Title: Improving the Efficiency of Packet Filtering in a Rule-Based Intrusion Detection System (Chinese title: 改善以規則為基礎的入侵偵測系統封包比對效能之研究)
Authors: Sophia Lin (林惠君)
Dr. Chi-Chun Lo (羅濟群)
Institute: Institute of Information Management
Keywords: intrusion detection; pattern matching; string matching; clustering; longest common consecutive substring; longest common subsequence
Issue date: 2002
Abstract (translated from the Chinese): Although a rule-based NIDS has the key advantage of high detection accuracy, packet inspection performance is a major bottleneck. With the arrival of high-speed networks, an NIDS must be able to inspect packets quickly; otherwise, under a flood of packets, suspicious packets get a chance to slip through. The most time-consuming step in packet inspection is string matching, so the first way to speed up packet matching is to speed up the string matching process. This thesis takes the well-known open-source IDS SNORT as its baseline architecture and applies the concept of cluster analysis on top of SNORT's hierarchical matching architecture to classify and match strings. Two different cluster analysis methods are used: one clusters the strings by their longest common consecutive substring, the other by their longest common subsequence. Finally, the clustering results are combined with the original signature rules, and the resulting groups are used to narrow the range of patterns a packet must be matched against, making IDS packet matching more efficient.
Abstract (English): A rule-based Network Intrusion Detection System (NIDS) has the critical advantage of high detection accuracy; however, the packet filtering performance of a rule-based NIDS is a major bottleneck and a vulnerable point on high-speed LANs. Many papers assert that string matching is the performance bottleneck of the packet filtering procedure. Therefore, to improve the efficiency of an NIDS, we need to speed up string matching. This thesis is based on the architecture of SNORT, the best-known and most widely adopted open-source IDS, and presents a new method that modifies the string matching procedure of the original architecture. In our method, we use two different string comparison algorithms to construct the pattern rule groups: Longest Common Consecutive Substring and Longest Common Subsequence. After clustering the pattern rules, we obtain the rule groups and apply them to the original pattern rules. Finally, we examine the performance of the modified architecture and find that the performance of the IDS is clearly improved, because fewer groups need to be examined in the string matching function.
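As an added illustration of the clustering idea in the abstract (example code, not from the thesis or from SNORT), the following Python computes the longest common consecutive substring (LCCS) and the longest common subsequence length between signature strings, greedily groups constructed SNORT-style content patterns by LCCS, and then uses each group's shared substring as a prefilter so that only patterns in groups whose key occurs in a packet payload are handed to the full matcher. The sample patterns, the grouping policy and the 4-byte threshold are assumptions.

```python
# Added example (not from the thesis or SNORT): group content patterns by their
# longest common consecutive substring (LCCS) and prefilter packets with it.

def lccs(a: bytes, b: bytes) -> bytes:
    """Longest common consecutive substring of a and b (dynamic programming)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def lcs_len(a: bytes, b: bytes) -> int:
    """Longest common subsequence length (the thesis's second, non-consecutive measure)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def cluster_patterns(patterns, min_common=4):
    """Greedy grouping (assumed policy): a pattern joins the first group whose key
    shares an LCCS of at least min_common bytes; the key shrinks to that common
    substring, so it stays a substring of every member of the group."""
    groups = []  # each entry is [key, [member patterns]]
    for p in patterns:
        for g in groups:
            common = lccs(g[0], p)
            if len(common) >= min_common:
                g[0], g[1] = common, g[1] + [p]
                break
        else:
            groups.append([p, [p]])
    return groups

def candidate_patterns(payload: bytes, groups):
    """Only members of groups whose key occurs in the payload need full matching."""
    return [p for key, members in groups if key in payload for p in members]

# Constructed sample signatures in the spirit of SNORT content strings.
PATTERNS = [b"/cgi-bin/phf", b"/cgi-bin/test-cgi", b"/cgi-bin/handler",
            b"/etc/passwd", b"cat /etc/shadow"]
GROUPS = cluster_patterns(PATTERNS)
```

With the sample patterns the five signatures collapse into two groups keyed by `/cgi-bin/` and `/etc/`, so a payload containing neither key skips all five patterns entirely.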
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT910396025
http://hdl.handle.net/11536/70297
Appears in collections: Theses