Title: Device and method for data matching and device and method for network intrusion detection
Abstract: The present invention discloses a device and method for data matching and a device and method for network intrusion detection. The method for data matching includes: searching a regular expression set for one or more complex regular expressions, i.e. expressions whose interaction with the other expressions in the set causes a sharp expansion in the number of generated states; constructing a corresponding simplified expression for each complex regular expression; compiling a single simplified state machine from the simplified expressions together with the remaining regular expressions; compiling one or more substate machines, each from a corresponding one of the complex regular expressions; and matching data based on the simplified state machine and the one or more substate machines. The present invention further discloses a device for data matching employing this method, and a device and method for intrusion detection employing that device and method.
Publication number: US9258317(B2)    Publication date: 2016.02.09
Application number: US201313797171    Filing date: 2013.03.12
Applicant: NSFOCUS INFORMATION TECHNOLOGY CO., LTD.    Inventors: Yao Gang; Han Xiao; Zhang Tao; Han Peng; Cheng Lijun
Classification: H04L29/06    Main classification: H04L29/06
Agency: J.C. Patents    Agent: J.C. Patents
Independent claim: 1. A method for network intrusion detection by data matching based on a regular expression set comprising one or more regular expressions, implemented by a processor executing instructions stored on a non-transitory processor-readable medium, comprising the steps of: searching the regular expression set for one or more complex regular expressions which cause expansion in the number of states generated from the regular expression during interaction; constructing a corresponding simplified expression for each of the one or more complex regular expressions so found by connecting all character string features of that complex regular expression and deleting any character string feature that appears frequently; compiling only one simplified state machine from the constructed simplified expressions and the remaining regular expressions in the regular expression set, excluding the one or more complex regular expressions; compiling one or more substate machines, wherein each of the one or more substate machines is compiled from a corresponding one of the one or more complex regular expressions; obtaining network data; and matching the obtained network data using the simplified state machine and the one or more substate machines to judge whether the network data is network intrusion data.
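The claimed steps, worked through end to end in Python as an added example (this is not NSFOCUS code and not the patented implementation; it only illustrates the structure of the method). A tiny regex dialect (literals, `\c` escapes, `.` and postfix `*`) is compiled by subset construction so that DFA state counts can be measured. Everything specific is an assumption of this example: a rule is deemed "complex" when removing it shrinks the combined DFA more than `blowup`-fold; a "character string feature" is a literal run matched by `FEATURE`; a feature "appears frequently" when it occurs in more than `max_frac` of a constructed benign-traffic sample `BENIGN`; and `RULES` are constructed signatures, not real ones.

```python
"""Two-stage matching in the style of the patent's method: one prefilter DFA over
the simplified expressions plus the ordinary rules, and one sub-DFA per complex
rule that runs only when the prefilter fires.  Added example, not NSFOCUS code;
the regex dialect is deliberately tiny and all rules and traffic are constructed."""
import re

ANY, OTHER = object(), object()   # NFA wildcard; DFA symbol for "byte outside the alphabet"

def parse(pat):
    """Dialect: literal chars, '\\c' escapes, '.' wildcard, postfix '*'. Returns (kind, sym) pairs."""
    nodes, i = [], 0
    while i < len(pat):
        c, i = pat[i], i + 1
        if c == '\\':
            c, i = pat[i], i + 1            # an escaped character is a literal
            sym = c
        else:
            sym = ANY if c == '.' else c
        if i < len(pat) and pat[i] == '*':
            nodes.append(('star', sym)); i += 1
        else:
            nodes.append(('one', sym))
    return nodes

def compile_dfa(patterns):
    """Subset construction for '.*(p0|p1|...)'; returns (delta, accepts, alphabet)."""
    trans, accept, starts = [], {}, set()
    for idx, p in enumerate(patterns):
        cur = len(trans); trans.append([(ANY, cur)]); starts.add(cur)   # leading .*: unanchored
        for kind, sym in parse(p):
            if kind == 'star':
                trans[cur].append((sym, cur))                            # self-loop
            else:
                trans[cur].append((sym, len(trans))); trans.append([]); cur = len(trans) - 1
        accept[cur] = idx
    alphabet = {x for ts in trans for x, _ in ts if x is not ANY}
    start = frozenset(starts)
    ids, delta, accepts, work = {start: 0}, {}, {}, [start]
    while work:                                                          # explore reachable subsets
        cur = work.pop()
        accepts[ids[cur]] = frozenset(accept[s] for s in cur if s in accept)
        for sym in list(alphabet) + [OTHER]:
            nxt = frozenset(t for s in cur for x, t in trans[s] if x is ANY or x == sym)
            if nxt not in ids:
                ids[nxt] = len(ids); work.append(nxt)
            delta[(ids[cur], sym)] = ids[nxt]
    return delta, accepts, alphabet

def run_dfa(dfa, data):
    """Rule indices that matched anywhere in data."""
    delta, accepts, alphabet = dfa
    state, hits = 0, set()
    for ch in data:
        state = delta[(state, ch if ch in alphabet else OTHER)]
        hits |= accepts[state]
    return hits

def find_complex(rules, blowup=4.0):
    """Step 1 (assumed criterion): rule i is complex if dropping it shrinks the combined DFA blowup-fold."""
    total = len(compile_dfa(rules)[1])
    return [i for i in range(len(rules))
            if total > blowup * len(compile_dfa(rules[:i] + rules[i + 1:])[1])]

FEATURE = re.compile(r'[A-Za-z0-9=/ _-]{2,}')     # assumed "character string feature": a literal run

def string_features(rule):
    """Literal runs of a rule; a run whose last char is starred loses that char (it is optional)."""
    feats = []
    for m in FEATURE.finditer(rule):
        f = m.group()[:-1] if rule[m.end():m.end() + 1] == '*' else m.group()
        if len(f) >= 2:
            feats.append(f)
    return feats

def simplify(rule, benign, max_frac=0.5):
    """Step 2: join the features with '.*', deleting any that appears in too many benign lines."""
    keep = [f for f in string_features(rule)
            if sum(f in line for line in benign) <= max_frac * len(benign)]
    return '.*'.join(keep)

class Matcher:
    def __init__(self, rules, benign):
        self.complex = find_complex(rules)
        pre = [simplify(r, benign) if i in self.complex else r for i, r in enumerate(rules)]
        self.prefilter = compile_dfa(pre)                               # the one simplified state machine
        self.sub = {i: compile_dfa([rules[i]]) for i in self.complex}   # one sub-state machine each
    def match(self, data):
        """Prefilter hits on ordinary rules are final; hits on complex rules must pass the sub-DFA."""
        return {i for i in run_dfa(self.prefilter, data)
                if i not in self.sub or run_dfa(self.sub[i], data)}

RULES = [                       # constructed rules in the tiny dialect (not real signatures)
    "union select",             # SQL injection keyword pair
    "\\.\\./\\.\\./",           # directory traversal
    "<......src=.*\\.js",       # '<' + 6 bytes + 'src=' (e.g. '<embed src=') then a .js URL:
]                               # the wildcards after a repeatable '<' blow the DFA up
BENIGN = [                      # constructed benign traffic used to spot frequent features
    "GET /index.html HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
    "GET /static/vendor.js HTTP/1.1",
    "GET /js/main.js HTTP/1.1",
]
```

`Matcher(RULES, BENIGN)` flags only the third rule as complex; its features are `src=` and `js`, and `js` is deleted because three of the four benign lines contain it, so the prefilter carries just `src=` for that rule. A request such as `<embed src=http://x/logo.png>` then fires the prefilter but is rejected by the sub-state machine, while `<embed src=http://x/evil.js>` passes both. Two practitioner points follow from the construction: deleting a feature can only loosen the simplified expression, so it never introduces a miss, only more traffic reaching the sub-state machine; and the sub-state machines still have the full state count of the complex rule, so the memory saving comes from not multiplying that count against every other rule in one combined automaton.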
Address: Beijing CN