Similar Literature
20 similar documents found; search took 156 ms
1.
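陶善旗, 李俊, 郭伟群, 李海龙. 《微机发展》, 2010, (2): 167-170, 174
The performance of an intrusion detection system depends largely on the efficiency of rule detection, and the pattern matching algorithm is the core algorithm of the rule detection engine. Pattern matching algorithms are studied, with a focus on the multi-pattern matching Wu-Manber algorithm. To address the short shift distance of the Wu-Manber algorithm when single-byte patterns are present, and taking into account the characteristics of network packets and of the rules in intrusion detection systems, an improved pattern matching algorithm suited to intrusion detection systems is proposed. The algorithm uses a bitmap to solve the problem of matching single-byte patterns, which increases the shift distance, speeds up the matching of packets against rules, and improves the running efficiency of the system.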

2.
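Research on and Improvement of Pattern Matching Algorithms in Intrusion Detection Systems   Total citations: 2, self-citations: 0, citations by others: 2
The performance of an intrusion detection system depends largely on the efficiency of rule detection, and the pattern matching algorithm is the core algorithm of the rule detection engine. Pattern matching algorithms are studied, with a focus on the multi-pattern matching Wu-Manber algorithm. To address the short shift distance of the Wu-Manber algorithm when single-byte patterns are present, and taking into account the characteristics of network packets and of the rules in intrusion detection systems, an improved pattern matching algorithm suited to intrusion detection systems is proposed. The algorithm uses a bitmap to solve the problem of matching single-byte patterns, which increases the shift distance, speeds up the matching of packets against rules, and improves the running efficiency of the system.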

3.
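Research on Optimizing Pattern Matching Algorithms in Network Intrusion Detection Systems   Total citations: 1, self-citations: 0, citations by others: 1
In research on network security, pattern matching is a commonly used detection algorithm in network intrusion detection. As networks grow ever larger, traditional pattern matching algorithms, because of the large number of intrusions and excessive space consumption, often produce invalid matches and missed matches, which leads to problems such as low detection accuracy. To raise detection accuracy and speed up detection, an improved pattern matching network intrusion detection algorithm (IACBM) is proposed. IACBM first introduces the skipping idea of the BMH and QS algorithms into intrusion detection and simplifies the skip rules, effectively preventing invalid matches and missed matches. It then matches using a hybrid of the single-pattern matching (BM) algorithm and the multi-pattern matching (AC) algorithm, which makes the intrusion detection algorithm more flexible. Finally, validation experiments on IACBM are carried out using the DARPA network intrusion data. The experimental results show that, compared with the traditional pattern matching intrusion detection algorithms BM, AC and ACBM, IACBM detects intrusions faster while improving detection accuracy by more than 5% on average. IACBM is an efficient and secure network intrusion detection algorithm.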

4.
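In intrusion detection, improving the pattern matching algorithm yields only limited gains in detection speed and is not a fundamental solution to the problem. This paper designs a prototype of a hardware-based intrusion detection system. The system replaces the software approach of traditional intrusion detection with a hardware approach based on a network processor, implementing the main work of intrusion detection, such as data capture and filtering, packet scheduling and multi-pattern matching, in hardware. All of these are implemented on an FPGA, and hardware and custom instructions can be added as needed to improve system performance. Tests show that the performance of the system is significantly better than that of traditional methods and that it resolves the speed bottleneck in intrusion detection well.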

5.
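To address the heavy computation and the high false-negative and false-positive rates of traditional intrusion detection systems, the design adopts an intrusion detection model based on protocol analysis combined with traditional pattern matching algorithms. The system is designed on the Linux platform and covers network packet construction, packet capture, packet protocol analysis, intrusion rule creation, pattern matching, intrusion event detection and intrusion response. Analysis of system performance shows that this intrusion detection system offers fast detection and a low false-negative rate.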

6.
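To address the low detection efficiency and high packet loss rate of intrusion detection systems when inspecting network packets against attack signatures, an improved matching algorithm is proposed, based on an analysis of typical pattern matching algorithms and on the characteristics of pattern matching in intrusion detection. The algorithm first finds the set of non-repeating characters in the pattern string, then finds in the target string the character from that set with the lowest occurrence frequency and uses it to match the pattern against the target string. Experiments show that the algorithm has good matching efficiency for pattern matching in intrusion detection.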

7.
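A Fast Multi-Pattern Matching Algorithm in Intrusion Detection Systems   Total citations: 7, self-citations: 0, citations by others: 7
Network intrusion detection systems often rely on exact pattern matching techniques, and depend on the choice of algorithm, its implementation and its frequency of use. This pattern matching can become the bottleneck of an intrusion detection system. To keep up with rapidly growing network speeds and network traffic, Snort (an open-source network intrusion detection system) adopted a fast multi-pattern matching algorithm. This paper describes a notable fast multi-pattern matching algorithm in Snort and the improvement it brings to system performance.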

8.
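To protect computer network security effectively while improving the capability and efficiency of computer network intrusion detection, the application of a multi-pattern matching algorithm to automatic network intrusion detection is proposed. First, the fast detection engine is initialized so that rule sets are distinguished quickly and effectively. Second, the pattern matching linked list is constructed and the rules in the system configuration file are read. Finally, network packets are inspected to ensure computer network security. A comparison of experimental results clearly shows that, relative to traditional algorithms, applying the multi-pattern matching algorithm to automatic network intrusion detection is more practical and can process intrusion data at high speed; within the same time range, the overshoot of the multi-pattern matching algorithm far exceeds that of traditional algorithms.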

9.
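As network speeds and the number of intrusion detection rules continue to grow, pattern matching is becoming the performance bottleneck of network intrusion detection systems. A new Wu-Manber-type pattern matching algorithm is proposed. By grouping the patterns and applying different matching methods to different sub-pattern groups, it significantly improves the efficiency of pattern matching. Comparative experiments show that when the pattern group contains patterns of length less than 3, the new algorithm performs on average 29% to 44% better than the original algorithm.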

10.
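Research on Pattern Matching Algorithms for Network Intrusion Detection Systems   Total citations: 3, self-citations: 0, citations by others: 3
The pattern matching algorithm is key to network intrusion detection and directly affects the real-time detection performance of a network intrusion detection system. Four pattern matching algorithms are introduced and their working principles analyzed, and the performance of the four algorithms is tested experimentally. From the experimental results, the range of application of each algorithm is derived, providing a valuable reference for developers of intrusion detection systems when choosing a pattern matching algorithm.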

11.
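Improvement of the AC-BM Algorithm and Its Application in Intrusion Detection   Total citations: 1, self-citations: 0, citations by others: 1
Problems in intrusion detection and network traffic are analyzed. Without very fast processing, string matching becomes a bottleneck. For a network intrusion detection system, searching packet payloads for a single string at a time is inefficient and cannot keep up with ever-increasing network speeds. An improved AC-BM algorithm, which is a multi-pattern matching algorithm, is therefore proposed. As shown in the paper, the improved AC-BM algorithm improves the performance of network intrusion detection.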

12.
A signature-based intrusion detection system identifies intrusions by comparing the data traffic with known signature patterns. In this process, matching of packet strings against signature patterns is the most time-consuming step and dominates the overall system performance. Many signature-based network intrusion detection systems (NIDS), e.g., Snort, employ one or multiple pattern matching algorithms to detect multiple attack types. So far, many pattern matching algorithms have been proposed. Most of them use a single-byte standard unit for search, while a few algorithms such as the Modified Wu-Manber (MWM) algorithm typically use a two-byte unit, which guarantees better performance than others even as the number of different signatures increases. Among those algorithms, the MWM algorithm has been known as the fastest pattern matching algorithm when the patterns in a rule set rarely appear in packets. However, the matching time of the MWM algorithm increases as the length of the shortest pattern in a signature group decreases. In this paper, by extending the length of the shortest pattern, we minimize the pattern matching time of the algorithm which uses a multi-byte unit. We propose a new pattern matching algorithm called the L+1-MWM algorithm for multi-pattern matching. The proposed algorithm minimizes the performance degradation that originates from the dependency on the length of the shortest pattern. We show that the L+1-MWM algorithm improves the performance of the MWM algorithm by as much as 20% on average under various lengths of shortest patterns and normal traffic conditions. Moreover, when the length of the shortest pattern in a rule set is less than 5, the L+1-MWM algorithm shows 38.87% enhancement on average. We also conduct experiments on a real campus network and show that 12.48% enhancement is obtained on average.
In addition, it is shown that the L+1-MWM algorithm provides better performance than the MWM algorithm by as much as 25% on average under various numbers of signatures and normal traffic conditions, and 20.12% enhancement on average with real on-line traffic.

13.
In the past few years, the increase in Internet usage has been substantial. The high network bandwidth speed and the large amount of threats pose challenges to current network intrusion detection systems, which manage high amounts of network traffic and perform complicated packet processing. Pattern matching is a computationally intensive process included in network intrusion detection systems. In this paper, we present an efficient graphics processing unit (GPU)-based network packet pattern-matching algorithm by leveraging the computational power of GPUs to accelerate pattern-matching operations and subsequently increase the overall processing throughput. According to the experimental results, the proposed algorithm achieved a maximal traffic processing throughput of over 2 Gbit/s. The results demonstrate that the proposed GPU-based algorithm can effectively enhance the performance of network intrusion detection systems.

14.
This paper presents a deep and extensive performance analysis of the particle filter (PF) algorithm for a very compute intensive 3D multi-view visual tracking problem. We compare different implementations and parameter settings of the PF algorithm in a CPU platform taking advantage of the multithreading capabilities of the modern processors and a graphics processing unit (GPU) platform using NVIDIA CUDA computing environment as developing framework. We extend our experimental study to each individual stage of the PF algorithm, and evaluate the quality versus performance trade-off among different ways to design these stages. We have observed that the GPU platform performs better than the multithreaded CPU platform when handling a large number of particles, but we also demonstrate that hybrid CPU/GPU implementations can run almost as fast as only GPU solutions.

15.
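As the general-purpose computing capability of GPUs continues to develop, new and more efficient processing techniques are being applied to image processing. Some image processing algorithms have already been ported to the GPU with good speedups, but these algorithms do not make full use of the computing power of each processing unit in a heterogeneous system composed of a CPU and a GPU. Building on a study of the GPU programming model and parallel algorithm design, this paper proposes a collaborative parallel image processing model for heterogeneous CPU/GPU environments. The model takes full account of the computing power of each processing unit in the heterogeneous system. Using an image median filtering algorithm, the effectiveness of the collaborative parallel processing model for high-resolution grayscale image processing in a CPU/GPU environment is verified. The experimental results show that the model generalizes well in heterogeneous CPU/GPU environments and is easily extended to other image processing algorithms.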

16.
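杨武, 方滨兴, 云晓春. 《软件学报》, 2007, 18(9): 2271-2282
To perform effective intrusion detection analysis on higher-bandwidth networks, data acquisition techniques in intrusion detection are studied and a scalable, efficient intrusion monitoring framework, SEIMA (scalable efficient intrusion monitoring architecture), is proposed. In the SEIMA model, an efficient network traffic load splitter is combined with multiple intrusion detection sensors working in parallel, so that intrusion detection can be extended to higher network bandwidths. Efficient address translation and a buffer management mechanism are used to implement a high-performance user-level network packet transfer model that bypasses the operating system, improving the packet processing performance of a single sensor. A user-level multi-rule packet filter is built using finite automata to eliminate the overhead of processing redundant packets. Test results in simulated and real environments show that SEIMA improves the data acquisition efficiency of the network intrusion detection system while reducing CPU utilization, so that more system resources can be devoted to more complex data analysis.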

17.
Network intrusion detection systems (NIDSs), especially signature-based NIDSs, are being widely deployed in a distributed network environment with the purpose of defending against a variety of network attacks. However, signature matching is a key limiting factor that lowers the performance of a signature-based NIDS in a large-scale network environment, in which the cost is at least linear to the size of an input string. The overhead network packets can greatly reduce the effectiveness of such detection systems and heavily consume computer resources. To mitigate this issue, a more efficient signature matching algorithm is desirable. In this paper, we therefore develop an adaptive character frequency-based exclusive signature matching scheme (named ACF-EX) that can improve the process of signature matching for a signature-based NIDS. In the experiment, we implemented the ACF-EX scheme in a distributed network environment and evaluated it by comparing it with the performance of Snort. In addition, we further apply this scheme to constructing a packet filter that can filter out network packets by conducting exclusive signature matching for a signature-based NIDS, which can avoid implementation issues and improve the flexibility of the scheme. The experimental results demonstrate that, in the distributed network environment, the proposed ACF-EX scheme can positively reduce the time consumption of signature matching and that our scheme is promising in constructing a packet filter to reduce the burden of a signature-based NIDS.

18.
《Parallel Computing》2014,40(5-6):70-85
QR factorization is a computational kernel of scientific computing. How can the latest computer be used to accelerate this task? We investigate this topic by proposing a dense QR factorization algorithm with adaptive block sizes on a hybrid system that contains a central processing unit (CPU) and a graphic processing unit (GPU). To maximize the use of CPU and GPU, we develop an adaptive scheme that chooses block size at each iteration. The decision is based on statistical surrogate models of performance and an online monitor, which avoids unexpected occasional performance drops. We modify the highly optimized CPU–GPU based QR factorization in MAGMA to implement the proposed schemes. Numerical results suggest that our approaches are efficient and can lead to near-optimal block sizes. The proposed algorithm can be extended to other one-sided factorizations, such as LU and Cholesky factorizations.

19.
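王晨, 龚俭, 廖闻剑. 《计算机工程与应用》, 2003, 39(31): 149-151, 158
A network intrusion detection system usually needs to allocate buffers in memory to capture and analyze network packets, but traditional mutual-exclusion mechanisms for reading and writing buffers are not efficient enough in high-speed network environments and cannot meet the performance requirements of a high-speed IDS. This paper proposes a double-buffer mutual-exclusion mechanism based on concurrent locking. It improves on the resource utilization of traditional locking mechanisms, resolves the performance bottleneck between the packet arrival stream and packet processing capacity, and significantly improves the performance of the IDS.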

20.
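An HHT Detection Algorithm for Network Intrusion with Hierarchical Offset Control   Total citations: 3, self-citations: 0, citations by others: 3
章武媚, 陈庆章. 《计算机科学》, 2014, 41(12): 107-111
Accurate detection of latent network intrusion signals against a background of strong interference and low signal-to-noise ratio is key to network security. When the traditional Hilbert-Huang transform (HHT) intrusion signal detection algorithm solves for the instantaneous frequency features of an intrusion signal, boundary control errors caused by envelope distortion produce spectral leakage, which results in poor detection performance. A network intrusion signal detection algorithm is proposed that is based on joint time-frequency distribution features and HHT matching with hierarchical offset control. A mathematical evolution model of latent network intrusion is built, the complex intrusion signal is decomposed into single-frequency IMF signals, and the state transition equation of the intrusion detection system is obtained. The intrusion signal is discretized into analytic form using the Hilbert transform, giving an analytic model of the intrusion signal. For each intrusion signal, the IMF components of the analytic model after empirical mode decomposition are spectrally analyzed with the Hilbert transform. Hierarchical control adjusts the HHT spectral offset, and the projection of the residual signal is matched against the Hilbert marginal spectrum of the intrusion signal, which reduces the boundary control error caused by envelope distortion, suppresses spectral leakage, and achieves accurate detection and parameter estimation of the intrusion signal. Experiments show that the algorithm has strong interference resistance when detecting network intrusion signals, can effectively detect intrusion signals against a low signal-to-noise-ratio background, and improves detection performance considerably.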
