Research and optimization of pattern matching algorithm based on Intrusion Detection System
Author: QIN Hai-sheng, LI Xin-hua, WEI Hai-lan, LI Jun-hui
Publisher: International Conference on Business Management and Electronic Information 2011
Presenter: Zi-Yang Ou
Date: 2011/9/14
Outline
Introduction
Pattern Matching Algorithm
Single Pattern Matching Algorithm
Many Pattern Matching Algorithm
Experimental Analysis
Introduction
An intrusion detection system, as the second line of defense after the firewall in a computer security system, can improve computer security performance.
At present, the analysis module of an intrusion detection system uses pattern matching technology.
Pattern Matching Algo.
Pattern matching, that is, character string matching, finds a character string in the target string T = t1t2…tn that exactly matches the given pattern string P = p1p2…pm.
Single pattern matching:
In text T, only one pattern string can be matched.
Many pattern matching (multi-pattern matching):
In text T, several pattern strings can be matched at the same time.
Single Pattern Matching Algo.
BM algorithm
BMHS algorithm
Improved single pattern matching algorithm: BMHSL
BM
Align pattern string P and text T from left to right, but perform the matching operation from right to left.
If the matching fails, the two offset functions Badchar and Goodsuffix, computed in preprocessing, work out the distance by which pattern string P moves to the right; T and P are then aligned again to match.
BM
Goodsuffix: a substring U of the pattern string has already been matched with a substring in T. If the string U occurs again in P, the pattern string is moved so that this next occurrence of U lines up with the matched text; otherwise the pattern leaps over the whole distance.
BM
T: a b c d e j u s t I n
P: j u s t
P:         j u s t
P:           j u s t
T: a b c a b a b
P: c a b a b
P:     c a b a b
Badchar values for pattern j u s t:
others  j  u  s  t
4       3  2  1  4
BMHS
If the character T[k+1] does not occur in the pattern string, move the pattern m+1 positions.
T: a b c d e j u s t I n
P: j u s t
P:           j u s t
T: a b c a b a b
P: c a b a b
P:     c a b a b
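An added example, not code from the slides or the paper: the BMHS shift rule applied to a text and pattern, recording every alignment tried so the skips can be compared with the two slide examples. It assumes k on the slide is the last index of the current window, so T[k+1] is `text[k + m]` when `k` is the window start, as in this code.

```python
def bmhs_search(text, pattern):
    """Return (match_positions, alignments_tried) for a BMHS search.

    Positions are 0-based window starts. Assumption: the slide's T[k+1]
    is the text character just past the current window.
    """
    n, m = len(text), len(pattern)
    if m == 0:
        raise ValueError("pattern must not be empty")
    # Shift keyed on the character just past the window: distance from its
    # rightmost occurrence in P to the end of P, plus one. Characters that
    # do not occur in P fall back to m + 1 (the rule on the slide).
    shift = {ch: m - i for i, ch in enumerate(pattern)}
    matches, tried = [], []
    k = 0
    while k <= n - m:
        tried.append(k)
        j = m - 1
        while j >= 0 and text[k + j] == pattern[j]:   # compare right to left
            j -= 1
        if j < 0:
            matches.append(k)
        if k + m >= n:                                # nothing past the window
            break
        k += shift.get(text[k + m], m + 1)
    return matches, tried


if __name__ == "__main__":
    # The two text/pattern pairs from the slide, then a constructed payload.
    for t, p in [("abcdejustIn", "just"), ("abcabab", "cabab"),
                 ("GET /index.html HTTP/1.1", "HTTP")]:
        hits, tried = bmhs_search(t, p)
        print(f"{p!r} in {t!r}: matches={hits}, alignments tried={tried}")
```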
BMHSL
1. Reduce the unnecessary matching (English)
2. Move the distance as long as possible
Character set Σ1 in P; Σ2 in T
The frequency t in P of every character in Σ1 ∩ Σ2
Find the character K which appears least, and record the locate[i] of K appearing in text T and the distance d[i]
If T[k+1] belongs to Σ1, move to locate[i+1]
Else, if d[i]+d[i+1]+...+d[i+j] > m+1, move to locate[i+j]
BMHSL
a f f d g e f c c f g h
f g h
f g h => d[2]+d[3] > 4, move to locate[3]
f g h
f g h
K=f
locate[i] of K : 2, 3, 7, 10
d[i] : 1, 4, 3
Many Pattern Matching Algo.
When several pattern strings need to be matched, using single pattern matching has low efficiency.
AC algorithm
AC-BM algorithm
Improved AC-BM algorithm: AC-BML
AC
In the preprocessing stage, the AC algorithm builds the pattern strings into a tree-shaped finite state automaton.
The matching process starts from the root of the tree. If the scanned character is not the next character of a pattern string, the automaton turns to another state, which is a suffix of the current state.
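The automaton described above, as an added example (not code from the slides or the paper): goto edges form the pattern tree, and each failure link points to the state for the longest proper suffix of the current state that is also a path from the root. The signature strings and the payload are constructed sample data.

```python
from collections import deque

def build_ac(patterns):
    """Build goto / fail / output tables; state 0 is the root of the tree."""
    goto, fail, out = [{}], [0], [[]]
    for p in patterns:                      # insert each pattern into the tree
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); out.append([])
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].append(p)
    queue = deque(goto[0].values())         # depth-1 states fail to the root
    while queue:                            # breadth-first: parents before children
        s = queue.popleft()
        for ch, nxt in goto[s].items():
            f = fail[s]
            while f and ch not in goto[f]:  # walk suffix states until ch fits
                f = fail[f]
            fail[nxt] = goto[f].get(ch, 0)
            out[nxt] = out[nxt] + out[fail[nxt]]   # inherit suffix matches
            queue.append(nxt)
    return goto, fail, out

def ac_search(text, automaton):
    """Scan text once; return (start_index, pattern) for every occurrence."""
    goto, fail, out = automaton
    s, hits = 0, []
    for i, ch in enumerate(text):
        while s and ch not in goto[s]:      # mismatch: fall back to a suffix state
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits.extend((i - len(p) + 1, p) for p in out[s])
    return hits

# Constructed sample signatures and payload, for illustration only.
SIGNATURES = ["cmd.exe", "exe", "/etc/passwd", "passwd"]
PAYLOAD = "GET /a/cmd.exe?f=/etc/passwd HTTP/1.0"

if __name__ == "__main__":
    for pos, sig in ac_search(PAYLOAD, build_ac(SIGNATURES)):
        print(f"offset {pos}: {sig}")
```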
AC-BM
In 1993, on the basis of AC, Jang Jong used the leap idea of BM and proposed AC-BM.
The preprocessing stage follows the idea of AC.
In the matching process, align the shortest pattern string of the pattern tree with the right of the target string, then match from right to left of the pattern tree.
When matching fails, the pattern tree needs to move left.
Goodsuffix is the same as BM's.
AC-BM
T: a b b c f b a e b b c f g h
[Figure: pattern tree matched against T; node labels as extracted: h b, d, a b b c, f, b d]
AC-BML
When several pattern strings have the same prefix, a single pattern matching algorithm can handle this situation and improve the efficiency of the whole matching process.
AC-BML builds on the AC-BM algorithm, combining it with the BMHSL algorithm.
Apply BMHSL to the common prefix of the pattern strings, find all the locations w_i where a character string in the text matches the prefix, and record them.
At the beginning, align the root node of the pattern tree directly with the location w_1 in the text string.
If the matching fails, move the pattern tree left; the distance is determined by the following functions.
The Badchar function is the same as AC-BM's.
distance(i) = w_i - w_{i-1}
If the value of distance(i) is greater, move the pattern tree to w_{i-1} to match.
If the value of Badchar(c) is greater, set distance(i) to w_i - w_{i-2}, then compare the values of the two functions again.
Experimental Analysis