Research On Pattern Matching Algorithm In Snort Intrusion Detection System

Posted on: 2015-02-08
Degree: Master
Type: Thesis
Country: China
Candidate: H Liu
Full Text: PDF
GTID: 2348330482457030
Subject: Computer technology
Abstract/Summary:
With the rapid development of Internet technology and the expansion of modern web applications, network security faces serious challenges. Because traditional encryption and firewall technology cannot completely meet the demand for network security, intrusion detection technology, a new means of security protection, plays an important role in the field. Snort is an open-source, lightweight network intrusion detection system. Pattern matching is its core detection technology and is closely tied to the performance of the whole system, so studying the pattern matching algorithms in Snort is of great significance.

Firstly, the Snort intrusion detection system is analyzed in detail, covering its general structure, working process and detection rules. Several typical pattern matching algorithms are then studied, including the single-pattern KMP, BM and BOM algorithms and the multi-pattern AC, WM and SBOM algorithms, and the deficiency of the SBOM algorithm is pointed out.

Secondly, because the SBOM algorithm uses an automaton to recognize substrings of the pattern strings, which consumes a large amount of storage space, an improved multi-pattern matching algorithm, HSBOM, is put forward. During preprocessing the algorithm builds a hash table, in place of SBOM's Factor Oracle automaton, to store the information on all substrings of the pattern set centrally, which significantly reduces storage space. During the search, the length of the shortest pattern string determines the size of the search window. Within the current window, the algorithm identifies the longest suffix of the text already read, using a hash function to recursively compute the hash value of the current suffix and look it up in the hash table, so that substrings of the pattern strings are identified and matched quickly.

Finally, a Snort intrusion detection system is built in a Windows environment and the proposed HSBOM algorithm is applied to it. A series of experiments shows that, compared with the AC, WM and SBOM algorithms, HSBOM saves storage space and speeds up matching, improving the overall performance of the Snort system.
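The search strategy summarized above can be sketched as follows. This is an added example, not code from the thesis or from Snort: the polynomial hash, the `(length, hash)` set layout, the backward scan of the window (as in SBOM) and the names `build` and `search` are all assumptions, since the abstract does not give the thesis's actual hash function or table structure.

```python
# Added example: hash-set factor search in the style the abstract describes.
B, M = 257, (1 << 61) - 1          # assumed polynomial-hash base and modulus

def build(patterns):
    """Preprocess: hash every substring of each pattern's lmin-length prefix."""
    lmin = min(len(p) for p in patterns)
    factors, by_prefix = set(), {}
    for p in patterns:
        pre = p[:lmin]
        by_prefix.setdefault(pre, []).append(p)
        for i in range(lmin):
            h = 0
            for j in range(i, lmin):
                h = (h * B + pre[j]) % M
                factors.add((j - i + 1, h))   # (length, hash) replaces the oracle
    pows = [pow(B, k, M) for k in range(lmin)]
    return lmin, factors, by_prefix, pows

def search(text, patterns):
    """Return sorted (offset, pattern) for every occurrence in text."""
    lmin, factors, by_prefix, pows = build(patterns)
    hits, pos = [], 0
    while pos + lmin <= len(text):
        end = pos + lmin
        j, h, n = end, 0, 0
        while j > pos:
            # Prepend text[j-1] to the suffix: hash is updated, not recomputed.
            h = (text[j - 1] * pows[n] + h) % M
            n += 1
            if (n, h) not in factors:
                break                          # suffix is not a factor
            j -= 1
        if j == pos:
            # Whole window looks like a prefix: verify byte-for-byte, so a
            # hash collision can cost time but never yields a false match.
            for p in by_prefix.get(text[pos:end], []):
                if text.startswith(p, pos):
                    hits.append((pos, p))
            pos += 1
        else:
            pos = j                            # skip past the failing byte
    return sorted(hits)

# Constructed sample input, not taken from the thesis or from Snort rules.
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"passwd"]
PAYLOAD = b"GET /index.php?f=../../etc/passwd&x=cmd.exe HTTP/1.1"

if __name__ == "__main__":
    for off, pat in search(PAYLOAD, PATTERNS):
        print(off, pat)
```

The set of `(length, hash)` pairs holds at most lmin(lmin+1)/2 entries per pattern and needs no transition table, which is the storage trade-off the abstract attributes to replacing the automaton.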
Keywords/Search Tags:Snort intrusion detection system, Pattern matching, HSBOM algorithm, Memory space