rule composition, processing and detection.

Chapter 4 focuses on several single-pattern matching algorithms, which are the most popular algorithms in the network field and also the most commonly used in various intrusion detection systems, including the BM (Boyer-Moore) algorithm and its two classic improved algorithms. On this basis, two further improved algorithms, named BMI-1 (Boyer-Moore Improvement, BMI) and BMI-2, are proposed. The BMI-1 algorithm essentially improves the pre-processing stage of BM, which increases the distance by which the text string pointer shifts to the right and reduces the number of shifts. With the same purpose, the BMI-2 algorithm improves both the pre-processing stage and the matching stage. Text tests show that BMI-1 and BMI-2 have better matching efficiency than the other three algorithms, especially the BMI-2 algorithm.

Finally, using the improved BMI-2 algorithm, this thesis optimizes the Snort system in depth, in its internal detection processing module and match function. Experiments show that the Snort system with BM and the improved Snort system with BMI-2 produce the same results, both generating the same size of alerts. However, Snort-2.8.4 using BMI-2 instead of BM can enhance the performance of Snort.
Keywords/Search Tags: Intrusion Detection, Snort, Single-pattern Matching Algorithm, Improved Algorithm