CN104519056A - Double-jump-based single mode matching method - Google Patents
Double-jump-based single mode matching method Download PDFInfo
- Publication number
- CN104519056A CN104519056A CN201410769572.6A CN201410769572A CN104519056A CN 104519056 A CN104519056 A CN 104519056A CN 201410769572 A CN201410769572 A CN 201410769572A CN 104519056 A CN104519056 A CN 104519056A
- Authority
- CN
- China
- Prior art keywords
- string
- jump
- character
- pos
- pattern
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a double-jump-based single mode matching method. The method includes adopting an improved Sunday algorithm to complete matching of intrusion mode strings therein; if characters are unequal in the process of character matching, continuously jumping two steps and then matching. By the method, matching efficiency of an intrusion detection system is improved greatly, detection speed of the detection system is improved, and instantaneity of the detection system is improved indirectly. The double-jump-based single mode matching method is wide in application range and can be applied to aspects like self-adaptive immune network intrusion detection system and network content auditing.
Description
Technical field
The present invention relates to computer network security field, be specifically related to a kind of single pattern matching method jumped based on double jump.
Background technology
Intruding detection system is the reasonable supplement of fire compartment wall, tackles network attack by the Initiative Defense system of helping, and extends the safety management ability of system manager, improves the integrality of information security foundation structure.It is collected and analytical information from the some key points computer network system, checks in network whether have the behavior of violating security strategy and the sign attacked.Intruding detection system can be monitored network when not affecting network performance, provides internaling attack, the real-time guard of external attack and misoperation.
Pattern matching is the core of intruding detection system, it affects the detection efficiency of system, and content and the uricontent content of sp_pattern_match detecting and alarm plug-in unit to RuleOption is carried out pattern matching and is used BM algorithm in snort system famous in the industry, but adopt Sunday algorithm in actual applications efficiency be better than BM algorithm.
Sunday algorithm is a kind of Single Pattern Matching Algorithms that Danile M.Sunday proposed in nineteen ninety, and its core concept is that then jump character as much as possible once generation character does not mate.Sunday has a next storage of array jump step-length, when occurring that character is unequal in matching process, detect the identical characters of character late in pattern string of pattern string tail end alignment characters in main string, and by one of low order end and its alignment, then directly all skip when this character is not present in pattern string time, length is the pattern string jump step-length of m is m+1.
But Sunday algorithm still there will be the coupling of more redundancy in the process of pattern matching, matching efficiency, detection speed and detection real-time still have much room for improvement.
Summary of the invention
In order to overcome the deficiencies in the prior art, the invention provides a kind of single pattern matching method jumped based on double jump, it can solve the coupling that prior art still there will be more redundancy in the process of pattern matching, the problems such as matching efficiency, detection speed and detection real-time.
The technical solution used in the present invention is as follows:
Based on the single pattern matching method that double jump jumps, adopt and improve the coupling that Sunday algorithm completes intrusion model string wherein, if occur that character is unequal in character match process, then first vertical jump in succession two step, then mate.
The present invention adopts Sunday algorithm to complete the coupling of intrusion model string wherein, and has done improvement to Sunday algorithm.A jump array is only had based on traditional Sunday algorithmic match method, and a kind of single pattern matching method jumped based on double jump of the present invention adds a jump array on this basis, when there being character not mate in matching process, vertical jump in succession two step, decreases Redundancy Match to a greater degree.
Further, a kind of single pattern matching method jumped based on double jump of the present invention, comprises the following steps:
S21 initialization jump array next1 and next2;
S22 starts coupling;
If the match is successful for S23, just pattern string P [0 ... m-1] entirety moves right one, if it fails to match, to jump to the right S by jump array next1
1individual character, then carries out second step jump by next2, skips S2 character;
S24 judge mobile after pattern string whether arrive or exceed main string tail, then return S22 if not, if then terminate coupling, export the position of the character string that all and pattern string matches.
The present invention proposes the thought that continuous two steps are jumped, to P [0 ... m-1] and M [0 ... n-1] successive appraximation from left to right, when there being character unequal in comparison procedure, first use the thought of traditional Sunday algorithm according to current P [m-1] at M [0 ... n-1] in alignment bit rear one calculate P [0 ... m-1] jump step-length S to the right
1, then according to S
1and use next2 array to jump S to the right
2position, namely once jumped to the right when character is unequal S
1+ S
2position.This matching process further reduces Redundancy Match number of times on the basis of the matching process based on traditional Sunday algorithm, and efficiency is higher than the matching process based on traditional Sunday algorithm.
Further, the initialization rule of described jump array next1 is: as pattern string P [0,1 ... m-1] in exist and the identical character in main string M [pos+m] position, then by pattern string P [0,1 ... m-1] in these character rightmosts one and M [pos+m] position alignment, if there is not identical characters, then directly skip, by M [pos+m+1] position and the alignment of P [0] position, the alignment bit subscript of pattern string P start bit in main string M when wherein pos represents that each coupling starts, the length of m intermediate scheme string.
Further, the initialization rule of described jump array next2 is: after the first step is jumped, if exist and M [pos+m+S in pattern string
1-1] character that position is identical, then these character rightmosts one and M [pos+m+S
1-1] position alignment, if M [pos+m+S1-1]=P [m-1], then second step jumps is 0, if there is not the character identical with M [pos+m+S1-1] position, then directly skips, by M [pos+m+S1-1] position and the alignment of P [0] position.
Pattern string P [0 ... m-1] and main string M [0 ... n-1] when mating, when there being character unequal, the jump S1 of the first step must be greater than 0, second step jump S2 is more than or equal to 0, and the situation occurring equaling 0 is due to pattern string P [0 after first step jump ... m-1] trailing character and main string M [0 ... n-1] just the match is successful.
In the matching process, pattern string is not required still to compare from right to left by comparing from left to right, and for convenience of description, the present invention is described by comparative sequence from left to right, but is equally applicable to matching process from right to left.
Beneficial effect of the present invention: the present invention adopts the Sunday algorithm of improvement to complete the coupling of intrusion model string, thus substantially increase matching efficiency, improve the detection speed of detection system, and indirectly improve the real-time of detection system, a kind of single pattern matching method for application jumped based on double jump of the present invention extensively, can be applicable to the aspects such as self adaptation immunological network intruding detection system and Network Content Audit.
Accompanying drawing explanation
Fig. 1 is the matching process flow chart of the embodiment of the present invention 1;
Fig. 2 is the initial position schematic diagram before the embodiment of the present invention 1 pattern string and main start of string mate;
Fig. 3 is the position view that the embodiment of the present invention 1 completes the rear pattern string of first step jump for the first time and main string;
Fig. 4 is the position view that the embodiment of the present invention 1 completes the rear pattern string of second step jump for the first time and main string;
Fig. 5 is the position view that the embodiment of the present invention 1 completes the rear pattern string of second time first step jump and main string;
Fig. 6 is the position view that the embodiment of the present invention 1 completes the rear pattern string of second time second step jump and main string;
Fig. 7 is that the embodiment of the present invention 2 uses matching process of the present invention and based on the matching times of the matching process of traditional Sunday algorithm and the match is successful number of times comparison diagram;
Fig. 8 is the used time comparison diagram that the embodiment of the present invention 3 uses matching process of the present invention and mates pattern string based on the matching process of traditional Sunday algorithm.
Embodiment
Below in conjunction with the drawings and specific embodiments, the present invention is described in further detail.
Embodiment 1:
The matching process of a kind of single pattern matching method jumped based on double jump of the present invention can be had a clear understanding of as shown in Figure 1:
S21 initialization jump array next1 and next2;
S22 starts coupling;
If the match is successful for S23, just pattern string P [0 ... m-1] entirety moves right one, if it fails to match, to jump to the right S by jump array next1 respectively
1individual character, then carries out second step jump by next2, skips S2 character;
S24 judge mobile after pattern string whether arrive or exceed main string tail, then return S22 if not, if then terminate coupling, export the position of the character string that all and pattern string matches.
Further, the initialization rule of described jump array next1 is: as pattern string P [0,1 ... m-1] in exist and the identical character in main string M [pos+m] position, then by pattern string P [0,1 ... m-1] in these character rightmosts one and M [pos+m] position alignment, if there is not identical characters, then directly skip, by M [pos+m+1] position and the alignment of P [0] position, the alignment bit subscript of pattern string P start bit in main string M when wherein pos represents that each coupling starts, the length of m intermediate scheme string.
Further, the initialization rule of described jump array next2 is: after the first step is jumped, if exist and M [pos+m+S in pattern string
1-1] character that position is identical, then these character rightmosts one and M [pos+m+S
1-1] position alignment, if M [pos+m+S1-1]=P [m-1], then second step jumps is 0, if there is not the character identical with M [pos+m+S1-1] position, then directly skips, by M [pos+m+S1-1] position and the alignment of P [0] position.
The present embodiment gets pattern string P=" bcdeafk " as shown in Figure 2, main string M=" abcdefaemkfgabcdeafkmw ", as seen from Figure 2, the unequal situation of character is there is in pattern string P in the middle of matching process, and pattern string P [0,1 ... m-1] in exist and the identical character in main string M [pos+m] position, i.e. e, so a rightmost e is moved on to M [pos+m] position, complete first time first step jump.Complete the position of the rear pattern string of first step jump for the first time and main string as shown in Figure 3.
Do not mate after completing first time first step jump, but proceed the jump of primary second step.Exist and M [pos+m+S in pattern string as seen from Figure 3
1-1] character that position is identical, i.e. f, then f rightmost in pattern string is moved S2 character to M [pos+m+S
1-1] position alignment.Complete the position of the rear pattern string of second step jump for the first time and main string as shown in Figure 4.
Complete after two steps are jumped and start coupling, find out as seen from Figure 4 and occur that character is unequal, continue the jump starting continuous two steps of continuous print.As can be seen from Fig. 4, pattern string P [0,1 ... m-1] in exist and the identical character in main string M [pos+m] position, i.e. a, so a rightmost a is moved on to M [pos+m] position, completes the second time first step and jumps.After this time jumping, the position of pattern string and main string as shown in Figure 5.
As can be seen from Figure 5, exist and M [pos+m+S in pattern string
1-1] character that position is identical, i.e. c, then c rightmost in pattern string is moved S2 character to M [pos+m+S
1-1] position alignment.Complete the position of the rear pattern string of second time second step jump and main string as shown in Figure 6.
As can be seen from Figure 6 complete second time second step jump after pattern string and main string the match is successful, now for once Redundancy Match.And by analysis to the matching process based on traditional Sunday algorithm, pattern string P=" bcdeafk " and mainly go here and there M=" abcdefaemkfgabcdeafkmw " the match is successful the coupling needed through three redundancies.
Embodiment 2:
The following passage of random selecting is as main string: but in a larger sense, we can not dedicate, we cannot consecrate, we can not hallow this ground. the brave ten, living and dead, who struggled here, have consecrated it far above our power to add or detract. the world will little note nor long retetber what we say here, but it can never forget whatthey did here. it is for us, the living, rather to be dedicated to thegreat task retaining before us, that frot these honored dead, we take increased devotion to that cause for which they gave the last full teasureof devotion, that this nation, under god, shall have a new birth of freedot, and that governtent of the people by the people and for the people shall notperish frot the earth. therefrom chooses ground, the, here, cause, earth as pattern string (experiment real process does not comprise space and punctuation mark).For each pattern string, record uses matching process of the present invention and based on the number of comparisons of the matching process of traditional Sunday algorithm and the match is successful number of times, verifies validity and the correctness of matching process of the present invention.This time experimental enviroment is that Intel Core i3 CPU, dominant frequency is 2.53GHz.Experimental result as shown in Figure 7.Wherein YC is the code name of matching process of the present invention, and S is the code name of the matching process based on traditional Sunday algorithm.As can be seen from experimental result, by the jump of continuous two steps, matching process of the present invention greatly reducing Redundancy Match number of times, saves match time, more efficient than the matching process based on traditional Sunday algorithm.
Embodiment 3:
The factors such as the resource allocation mechanism of hardware and operating system can make the time difference of at every turn mating, and the coupling used time can be within a time-domain, and the present embodiment generates the random string of 1000000 length as main string M, and generate length and be respectively 1,10,20,30,40,50,60,70, the random string of 80,90 length is as pattern string.Use matching process of the present invention and the matching process match pattern string in main string based on traditional Sunday algorithm respectively, each pattern matching 10000 times, the time-domain of used time of recording each pattern string respectively under two kinds of methods, and average.Experimental enviroment is Intel (R) Core (TM) i3 CPU, and dominant frequency is 2.93GHz, and as shown in Figure 8, wherein YC is the code name of matching process of the present invention to experimental data, and S is the code name of the matching process based on traditional Sunday algorithm.
As can be seen from Figure 8, matching process of the present invention greatly reduces the coupling used time, improves the detection speed of detection system.
Claims (3)
1., based on the single pattern matching method that double jump jumps, adopt and improve the coupling that Sunday algorithm completes intrusion model string wherein, it is characterized in that, if occur that character is unequal in character match process, then first vertical jump in succession two step, then mate, specifically comprise the following steps:
S21 initialization jump array next1 and next2;
S22 starts coupling;
If the match is successful for S23, just pattern string P [0 ... m-1] entirety moves right one, if it fails to match, to jump to the right S by jump array next1
1individual character, then carries out second step jump by next2, skips S2 character;
S24 judge mobile after pattern string whether arrive or exceed main string tail, then return S22 if not, if then terminate coupling, export the position of the character string that all and pattern string matches.
2. a kind of single pattern matching method jumped based on double jump according to claim 1, it is characterized in that, the initialization rule of described jump array next1 is: as pattern string P [0, 1 ... m-1] in exist and the identical character in main string M [pos+m] position, then by pattern string P [0, 1 ... m-1] in these character rightmosts one and M [pos+m] position alignment, if there is not identical characters, then directly skip, by M [pos+m+1] position and the alignment of P [0] position, the alignment bit subscript of pattern string P start bit in main string M when wherein pos represents that each coupling starts, the length of m intermediate scheme string.
3. a kind of single pattern matching method jumped based on double jump according to claim 1 and 2, it is characterized in that, the initialization rule of described jump array next2 is: after the first step is jumped, if exist and M [pos+m+S in pattern string
1-1] character that position is identical, then these character rightmosts one and M [pos+m+S
1-1] position alignment, if M [pos+m+S1-1]=P [m-1], then second step jumps is 0, if do not exist and M [pos+m+S
1-1] character that position is identical, then directly skip, by M [pos+m+S
1-1] position and the alignment of P [0] position.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410769572.6A CN104519056B (en) | 2014-12-15 | 2014-12-15 | A kind of single pattern matching method jumped based on double jump |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410769572.6A CN104519056B (en) | 2014-12-15 | 2014-12-15 | A kind of single pattern matching method jumped based on double jump |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104519056A true CN104519056A (en) | 2015-04-15 |
CN104519056B CN104519056B (en) | 2017-09-08 |
Family
ID=52793778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410769572.6A Active CN104519056B (en) | 2014-12-15 | 2014-12-15 | A kind of single pattern matching method jumped based on double jump |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104519056B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105809038A (en) * | 2016-03-01 | 2016-07-27 | 江苏大学 | Component abnormity information searching method for monitoring log |
CN107220333A (en) * | 2017-05-24 | 2017-09-29 | 电子科技大学 | A kind of chracter search method based on Sunday algorithms |
CN111814009A (en) * | 2020-06-28 | 2020-10-23 | 四川长虹电器股份有限公司 | BF improved algorithm based on search engine retrieval information pattern matching |
CN112069303A (en) * | 2020-09-17 | 2020-12-11 | 四川长虹电器股份有限公司 | Matching search method and device for character strings and terminal |
CN113836367A (en) * | 2021-09-26 | 2021-12-24 | 杭州迪普科技股份有限公司 | Character reverse matching method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040190506A1 (en) * | 2003-03-24 | 2004-09-30 | International Business Machines Corp. | Method and apparatus for performing complex pattern matching in a data stream within a computer network |
CN103577598A (en) * | 2013-11-15 | 2014-02-12 | 曙光信息产业(北京)有限公司 | Matching method and device for pattern string and text string |
CN103873317A (en) * | 2012-12-18 | 2014-06-18 | 中国科学院空间科学与应用研究中心 | Method and system for detecting CCSDS (consultative committee for space data system) space link protocol |
-
2014
- 2014-12-15 CN CN201410769572.6A patent/CN104519056B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040190506A1 (en) * | 2003-03-24 | 2004-09-30 | International Business Machines Corp. | Method and apparatus for performing complex pattern matching in a data stream within a computer network |
CN103873317A (en) * | 2012-12-18 | 2014-06-18 | 中国科学院空间科学与应用研究中心 | Method and system for detecting CCSDS (consultative committee for space data system) space link protocol |
CN103577598A (en) * | 2013-11-15 | 2014-02-12 | 曙光信息产业(北京)有限公司 | Matching method and device for pattern string and text string |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105809038A (en) * | 2016-03-01 | 2016-07-27 | 江苏大学 | Component abnormity information searching method for monitoring log |
CN105809038B (en) * | 2016-03-01 | 2018-08-10 | 江苏大学 | A kind of component exception information lookup method towards monitoring journal |
CN107220333A (en) * | 2017-05-24 | 2017-09-29 | 电子科技大学 | A kind of chracter search method based on Sunday algorithms |
CN107220333B (en) * | 2017-05-24 | 2020-01-31 | 电子科技大学 | character search method based on Sunday algorithm |
CN111814009A (en) * | 2020-06-28 | 2020-10-23 | 四川长虹电器股份有限公司 | BF improved algorithm based on search engine retrieval information pattern matching |
CN111814009B (en) * | 2020-06-28 | 2022-03-01 | 四川长虹电器股份有限公司 | Mode matching method based on search engine retrieval information |
CN112069303A (en) * | 2020-09-17 | 2020-12-11 | 四川长虹电器股份有限公司 | Matching search method and device for character strings and terminal |
CN113836367A (en) * | 2021-09-26 | 2021-12-24 | 杭州迪普科技股份有限公司 | Character reverse matching method and device |
CN113836367B (en) * | 2021-09-26 | 2023-04-28 | 杭州迪普科技股份有限公司 | Method and device for character reverse matching |
Also Published As
Publication number | Publication date |
---|---|
CN104519056B (en) | 2017-09-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104519056A (en) | Double-jump-based single mode matching method | |
Yan et al. | Detecting malware with an ensemble method based on deep neural network | |
CN104252469B (en) | Method, equipment and circuit for pattern match | |
CN113408743B (en) | Method and device for generating federal model, electronic equipment and storage medium | |
US9336239B1 (en) | System and method for deep packet inspection and intrusion detection | |
JP2011523748A5 (en) | ||
Kukkala et al. | Latte: L stm self-att ention based anomaly detection in e mbedded automotive platforms | |
CN103279718B (en) | Based on the data integrity verification method of SBT during a kind of cloud stores | |
CN105007160A (en) | Message integrity protection method in quantum digital signature | |
KR102521586B1 (en) | Text key information extracting method, apparatus, electronic device and storage medium | |
Yang et al. | LCCDE: a decision-based ensemble framework for intrusion detection in the internet of vehicles | |
CN107103031A (en) | A kind of safe nearest _neighbor retrieval method in cloud computing | |
CN113010922A (en) | Tamper-proof energy industry internet multi-edge chain data sharing method | |
He et al. | The hybrid similar neighborhood robust factorization machine model for can bus intrusion detection in the in-vehicle network | |
CN117332411B (en) | Abnormal login detection method based on transducer model | |
CN107220333A (en) | A kind of chracter search method based on Sunday algorithms | |
Zhang et al. | Authenticating user's keystroke based on statistical models | |
Shahriar et al. | Canshield: Signal-based intrusion detection for controller area networks | |
CN107239500A (en) | A kind of character string matching method and system | |
Xu et al. | Multi-Featured Anomaly Detection for Mobile Edge Computing Based UAV Delivery Systems | |
Saaudi et al. | Probabilistic Graphical Model on Detecting Insiders: Modeling with SGD-HMM. | |
Yin et al. | P2P botnet detection based on association between common network behaviors and host behaviors | |
CN117938555A (en) | Log sequence and parameter anomaly detection method and system for cloud platform of Internet of vehicles | |
Jin et al. | BotCatcher: A Complementary Advantages and Deep Learning Based Scheme for Intrusion Detection | |
KR102477705B1 (en) | Method and apparatus for detecting attack in CAN BUS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: Zhuhai Avenue, Guangdong city of Zhuhai Province, the 519000 Bay area near No. 65 Applicant after: Guangdong Science & Technology Vocational College Address before: 510640 No. 351 KELONG street, Guangzhou, Guangdong, Tianhe District Applicant before: Guangdong Science & Technology Vocational College |
|
COR | Change of bibliographic data | ||
GR01 | Patent grant | ||
GR01 | Patent grant |