
Research And Improvement Of Multi-Mode Matching Algorithm Based On Snort

Posted on: 2021-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hu
Full Text: PDF
GTID: 2518306047984619
Subject: Master of Engineering
Abstract/Summary:
The rapid development of network technology has driven the growth of a series of industries such as network equipment and network applications. To improve the security of complex networks, many systems now deploy, in addition to firewalls, intrusion detection systems (IDS) based on misuse detection. Research on misuse-detection IDS is therefore of positive significance for improving the safety and reliability of such systems. Snort and Security Onion are typical IDS. Because Snort's code is open source and its structure is clear and easy to modify, this thesis selects Snort as the research subject and studies and improves its matching algorithm and running mode.

The thesis begins with an analysis of Snort's basic working principle and data matching technology, which shows that building a large-scale rule set into a state machine takes a long time. It then analyzes the way Snort classifies rules and proposes a rule organization based on an index classification mapping table, which refines rule sets and reduces the decision hierarchy when classifying rules. An improved rule list, into which rules are inserted in order of their probability of a successful match, is also presented to minimize the average retrieval time of correlated rules traversing the list. Experiments show that the proposed algorithm saves 7.27% of the build time for a single classification set and 8.27% of the construction time for multiple classification sets.

Secondly, because traffic rates in real environments are high, relying solely on improvements in hardware performance to meet the requirements would be too expensive. A new multi-pattern (multi-mode) matching algorithm is given that compresses the states of the Non-Deterministic Finite Automaton (NFA) built by the matching algorithm by transforming exact matching into a fuzzy match with higher accuracy, which in turn compresses the storage space required for the state transition table. For a set of 100,000 rules, the differential algorithm saves 61.09% of the memory of the original program, the compression ratio of the number of algorithm states reaches 62.37%, and the reduction ratio can reach 97.69% when the pattern strings in the rule collection are highly similar. Moreover, because of the differential approach, the number of characters built is reduced and the retrieval time required for matching is shortened, so the algorithm increases the detection rate by an average of 9.02%. In addition, for the common large-text scenario, a dynamically accelerated matching retrieval method based on rule length is proposed. Experiments show that the new multi-pattern matching algorithm increases the rate by 1.55% compared to the classic multi-pattern matching algorithm.

Non-Uniform Memory Access (NUMA) architectures are widely used in modern servers. Based on practical NUMA applications and the characteristics of Snort's operation on different architectures, an optimization scheme for the Snort runtime on the PHYTIUM platform is proposed. To access remote memory as little as possible and to avoid memory-controller contention caused by multithreaded programs running on the same memory node, the thesis gives a Snort running mode that dynamically adjusts thread placement according to Snort's runtime working traffic, solving the slow packet detection rate caused by these two factors. The optimized packet detection method achieves a rate 1.13 times that of the existing operating method. Experiments confirm that the proposed scheme achieves a higher detection rate on the new PHYTIUM machine architecture.
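The ordered rule list described in the abstract, as an added illustration that is not the thesis's own code: rules are kept in descending order of their observed match probability, and the expected number of rule evaluations for a scan that stops at the first hit is computed for the original and the reordered list. Rule ids, content patterns, hit counters and the sample payload are all constructed.

```python
"""Rule-list ordering by observed match probability (added illustration)."""
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int          # hypothetical rule id
    content: str      # content pattern the rule looks for in the payload
    hits: int = 0     # times this rule matched so far
    checks: int = 0   # times this rule was evaluated

    @property
    def hit_rate(self) -> float:
        return self.hits / self.checks if self.checks else 0.0


def expected_cost(probs):
    """Expected number of rules evaluated until the first match, assuming
    independent match events and a scan that stops at the first hit:
    E = sum_i prod_{j<i} (1 - p_j); an all-miss scan costs len(probs)."""
    cost, reach = 0.0, 1.0
    for p in probs:
        cost += reach          # probability that rule i is reached at all
        reach *= (1.0 - p)     # probability that all rules so far missed
    return cost


def order_by_probability(rules):
    """Descending hit rate minimises expected_cost (exchange argument:
    swapping an adjacent pair with p_i < p_{i+1} never increases E)."""
    return sorted(rules, key=lambda r: r.hit_rate, reverse=True)


def scan(rules, payload: bytes):
    """Evaluate rules in list order, updating the counters used for
    reordering; return (matched sid or None, rules examined)."""
    for examined, r in enumerate(rules, 1):
        r.checks += 1
        if r.content.encode() in payload:
            r.hits += 1
            return r.sid, examined
    return None, len(rules)


# Constructed sample: counters as if gathered from an earlier training run.
RULES = [Rule(1, "/cgi-bin/", 2, 100), Rule(2, "GET ", 60, 100),
         Rule(3, "User-Agent: curl", 15, 100), Rule(4, "../", 5, 100)]


def demo():
    before = expected_cost([r.hit_rate for r in RULES])
    ordered = order_by_probability(RULES)
    after = expected_cost([r.hit_rate for r in ordered])
    sid, examined = scan(ordered, b"GET /index.html HTTP/1.1\r\nUser-Agent: curl\r\n")
    return before, after, [r.sid for r in ordered], sid, examined
```

On the constructed counters the reordered list cuts the expected evaluations per packet from about 2.71 to about 2.06, and the sample payload is matched by the first rule examined.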
Keywords/Search Tags: Snort, Rule classification, multi-modal matching, port mapping, remote memory access