Abstract
A dynamic cache strategy is proposed in which pointers to a small number of rule nodes that have been used frequently in the recent period are stored in a cache block. When attack density rises to a certain threshold, the cache block is dynamically loaded into the Snort detection engine, and every packet captured from then on is first matched against the rule nodes that the cached pointers refer to. When attack density falls to a certain threshold, the cache block is dynamically unloaded from the Snort detection engine, which avoids the extra overhead of matching twice while attack density is low. Experiments show that the dynamic cache strategy improves the detection efficiency of the Snort detection engine under high-intensity attack and reduces the rate of missed alerts.
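The load/unload behaviour described in the abstract, as an added Python sketch that is not code from the paper or from Snort. It assumes a linear rule list, defines attack density as alerts per fixed window, and uses hypothetical thresholds, cache size, names and constructed `sig-NN` patterns.

```python
from collections import Counter

class DynamicCacheEngine:
    """Linear rule matcher with a cache block switched by attack density."""

    def __init__(self, rules, cache_size=2, load_at=4, unload_at=1):
        self.rules = rules            # ordered (sid, substring) pairs, all constructed
        self.by_sid = {r[0]: r for r in rules}
        self.cache = []               # references to entries of self.rules, not copies
        self.loaded = False
        self.cache_size, self.load_at, self.unload_at = cache_size, load_at, unload_at

    def match(self, payload):
        """Return (matched sid or None, number of rule comparisons made)."""
        # Cached rule nodes are tried first; a miss falls through to the full list.
        for cost, (sid, pattern) in enumerate(self.cache + self.rules, start=1):
            if pattern in payload:
                return sid, cost
        return None, len(self.cache) + len(self.rules)

    def run_window(self, payloads):
        """Process one time window, then apply the load/unload thresholds."""
        hits, cost = Counter(), 0
        for payload in payloads:
            sid, c = self.match(payload)
            cost += c
            if sid is not None:
                hits[sid] += 1
        alerts = sum(hits.values())   # assumed density measure: alerts per window
        if self.loaded and alerts <= self.unload_at:
            self.loaded, self.cache = False, []          # unload: no second pass
        elif alerts >= self.load_at:
            hot = hits.most_common(self.cache_size)      # most-used rules this window
            self.cache = [self.by_sid[sid] for sid, _ in hot]
            self.loaded = True
        return cost                   # between the thresholds the state is kept

def demo():
    """Constructed traffic: two attack-heavy windows, then two quiet ones."""
    engine = DynamicCacheEngine([(i, f"sig-{i:02d}") for i in range(1, 9)])
    burst = ["x sig-08 y"] * 3 + ["x sig-07 y"] * 2 + ["benign"]
    quiet = ["benign"] * 6
    return [engine.run_window(w) for w in (burst, burst, quiet, quiet)]

if __name__ == "__main__":
    print(demo())
```

The per-window comparison counts show both effects the abstract names: the second burst is cheaper once the cache is loaded, and the first quiet window costs more than the second because the cache is still in the match path until it is unloaded.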
Source
Computer Applications and Software (《计算机应用与软件》)
CSCD
PKU Core Journal (北大核心)
2008, Issue 3, pp. 260-262 (3 pages)