
Based On The Snort Rules Of Double Stage Packet Filtering Algorithm

Posted on: 2015-01-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Huo
GTID: 2308330464964659
Subject: Computer software and theory
Abstract/Summary:
In recent years, with the rapid development of the Internet, the problem of network security has drawn growing attention from society. As attacks become more complex, Intrusion Detection Systems make up for the shortcomings of the traditional network firewall and play an increasingly important role in network security. At present, deep packet inspection (DPI) is the main technology used in network intrusion detection: it checks both the packet header and the packet content. The most common form of deep packet inspection is based on filtering rules. In this type of solution, experts first analyze the various types of harmful packets and study their common characteristics, then describe those characteristics in the form of text or regular expressions; the key characteristic of one type of harmful packet is written as a rule, and all the rules together compose the rule set. The system then detects packets according to these rules.

Snort is one of the most successful Intrusion Detection Systems. To detect a packet, the traditional approach is to compare every rule against the packet, but as the number of rules grows, such a strategy can no longer satisfy the efficiency requirement. The current practical approach is to combine Snort rules with automata: first compile all the rules into a set of DFAs, then extract key features from each DFA. Packets are first filtered with these key features, and the outcome of that filter determines whether a packet needs precise filtering with the DFA. Through this preliminary filtering most normal packets can be released, and efficiency is increased.

This paper mainly studies the following problems:
(1) Analyze the Snort rules, first unifying all options into PCRE, then compiling the PCRE into DFAs.
(2) Since not enough key features can be extracted from some DFAs, study how to reduce the hit ratio of these DFAs in the preliminary filter stage.
(3) To improve efficiency, implement parallel computation of the preliminary filtration and the precise filtration.
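The two-stage scheme the abstract describes, as an added worked example that is not the thesis author's code. It stands in for the DFA stage with Python's regex engine and for "key feature extraction" with a conservative heuristic: the longest literal substring that every match of a rule's pattern must contain, indexed in a dict (the hash table of the keyword list). The rule set, the sample HTTP payloads and the minimum feature length are all constructed for the example. Rule R4 illustrates problem (2): a pattern with alternation yields no single necessary literal, so it cannot be prefiltered and must always run in the precise stage, which is exactly the kind of rule whose hit ratio the thesis wants to reduce.

```python
"""Two-stage packet filtering: a cheap substring prefilter on key features,
then precise regex matching only for the rules the prefilter selected.
Constructed example; not the thesis author's implementation."""
import re

META = set(".^$*+?{}[]()|")
MIN_FEATURE_LEN = 4   # assumption: shorter literals hit too often to be useful

# Constructed rule set written as PCRE-style patterns (not real Snort rules).
RULES = {
    "R1": r"cmd\.exe\?/c\+dir",
    "R2": r"/admin/\w+\.php\?id=\d+'",
    "R3": r"\.\./\.\./etc/passwd",
    "R4": r"(?i)user-agent:\s*(sqlmap|nikto)",   # alternation: no key feature
}


def literal_runs(pattern):
    """Literal substrings that every match of `pattern` must contain.
    Conservative: any construct the walker does not understand ends the
    current run, so every returned run is a true necessary substring.
    Returns [] for patterns with alternation (no single guaranteed literal)."""
    runs, cur, i = [], "", 0

    def flush():
        nonlocal cur
        if cur:
            runs.append(cur)
        cur = ""

    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt in META or nxt == "\\":
                cur += nxt            # escaped metacharacter is a literal
            else:
                flush()               # class escape (\d, \w, \s, ...) breaks the run
            i += 2
            continue
        if c == "|":
            return []
        if c in "*?{":                # optional quantifier: preceding char may be absent
            cur = cur[:-1]
            flush()
            if c == "{":
                i = pattern.find("}", i)
                if i < 0:
                    break
        elif c == "[":                # character class: skip it entirely
            flush()
            j = pattern.find("]", i + 1)
            if j < 0:
                break
            i = j
        elif c in META:               # +, ^, $, (, ) end the run but keep it
            flush()
        else:
            cur += c
        i += 1
    flush()
    return runs


def key_feature(pattern):
    """Longest necessary literal, or None if nothing is long enough."""
    runs = [r for r in literal_runs(pattern) if len(r) >= MIN_FEATURE_LEN]
    return max(runs, key=len) if runs else None


def build_filter(rules):
    """Compile every rule and index rule ids by key feature in a hash table."""
    compiled = {rid: re.compile(p) for rid, p in rules.items()}
    by_feature, featureless = {}, []
    for rid, p in rules.items():
        f = key_feature(p)
        if f is None:
            featureless.append(rid)   # must always reach the precise stage
        else:
            by_feature.setdefault(f, []).append(rid)
    return compiled, by_feature, featureless


def inspect(payload, compiled, by_feature, featureless):
    """Return (matched rule ids, number of rules run in the precise stage)."""
    candidates = list(featureless)
    for feature, rids in by_feature.items():   # stage 1: substring tests only
        if feature in payload:
            candidates.extend(rids)
    matched = [rid for rid in candidates if compiled[rid].search(payload)]  # stage 2
    return sorted(matched), len(candidates)


# Constructed sample payloads (HTTP request fragments), not captured traffic.
PACKETS = [
    "GET /index.php?id=5 HTTP/1.1\r\nHost: example.test\r\n",
    "GET /admin/login.php?id=1' HTTP/1.1\r\nHost: example.test\r\n",
    "GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /images/logo.png HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n",
    "GET /dl?file=../../etc/passwd HTTP/1.1\r\nUser-Agent: sqlmap/1.4\r\n",
]


def run_all(packets=PACKETS, rules=RULES):
    compiled, by_feature, featureless = build_filter(rules)
    return [inspect(p, compiled, by_feature, featureless) for p in packets]


if __name__ == "__main__":
    _, by_feature, featureless = build_filter(RULES)
    print("features:", by_feature, "featureless:", featureless)
    for pkt, (hits, n) in zip(PACKETS, run_all()):
        print(f"{n} precise checks, matched {hits}: {pkt.splitlines()[0]}")
```

With four rules, no packet ever reaches more than two precise checks, and the benign image request reaches only the featureless rule. The first packet shows the other side of problem (2): the feature chosen for R2 (".php?id=") is common in ordinary web traffic, so benign requests still hit the prefilter and pay for a full regex run; a better feature selection or a second discriminating literal would lower that hit ratio.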
Keywords/Search Tags:DPI, Snort, DFA, Hash