
Computer Engineering (计算机工程) ›› 2009, Vol. 35 ›› Issue (6): 170-172. doi: 10.3969/j.issn.1000-3428.2009.06.059

• Security Technology •

Adaptive Pattern Matching Technology for Intrusion Detection (original title: 入侵检测中的自适应模式匹配技术)

高朝勤, 陈元琰, 李梅 (GAO Chao-qin, CHEN Yuan-yan, LI Mei)

  1. (College of Computer Science and Information Engineering, Guangxi Normal University, Guilin 541004)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2009-03-20 Published: 2009-03-20

Adaptive Pattern Matching Technology for Intrusion Detection

GAO Chao-qin, CHEN Yuan-yan, LI Mei   

  1. (College of Computer Science and Information Engineering, Guangxi Normal University, Guilin 541004)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2009-03-20 Published: 2009-03-20

Abstract (translated from the Chinese): Pattern matching is both the core technology of a network intrusion detection system (NIDS) and the part of the NIDS that consumes the most resources, and it is becoming the performance bottleneck of NIDS. Most existing pattern matching algorithms adopt statically defined optimization strategies that do not take the characteristics of network traffic and intrusion detection rules into account. This paper proposes an adaptive pattern matching algorithm, AMPM, which dynamically collects statistics on the characteristics of the network traffic and the rule group and, based on those statistics, automatically selects the most suitable pattern matching algorithm. Tests show that AMPM improves the performance of existing NIDS by 9.4% to 29.1% and adapts better to large rule sets.

Key words (translated from the Chinese): adaptive, pattern matching, intrusion detection, network security

Abstract: Pattern matching computations dominate the overall cost of running a Network Intrusion Detection System (NIDS). With network speeds and the number of rules constantly increasing, pattern matching, as a key component, is becoming the bottleneck of the NIDS. Existing pattern matching approaches mostly apply statically defined optimizations that do not take into account the characteristics of the network traffic and the attack signatures. This paper proposes an adaptive multi-pattern matching algorithm designed specifically for network intrusion detection systems, called AMPM. AMPM dynamically captures traffic and rule properties and selects the most suitable algorithm for inspecting packets. Experimental results show that the performance of an existing NIDS applying AMPM improves by 9.4% to 29.1%, and that AMPM scales better to large rule sets.
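The mechanism both abstracts describe, choosing a matcher from measured rule-group and traffic statistics rather than fixing one in advance, sketched as an added Python example that is not the paper's code. The profile features, the selection thresholds and the two candidate engines (an Aho-Corasick automaton and a per-pattern scan) are assumptions standing in for whatever AMPM actually measures and selects among; rule strings and payloads in the usage are constructed.

```python
from collections import deque

def build_ac(patterns):  # Aho-Corasick over bytes: (goto, fail, out) tables
    goto, out = [{}], [set()]
    for p in patterns:
        s = 0
        for b in p:
            if b not in goto[s]:
                goto[s][b] = len(goto); goto.append({}); out.append(set())
            s = goto[s][b]
        out[s].add(p)
    fail, queue = [0] * len(goto), deque(goto[0].values())  # depth-1 states fail to root
    while queue:
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]  # inherit patterns that end at the fail state
    return goto, fail, out

def ac_search(ac, data):  # one pass over the payload -> {(pattern, offset)}
    goto, fail, out = ac
    s, hits = 0, set()
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= {(p, i - len(p) + 1) for p in out[s]}
    return hits

def naive_search(patterns, data):  # one scan per pattern: cheap for few rules on short payloads
    return {(p, i) for p in patterns for i in range(len(data)) if data.startswith(p, i)}
def profile(patterns, packets):  # rule-group and traffic statistics (feature choice is assumed)
    return {"rules": len(patterns), "avg_payload": sum(map(len, packets)) / max(len(packets), 1)}
def select_algorithm(stats):  # assumed heuristic and thresholds, not the paper's
    return "naive" if stats["rules"] <= 4 and stats["avg_payload"] < 64 else "aho_corasick"
def match_adaptive(patterns, packets, window=2):
    """Re-profile every `window` packets and dispatch; returns (choices, {(pkt_idx, pattern, off)})."""
    ac, choices, hits = build_ac(patterns), [], set()
    for start in range(0, len(packets), window):
        chunk = packets[start:start + window]
        algo = select_algorithm(profile(patterns, chunk))
        choices.append(algo)
        for k, pkt in enumerate(chunk):
            found = ac_search(ac, pkt) if algo == "aho_corasick" else naive_search(patterns, pkt)
            hits |= {(start + k, p, off) for p, off in found}
    return choices, hits
```

Both engines return identical hit sets, so the choice only changes cost; a real selector would re-profile on a timer or packet counter and would also weigh rule-group features such as the shortest pattern length.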

Key words: adaptive, pattern matching, intrusion detection, network security
