
Research On Snort Preprocessor And Rule Matching Optimization For Web Protection

Posted on: 2019-10-16
Degree: Master
Type: Thesis
Country: China
Candidate: J R Chen
GTID: 2428330602960380
Subject: Software engineering

Abstract/Summary:
With the continuous development of information technology, the growth of Internet applications, and the large increase in network traffic, network information security faces greater challenges. Web protection technology has also developed from firewalls and anti-virus software, to intrusion detection, to a combination of multiple technologies. Intrusion detection inspects the events or data passing through the nodes of a target network and filters out insecure factors to ensure the security of network information. As an active security defense technology, intrusion detection can supplement defense methods such as firewalls. However, in the current network, the amount of data that intrusion detection must process is larger, and the data is more complex and variable. Therefore, how to process data effectively in the intrusion detection system and adapt to changes in attack methods is a problem that currently needs to be solved.

Based on the characteristics of the current network, this paper analyzes the characteristics of network packets and the basic theory of the k-means algorithm, proposes an improved k-means algorithm, and uses Snort's plug-in mechanism to improve the Snort preprocessor. Combining the k-means algorithm enables the Snort preprocessing plug-in to cluster static data and classify real-time data. The paper also analyzes the shortcomings of intrusion detection in the current network and proposes an optimization method that applies an improved FP-Tree algorithm to the Snort rule-matching plug-in.

The main work of this paper includes:

(1) Optimizing the preprocessor and rule-matching module of the Snort intrusion detection system by improving the k-means algorithm and the FP-Tree algorithm. The improved k-means algorithm is used to cluster static data into normal data classes and abnormal data classes. Real-time data is classified as normal or abnormal by judging its distance, and is then further processed by Snort. The improved FP-Tree algorithm is used to mine rules from network data and generate rules that Snort can recognize, which are then added to the Snort rule base to adapt to changes in attack methods.

(2) The KDD CUP99 dataset was used to carry out effectiveness experiments on the two proposed optimization methods, and the work of this paper was then summarized and analyzed.
Keywords/Search Tags:intrusion detection, web protection, snort, k-means algorithm, fp-tree algorithm