
Research On Pattern Matching Algorithm In Collaborative Intrusion Detection System

Posted on: 2014-02-26; Degree: Master; Type: Thesis
Country: China; Candidate: G L Ma; Full Text: PDF
GTID: 2248330398970760; Subject: Information security
Abstract/Summary:
With the rapid development of the Internet, potential attacks and the losses they cause have grown. Security issues have become an important factor restricting its development. How to discover intrusions and prevent attacks efficiently has become a research focus in recent years.

Intrusion detection is an active defense strategy for ensuring security, and it can effectively complement traditional network security technology. Intrusion detection includes host-based intrusion detection and network-based intrusion detection. Host-based intrusion detection detects intrusion information from the host system log. Network-based intrusion detection collects data from key nodes of the network to detect intrusion information. With the development of high-speed networks, intrusion behaviors are becoming cooperative, distributed and massive. This paper focuses on network intrusion detection technology. Most network intrusion detection systems use misuse detection technology, which is based on pattern matching algorithms. The efficiency of pattern matching seriously restricts the performance of the whole detection system. These problems place a heavy burden on the detection engine, which brings about the possibility of packet loss and detection errors.

In this paper, we first analyze the traditional pattern matching algorithms, including the BM algorithm, the AC algorithm and the WM algorithm. We improve the WM algorithm used in Snort in two respects: on the one hand we improve the shift table, and on the other hand we propose an improved algorithm (the EWM algorithm) that extends the shortest patterns. The experimental results show that pattern matching efficiency is improved significantly.

In high-speed network environments, a network intrusion detection system often works in a distributed coordination mode, with multiple detection engines set at key nodes of the network to carry out intrusion detection cooperatively. We introduce an improved load balancing strategy suitable for network intrusion detection systems and propose a dynamic structure for the packet distribution table. Based on these, the packet distribution efficiency of the load balancer is improved, and with it the overall anti-load capacity of the distributed network intrusion detection system.
Keywords/Search Tags: Network Security, Network Intrusion Detection, Pattern Matching, Load Balancing