提高Snort规则匹配速度的研究

Snort是一种基于规则匹配的误用入侵检测系统,基于规则的模式匹配是Snort检测引擎的主要机制,也是衡量其性能的重要指标.由于当前Snort采用的规则树结构过于简单,造成某些RTN下的OTN链比较庞大;匹配过程中,OTN各个选项的匹配顺序仍然局限于安全专家根据领域知识,人为而定,从而造成某些重要选项不能得到优先匹配,大大降低了Snort的匹配速度,严重影响检测效率.为解决上述问题,将数据挖掘技术应用到Snort入侵检测系统中,利用数据挖掘中的ID3算法,对Snort规则库中的规则进行挖掘,选取信息增益最大的属性作为Snort优先匹配的属性,从而提高了规则匹配的速度.

Research on increasing speed of rule-matching in snort

Snort is an intrusion detection system based on rule-matching.Rule-matching is an important mechanism of Snort,and a index of its capacity.For the rule-tree of snort is so simple that there are a lot of OTNS behind RTN;the matching-sequence of items of OTN is decided by security experts,therefore some important items are not matched first.In a word,the mechanism of rule-matching decreases snort's detection capacity greatly.To resolve these issues,data-mining technology is used in Snort intrusion detection system,and ID3 algorithm is used to mine snort's rules to get some important attributes having highest information-gain.Searching first in detec-tion process of snort,consequently the detection speed of snort is increased.