
Study Of The Pattern Matching Algorithm In The Network Intrusion Detecting System

Posted on: 2012-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: H R Sun
GTID: 2248330395955229
Subject: Computer system architecture

Abstract/Summary:
As network security problems grow more serious, network intrusion detection systems (NIDS) make up for the shortcomings of traditional security measures. They have become an important part of computer and network security architecture and play an important role in the defense strategy of site security officers. The continued growth in both network traffic and intrusion signature databases makes the performance of these systems increasingly challenging and important.

Most deployed NIDS follow a signature-based approach, in which attacks are identified by matching each input event against predefined signatures that model malicious activity. One example is Snort, the powerful lightweight network intrusion detection system. This thesis describes the features, architecture and workflow of Snort, and analyzes in particular the pattern matching algorithms that Snort uses. Building on a study of the Boyer-Moore-Horspool (BMH) algorithm, a faster single-pattern matching algorithm is proposed. The thesis also describes a significantly faster and more efficient approach to matching multiple patterns in a string. The proposed matching algorithm combines the concept of the deterministic finite state automaton (DFSA) with the new single-pattern matching algorithm to achieve better performance. In general, it takes full advantage of the mismatch information obtained in one matching attempt to skip as many characters as possible.

Experiments were carried out, and the results show that the new multiple-pattern matching algorithm performs pattern matching sublinearly, i.e., it does not need to inspect every character of the string. Moreover, the number of patterns and the length of each pattern have little effect on the efficiency of the algorithm. The improved algorithm was tested in the Snort 2.8.6 system. Compared with the original system, the time consumed by the improved detection system decreased to some extent, which confirms the validity and practicality of the improvement.
Keywords/Search Tags:Network Intrusion Detection System, Snort, BMH Algorithm, Pattern Matching Algorithm
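
The sublinear behaviour the abstract refers to can be seen in the standard Boyer-Moore-Horspool search that the thesis takes as its starting point. The following is an added example, not code from the thesis or from Snort, and it implements plain BMH rather than the thesis's improved algorithm; the names `bmh_search` and `bmh_result` and the sample payload are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Match offset (-1 if absent) and number of text-byte comparisons made. */
struct bmh_result { long offset; size_t reads; };

/* Standard Boyer-Moore-Horspool search (not the thesis's improved variant). */
struct bmh_result bmh_search(const unsigned char *text, size_t n,
                             const unsigned char *pat, size_t m)
{
    struct bmh_result r = { -1, 0 };
    size_t shift[UCHAR_MAX + 1];
    size_t i, pos = 0;

    if (m == 0 || m > n)
        return r;
    /* Bad-character table: bytes absent from the pattern skip a full m. */
    for (i = 0; i <= UCHAR_MAX; i++)
        shift[i] = m;
    for (i = 0; i + 1 < m; i++)
        shift[pat[i]] = m - 1 - i;

    while (pos + m <= n) {
        size_t j = m;
        /* Compare right to left, counting every text byte examined. */
        while (j > 0) {
            r.reads++;
            if (text[pos + j - 1] != pat[j - 1])
                break;
            j--;
        }
        if (j == 0) {
            r.offset = (long)pos;
            return r;
        }
        /* Skip by the entry for the text byte aligned with the pattern's end. */
        pos += shift[text[pos + m - 1]];
    }
    return r;
}

int main(void)
{
    /* Constructed sample payload and signature content string. */
    const unsigned char payload[] = "GET /scripts/cmd.exe HTTP/1.0";
    const unsigned char sig[] = "cmd.exe";
    struct bmh_result r = bmh_search(payload, sizeof payload - 1, sig, sizeof sig - 1);
    printf("offset=%ld reads=%zu of %zu bytes\n", r.offset, r.reads, sizeof payload - 1);
    return 0;
}
```

On the constructed payload the signature is found after far fewer comparisons than there are bytes in the buffer, because each mismatch on the window's last byte lets the search jump ahead by up to the pattern length.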