Computer Engineering and Applications ›› 2015, Vol. 51 ›› Issue (20): 91-96.


Optimization research on rule list in network intrusion detection system

ZHAO Xu, WANG Wei, CHEN Liang   

  1. College of Computer Science, Xi’an Polytechnic University, Xi’an 710048, China
  • Online:2015-10-15 Published:2015-10-30

Title (Chinese original): Optimization research on the rule list of network intrusion detection systems

赵旭, 王伟, 陈亮 (ZHAO Xu, WANG Wei, CHEN Liang)

  1. College of Computer Science, Xi'an Polytechnic University, Xi'an 710048, China

Abstract: To raise the detection efficiency of a Network Intrusion Detection System (NIDS) and lower its packet-drop rate, this paper works on the rule list. The traditional rule list suffers from an oversized RTN (rule tree node) list and an overlong average match length across the OTN (option tree node) list. A three-stage decomposition of the rule list is proposed: media-type nodes, direction nodes and common OTN nodes are added so that a packet is compared only against the OTN nodes that can apply to it. The decomposition sharply shortens the average number of OTN nodes the NIDS compares per packet. Experimental results show that the improvement raises the detection efficiency of the NIDS and reduces its packet-drop rate, and that the completeness of the NIDS is improved as well.

Key words: intrusion detection, rule list, media type nodes, direction nodes, common OTN nodes
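The abstract's metric, the average number of OTN nodes compared per packet, and the effect of splitting the list by direction and media type and merging rules that share an option into one common OTN node can be seen on a small model. The following is an added illustration, not the paper's code or Snort's: it assumes a simplified rule (protocol, direction, media type, one content option), a packet classifier that has already labelled each packet's direction and media type, and a constructed rule set and packet trace; the comparison counts it reports come only from those constructed inputs.

```python
"""Model of rule-list decomposition in a Snort-style NIDS (added example).

Snort keeps rules in a linked list: each rule tree node (RTN) holds a rule
header (protocol, addresses, ports) and hangs a list of option tree nodes
(OTNs) holding the payload options.  Matching a packet walks the OTN list
under the RTN whose header matches, one node at a time, so the average number
of OTN nodes visited per packet (the "average match length") bounds throughput.

Assumptions of this model (not from the paper): one content option per rule,
a classifier that labels every packet with a direction and a media type, and
the constructed rule set and packet trace below.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str        # "tcp" or "udp"
    direction: str    # "to_server", "to_client" or "any"
    media: str        # "text", "image", "video" or "any"
    content: bytes    # the single payload option this model keeps per OTN


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str    # assumed to come from a flow-direction classifier
    media: str        # assumed to come from a media-type classifier; never "any"
    payload: bytes


# Constructed rule set.
RULES = [
    Rule(1, "tcp", "to_server", "text", b"/etc/passwd"),
    Rule(2, "tcp", "to_server", "text", b"UNION SELECT"),
    Rule(3, "tcp", "to_server", "text", b"/etc/passwd"),   # same option as sid 1
    Rule(4, "tcp", "to_client", "image", b"\xff\xd8\xff\xe0"),
    Rule(5, "tcp", "to_client", "video", b"ftyp"),
    Rule(6, "tcp", "to_client", "video", b"moov"),
    Rule(7, "tcp", "any", "any", b"cmd.exe"),
    Rule(8, "udp", "to_server", "any", b"\x00\x01\x00\x00"),
    Rule(9, "tcp", "to_server", "image", b"<?php"),
    Rule(10, "tcp", "to_client", "text", b"<script>"),
]

# Constructed packet trace.
PACKETS = [
    Packet("tcp", "to_server", "text", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "to_client", "video", b"\x00\x00\x00\x18ftypisom\x00\x00moov"),
    Packet("tcp", "to_client", "image", b"\xff\xd8\xff\xe0JFIF"),
    Packet("udp", "to_server", "other", b"\xab\xcd\x00\x01\x00\x00"),
    Packet("tcp", "to_server", "text", b"POST /upload cmd.exe HTTP/1.1"),
]


def flat_match(rules, pkt):
    """Traditional list: every OTN under the protocol's RTN is compared."""
    hits, comparisons = [], 0
    for r in rules:
        if r.proto != pkt.proto:          # RTN header check, not counted
            continue
        comparisons += 1                  # one OTN node visited
        if (r.direction in ("any", pkt.direction)
                and r.media in ("any", pkt.media)
                and r.content in pkt.payload):
            hits.append(r.sid)
    return hits, comparisons


def build_decomposed(rules):
    """Decompose three ways: by direction, by media type, and by merging
    rules that share the same option into one common OTN node."""
    index = defaultdict(dict)  # (proto, direction, media) -> {content: [sids]}
    for r in rules:
        index[(r.proto, r.direction, r.media)].setdefault(r.content, []).append(r.sid)
    return index


def decomposed_match(index, pkt):
    """Visit only the sub-lists that can apply to this packet."""
    hits, comparisons = [], 0
    seen = set()
    for direction in (pkt.direction, "any"):
        for media in (pkt.media, "any"):
            key = (pkt.proto, direction, media)
            if key in seen:
                continue
            seen.add(key)
            for content, sids in index.get(key, {}).items():
                comparisons += 1          # one common OTN node visited
                if content in pkt.payload:
                    hits.extend(sids)     # one comparison fires every sid sharing it
    return hits, comparisons


def run(matcher, packets):
    """Total OTN comparisons and sorted per-packet hit lists over a trace."""
    total, hits = 0, []
    for pkt in packets:
        h, c = matcher(pkt)
        total += c
        hits.append(sorted(h))
    return total, hits


if __name__ == "__main__":
    index = build_decomposed(RULES)
    flat_total, flat_hits = run(lambda p: flat_match(RULES, p), PACKETS)
    dec_total, dec_hits = run(lambda p: decomposed_match(index, p), PACKETS)
    assert flat_hits == dec_hits, "decomposition must not change what is detected"
    print("flat:       %.1f OTN comparisons per packet" % (flat_total / len(PACKETS)))
    print("decomposed: %.1f OTN comparisons per packet" % (dec_total / len(PACKETS)))
```

Two points a practitioner would check before relying on such a decomposition. Rules whose direction or media type is "any" land in sub-lists that are visited for every packet, so the gain depends on how many rules can actually be classified. And completeness now rests on the classifier: if a packet's media type is mislabelled, `decomposed_match` never visits the sub-list holding the right rule, whereas the flat list would still have compared it, so the classifier's accuracy must be measured alongside the match-length figure.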

Abstract (translated from Chinese): Network intrusion detection systems often show a high packet-drop rate under heavy traffic. This paper addresses the problem by starting from the rule list. Aiming at the oversized RTN list and the overlong average match length of the traditional list, it proposes raising detection efficiency by decomposing the traditional rule list three times, adding multimedia-type nodes, direction nodes and common rule-body (OTN) nodes. After the three decompositions, the system's average match length over the OTN nodes of the list is greatly shortened. Experimental results show that the method raises the detection efficiency of the NIDS on multimedia data while also effectively lowering the packet-drop rate, and that completeness is improved as well.

Key words (translated from Chinese): intrusion detection, rule list, multimedia-type nodes, direction nodes, common rule-body nodes