Title of invention: Device and method for data matching and device and method for network intrusion detection
Abstract:
The present invention discloses a device and method for data matching and a device and method for network intrusion detection. The method for data matching includes: searching a regular expression set for one or more complex regular expressions, which cause a sharp increase in the number of states generated based on a regular expression during interaction; constructing a corresponding simplified expression for each complex regular expression; compiling a simplified state machine; compiling one or more substate machines, wherein each of the one or more substate machines is compiled based on a corresponding one of the one or more complex regular expressions; and matching data based on the simplified state machine and the one or more substate machines. The present invention further discloses a device for data matching employing the method for data matching, and a device and method for intrusion detection employing the device and method for data matching.
Publication number: US9258317(B2)
Publication date: 2016.02.09
Application number: US201313797171
Filing date: 2013.03.12
Applicant: NSFOCUS INFORMATION TECHNOLOGY CO., LTD.
Inventors: Yao Gang; Han Xiao; Zhang Tao; Han Peng; Cheng Lijun
Classification: H04L29/06
Main classification: H04L29/06
Agency: J.C. Patents
Agent: J.C. Patents
Main claim:
1. A method for network intrusion detection by data matching based on a regular expression set comprising one or more regular expressions, implemented by a processor executing instructions stored on a non-transitory processor-readable medium, comprising the steps of:
searching the regular expression set for one or more complex regular expressions which cause expansion in the number of states generated based on the regular expression during interaction; constructing a corresponding simplified expression for each of the one or more searched-out complex regular expressions by connecting all character string features of the searched-out complex regular expression and deleting any character string feature that appears frequently; compiling only one simplified state machine based on the constructed simplified expressions and the remaining regular expressions in the regular expression set, excluding the one or more searched-out complex regular expressions; compiling one or more substate machines, wherein each of the one or more substate machines is compiled based on a corresponding one of the one or more complex regular expressions; obtaining network data; and matching the obtained network data based on the simplified state machine and the one or more substate machines to judge whether the network data is network intrusion data.
Address: Beijing CN
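As an added worked example (not code from the patent, from NSFOCUS, or from any product of theirs), the following Python sketch implements the two-tier structure that the abstract and the main claim describe: complex rules are identified, each is reduced to a simplified expression made of its literal string features minus the frequent ones, all rules are compiled into one simplified machine, and a per-rule substate machine confirms a hit only when the simplified machine flags that rule's skeleton. Everything specific is an assumption: the rule set and the frequent-feature set are constructed for the example, `is_complex` uses a counted-repetition threshold as a stand-in for the patent's state-count criterion, `literal_features` is a simple tokenizer of my own, and Python's backtracking `re` module stands in for the DFA-style state machines an IDS engine would actually build.

```python
import re
from typing import Dict, FrozenSet, List, Set

# Constructed signature set standing in for the patent's "regular expression set".
# Illustrative IDS-style rules written for this example, not NSFOCUS's rules.
# The two rules with large counted repetitions are the kind whose states multiply
# when every rule is compiled into a single combined state machine.
RULES: Dict[str, str] = {
    "sqli_union":     r"union\s+select",
    "shell_path":     r"/bin/sh",
    "cgi_long_arg":   r"GET\s/cgi-bin/[a-z0-9_]{1,32}\.cgi\?[^&\s]{400,}\sHTTP",
    "smtp_long_rcpt": r"RCPT TO:<[^>]{256,}>",
}

# Constructed: string features seen in almost all traffic, so they carry no
# discriminating power; the claim's method deletes such features.
FREQUENT_FEATURES: FrozenSet[str] = frozenset({"GET", "HTTP", ">"})

META = set("()|^$.*+?")


def is_complex(pattern: str, threshold: int = 64) -> bool:
    """Assumed stand-in for the patent's search step (not its actual criterion):
    a rule is complex when it has a counted repetition {n,..} with n >= threshold,
    since each counted position becomes its own state in a combined DFA."""
    counts = [int(n) for n in re.findall(r"\{(\d+)", pattern)]
    return bool(counts) and max(counts) >= threshold


def literal_features(pattern: str) -> List[str]:
    """Extract the fixed character-string features of a regex: maximal runs of
    literal characters, with classes, groups, quantifiers and escapes such as \\s
    acting as boundaries. A literal directly followed by a quantifier is dropped
    because its presence is not guaranteed."""
    feats: List[str] = []
    cur = ""
    i, n = 0, len(pattern)

    def flush() -> None:
        nonlocal cur
        if cur:
            feats.append(cur)
        cur = ""

    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt.isalnum():            # \s \d \w \r \n ...: a class, not a literal
                flush()
            else:                        # \. \? \- ...: an escaped literal character
                cur += nxt
            i += 2
        elif c == "[":                   # skip a character class entirely
            flush()
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "{":                   # counted repetition quantifies the previous atom
            cur = cur[:-1]
            flush()
            j = pattern.find("}", i)
            i = j + 1 if j != -1 else n
        elif c in "*?":                  # previous char optional: not a fixed feature
            cur = cur[:-1]
            flush()
            i += 1
        elif c in META:                  # + ( ) | ^ $ . : boundary, earlier chars still required
            flush()
            i += 1
        else:
            cur += c
            i += 1
    flush()
    return feats


def simplify(pattern: str, frequent: FrozenSet[str]) -> str:
    """Simplified expression: the rule's literal features, minus frequent ones,
    connected in order by an unanchored gap. If nothing survives, fall back to the
    full pattern so the first tier cannot miss a true hit (no speed-up, no misses)."""
    feats = [f for f in literal_features(pattern) if f not in frequent]
    if not feats:
        return pattern
    return ".*?".join(re.escape(f) for f in feats)


class TwoTierMatcher:
    """One simplified machine for all rules plus one substate machine per complex rule."""

    def __init__(self, rules: Dict[str, str], frequent: FrozenSet[str] = frozenset(),
                 threshold: int = 64) -> None:
        self.complex_names = [n for n, p in rules.items() if is_complex(p, threshold)]
        self.simplified: Dict[str, str] = {}
        alternatives = []
        for name, pattern in rules.items():
            if name in self.complex_names:
                self.simplified[name] = simplify(pattern, frequent)
                alternatives.append(f"(?P<{name}>{self.simplified[name]})")
            else:
                alternatives.append(f"(?P<{name}>{pattern})")   # simple rules stay as they are
        self.simplified_machine = re.compile("|".join(alternatives))
        self.substate_machines = {n: re.compile(rules[n]) for n in self.complex_names}

    def match(self, data: str) -> Set[str]:
        """Run the simplified machine once over the data; a complex rule is reported
        only after its own substate machine confirms the full pattern."""
        hits: Set[str] = set()
        for m in self.simplified_machine.finditer(data):
            name = m.lastgroup
            sub = self.substate_machines.get(name)
            if sub is None or sub.search(data):
                hits.add(name)
        return hits


if __name__ == "__main__":
    matcher = TwoTierMatcher(RULES, FREQUENT_FEATURES)
    # Constructed sample payloads: a benign CGI request, an overlong CGI argument,
    # a benign SMTP recipient, and an overlong one.
    for payload in ("GET /cgi-bin/x.cgi?aaaa HTTP/1.1",
                    "GET /cgi-bin/x.cgi?" + "A" * 500 + " HTTP/1.1",
                    "RCPT TO:<alice@example.com>",
                    "RCPT TO:<" + "a" * 300 + "@example.com>"):
        print(payload[:40], "->", sorted(matcher.match(payload)))
```

The benign CGI request is the case the two-tier layout is built for: the simplified machine sees the `/cgi-bin/ ... .cgi?` skeleton and hands off to the substate machine, which rejects it because the argument is short, so the expensive counted-repetition states are only ever exercised on traffic that already looks like the rule.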