面向入侵检测系统的模式匹配算法研究.PDF

Vo1. 44 No. 9 第 44 卷第9 期 计算机科学 2017 年 9 月 COMPUTER SCIENCE Sep.2017 面向入侵检测系统的模式匹配算法研究 徐周波张永超古天龙宁黎华 (桂林电子科技大学广西可信软件重点实验室 桂林 541004) 摘 要入侵检测系统Snort 检测的基本原理是模式匹配。为了提高模式匹配算法的效率，材、两方面对 Snort 中的 BM 算法进行改进。首先，为了增大模式串移动的距离，改进算法利用了与模式串最右端对齐的下一个及第二个文本 字符，以及这两个字符再向右偏移模式串长度所对应字符在模式串中的出现情况，最大移动距离达到了 2m+2。其 次，为了增大失配时大的移动距离出现的概率，利用了最右端字符与其下一个字符的组合概率特性。最后，对算法进 行了性能测试。测试结果表明改进算法减少了窗口移动次数和字符比较次数，提高了匹配效率。 关键词入侵检测，Snort ，模式匹配，BM 改进算法 中图法分类号 TP312 文献标识码 A 001 10. 11896/j. issn. 1002-137叉 2017.09.025 Research on Pattem Matching Algorithm in Intrusion Detection System XU Zhou-bo ZHANG Yong-chao GU Tian-long NING Li-hua (Guangxi Key Laboratory of Trusted Software ,Guilin University of Electronic Technology ,Guilin 541004 ,China) Abstract As an network intrusion detection system ,Snort s detection principle is based on pattern matching. In order to improve the efficiency of the matching algorithm ,the BM algorithm in Snort was improved from two aspects. Firstly , in order to increase the moving distance when missing match ,the two characters following the character which is aligned with the rightmost location of the pattern in the text and the two corresponding characters moved by length of the pat tern are taken into consideration. And the most moving distance is 2m+2. Furthermore ,the appearance frequency of the bigger moving distance when missing match is increased by using the probability characteristic of the combination of the rightmost and its next characters. Finally , experiments on these algorithms were conducted. The experimental results show