
High-speed Network Intrusion Detection System: The Rule Matching Algorithm

Posted on: 2006-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: M Hu
Full Text: PDF
GTID: 2208360152482525
Subject: Pattern Recognition and Intelligent Systems
Abstract/Summary:
Misuse detection is one of the most important detection methods of a NIDS. As network traffic grows and rule databases get larger, the problem becomes more serious: the speed of this method can no longer keep up with link speed. This thesis analyzes the detection rule engine of a NIDS and studies in detail how its performance can be improved.

The rules used by a NIDS can be divided into two groups: content rules and non-content rules. Most research concentrates on the content rules, where multi-pattern matching methods speed up the matching of content options. In practice, however, the speed of the NIDS as a whole does not improve noticeably.

To speed up detection as a whole, several typical NIDS are analyzed and the principles of their detection engines are examined, in particular the techniques they use to accelerate detection. Building on these principles, a new method of detecting packets is presented. Its main principle is layered processing: the order of detection is changed completely, so that a packet is checked against the rule options one by one rather than against the rules one by one. Suitable data structures and search algorithms can be applied at each layer, giving a further speed-up.

A new detection engine is designed using this method, and it can also be applied to existing systems. The thesis proposes and designs the modifications to Snort needed to implement the new detection engine. To measure its speed and memory consumption, a test model has been built; the rules and test data are generated by hand. The tests show that the model increases detection speed, but that it consumes a great deal of memory while building up the detection structures, so some questions remain open.
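The layered, option-by-option engine the abstract describes, as an added example (not the thesis's own code and not Snort's): rules are split into non-content options (protocol, destination port) and a content option; a packet first passes the protocol layer, then a port-range stabbing query, and only the rules still alive after those layers reach a single multi-pattern (Aho-Corasick) pass over the payload. The rule form, rule ids, sample rules and packets, and the use of a sorted elementary-interval array in place of the AVL tree named in the keywords are assumptions made for this example. A classic rule-by-rule engine is included for comparison; both return the same hits together with the number of option checks they performed.

```python
"""Layered, option-by-option NIDS rule matching: an added example with constructed data,
not code from the thesis or from Snort. A sorted elementary-interval array stands in
for the AVL-tree stabbing query named in the thesis keywords (an assumption)."""
from bisect import bisect_right
from collections import deque, namedtuple

Rule = namedtuple("Rule", "sid proto dport content")  # dport inclusive (lo, hi); content bytes or None

class PortIndex:
    """Stabbing query: lo and hi+1 of every range cut the port axis into elementary
    intervals, and every port inside one interval is covered by the same rules."""
    def __init__(self, rules):
        self.points = sorted({p for r in rules for p in (r.dport[0], r.dport[1] + 1)})
        self.hits = [frozenset(r.sid for r in rules if r.dport[0] <= p <= r.dport[1])
                     for p in self.points]

    def query(self, port):
        i = bisect_right(self.points, port) - 1      # elementary interval holding port
        return self.hits[i] if i >= 0 else frozenset()

class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload reports every pattern present."""
    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for pat in patterns:                          # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                s = self.goto[s][b]
            self.out[s].add(pat)
        q = deque(self.goto[0].values())              # BFS: depth-1 states fail to root
        while q:
            s = q.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] |= self.out[self.fail[t]]  # inherit matches of suffixes
                q.append(t)

    def search(self, data):
        s, found = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            found |= self.out[s]
        return found

class LayeredEngine:
    """The packet passes one rule option at a time; each layer shrinks the candidate set."""
    def __init__(self, rules):
        self.rules = {r.sid: r for r in rules}
        self.by_proto = {p: {r.sid for r in rules if r.proto == p} for p in {r.proto for r in rules}}
        self.ports = PortIndex(rules)
        self.ac = AhoCorasick({r.content for r in rules if r.content is not None})

    def match(self, proto, dport, payload):
        cand = self.by_proto.get(proto, set()) & self.ports.query(dport)   # two cheap layers
        need_content = {sid for sid in cand if self.rules[sid].content is not None}
        hits = cand - need_content                     # non-content rules are decided here
        found = self.ac.search(payload) if need_content else set()  # content layer runs once
        hits |= {sid for sid in need_content if self.rules[sid].content in found}
        return hits, 2 + bool(need_content)            # (rule ids hit, option checks done)

def naive_match(rules, proto, dport, payload):
    """Rule-by-rule engine for comparison; same return shape as LayeredEngine.match."""
    hits, checks = set(), 0
    for r in rules:                                    # every rule, every option, in rule order
        for ok in (lambda: r.proto == proto, lambda: r.dport[0] <= dport <= r.dport[1],
                   lambda: r.content is None or r.content in payload):
            checks += 1
            if not ok():
                break
        else:
            hits.add(r.sid)
    return hits, checks

RULES = [  # constructed sample rules, not from any real ruleset
    Rule(1, "tcp", (80, 80), b"/etc/passwd"),
    Rule(2, "tcp", (80, 8080), b"cmd.exe"),
    Rule(3, "tcp", (1, 1023), None),              # non-content rule
    Rule(4, "udp", (53, 53), b"\x00\x00\x29"),
    Rule(5, "tcp", (21, 23), b"USER root"),
]
PACKETS = [  # constructed (proto, dport, payload) samples
    ("tcp", 80, b"GET /../etc/passwd HTTP/1.0"),
    ("udp", 53, b"\x00\x00\x29\x10\x00"),
    ("tcp", 22, b"SSH-2.0-OpenSSH"),
    ("tcp", 9999, b"cmd.exe"),                    # pattern present, port outside every range
]

def compare(rules=RULES, packets=PACKETS):
    """Per packet: (layered hits, layered checks, naive hits, naive checks)."""
    engine = LayeredEngine(rules)
    return [(*engine.match(*pkt), *naive_match(rules, *pkt)) for pkt in packets]
```

compare() shows the two engines agree on every packet while the layered engine performs at most three option checks per packet, against a count that grows with the size of the rule set for the rule-by-rule engine. The price is visible in PortIndex: the table stores a full hit set for every breakpoint on the port axis, which mirrors the memory cost the abstract reports for building up the detection structures.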
Keywords/Search Tags: Intrusion Detection, Network packet, Detection engine, pattern matching, content rule, rule option, Adelson-Velskii-Landis (AVL) tree, stabbing query