CN101060411A - A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system - Google Patents

Info

Publication number: CN101060411A
Authority: CN (China)
Prior art keywords: suffix, prefix, character, text, pattern
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CNA2007100179204A
Other languages: Chinese (zh)
Other versions: CN101060411B (en)
Inventors: 刘涛, 白亮, 王二鹏, 张永斌, 赵卫栋, 靳卫恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Original Assignee: Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2007-05-23
Filing date: 2007-05-23
Publication date: 2007-10-24

Abstract

The multi-pattern matching method in the NIDS field comprises: building a SHIFT table, a SUFFIX table and a PREFIX table, and then scanning and searching. The invention markedly improves the matching speed and the efficiency of the NIDS.

Description

Multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system
Technical field:
The present invention relates to the technical field of network intrusion detection systems (NIDS), and specifically to a multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system.
Background art:
In recent years, with the successive emergence of high-speed network technologies, rising network speeds have challenged all three links of intrusion detection: data acquisition, the analysis engine and the response mechanism. If any one of these links cannot keep up with the network speed, real-time protection of network security cannot be achieved. Most existing NIDS reach detection speeds of only a few tens of megabits per second, and as 100 Mbit/s and gigabit networks become widely deployed, the processing speed of the NIDS becomes the bottleneck that limits the application of intrusion detection systems. A NIDS intercepts every packet on the network, analyses it and matches it to determine whether it carries the signature of some attack, which consumes considerable time and system resources. As network bandwidth grows, the detection system must handle a larger number of packets per unit time and must therefore raise its packet processing speed substantially; otherwise a large number of network packets are dropped, which severely degrades the detection capability of the NIDS. By its mode of operation, a NIDS must monitor all packets flowing through the shared network segment and then perform a pattern matching operation on each packet. If the detection speed of the NIDS cannot keep up with the transmission speed of the network data, the detection system misses some of the packets, which causes missed detections and impairs the accuracy and validity of the system. Pattern matching is the attack-signature-based packet inspection technique used by NIDS; its fast analysis speed and low false alarm rate are advantages that other analysis methods cannot match, and many commercial intrusion detection products and research projects, for example Dragon, Bro and Snort, have adopted pattern matching algorithms. However, as the variety of intrusion attack methods keeps increasing, the signature database required for pattern matching keeps growing, so that with the same hardware resources and the same pattern matching algorithm the packet processing speed of the system declines. For high-speed networks, therefore, improving the detection rate and efficiency of the intrusion detection system is the main problem that current intrusion detection systems urgently need to solve.
The prior art has proposed the BM algorithm. Its characteristic is the observation that, during the matching comparison, the first many characters often all match while the last few characters do not, so that scanning from left to right wastes a great deal of time; the pattern and text are therefore scanned from right to left, so that as soon as a character that does not occur in the pattern is found in the text, the pattern can be "slid over" the text by a large distance. However, because this algorithm is a single-pattern algorithm, it can only improve the matching efficiency of a single rule and cannot improve the efficiency of matching the whole rule set: when the number of rules grows linearly, the matching efficiency declines linearly. The problem with the prior art is therefore that, when the intrusion detection rule set is very large, its matching efficiency is very low.
Summary of the invention:
The present invention provides a multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system, in order to overcome the technical problem of the prior art that the matching efficiency is very low when the intrusion detection rule set is very large.
The technical scheme of the present invention is a multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system, comprising the following steps:
(1) Preprocessing the pattern set:
Building the shift table (SHIFT table): when constructing the shift table, the comparison of character strings of length B, rather than of single characters, is considered. The value of B should be log_c(2M), where
M is the total size of all patterns, M = k*m (m is the minimum pattern length in the pattern set and k is the number of patterns), and
c is the size of the alphabet.
The shift table contains one entry for every possible string of length B, so its size should be |Σ|^B (Σ is the fixed character set).
Building the suffix table (SUFFIX table): when the shift value is 0, the B-character suffix of the current text substring matches the suffix of some pattern in the pattern set. A hash method is used to minimise the number of patterns that must be compared: the integer hash value of the B characters, already computed when building the shift table, is used as the index into another table, called the suffix table SUFFIX. The i-th entry of the suffix table, SUFFIX[i], contains an index pointing to the list of patterns whose last B characters hash to i; this list is denoted PATTERN_LIST.
(2) Scanning and searching.
In step (1) above, for the case where the shift value is 0, a further table called the prefix table PREFIX is also introduced; PREFIX[i] contains the hash value of the A-character prefix of each pattern.
The concrete steps of the scanning and searching of step (2) above are:
1. compute the hash value h of the B characters of the text currently being scanned;
2. check the value of SHIFT[h]: if it is > 0, shift the text and return to step 1; otherwise go to step 3;
3. compute the hash value of the text prefix (the m characters to the left of the current position), called text_prefix;
4. examine every index p that satisfies SUFFIX[h] ≤ p < SUFFIX[h+1]; for each such p go to step 5, and if there is none, end;
5. when PREFIX[p] = text_prefix, go directly to step 6 and match the text against the current pattern (the current pattern is given by PATTERN_LIST[p]), which completes the whole process; otherwise, end.
In step (1) above the value of B is 2 and the value of A is 2. The values of A and B are chosen as required.
Compared with the prior art, the advantages of the present invention are:
1. Few comparisons: because a hash method maps several strings to the same entry of the shift table, the size of the shift table is compressed; to avoid comparing against every pattern, a hash method is also used when building the suffix table (SUFFIX table) to minimise the number of patterns that must be compared; when the shift value is 0, the text must traverse the pattern list pointed to by SUFFIX[i] to perform pattern suffix matching, and in order to narrow the pattern search further and accelerate the search, a further table, called the prefix table PREFIX, is introduced.
2. Short time, high efficiency: the BM algorithm compares single characters, whereas the present invention compares character strings, which greatly shortens the running time and therefore greatly improves the matching efficiency. The time spent by this algorithm on the whole scanning process is O(BN/m) (N is the size of the text, m is the minimum pattern length, p is the number of patterns and M = m*p is the total length of the patterns), and when m > B the average time complexity of the algorithm is sublinear. The total time complexity of the algorithm is O(M) + O(BN/m) = O(M + BN/m).
Description of the drawing:
The accompanying drawing is a flowchart of the multi-pattern matching algorithm of the present invention, which is based on the BM idea.
Embodiment:
The present invention is described below by means of an embodiment in an intrusion detection system and the accompanying drawing.
The steps of the present invention are:
(1) Preprocessing the pattern set: building the shift table (SHIFT table), the suffix table (SUFFIX table) and the prefix table (PREFIX table).
When constructing the shift table, the comparison of a block of B characters is considered rather than the comparison of single characters; the shift table is used while scanning the text to decide how many characters of the text can be skipped without inspection.
The value of B is taken as 2, and the value of A as 2;
The hash value of the A-character prefix of each pattern is computed and placed in PREFIX[i];
(2) Scanning and searching:
2.1 compute the hash value h of the B characters of the text currently being scanned;
2.2 check the value of SHIFT[h]: if it is > 0, shift the text and return to step 2.1; otherwise go to step 2.3;
2.3 compute the hash value of the text prefix, called text_prefix;
2.4 examine every index p that satisfies SUFFIX[h] ≤ p < SUFFIX[h+1]; for each such p go to step 2.5, and if there is none, end;
2.5 when PREFIX[p] = text_prefix, go directly to step 2.6 and match the text against the current pattern, which completes the whole process; otherwise, end.
The values of B and A may be chosen according to actual conditions, but we consider B = 2 and A = 2 to be optimal.
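As an added example (not code from the patent), the following Python implementation builds the SHIFT, SUFFIX and PREFIX tables of step (1) and performs the scanning of step (2), with B = 2 and A = 2, as described in both the summary and the embodiment above. The hash function (the B bytes packed into a 16-bit index, so the SHIFT table has exactly |Σ|^B = 65536 entries), reusing that hash for the A-character prefix, the byte alphabet, and the decision to keep scanning after a match so that every occurrence is reported (the patent's step 2.5 ends the process once a pattern matches) are my own choices; the signatures and payload at the bottom are constructed sample data.

```python
# Added example, not the patent's own code: SHIFT / SUFFIX / PREFIX
# multi-pattern matcher built as in steps (1) and (2), with B = 2, A = 2.
# Hash function, byte alphabet and "report every occurrence" are assumptions.
from typing import Dict, List, Tuple

B = 2            # block length hashed into SHIFT / SUFFIX (patent: B = 2)
A = 2            # prefix length hashed into PREFIX (patent: A = 2)
ALPHABET = 256   # |Sigma|: the matcher works on raw bytes


def block_hash(block: bytes) -> int:
    """Assumed hash: bytes packed big-endian, so for B = 2 the result is a
    direct index 0..65535 and SHIFT has exactly |Sigma|^B entries."""
    h = 0
    for c in block:
        h = (h << 8) | c
    return h


class MultiMatcher:
    def __init__(self, patterns: List[bytes]) -> None:
        if not patterns:
            raise ValueError("pattern set is empty")
        self.patterns = patterns
        self.m = min(len(p) for p in patterns)   # minimum pattern length m
        if self.m < max(A, B):
            raise ValueError("every pattern needs at least max(A, B) characters")
        size = ALPHABET ** B                       # |Sigma|^B entries
        # SHIFT: default m - B + 1 means the block occurs in no pattern and the
        # whole window can be skipped; otherwise m - q, where q is the rightmost
        # end position of the block within the first m characters of a pattern.
        self.shift = [self.m - B + 1] * size
        buckets: Dict[int, List[int]] = {}
        for idx, pat in enumerate(patterns):
            for q in range(B, self.m + 1):
                h = block_hash(pat[q - B:q])
                self.shift[h] = min(self.shift[h], self.m - q)
            # patterns whose last B characters (of the first m) hash to h
            buckets.setdefault(block_hash(pat[self.m - B:self.m]), []).append(idx)
        # SUFFIX[h] .. SUFFIX[h+1] delimits bucket h inside PATTERN_LIST;
        # PREFIX[p] is the hash of the A-character prefix of PATTERN_LIST[p].
        self.suffix = [0] * (size + 1)
        self.pattern_list: List[int] = []
        self.prefix: List[int] = []
        for h in range(size):
            self.suffix[h] = len(self.pattern_list)
            for idx in buckets.get(h, ()):
                self.pattern_list.append(idx)
                self.prefix.append(block_hash(patterns[idx][:A]))
        self.suffix[size] = len(self.pattern_list)

    def search(self, text: bytes) -> List[Tuple[int, int]]:
        """Return (offset, pattern index) for every pattern occurrence."""
        hits: List[Tuple[int, int]] = []
        m, n = self.m, len(text)
        pos = m                          # window is text[pos - m : pos]
        while pos <= n:
            # step 2.1: hash of the B characters ending at the current position
            h = block_hash(text[pos - B:pos])
            # step 2.2: a positive shift skips text without any comparison
            if self.shift[h] > 0:
                pos += self.shift[h]
                continue
            # step 2.3: hash of the window's first A characters (m chars left)
            start = pos - m
            text_prefix = block_hash(text[start:start + A])
            # steps 2.4 / 2.5: only candidates whose prefix hash agrees are
            # compared character by character against the text
            for p in range(self.suffix[h], self.suffix[h + 1]):
                if self.prefix[p] != text_prefix:
                    continue
                idx = self.pattern_list[p]
                if text.startswith(self.patterns[idx], start):
                    hits.append((start, idx))
            pos += 1                     # shift 0: advance by one character
        return hits


if __name__ == "__main__":
    # constructed sample signatures and payload, not taken from the patent
    matcher = MultiMatcher([b"attack", b"hacker", b"shell"])
    print(matcher.search(b"the hacker ran a shell attack"))
```

With the three sample signatures, m = 5, so a block that occurs in no signature lets the scanner jump m - B + 1 = 4 bytes at once; the full character comparison only runs for windows whose last two bytes hash to a non-empty SUFFIX bucket and whose first two bytes agree with a PREFIX entry, which is the filtering the patent describes.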
Finally, it should be noted that the above embodiment serves only to illustrate, and not to limit, the technical scheme of the present invention. Although the present invention has been described in detail with reference to the above embodiment, those of ordinary skill in the art should understand that the present invention may still be modified or replaced by equivalents, and that any modification or partial replacement that does not depart from the spirit and scope of the present invention falls within the scope of the claims of the present invention.

Claims (4)

1. A multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system, comprising the following steps:
(1) Preprocessing the pattern set:
Building the shift table (SHIFT table): when constructing the shift table, the comparison of character strings of length B, rather than of single characters, is considered. The value of B should be log_c(2M), where
M is the total size of all patterns, M = k*m (m is the minimum pattern length in the pattern set and k is the number of patterns), and
c is the size of the alphabet.
The shift table contains one entry for every possible string of length B, so its size should be |Σ|^B (Σ is the fixed character set).
Building the suffix table (SUFFIX table): when the shift value is 0, the B-character suffix of the current text substring matches the suffix of some pattern in the pattern set. A hash method is used to minimise the number of patterns that must be compared: the integer hash value of the B characters, already computed when building the shift table, is used as the index into another table, called the suffix table SUFFIX. The i-th entry of the suffix table, SUFFIX[i], contains an index pointing to the list of patterns whose last B characters hash to i; this list is denoted PATTERN_LIST.
(2) Scanning and searching.
2. The multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system according to claim 1, characterised in that: in said step (1), for the case where the shift value is 0, a further table called the prefix table PREFIX is also introduced; PREFIX[i] contains the hash value of the A-character prefix of each pattern.
3. The multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system according to claim 2, characterised in that the concrete steps of the scanning and searching of said step (2) are:
1) compute the hash value h of the B characters of the text currently being scanned;
2) check the value of SHIFT[h]: if it is > 0, shift the text and return to step 1); otherwise go to step 3);
3) compute the hash value of the text prefix (the m characters to the left of the current position), called text_prefix;
4) examine every index p that satisfies SUFFIX[h] ≤ p < SUFFIX[h+1]; for each such p go to step 5), and if there is none, end;
5) when PREFIX[p] = text_prefix, go directly to step 6) and match the text against the current pattern (the current pattern is given by PATTERN_LIST[p]), which completes the whole process; otherwise, end.
4. The multi-pattern matching method for improving the detection rate and efficiency of an intrusion detection system according to claim 3, characterised in that: in said step (1), the value of B is 2 and the value of A is 2, and the values of A and B are chosen as required.

Priority Applications (1)

Application number: CN2007100179204A (published as CN101060411B, en)
Priority date: 2007-05-23
Filing date: 2007-05-23
Title: A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system

Publications (2)

Publication number and publication date:
CN101060411A (en), application publication: 2007-10-24
CN101060411B (en), granted patent: 2013-04-03

Family

ID=38866320

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101409623B (en) * 2008-11-26 2010-09-01 湖南大学 Mode matching method facing to high speed network
CN104202249A (en) * 2014-07-25 2014-12-10 汉柏科技有限公司 Method and device of message forwarding
CN104954346A (en) * 2014-03-31 2015-09-30 北京奇虎科技有限公司 Attack recognition method based on object analysis and device thereof
CN105701093A (en) * 2014-11-24 2016-06-22 中兴通讯股份有限公司 Automaton -based pattern matching method and device
CN108809908A (en) * 2017-05-04 2018-11-13 中国科学院声学研究所 A kind of url filtering method and system based on window selection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1160899C (en) * 2002-06-11 2004-08-04 华中科技大学 Distributed dynamic network security protecting system
CN1581768A (en) * 2003-08-04 2005-02-16 联想(北京)有限公司 Invasion detecting method
CN1282333C (en) * 2004-02-24 2006-10-25 中国科学院计算技术研究所 Multiline program loading equialization method of invading detection

Legal Events

Code and description:
C06: Publication
PB01: Publication
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant
CF01: Termination of patent right due to non-payment of annual fee (granted publication date: 20130403)