| Graduate student: | 陳昌倬 Chang-Zhuo Chen |
|---|---|
| Thesis title: | 入侵偵測系統上的多樣式同步搜尋 Concurrent Multi-Pattern Snooping for Intrusion Detection Systems |
| Advisors: | 許奮輝, 陳朝欽 |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Department of Computer Science |
| Year of publication: | 2006 |
| Academic year of graduation: | 94 (ROC year) |
| Language: | English |
| Pages: | 25 |
| Chinese keywords: | multi-pattern string searching, intrusion detection |
| Foreign keywords: | multi-pattern searching, intrusion detection |
Intrusion detection systems are widely used to identify and block all kinds of known network attacks. Almost every intrusion detection system can analyze packet contents to decide whether they constitute a malicious attack; it does so by comparing the packet contents against known attacks, which is how possible malicious behaviour is identified. The algorithm that compares one string against many different strings is the core of such a system, so an algorithm with good time and space performance is very important for an intrusion detection system.
There are many approaches to multi-pattern searching. The oldest, AC, uses a finite state machine as its search core and finds matching patterns through state transitions. Wu-Manber uses a shift table and a hash table for two-phase searching: only when the shift table indicates that further comparison is needed does it consult the hash table for a more detailed comparison. FNP is designed specifically for searching short strings; when the strings sought are short, it finds them easily and very quickly. These algorithms share a common trait: in each character comparison they can only determine whether one particular position matches the patterns, and cannot, in a single character comparison, eliminate patterns that might occur at different positions. This makes each character comparison less efficient.
In this thesis we propose a new algorithm designed for intrusion detection systems that improves on this trait, so that every comparison can eliminate patterns at different positions and each character comparison becomes more efficient. The algorithm is based on a comparison tree and searches for possibly matching patterns using (pattern, offset) pairs rather than the pattern alone; every node in the tree carries a position that tells us where the character for the next comparison lies. The experimental results also show that, when the strings are long, our method uses less space and time than the other methods.
Intrusion Detection Systems (IDSs) are widely used to identify and block all kinds of known network attacks. Almost every intrusion detection system can characterize attack behaviour by comparing packet contents with all known attack patterns. The core of these intelligent systems is the multi-pattern matching algorithm, so time- and space-efficient algorithms are very important for intrusion detection systems.
There are many algorithms for multi-pattern matching. The oldest, the Aho-Corasick scheme, uses a finite state machine to trace matching patterns. Wu-Manber, by contrast, uses a shift table and a hash table for two-phase searching: when the shift table flags a suspicious payload, the collision chain in the hash table is searched for further verification. FNP is designed specifically for short patterns, which it finds very fast. All of these algorithms share one characteristic: in a single octet comparison they can only eliminate patterns with the same offset, not patterns with different offsets. This limits the efficacy of each per-octet comparison and causes a great deal of redundant work.
In this thesis we propose a new algorithm that addresses this drawback. Our design lets every octet comparison eliminate as many patterns as possible, whether at the same offset or at different offsets. The algorithm is based on a comparison tree and uses (pattern, offset) pairs, rather than the pattern alone, to find possibly matching patterns. Every tree node carries a position value that says where the next octet comparison should be made. The experimental evaluation shows that the proposed algorithm outperforms current state-of-the-art schemes by a wide margin.
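As an added illustration of the comparison-tree idea described above (my own simplified reading of the abstract, not the thesis's code or measurements), the following Python matcher treats every (pattern, offset) pair inside a fixed window as a candidate, lets each tree node name the window position to compare next, and lets one octet comparison discard candidates at any offset. The window width, the advance between windows and the position-selection heuristic are assumptions.

```python
from collections import Counter


class Node:
    """Comparison-tree node: `pos` is the window position to test next."""
    def __init__(self, pos=None, matches=()):
        self.pos = pos             # None at a leaf
        self.children = {}         # byte value seen at pos -> child Node
        self.default = None        # child for any other byte (or end of text)
        self.matches = matches     # (pattern, offset) pairs verified at a leaf


def build(cands, compared=frozenset()):
    """Build the tree for candidate (pattern, offset) pairs; `compared` holds
    window positions already tested on the path to this node (assumed design)."""
    pending = [(p, s) for p, s in cands
               if any(s + j not in compared for j in range(len(p)))]
    if not pending:
        return Node(matches=tuple(cands))    # every survivor is fully verified
    # Heuristic (assumed): test the untested position most candidates constrain.
    freq = Counter(s + j for p, s in pending for j in range(len(p))
                   if s + j not in compared)
    pos = min(freq, key=lambda q: (-freq[q], q))
    node = Node(pos)
    def hit(p, s): return s <= pos < s + len(p)   # does (p, s) cover pos?
    free = [(p, s) for p, s in cands if not hit(p, s)]
    for b in {p[pos - s] for p, s in pending if hit(p, s)}:
        # One octet test keeps (p, s) only if it skips pos or agrees with b,
        # so disagreeing candidates at *any* offset are dropped here at once.
        keep = [(p, s) for p, s in cands if hit(p, s) and p[pos - s] == b]
        node.children[b] = build(keep + free, compared | {pos})
    node.default = build(free, compared | {pos})
    return node


def search(text, patterns):
    """Return sorted (start, pattern) occurrences of any pattern in text."""
    patterns = [bytes(p) for p in patterns]
    maxlen = max(len(p) for p in patterns)
    width = 2 * maxlen - 1          # window width (assumed); windows step by maxlen,
    cands = [(p, s) for p in patterns for s in range(width - len(p) + 1)]  # so every
    root = build(cands)             # occurrence lies entirely inside some window
    found = set()
    for i in range(0, len(text), maxlen):
        node = root
        while node.pos is not None:
            b = text[i + node.pos] if i + node.pos < len(text) else None
            node = node.children.get(b, node.default)
        found.update((i + s, p) for p, s in node.matches)
    return sorted(found)
```

Occurrences seen by two overlapping windows are deduplicated by the result set; the constructed inputs in the test below include a short pattern nested inside a longer one.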