1 / 19

Research and optimization of pattern matching algorithm based on Intrusion Detection System

Research and optimization of pattern matching algorithm based on Intrusion Detection System. Author : QIN Hai-sheng, LI Xin-hua, WEI Hai-lan, LI Jun-hui Publisher: International Conference on Business Management and Electronic Information 2011 Presenter: Zi-Yang Ou Date: 2011/9/14.

jane-pollard
Download Presentation

Research and optimization of pattern matching algorithm based on Intrusion Detection System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Research and optimization of pattern matching algorithm based on Intrusion Detection System Author: QIN Hai-sheng, LI Xin-hua, WEI Hai-lan, LI Jun-hui Publisher: International Conference on Business Management and Electronic Information 2011 Presenter: Zi-Yang Ou Date: 2011/9/14

  2. Outline • Introduction • Pattern Matching Algorithm • Single Pattern Matching Algorithm • Many Pattern Matching Algorithm • Experimental Analysis

  3. Introduction • Intrusion detection system, as the second line of defense after the firewall in computer security system, can well improve the Computer security performance. • At present intrusion detection system analysis module uses the pattern matching technology.

  4. Pattern Matching Algo. • Pattern matching, that is character string matching, to find a certain character string in the target character string T = t1t2…tn to exactly matched with given pattern strings P = p1p2…pm. • Single pattern matching: In text T, only one pattern string can be matched. • Many pattern matching: In text T, several pattern strings can be matched at the same.

  5. Single Pattern Matching Algo. • BM algorithm • BMHS algorithm • Improved single pattern matching algorithm : BMHSL

  6. BM • Align pattern strings P and text T from left to right, but the matching operation starts from right to left. • If the matching fails, 2 Offset functions Badchar and Goodsuffix in preprocessing will work out the distance which pattern strings P moves toward right, and align T and P again to match.

  7. BM • Goodsuffix : Substring U in the pattern strings has already been matched with one substring in T, if there is still a character string U in P , pattern strings will be moved some distance to make next substring U match, or leap over the whole distance.

  8. BM a b c d e j u s t I n j u s t j u s t j u s t a b c a b a b c a ba b c a b a b

  9. BMHS • If the character T[k+1] does not exist in the pattern strings, move toward m+1. a b c d e j u s t I n j u s t j u s t a b c a b a b c a ba b c a b a b

  10. BMHSL • 1. Reduce the unnecessary matching (English) 2. To move the distance as long as possible • character set Σ1 in P ; Σ 2 in T • the frequency t in P of every character in Σ 1 ∩Σ 2 • find out character K which appears least and record the locate[i] of K appearing in text T and the distance d[i] • If T[k+1] belongs to Σ 1, moves to locate[i+1] • Else, • if d[i]+d[i+1] +...+d[i+j]>m+1, move to locate[i+ j]

  11. BMHSL a f f d g e f c c f g h f g h f g h =>d[2]+d[3] > 4, move to locate[3] f g h f g h K=f locate[i] of K : 2, 3, 7, 10 d[i] : 1, 4, 3

  12. Many Pattern Matching Algo. • When several pattern strings need to match, using Single pattern matching has low efficiency. • AC algorithm • AC-BM algorithm • Improved AC-BM algorithm : AC-BML

  13. AC • In the preprocess stage, AC algorithm form several pattern strings into Tree finite state automata. • The matching process starts from the root of the tree. If the scanning shows the character is not the next character of pattern strings, it turns to another situation which is the suffix of current situation.

  14. AC

  15. AC-BM • In 1993, on the basis of AC, Jang Jong used the leap idea of BM and proposed AC-BM. • In the preprocess stage, according to the idea of AC. • In the matching process, align the pattern strings with shortest length of character of pattern tree with the right of target string, then match from right to left of pattern tree. • When matching fails, pattern tree needs to move left. Goodsuffix is the same as BM’s.

  16. AC-BM a b b c f b a e b b c f g h h b d a b b c f b d

  17. AC-BML • When several pattern strings have the same prefix, Single pattern matching algorithm can solve this situation and improve the efficiency of the whole matching process. • Using the basis of AC - BM algorithm combing BMHSL algorithm. • Apply BMHSL to the same prefix of pattern strings, find out all the locations wi where character string in the text can match with prefix and record them. • Align the root node of pattern tree with the location of w1 in the text string directly at the beginning.

  18. If the matching fails, more the pattern tree left, and the distance can be determined by the following functions. • Badchar function is the same as AC-BM’s. • distance (i) =Wi-Wi-1 • If the value of distance(i) is greater, move the pattern tree to wi-1 to match. • If the value of Badchar(c) is greater, make distance (i) to be Wi-Wi-2, then compare the value of two functions again.

  19. Experimental Analysis

More Related