Optimization And Implementation Of Snort Intrusion Detection Method

Posted on: 2022-06-22, Degree: Master, Type: Thesis
Country: China, Candidate: J H Li
GTID: 2518306746981969, Subject: Automation Technology
Abstract/Summary:
The rapid development and wide application of computer network technology have greatly improved the convenience of people's lives and promoted the modernization of enterprise development. At the same time, it has caused many problems, and network security is one of the most serious. To protect the information security of individuals, enterprises, governments, and military units, network security technologies must be updated in a timely manner. Intrusion detection, one of the core technologies of network security, is designed to protect computer systems and information by detecting abnormalities in time. An intrusion detection system built around this technology is an important part of securing the network environment, and its functionality, detection efficiency, and accuracy directly affect the effectiveness of intrusion detection. An excellent intrusion detection system should have the following characteristics: (1) the detection time is short and the alarm speed is fast; (2) it can effectively deal with the danger of unknown attacks and ensure the safety of the host.

Common intrusion detection systems include Snort, Onion, NFR, etc. The Snort intrusion detection system stands out among them because it is open source, modular in design, and scalable. It has become the most widely used intrusion detection system and, after continuous rewriting and research, the industry standard for implementing intrusion detection systems. However, Snort's current detection mechanism depends on its existing rule base: the abnormal rules in the rule base are compared with the data actually captured, and intrusion behavior is judged from the comparison results. This process requires a large amount of matching work, and in a fast and complex network environment under-reporting (missed detections) occurs easily. In addition, the Snort detection module uses misuse detection technology, which lacks the ability to detect unknown risks.

In view of these problems, this paper selects the lightweight open-source intrusion detection system Snort as its research object, optimizes and expands its detection function, and enhances the system's detection capability and its ability to face unknown risks. The research work has two main aspects.

On the one hand, the detection efficiency of the original detection algorithm is optimized. In intrusion detection mode, the biggest factor affecting Snort's efficiency is the time consumed in the pattern matching module. This paper first analyzes the Snort algorithm and other improved Snort algorithms, examines their advantages and disadvantages, and proposes a new improved algorithm that addresses their defects. The new algorithm increases the jump step size during pattern matching, which reduces the number of matches and shortens the matching time, thereby improving the detection efficiency of the original detection algorithm. The experimental results show that the matching speed of the new algorithm is significantly improved, and the matching time is reduced by half compared with the original algorithm.

On the other hand, a new misuse detection module is added to Snort to improve its ability to detect unknown attacks. This paper introduces a neural network classification plug-in. The new plug-in uses the CNN bidirectional LSTM (CNN-BiLSTM) algorithm and the CICIDS2017 data set to train the most appropriate model. The experimental results show that the classification accuracy of the new model is about 98%. At the same time, in the face of unknown intrusion behavior, the accuracy of intrusion detection is higher than 50%.

Finally, the improved Snort system is compiled and run in the Windows environment, and a complete intrusion detection system is built on this basis. The system's matching time is shorter, and it can effectively detect unknown attack behaviors.
Keywords/Search Tags:Network security, Snort, pattern matching, BM algorithm, CNN-BiLSTM