
A Study on Efficient Signature Inspection Methods for Intrusion Detection Systems

Title
A Study on Efficient Signature Inspection Methods for Intrusion Detection Systems
Other Titles
A Study on Efficient Signature Matching Techniques for Intrusion Detection Systems
Author
김혜선
Alternative Author(s)
Kim, Hye Seon
Advisor(s)
임을규
Issue Date
2012-02
Publisher
한양대학교
Degree
Master
Abstract
Malicious network traffic on the Internet is increasing steadily and becoming more sophisticated over time. Intrusion detection systems such as Snort are used to detect such traffic quickly and accurately. Although inspecting packet payloads thoroughly might increase the accuracy of packet inspection, it is hard to achieve fast detection with this method. In this paper, Growing Prefix Indexing (GPI) is proposed for efficient signature inspection on intrusion detection systems. In GPI, the first few characters of a signature are selected as an index, and signatures that share the same index are grouped together. The maximum number of signatures per index is limited so that signatures are distributed evenly across indexes. The packet inspection results with GPI are presented in this paper. They show that GPI can dramatically reduce the amount of strings to be examined, which in turn leads to faster packet inspection. Although the experiments were done with Snort signatures, the indexing can also be applied to other signature-based intrusion detection systems.
URI
https://repository.hanyang.ac.kr/handle/20.500.11754/137074
http://hanyang.dcollection.net/common/orgView/200000419467
Appears in Collections:
GRADUATE SCHOOL[S] > ELECTRONICS AND COMPUTER ENGINEERING > Theses (Master)