KR102055326B1 - Network intrusion detection system based on accessing memory with character distributed type, and method thereof - Google Patents

Abstract

The present invention relates to a network intrusion detection system and method thereof based on character distributed memory access. According to an embodiment of the present invention, the storage device 200 is configured as a first character distributed storage module 200u-1 to an nth character distributed storage module 200u-n (where n is two or more, which is the same or different natural number). A first step of logically dividing; And
After extracting the character corresponding to the first character of the signature, and extract the PSID (Pre-State ID) for the extracted character, the first character distributed storage module (200u-1) to n-th character of the storage device 200 Extracts the character distribution storage module 200u matching the extracted characters from the distributed storage module 200u-n and performs signature detection for each character to perform memory access distribution for each character on the storage device 200. Two steps; It may include.
By doing so, the state transition table is stored in one memory and the existing method of accessing one memory according to states is divided into state-by-character tables and distributed and stored according to each character. By switching to accessing the star table, it can significantly improve the efficiency of signature and PCRE lookups.

Description

Network intrusion detection system based on accessing memory with character distributed type, and method

The present invention relates to a network intrusion detection system based on the character distributed memory access, and a method thereof. More specifically, the bottleneck through the distribution of memory by character in a method for improving the signature and PCRE detection performance of signature-based security equipment ( The present invention relates to a network intrusion detection system based on character distributed memory access and a method for solving the problem.

As a system for responding to the security problems caused by the recent explosion of Internet usage, signature-based security devices organized into each intrusion list have been in the spotlight, but the payload of each packet Comparing all registered signatures and payloads by separating (payload) takes too much time and has a practically impossible limitation.

As a result, security devices support Perl Compatible Regular Expressions (PCRE) engines to detect attacks that have many variations and cannot be represented as fixed strings. It's a reality that uses shortcuts.

More specifically, signatures are searched using non-deterministic finite automata (NFA) or deterministic finite automata (DFA) to overcome the time-consuming limitations of conventional signature-based security devices. Doing.

In such non-deterministic finite automata (NFA) or deterministic finite automata (DFA), each state number is used to set the next cleavable state number around the first character of the string on the signature on the Goto-graph. In this case, the target state number can be reached.

That is, referring to FIG. 1, a state transition table represented by a Goto table and a failure table in a conventional signature and a PCRE search processor 10 is inputted on one memory device 20 to be software or hardware. When retrieving signatures through memory accesses by a processor, the performance increases as the state transition table and the number of memory accesses increase as the number and size of signatures increase. In order to overcome this problem, we attempt to increase the number of processing processes or increase the performance of the processing processes in a hardware way, but the memory bottleneck is eliminated as the traffic volume increases with a single memory. There is a limitation that cannot be done.

Korean Patent Application No. 10-1999-0056027 "APPARATUS FOR SEARCHING A PREAMBLE SIGNATURE OF ARANDOM ACCESS CHANNEL"

The present invention is to solve the above problems, the state transition table (state transition table) to store the state transition table (state transition table) and the existing method of accessing one memory according to the state by dividing the state transaction table into a character-by-character table It is to provide a network intrusion detection system and method based on a character distributed memory access to dramatically improve the efficiency of signature and PCRE search by storing and switching to a table for each character according to the character. .

In addition, the present invention solves the bottleneck problem by distributing the memory by character, while also moving to the loop or initial state number for a specific state number that performs the same function as setting the transition function. To provide a character distributed memory access based network intrusion detection system and method thereof.

However, the objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned will be clearly understood by those skilled in the art from the following description.

In order to achieve the above object, according to an embodiment of the present invention, a method for searching for network intrusion based on a character distributed memory access may include: storing the storage unit 200 in a first character distributed storage module 200u-1 to an nth character distributed; A first step of logically dividing the storage module into a storage module 200u-n (where n is a natural number equal to or different from the entire constituent character as two or more); And extracting a character corresponding to the first character of the signature, and then extracting a PSID (Pre-State ID) for the extracted character, and the first character distributed storage modules 200u-1 to nth of the storage device 200. Extracting the character distribution storage module 200u matching the extracted characters from the character distribution storage module 200u-n and performing signature detection for each character to perform memory access distribution for each character on the storage device 200. Second step; Characterized in that it comprises a.

In order to achieve the above object, according to another embodiment of the present invention, a character distributed memory access based network intrusion search method may include extracting a character corresponding to a first character of a signature from the character distributed access device unit 100. Extracting a PSID (Pre-State ID) for the extracted character; Character-distributed storage in which the character-distributed access device 100 matches a character extracted by the first character-distributed storage module 200u-1 to the n-th character-distributed storage module 200u-n of the storage device 200. A second step of extracting the module 200u; In the PSID_V table (PSID_Valid table 210) of the character distributed storage module 200u from which the character distributed access device 100 is extracted, the character corresponding to the next state number is extracted for the character extracted from the state number corresponding to the PSID. A third step of confirming information of one bit (1, 0) for notifying whether a progress state number or a state number ID (SID) is present; And when the bit of the PSID position of the PSID_V table 210 identified in the third step is '1' (bit of PSID_V table = '1'), PSID_V. After adding up the number of '1's up to the corresponding bit to the row corresponding to the PSID value in the PSID_V table 210, the VC table (VC table) corresponding to the row matching the summed number ( A fourth step of extracting an SID value on a SID table (SID table) 230 to be matched with the value of 220; Characterized in that it comprises a.

At this time, in the character distributed memory access based network intrusion detection method according to another embodiment of the present invention, the first step, the character distributed access device 100 extracts a character corresponding to the first character of the signature Before generating a packet ID of data.

In addition, according to another embodiment of the present invention, after the fourth step, the character distributed memory access based network intrusion search method may include the character distributed access device 100 corresponding to the next character using the SID information as the PSID information. Extracts the character distribution storage module 200u that matches the character extracted from the first character distribution storage module 200u-1 to the nth character distribution storage module 200u-n of the storage device 200 to the next character. A fifth step of performing the processes of the first to fourth steps for all the signature lists; It is preferable to further include.

In addition, in the method for detecting network intrusions based on character distributed memory access according to another embodiment of the present invention, the fourth step may include: PSID positions of the PSID_V table 210 identified in the third step. If the bit is '0' (bit of PSID_V table = '0'), the character distributed access unit 100 moves the PSID_V table 210 out of the move table 240. Extracting SID information by using location information matching the location bit value of step 4-1; It is preferable to further include.

In addition, in the character distributed memory access based network intrusion detection method according to another embodiment of the present invention, after the step 4-1, the character distributed access device 100 moves to a move table 240. Step 4-2 of determining whether the bit value of the position corresponding to the position bit value of the PSID_Valid table 210 is "0" (Bit of Move table = '0'); It is preferable to further include.

Further, according to another embodiment of the present invention, in the method of searching for network intrusion based on the character distributed memory access, after the step 4-2, the PSID_V table 210 of the move table 240 is performed. If the bit value of the position matching the location bit value of the ") " is " 0 ", the character distributed access device 100 moves to the predetermined initial state SID, and then, Extracting the character distribution storage module 200u matching the character extracted from the first character distribution storage module 200u-1 to the n-th character distribution storage module 200u-n, and then performing the above steps on the first character. Steps 4-3 to perform the fourth step according to the all signature list; It is preferable to further include.

In order to achieve the above object, a network intrusion search system based on a character distributed memory access according to an embodiment of the present invention includes a first character distributed storage module 200u-1 to an nth character distributed storage module 200u-n. a storage unit 200 logically divided into two or more (n is a natural number equal to or different from the entire constituent character); And extracting a character corresponding to the first character of the signature, and then extracting a PSID (Pre-State ID) for the extracted character, and the first character distributed storage modules 200u-1 to nth of the storage device 200. Extracting the character distribution storage module 200u matching the extracted characters from the character distribution storage module 200u-n and performing signature detection for each character to perform memory access distribution for each character on the storage device 200. Character distributed access device unit 100; It may include.

Network intrusion detection system based on the character distributed memory access and the method according to an embodiment of the present invention, the existing method of storing a state transition table (state transition table) in one memory and access one memory according to the state By dividing the state transaction table into a table for each character and distributing it to access the table for each character according to the character, it is possible to dramatically improve the efficiency of signature and PCRE search.

In addition, the character distributed memory access based network intrusion detection system and method according to another embodiment of the present invention, while solving the bottleneck problem through the memory distribution for each character while maintaining the same function as setting the transition function Moving to a loop or initial state number for a particular state number to perform also provides an effect that can be solved together.

FIG. 1 is a diagram for describing a memory bottleneck phenomenon by the conventional signature and the PCRE search processor 10.
2 is a diagram illustrating a network intrusion detection system based on character distributed memory access according to an embodiment of the present invention.
FIG. 3 illustrates a configuration of a PSID_V table 210 formed in the character distribution storage module 200u of the storage device 200 in the system for network intrusion detection based on the character distributed memory access according to an embodiment of the present invention. It is a figure which shows.
4 is a VC table (Valid Count table) 220 and the SID formed in the character distributed storage module 200u of the storage device 200 in the character distributed memory access based network intrusion search system according to an embodiment of the present invention. A diagram showing the configuration of a (State ID) table (SID table) 230 is shown.
FIG. 5 is a view illustrating a configuration of a move table 240 formed in the character distribution storage module 200u of the storage device 200 in the character intrusion memory access based network intrusion search system according to an embodiment of the present invention. 2 shows a relationship between a move table 240 and a SID_V table PSID_Valid table 210. FIG.
6 is a flowchart illustrating a method for detecting network intrusions based on character distributed memory access according to an embodiment of the present invention.

As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in detail with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

Terms including ordinal numbers such as first and second may be used to describe various components, but the components are not limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

For example, without departing from the scope of the present invention, the first component may be referred to as the second component, and similarly, the second component may also be referred to as the first component. The term and / or includes a combination of a plurality of related items or any item of a plurality of related items.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in the commonly used dictionaries should be construed as having meanings consistent with the meanings of the context of the related art, and are not to be construed in ideal or excessively formal meanings unless expressly defined in this application. Do not.

Hereinafter, with reference to the accompanying drawings will be described with reference to the accompanying drawings, a preferred embodiment of the character distributed memory access based network intrusion detection system and method thereof according to the present invention. In this process, the thickness of the lines or the size of the components shown in the drawings may be exaggerated for clarity and convenience of description. In addition, terms to be described below are terms defined in consideration of functions in the present invention, which may vary according to the intention or convention of a user or an operator. Therefore, definitions of these terms should be made based on the contents throughout the specification.

2 is a diagram illustrating a network intrusion detection system based on character distributed memory access according to an embodiment of the present invention. FIG. 3 illustrates a configuration of a PSID_V table 210 formed in the character distribution storage module 200u of the storage device 200 in the system for network intrusion detection based on the character distributed memory access according to an embodiment of the present invention. It is a figure which shows. 4 is a VC table (Valid Count table) 220 and the SID formed in the character distributed storage module 200u of the storage device 200 in the character distributed memory access based network intrusion search system according to an embodiment of the present invention. A diagram showing the configuration of a (State ID) table (SID table) 230 is shown. FIG. 5 is a view illustrating a configuration of a move table 240 formed in the character distribution storage module 200u of the storage device 200 in the character intrusion memory access based network intrusion search system according to an embodiment of the present invention. 2 shows a relationship between a move table 240 and a SID_V table PSID_Valid table 210. FIG.

First, referring to FIG. 2, the character distributed memory access based network intrusion search system 1 may include a character distributed access device unit 100 and a storage device unit 200 as two large components. .

In addition, the character distributed access device 100 includes a transceiver 110, a controller 120, and an input / output interface (I / F) 130, and the controller 120 includes a character extraction module 121. ), The state search module 122, the first progress state extraction module 123, and the second progress state extraction module 124.

In the present specification, the module may mean a functional and structural combination of hardware for performing the technical idea of the present invention and software for driving the hardware. For example, the module may mean a logical unit of a predetermined code and a hardware resource for performing the predetermined code, and means a physically connected code or does not necessarily mean one kind of hardware. It can be easily inferred by the average expert in the art.

On the other hand, the storage unit 200 is a non-volatile memory (NVM), even if the power is not supplied to maintain the stored data is not erased, flash memory (Flash Memory), MRAM (Magnetic Random Access Memory) , Phase-change random access memory (PRAM), ferroelectric RAM (FRAM), or the like, or may be transformed into volatile memory or other memory storage devices.

In addition, the storage device 200 may be logically configured as a first character distributed storage module 200u-1 to an nth character distributed storage module 200u-n (where n is two or more, the same as or different from the entire composition character). Can be distinguished.

Hereinafter, the network intrusion detection system based on the character distributed memory access will be described in detail with reference to the components of the controller 120 of the character distributed access device unit 100.

When the packet, payload or user data is input from an external communication network or an external device through the transceiver 110, the character extracting module 121 is n-tuple (m-tuple) (m). Is a packet ID separated by a natural number equal to or different from n), and a character corresponding to the first character of the signature is extracted from a character string extracted from payload or user data. Thereafter, the extracted character and the PSID (Pre-State ID) and the packet ID of the extracted character are transmitted to the PSID state search module 122. To this end, the character extraction module 121 has a separate memory for storing the first character of the pre-registered signature or accesses to the storage device 200 for storing the first character of the pre-registered signature in advance. I / F 130 may be controlled in order to detect whether or not it is correct.

The state retrieval module 122 receives the packet ID, character and PSID (Pre-State ID) extracted by the character extraction module 121, and then stores the first character distributed storage module 200u− in the storage device 200. The character distribution storage module 200u matching the extracted character is extracted from the 1) th to n th character distribution storage modules 200u-n. Thereafter, the state search module 122 performs the next state on the character extracted from the state number corresponding to the PSID in the PSID_Valid table 210 (FIG. 3B) included in the extracted character distribution storage module 200u. It is checked whether information of one bit (1, 0) for notifying whether a progress state number or a SID (State number ID) corresponding to the number is present is "1".

That is, the state retrieval module 122 accesses the PSID_Valid table 210 with the received PSID bits to determine whether the PSID location is available ('1'). As a result, it is possible to search whether the character corresponding to the received PSID (Pre-State ID) corresponds to the character assigned to the extracted character distribution storage module 200u.

On the other hand, PSID_V table (PSID_Valid table) 210 is a string of each state on the state transition table (State transition table) generated to search for signatures in the conventional Non-deterministic Finite Automata (NFA) or Deterministic Finite Automata (DFA) scheme Corresponds to a table generated by converting (Cr) and converting each cell into 1-bit (1, 0) information for notifying whether a state number or a state number ID (SID) exists next to each cell. By configuring a table for each character constituting each state transition table, one state transaction configured in the storage unit 200 corresponding to one memory device by the character distributed access device unit 100 is provided. Memory bottlenecks can be distributed by accessing each character table rather than a state transition table. It provides a function to solve the bottleneck phenomenon.

If the bit of the PSID position of the PSID_V table 210 is '1' (bit of PSID_V table = '1'), the first progress state extraction module 123 may determine the PSID_V table 210. VC table (Valid Count table) 220 corresponding to the row matching the summed number after adding up the number of '1' up to the corresponding bit in the row corresponding to the PSID value among the rows (see FIG. 4A). The SID value on the SID (State ID) table (SID table) 230 (see FIG. 4B) to be matched may be extracted by summing the values.

Here, the SID table 230 is stored together with the VC table 220 in the character distribution storage module 200u extracted by the state retrieval module 122 to thereby form the SID_V table PSID_V table. The number of '1's up to the corresponding bit and the value of the VC table 220 are added to the row corresponding to the PSID value among the 210 values as the match value, and the SID of the column corresponding to the match value. Allows the value to be extracted as the SID value corresponding to the next progress state number to proceed.

That is, the first progress state extraction module 123 accesses the SID table 230 and analyzes the match ('1': match) information and the SID information, and then combines the SID information with the packet ID. By providing to the character extraction module 121, it is possible to proceed to the above-described process for the next character corresponding to the signature.

More specifically, the first progress state extraction module 123 provides the SID information to the character extraction module 121, so that the storage device corresponding to the next character is converted into the SID information as the PSID information under the control of the character extraction module 121. After extracting the character distribution storage module 200u matching the extracted characters from the first character distribution storage module (200u-1) to n-th character distribution storage module (200u-n) of the unit 200, the extracted information It may be provided to the state search module 122 with the packet ID.

When the bit of the PSID position of the PSID_V table 210 is '0' (bit of PSID_V table = '0'), the second progress state extraction module 124 moves the table 240. In FIG. 5B, the SID information is provided to the packet ID and the character extraction module 121 using the position information matching the position bit value of the PSID_V table 210, thereby adding to the next character corresponding to the signature. To proceed.

Here, the move table 240 is formed to have the same structure as the cell grid m × l of the PSID_V table 210, and thus, the PSID_V table 210 corresponding to the sequence number of the received PSID (Pre-State ID) is provided. If there is no progress state number in the case that the PSID bit is '0' (bit of PSID_V table = '0'), each state is expressed to return to the state number corresponding to the initial state SID and to repeat the input PSID. You can create a cell with one bit (0 or 1).

Accordingly, when the value extracted from the move table 240 is '0' (bit of Move table = '0'), the second progress state extraction module 124 may proceed with the predetermined initial state SID. SID value corresponding to the progress state number can be provided to the character extraction module 121, when the value extracted from the move table (Move table 240) is '1' (bit of Move table = '1') By providing the input PSID to the character extraction module 121 (Keep now state), it provides an effect that can set the transition function while solving the bottleneck (bottleneck) problem through the memory distribution for each character.

6 is a flowchart illustrating a method for detecting network intrusions based on character distributed memory access according to an embodiment of the present invention. Referring to FIG. 6, the character distributed access device unit 100 generates a packet ID of data received from the outside, extracts a character corresponding to the first character of the signature, and then selects a PSID for the extracted character. State ID) is extracted (S11).

After the step S11, the character distributed access device 100 may extract the characters extracted from the first character distributed storage module 200u-1 to the nth character distributed storage module 200u-n of the storage device 200. Extract the character distribution storage module 200u matching with (S12).

After the step S12, the character distributed access device 100 performs the character extracted from the state number corresponding to the PSID in the extracted PSID_V table 210 of the extracted character distributed storage module 200u. Information of 1 bit (1, 0) for indicating whether a progress state number or a SID (State number ID) corresponding to the next state number is present is checked (S13).

After the step S13, the character distributed access device unit 100 determines whether the 1-bit information checked in step S13 is "1" (S14).

As a result of the determination in step S14, when the bit of the PSID position of the PSID_V table 210 identified in step S13 is '1' (bit of PSID_V table = '1'), the character distributed access device The unit 100 adds the number of '1's up to the corresponding bit to the row corresponding to the PSID value in the PSID_V table 210, and then VC corresponding to the row matching the summed number. The SID value on the SID (State ID) table (SID table) 230 to be matched by adding the values of the table VC table 220 is extracted (S15).

After the step S15, the character distributed access device 100 distributes the first character distributed storage module 200u-1 to the nth character of the storage device 200 corresponding to the next character using the SID information as the PSID information. The character distribution storage module 200u matching the extracted character in the storage module 200u-n is extracted and the processes of steps S11 to S15 for the next character are performed according to all signature lists (S16). .

On the other hand, if the bit of the PSID position of the PSID_V table 210 identified in step S13 as a result of step S14 is '0' (bit of PSID_V table = '0'), the character The distributed access device unit 100 extracts SID information using location information matching the location bit value of the PSID_V table 210 in the move table 240 (S17).

After the step S17, the character distributed access device 100 may determine that the bit value of the position that matches the position bit value of the PSID_V table 210 in the move table 240 is "0". It is determined whether or not (Bit of Move table = '0') (S19).

As a result of the determination in step S19, when the bit value of the position that matches the position bit value of the PSID_V table 210 in the move table 240 is "0", the character distributed access device The unit 100 moves to a predetermined initial state SID, and then, in the first character distributed storage module 200u-1 to the nth character distributed storage module 200u-n of the storage device 200 corresponding to the next character. The character distribution storage module 200u matching the extracted character is extracted and the processes of steps S11 to S15 for the next character are performed according to all signature lists (S20).

On the other hand, when the bit value of the position matching the position bit value of the PSID_V table (PSID_Valid table) 210 of the move table 240 is "1", as a result of the determination in step S19, the character distribution type The access device 100 moves to the PSID extracted in step S11, and then the first character distributed storage module 200u-1 to the nth character distributed storage module of the storage device 200 corresponding to the next character. The character distribution storage module 200u matching the extracted character at 200u-n is extracted and the processes of steps S11 to S15 for the next character are performed according to all signature lists (S21).

The invention can also be embodied as computer readable code on a computer readable recording medium. Computer-readable recording media include all kinds of recording devices that store data that can be read by a computer system.

Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices, and the like, which are also implemented in the form of carrier waves (eg, transmission over the Internet). It also includes.

The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion. And functional programs, codes and code segments for implementing the present invention can be easily inferred by programmers in the art to which the present invention belongs.

As described above, the present specification and drawings have been described with respect to preferred embodiments of the present invention, although specific terms are used, it is only used in a general sense to easily explain the technical contents of the present invention and to help the understanding of the present invention. It is not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention can be carried out in addition to the embodiments disclosed herein.

1: Network Intrusion Detection System based on Character Distributed Memory Access
100: character distributed access device
110: transceiver
120: control unit
121: character extraction module
122: state search module
123: First Progress State Extraction Module
124: second progress state extraction module
130: I / O I / F
200: storage unit
200u-1: first character distributed storage module
200u-n: nth character distributed storage module

Claims (8)

delete A first step of the character distributed access device unit 100 extracting a character corresponding to the first character of the signature and then extracting a PSID (Pre-State ID) for the extracted character;
Character distributed storage device that the character distributed access device 100 is matched with the characters extracted from the first character distributed storage module (200u-1) to n-th character distributed storage module (200u-n) of the storage device 200 Extracting the module 200u;
In the PSID_V table (PSID_Valid table 210) of the character distributed storage module 200u from which the character distributed access device 100 is extracted, the character corresponding to the next state number is extracted for the character extracted from the state number corresponding to the PSID. A third step of confirming information of one bit (1, 0) for notifying whether a progress state number or a state number ID (SID) is present; And
If the character distributed access device 100 has a bit of the PSID position of the PSID_V table 210 identified in the third step is '1' (bit of PSID_V table = '1'), the PSID_V table After adding up the number of '1's up to the corresponding bit to the row corresponding to the PSID value among the (PSID_V table) 210, the VC table corresponding to the row matching the summed number (VC table) 220 A fourth step of extracting the SID value on the SID table (SID table) 230 to be matched with the sum of Characteristic distributed memory access based network intrusion detection method comprising a.
The method of claim 2, wherein the first step,
Character distributed access device 100 generates a packet ID of the data before extracting the character corresponding to the first character of the signature, character distributed memory access based network intrusion detection method.
The method according to claim 3, After the fourth step,
The character distributed access device 100 uses the SID information as the PSID information, so that the first character distributed storage module 200u-1 to the nth character distributed storage module 200u-n of the storage device 200 corresponding to the next character. A fifth step of extracting a character distribution storage module 200u matching the extracted character from the first step) and performing the first to fourth steps for the next character according to all the signature lists; Characteristic distributed memory access based network intrusion detection method further comprises.
The method of claim 3, wherein the fourth step,
If the bit of the PSID position of the PSID_V table 210 identified in the third step is '0' (bit of PSID_V table = '0'), the character distributed access device 100 A fourth step of extracting SID information using location information matching the location bit value of the PSID_V table 210 of the move table 240; Characteristic distributed memory access based network intrusion detection method further comprises.
The method according to claim 5, After the 4-1 step,
Whether the bit value of the position where the character distributed access device 100 matches the position bit value of the PSID_V table 210 in the move table 240 is "0" (Bit of Move) step 4-2 of determining table = '0'); Characteristic distributed memory access based network intrusion detection method further comprises.
The method according to claim 6, After the step 4-2,
If the bit value of the position that matches the position bit value of the PSID_V table 210 of the move table 240 is "0", the character distributed access device unit 100 determines the initial state. After moving to the SID, the character dispersion is matched with the character extracted from the first character distribution storage module 200u-1 to the n-th character distribution storage module 200u-n of the storage unit 200 corresponding to the next character A fourth to third step of extracting the storage module 200u and performing the first to fourth steps of the next character according to all the signature lists; Characteristic distributed memory access based network intrusion detection method further comprises.
delete

Images