计算机应用 ›› 2011, Vol. 31 ›› Issue (11): 2961-2964.DOI: 10.3724/SP.J.1087.2011.02961

• 信息安全 • 上一篇    下一篇

用于网络入侵检测的模式匹配新方法

樊爱京1,杨照峰2   

  1. 1. 平顶山学院 网络计算中心,河南 平顶山 467002
    2. 平顶山学院 软件学院,河南 平顶山 467002
  • 收稿日期:2011-05-03 修回日期:2011-06-21 发布日期:2011-11-16 出版日期:2011-11-01
  • 通讯作者: 樊爱京
  • 作者简介:樊爱京(1970-),男,河南内乡人,副教授,硕士,主要研究方向:计算网络安全;杨照峰(1978-),男,河南襄城人,讲师,硕士,主要研究方向:计算网络安全。

New method of pattern-matching for network intrusion detection

FAN Ai-jing1,YANG Zhao-feng2   

  1. 1. Network Computer Center, Pingdingshan University,Pingdingshan Henan 467002, China
    2. School of Software Engineering, Pingdingshan University, Pingdingshan Henan 467002, China
  • Received:2011-05-03 Revised:2011-06-21 Online:2011-11-16 Published:2011-11-01
  • Contact: FAN Ai-jing

摘要: 针对新一代网络入侵检测系统(NIDS)的创建需要先进的模式匹配引擎,提出一种模式匹配的新方案,利用基于硬件的可编程状态机技术(B-FSM)来实现确定性处理过程。该技术可以在一个输入流中同时获取大量模式,并高效地映射成转换规则。通过对网络入侵检测系统中普遍采用的规则集(Snort)进行实验,实验结果表明该方法具有存储高效、执行速度快、动态可更新等特点,可以满足NIDS的需要。

关键词: 网络入侵检测系统, 可编程状态机, 模式匹配, 转换规则

Abstract: New generations of Network Intrusion Detection Systems (NIDS) create the need for advanced pattern-matching engines. This paper presented a new scheme for pattern-matching, which adopted a hardware-based programmable state machine technology to achieve deterministic processing rates. A lot of patterns can be obtained in one input stream by Balanced Routing Table-based FSM (B-FSM), and transition rules can be mapped effectively. Experiments had been done with Snort used widely in network intrusion detection systems. The experimental results show that the method is effective in storage, fast in operation, and renewable dynamically. The method proposed in this paper can satisfy the requirement of NIDS.

Key words: Network Intrusion Detection System (NIDS), Balanced Routing Table-based FSM (B-FSM), pattern-matching, transition rule