
The Research And Improvement Of Pattern Matching Base On Snort Intrusion Detection System

Posted on: 2017-08-24
Degree: Master
Type: Thesis
Country: China
Candidate: J X Qiao
GTID: 2348330518993382
Subject: Information security

Abstract/Summary:
With the rapid development of computer networks, new means of network attack emerge endlessly, and protection against network attacks is drawing more and more public attention. As an active protection measure, intrusion detection detects potentially malicious behavior by scanning characteristic and sensitive fields in network traffic. An Intrusion Detection System (IDS), a network security product built on intrusion detection technology, is a rational supplement to the conventional firewall. It plays an important and irreplaceable role in today's network environment and has therefore become a research hotspot in the field of network security.

Snort is a free and open source lightweight intrusion detection system. It contains the full functionality of a network IDS, including packet capture, packet analysis, preprocessing (packet reassembly and handling of additional headers or trailers), packet inspection and so on. Deployed at key network nodes, Snort can catch abnormal traffic in the network data flow and give an early warning by matching the data captured from the network against a group of pre-defined rules. In this process Snort executes pattern matching frequently, so pattern matching is one of the core modules of the Snort intrusion detection system.

This thesis mainly analyzes the pattern matching algorithms used in intrusion detection systems, covering the two existing kinds: single pattern matching algorithms and multiple pattern matching algorithms. Because Snort by default uses the BM algorithm (a single pattern matching algorithm) and the AC algorithm (a multiple pattern matching algorithm), the thesis presents an improved BM algorithm. It changes the original approach of starting each match from the right end of the pattern string. Instead, it dynamically takes full advantage of the characteristics of the pattern string found during preprocessing, which are matched first in each matching attempt, thereby improving the matching efficiency of the BM algorithm.

In addition, to address the rapidly growing memory consumption that comes with the sustained increase in IDS matching rules, the thesis also presents an improved AC algorithm, which optimizes the memory use of the AC automaton by building a syllable table to reduce the scale of the automaton. Finally, experiments verify that both the improved BM and the improved AC algorithm perform well.
Keywords/Search Tags:Intrusion Detection, Snort, Pattern Matching, BM Algorithm, AC Algorithm