CN101409623B - Mode matching method facing to high speed network - Google Patents

Info

Publication number: CN101409623B
Authority: CN (China)
Prior art keywords: pattern string, coupling, string, pattern, network
Legal status: Expired - Fee Related
Application number: CN2008101437299A
Other languages: Chinese (zh)
Other versions: CN101409623A (en)
Inventors: 秦拯, 赵远, 武年华, 张生华
Current assignee: Hunan University
Original assignee: Hunan University
Priority date: 2008-11-26
Filing date: 2008-11-26
Publication dates: 2009-04-15 (CN101409623A), 2010-09-01 (CN101409623B)

Events:
- Application filed by Hunan University
- Priority to CN2008101437299A
- Publication of CN101409623A
- Application granted
- Publication of CN101409623B
- Legal status: Expired - Fee Related (current)
- Anticipated expiration
Abstract

The invention discloses a pattern matching method for high-speed networks. The method comprises the following steps: a computer extracts a characteristic value from the data flow of each kind of network attack and compiles it into a rule pattern according to a rule language; during network communication, the computer matches a captured packet against the rule pattern through a detection system; if the match succeeds, the detection system determines the captured packet to be an attack. The matching step of the invention builds on the existing BM method and innovates in two respects, the manner of comparison and the shift strategy, thereby greatly improving matching efficiency. The method is applicable to fields that require fast character matching under high-speed network conditions, such as network intrusion detection, network intrusion prevention, and computer virus signature matching.

Description

A pattern matching method for high-speed networks
Technical field
The present invention is a character string pattern matching method, applicable to fields that need to perform character matching, such as network intrusion detection, network intrusion prevention, and computer virus signature matching in high-speed network environments.
Background technology
There are many pattern matching methods at present; the most widely used are those implemented on the principle of the BM (Boyer-Moore) method. The BM method is an exact single-pattern matching method that uses heuristic strategies to skip unnecessary comparisons between the pattern string and the text, thereby improving matching efficiency. The pattern string is left-aligned with the text, and when matching, characters are compared one by one starting from the right end of the pattern string. In the initial stage the suffix of the pattern string is matched against the text; after each attempt is finished (whether it fails or succeeds), the shift function slides the pattern string a certain distance to the right, and matching resumes from the suffix of the pattern string.
The core of the well-known lightweight intrusion detection system Snort, its detection engine, uses the BM method to match rules. However, because this method does not consider the adjacency relation between the suffix already matched and the current character at which matching failed, the efficiency of string matching is not high enough.
Summary of the invention
The problem to be solved by the present invention is, by analysing existing pattern matching methods and addressing the defects of existing string matching methods, to meet the demand of current high-speed networks for efficient pattern matching: a pattern matching method for high-speed networks, the HPMM method, is proposed for use in fields that need to perform character matching, such as network intrusion detection, network intrusion prevention and computer virus signature matching in high-speed network environments, so as to improve matching efficiency.
The solution of the present invention combines the comparison manner of the BM method and proposes a pattern matching method for high-speed networks: first, a computer extracts a characteristic value from the data flow of each kind of network attack and writes it as a rule pattern according to a rule language; during network communication, the computer matches the captured packet against the rule pattern through a detection system; if the match succeeds, the detection system judges it to be an attack. The matching specifically comprises the following steps:
(1) Let the text string in the captured packet be T = T[1] ... T[n] (of length n), and let the pattern string of the rule pattern be P = P[1] ... P[m] (of length m), with n >> m.
(2) Give the sliding distance function Skip:
Figure G2008101437299D00021 (equation image; not reproduced in the text)
This function gives, for any character c that may occur in the text string, its position in the pattern string.
(3) Give the function B(c) that judges how many times a character occurs in the pattern string:
Figure G2008101437299D00022 (equation image; not reproduced in the text)
(4) Align T[1] with P[1] and compare P[m] with T[m].
If P[m] and T[m] do not match, compute the distance by which the pattern string moves right according to step (5) and move it right by that distance. If P[m] and T[m] match, compare P[1] with the corresponding text character; if P[1] does not match, move the pattern string right according to step (5); if P[1] matches, compare P[m-1], P[2], P[m-2], P[3], ... in turn, and so on, until the matching is finished.
(5) Compute the distance to move right; the steps are:
1) When a match is lost, first take the text character aligned with the last character of the pattern string, denoted T[k], and compute the right-shift position k + Skip[T[k]] given by the heuristic for that character; denote its value k1.
2) Compute, for the next text character T[k+1], the right-shift position k + 1 + Skip[T[k+1]] given by the heuristic; denote its value k2.
3) Compare k1 and k2. If k1 > k2, further judge how many times T[k+1] occurs in the pattern string using the function B(c) of step (3): if B(T[k+1]) = 1, that is, T[k+1] occurs only once in the pattern string, align the end of the pattern string with T[k+1+m] and begin a new round of matching; if B(T[k+1]) = 0, that is, T[k+1] occurs more than once in the pattern string, align the end of the pattern string with T[k1] and begin a new round of matching. If k2 >= k1, align the end of the pattern string with T[k2] and begin a new round of matching.
The HPMM pattern matching method for high-speed networks provided by the present invention, combined with the BM method, achieves an innovative breakthrough in two respects, the manner of comparison and the shift strategy. First, it breaks with the traditional left-to-right or right-to-left matching order and adopts an order that alternates from the two ends of the pattern toward the middle, which removes the unnecessary comparisons that arise in the BM matching process when part of the pattern's suffix matches the text but the pattern's prefix does not. Second, it takes into account the uniqueness of the letter following the current string, which raises the probability that the maximum displacement m+1 occurs. The present invention is suitable for application in fields that need fast character matching, such as network intrusion detection, network intrusion prevention and computer virus signature matching in high-speed network environments.
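As an added illustration of steps (1) to (5) above (this is example code written for this page, not code from the patent or from Snort), the following C program implements the HPMM comparison order and shift rule for a single pattern. Two definitions that the page gives only as figure images are assumed here: Skip[c] is taken to be the standard BM bad-character shift (m minus the 1-based position of the rightmost occurrence of c in P, or m if c is absent), and B(c) is 1 when c occurs exactly once in P and 0 otherwise. The function names hpmm_search, naive_search, build_skip, build_freq, compare_window and hpmm_agrees_with_naive, the counters, and all sample strings are the example's own constructions. The program also counts character comparisons and window shifts, the kind of figure the embodiment later compares between BM and HPMM, and checks its answers against a plain left-to-right scan.

```c
#include <stdio.h>
#include <string.h>

#define ALPHABET 256

/* Comparison and shift counters (constructed instrumentation, not the patent's). */
static unsigned long g_comparisons = 0, g_shifts = 0;

/* Step (2), Skip[c]. Assumed to be the standard BM bad-character shift: m minus
 * the 1-based position of the rightmost c in P, or m if c is absent. */
static void build_skip(const unsigned char *p, size_t m, size_t skip[ALPHABET])
{
    for (int c = 0; c < ALPHABET; c++) skip[c] = m;
    for (size_t j = 0; j < m; j++) skip[p[j]] = m - (j + 1);
}

/* Step (3), B(c): 1 if c occurs exactly once in P, 0 otherwise (the page says
 * 1 = once, 0 = more than once; an absent c never reaches the B test below). */
static void build_freq(const unsigned char *p, size_t m, int b[ALPHABET])
{
    int count[ALPHABET] = {0};
    for (size_t j = 0; j < m; j++) count[p[j]]++;
    for (int c = 0; c < ALPHABET; c++) b[c] = (count[c] == 1);
}

/* Step (4): compare P against the text window ending at T[k] (1-based k) in
 * the order P[m], P[1], P[m-1], P[2], ... toward the middle. 1 = full match. */
static int compare_window(const unsigned char *t, size_t k,
                          const unsigned char *p, size_t m)
{
    size_t lo = 1, hi = m;        /* 1-based pattern indices still to compare */
    size_t start = k - m + 1;     /* 1-based text index aligned with P[1] */
    int from_right = 1;
    while (lo <= hi) {
        size_t j = from_right ? hi : lo;
        g_comparisons++;
        if (p[j - 1] != t[start + j - 2]) return 0;   /* P[j] != T[start+j-1] */
        if (from_right) hi--; else lo++;
        from_right = !from_right;
    }
    return 1;
}

/* HPMM single-pattern search: returns the 1-based text index where the first
 * occurrence of pattern starts, or 0 if none (or the pattern is empty). */
size_t hpmm_search(const char *text, const char *pattern)
{
    const unsigned char *t = (const unsigned char *)text;
    const unsigned char *p = (const unsigned char *)pattern;
    size_t n = strlen(text), m = strlen(pattern), skip[ALPHABET];
    int b[ALPHABET];
    if (m == 0 || m > n) return 0;
    build_skip(p, m, skip);
    build_freq(p, m, b);
    size_t k = m;                 /* T[1] aligned with P[1] puts P[m] at T[m] */
    while (k <= n) {
        if (compare_window(t, k, p, m)) return k - m + 1;
        if (k == n) break;        /* no T[k+1] exists: no further window fits */
        size_t k1 = k + skip[t[k - 1]];       /* 5.1: heuristic from T[k]   */
        size_t k2 = k + 1 + skip[t[k]];       /* 5.2: heuristic from T[k+1] */
        if (k1 > k2)
            k = b[t[k]] ? k + 1 + m : k1;     /* 5.3: unique T[k+1] -> shift m+1 */
        else
            k = k2;                           /* k2 >= k1 */
        g_shifts++;
    }
    return 0;
}

/* Plain left-to-right scan used as the reference answer. */
size_t naive_search(const char *text, const char *pattern)
{
    size_t n = strlen(text), m = strlen(pattern);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(text + i, pattern, m) == 0) return i + 1;
    return 0;
}

/* Constructed inputs exercising each branch of step 5.3; returns 1 if HPMM
 * agrees with the naive scan on all of them. */
int hpmm_agrees_with_naive(void)
{
    static const char *cases[][2] = {
        {"xxxadabcd", "abcd"},        /* k1 > k2, B = 1: jump past T[k+1] */
        {"bbaxabab", "abab"},         /* k1 > k2, B = 0: shift to k1      */
        {"abcxabcdabcd", "abcd"},     /* k2 >= k1: shift to k2            */
        {"aaaaaaaa", "b"},            /* no occurrence                    */
        {"GET /index.html HTTP/1.1", "/index.html"},
        {"abcd", "abcd"},             /* pattern fills the whole text     */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (hpmm_search(cases[i][0], cases[i][1]) !=
            naive_search(cases[i][0], cases[i][1])) return 0;
    return 1;
}

int main(void)
{
    g_comparisons = g_shifts = 0;
    size_t pos = hpmm_search("xxxadabcd", "abcd");   /* constructed input */
    printf("match at %zu after %lu comparisons and %lu shifts\n",
           pos, g_comparisons, g_shifts);
    return 0;
}
```

The first sample shows the m+1 displacement the summary refers to: the window "xxxa" fails on its last character, T[5] = 'd' occurs once in "abcd", and k1 = 7 exceeds k2 = 5, so the window jumps straight to T[6..9] and the match is found after one shift. The reference scan is the check a practitioner wants when replacing a matcher inside a detection engine: a faster search that can skip past a valid occurrence would silently turn into a missed detection.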
Description of drawings
Fig. 1 is a schematic diagram of the shift strategy of the pattern matching method of the present invention;
Fig. 2 shows the test data results of the BM and HPMM methods in the embodiment;
Fig. 3 shows the statistics of test packet types in the embodiment;
Fig. 4 compares the processing time of the BM method and the HPMM method in Snort;
Fig. 5 compares the memory required by the BM method and the HPMM method in Snort;
Fig. 6 is the overall flow chart of the HPMM method;
Fig. 7 is the Snort workflow diagram.
Embodiment
This embodiment is the application and performance test of the HPMM method in the lightweight intrusion detection system Snort. As can be seen from Fig. 7, Snort is composed of four basic modules: the packet sniffer, the preprocessor, the detection engine, and the alarm output module. Its basic functional component is the packet sniffer, which is where Snort's work begins: after obtaining a packet, Snort first processes it with the preprocessor, then passes it through all the rule chains in the detection engine, and if data meet a rule chain they are detected. Snort has three modes of operation: sniffer, packet logger, and network intrusion detection system. Sniffer mode only reads packets from the network and displays them continuously on the terminal as a stream; packet logger mode records packets on the hard disk; the network intrusion detection mode is the most complex and is configurable, letting Snort analyse the network data flow to match against user-defined rules and take certain actions according to the detection result. Snort first extracts, for each kind of attack, its characteristic value and writes it as a rule according to the rule language, then parses and matches the captured packets against the rules; if the match succeeds, it is an attack. In operation, the intrusion detection system analyses the audit data of the current operating system and the packets flowing through the network, filters out the security-related information, and matches it against the attack patterns in the database; when matching behaviour is found, an intrusion is considered to have occurred and a response is made according to a certain strategy. The shift idea is shown in Fig. 1.
The concrete matching process follows steps (1) to (5) exactly as set out in the Summary of the invention above: the text string T = T[1] ... T[n] of length n and the pattern string P = P[1] ... P[m] of length m with n >> m; the sliding distance function Skip (Figure G2008101437299D00051, not reproduced in the text), which gives the position in the pattern string of any character c that may occur in the text string; the function B(c) giving the number of occurrences of a character in the pattern string; the comparison order P[m], P[1], P[m-1], P[2], ... from the two ends toward the middle; and the right-shift computed from k1 = k + Skip[T[k]] and k2 = k + 1 + Skip[T[k+1]] as in step (5).
This embodiment applies the BM method and the HPMM method to Snort respectively and compares them. The procedure is:
(1) Find the location of the BM method in the Snort source files.
The BM method is applied in the mSearch function in the file mstring.c of the Snort source; mSearch is called in the function uniSearchReal of the detection plugin sp_pattern_match.c.
(2) Replace the BM implementation in the mSearch function with the HPMM implementation, and revise the relevant parameters and interfaces.
The core of the HPMM method is implemented as a C program following the method flow of Fig. 6.
(3) Add the relevant variables and test system performance.
In the Preprocess(Packet*P) function in the Snort source file detect.c, timing variables were added to compute the execution time: three variables were added to this function; the current time start is recorded before the function executes, finish is recorded at the end of the function, and their difference gives the execution time of the function, spenttime. Because the results are finally displayed in the file Util.c, an output statement is added after the result output in order to display the execution time spenttime.
(4) Compile the Snort source files and regenerate the Snort executable.
In the VC environment, generate the snort.exe file that applies the HPMM method, and prepare to install Snort; then configure the network environment and set the relevant parameters in Snort's configuration file snort.conf. Under the (SuSE) Linux OS, after installing Libpcap, install Snort; once Snort is successfully installed, the system performance test can begin. The performance comparison steps are:
(1) Comparison of rule matching processing time
Snort is run in intrusion detection mode to collect data (1000 packets are collected; packet types as in Fig. 3). The collected data are then used to test the BM method and the HPMM method respectively, comparing the time each takes. The results are shown in Fig. 3 and Fig. 4: because the HPMM method raises the probability that the maximum displacement occurs, it reduces the number of shifts and hence the number of matches, making detection time 20% lower than with the BM method.
(2) Comparison of system resource consumption
While comparing execution time, the two methods were also compared on memory use. As shown in Fig. 5, for the same pattern library the memory required by the BM method is almost 60% of that required by the HPMM method; the HPMM method trades an increase in memory for an improvement in speed. With DRAM prices falling, computer memory constantly increasing, and intrusion signatures ever growing, using the HPMM method has practical significance.
(3) System packet loss test
Unsuitable rules consume a great deal of memory or cause packet loss. Stress-testing the system verifies its limit processing capability, which for a NIDS means verifying its capability to process and analyse data. Packet loss may be due to insufficient hardware or to improper rules consuming too much CPU. By increasing the data traffic and detecting the system's packet loss, it is found from the generated alert messages that as data traffic grows, the packet loss of the system using the BM method increases noticeably, while the packet loss of the system using the HPMM method is not obvious.
The above test results show that, comparing the performance of the system before and after the improvement, the original system uses relatively less memory while the improved system matches faster; since memory is cheap at present, increasing memory is relatively easy to realise, so the improvement of the new system is of great practical significance.

Claims (1)

1. A pattern matching method for high-speed networks, in which a computer first extracts a characteristic value from the data flow of each kind of network attack and writes it as a rule pattern according to a rule language; during network communication, the computer matches the captured packet against the rule pattern through a detection system; if the match succeeds, the detection system judges it to be an attack; characterised in that the matching comprises the following steps:
(1) Let the text string in the captured packet be T = T[1] ... T[n], where the length is n;
the pattern string of the rule pattern is P = P[1] ... P[m], where the length is m and n >> m;
(2) Give the sliding distance function Skip:
Figure FSB00000107176900011 (equation image; not reproduced in the text)
This function gives, for any character c that may occur in the text string, its position in the pattern string;
(3) Give the function B(c) that judges how many times a character occurs in the pattern string:
Figure FSB00000107176900012 (equation image; not reproduced in the text)
(4) Align T[1] with P[1] and compare P[m] with T[m];
if P[m] and T[m] do not match, compute the distance by which the pattern string moves right according to step (5) and move it right by that distance; if P[m] and T[m] match, compare P[1] with the corresponding text character; if P[1] does not match, move the pattern string right according to step (5); if P[1] matches, compare P[m-1], P[2], P[m-2], P[3], ... in turn, and so on, until the matching is finished;
(5) Compute the distance to move right; the steps are:
1) When a match is lost, first take the text character aligned with the last character of the pattern string, denoted T[k], and compute the right-shift position k + Skip[T[k]] given by the heuristic for that character; denote its value k1.
2) Compute, for the next text character T[k+1], the right-shift position k + 1 + Skip[T[k+1]] given by the heuristic; denote its value k2.
3) Compare k1 and k2. If k1 > k2, further judge how many times T[k+1] occurs in the pattern string using the function B(c) of step (3): if B(T[k+1]) = 1, that is, T[k+1] occurs only once in the pattern string, align the end of the pattern string with T[k+1+m] and begin a new round of matching; if B(T[k+1]) = 0, that is, T[k+1] occurs more than once in the pattern string, align the end of the pattern string with T[k1] and begin a new round of matching. If k2 >= k1, align the end of the pattern string with T[k2] and begin a new round of matching.
Application CN2008101437299A, filed 2008-11-26 (priority date 2008-11-26), "Mode matching method facing to high speed network", granted as CN101409623B (en); legal status: Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN101409623A (en) 2009-04-15
CN101409623B (en) 2010-09-01

Family ID: 40572432


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100901

Termination date: 20121126