1. Field of the Invention
The present invention relates to a method and apparatus for storing an intrusion rule, and more particularly, to a method and apparatus for storing an intrusion rule in which an optimized hash function table is used to implement the hash function of a high-speed, hardware-based intrusion detection system that detects network intrusions in real time, so as to minimize memory use, enhance performance and reduce the size of the intrusion detection system.
2. Description of the Related Art
Information exchange through networks is now one of the major features of modern society and influences many aspects of life. Malicious intrusion into information has increased accordingly and has become a substantial threat to society as a whole. Therefore, it is becoming more important to protect information systems, including networks.
The object of a network intrusion detection system is to detect specific packets traveling through a network, because an actual intrusion attempt reaches its target as packets transmitted over the network. The most widely used intrusion detection method is pattern matching based on an intrusion rule.
An intrusion rule is a set of characteristics of a known intrusion. These characteristics include a variety of items, such as the source and destination addresses of packets, the protocol type, the values of predetermined header fields, and whether or not predetermined byte sequences are present in the payload. Each of these items designates a value or range within the protocol header or the payload of a packet.
Accordingly, if each item of the intrusion rule is compared with the corresponding part of a packet, it can be determined whether or not the packet matches a known intrusion. That is, pattern matching based on an intrusion rule determines whether or not a packet passing through a network is part of an intrusion by comparing the data of the packet actually passing through the network with the corresponding rule defined for that intrusion.
An intrusion detection system protecting a high-speed network is generally hardware-based. This is because real-time detection on a Gigabit or faster network requires high-speed matching, and the performance of a software-based intrusion detection system is limited. Even in a hardware-based system, however, the rule-based matching logic itself must operate at line rate, so the speed of the matching function is essential.
A variety of research to speed up the intrusion detection function has been undertaken, and at present, pattern matching using a hash function is known to perform well. In hash-based pattern matching, a pattern is compared by computing a hash value of the candidate data and looking it up in a hash function table rather than by comparing the data byte by byte, so the complexity of each comparison is beneficially low.
Problems with this method are that collisions of the hash function must be prevented or resolved, and that the size of the hash function table must be kept small. These two requirements conflict, because a larger table holds its entries more sparsely and therefore produces fewer collisions.
If the size of the hash function table increases, the size of the memory required for pattern matching increases. In a hardware-based system, the complexity and cost of implementation increase with the memory size. Therefore, it has become important to reduce the size of the hash function table, and thus the size of the memory used by the pattern matching function.
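The following is an added example, not code from the patent or from any product it describes, illustrating the hash-based pattern matching and the table-size versus collision trade-off discussed above. The rules, the hash function (32-bit FNV-1a folded into a power-of-two table), the block length and the sample payload are all assumptions constructed for the example; the point it demonstrates is that a lookup costs one hash computation regardless of the number of rules, that shrinking the table raises the number of slots shared by distinct patterns, and that a full-pattern verification step after the lookup keeps the result correct even when collisions occur.

```python
# Added example (not from the patent): hash-table-based multi-pattern matching
# with collision handling, plus a collision count as a function of table size.
from typing import Dict, List, Set, Tuple

# Constructed sample intrusion rules: (rule name, byte pattern to find in the payload).
RULES: List[Tuple[str, bytes]] = [
    ("cmd-exec", b"/bin/sh"),
    ("dir-traversal", b"../../"),
    ("nop-sled", b"\x90\x90\x90\x90"),
    ("sqli-tautology", b"' OR 1=1--"),
    ("shell-probe", b"/bin/sh -c"),   # shares its first 4 bytes with cmd-exec
]

BLOCK = 4  # bytes hashed per lookup; must not exceed the shortest pattern

# Constructed sample payload containing a traversal string, a NOP run and a shell command.
PAYLOAD = (b"GET /cgi-bin/x?p=../../etc/passwd HTTP/1.0\r\n"
           + b"\x90" * 6 + b"/bin/sh -c id")


def block_hash(block: bytes, table_bits: int) -> int:
    """32-bit FNV-1a over one block, folded into a table of 2**table_bits slots."""
    h = 0x811C9DC5
    for b in block:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return (h ^ (h >> table_bits)) & ((1 << table_bits) - 1)


def build_table(rules: List[Tuple[str, bytes]], table_bits: int) -> Dict[int, List[int]]:
    """Map each slot to the indices of the rules whose first BLOCK bytes hash to it."""
    table: Dict[int, List[int]] = {}
    for idx, (_, pat) in enumerate(rules):
        if len(pat) < BLOCK:
            raise ValueError("pattern shorter than the hashed block")
        table.setdefault(block_hash(pat[:BLOCK], table_bits), []).append(idx)
    return table


def count_collisions(rules: List[Tuple[str, bytes]], table_bits: int) -> int:
    """Number of slots that hold more than one DISTINCT block (true hash collisions;
    two rules with the same prefix legitimately share a slot and are not counted)."""
    slots: Dict[int, Set[bytes]] = {}
    for _, pat in rules:
        slots.setdefault(block_hash(pat[:BLOCK], table_bits), set()).add(pat[:BLOCK])
    return sum(1 for blocks in slots.values() if len(blocks) > 1)


def match(payload: bytes, rules: List[Tuple[str, bytes]], table_bits: int):
    """Scan the payload; return (hits, lookups, verifications).

    Each position costs one hash lookup. Every rule found in the slot is then
    verified against the full pattern, so hash collisions can cost extra
    verification work but never produce a wrong hit.
    """
    table = build_table(rules, table_bits)
    hits: List[Tuple[str, int]] = []
    lookups = verifications = 0
    for pos in range(len(payload) - BLOCK + 1):
        slot = block_hash(payload[pos:pos + BLOCK], table_bits)
        lookups += 1
        for idx in table.get(slot, ()):
            verifications += 1
            name, pat = rules[idx]
            if payload.startswith(pat, pos):
                hits.append((name, pos))
    return hits, lookups, verifications


def collision_profile(rules: List[Tuple[str, bytes]], bits_list: List[int]) -> Dict[int, int]:
    """Collisions for each candidate table size, to show the size/collision trade-off."""
    return {bits: count_collisions(rules, bits) for bits in bits_list}


if __name__ == "__main__":
    for bits, coll in collision_profile(RULES, [0, 1, 2, 4, 8, 16]).items():
        print(f"table of 2^{bits:2d} slots: {coll} colliding slot(s)")
    for bits in (1, 8):
        hits, lookups, verifications = match(PAYLOAD, RULES, bits)
        print(f"2^{bits} slots: {lookups} lookups, {verifications} verifications, hits={hits}")
```

The `collision_profile` output is what a designer of the hardware table has to weigh: fewer table bits means less memory, but more distinct patterns share a slot and each lookup triggers more verifications. Note that the set of hits reported by `match` is the same for every table size; only the verification count changes.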