• DocumentCode
    676755
  • Title
    Evaluation studies of three intrusion detection systems under various attacks and rule sets
  • Author
    Thongkanchorn, Kittikhun ; Ngamsuriyaroj, Sudsanguan ; Visoottiviseth, Vasaka
  • Author_Institution
    Fac. of Inf. & Commun. Technol., Mahidol Univ., Bangkok, Thailand
  • fYear
    2013
  • fDate
    22-25 Oct. 2013
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    This paper investigates the performance and the detection accuracy of three popular open-source intrusion detection systems: Snort, Suricata and Bro. We evaluate all systems using various attack types including DoS attack, DNS attack, FTP attack, Scan port attack, and SNMP attack. The experiments were run under different traffic rates and different sets of active rules. The performance metrics used are the CPU utilization, the number of packets lost, and the number of alerts. The results illustrated that each attack type had significant effects on the IDS performance. However, Bro showed better performance than the other IDS systems when evaluated under different attack types and using a specific set of rules. The results also indicated a drop in accuracy when the three IDS tools activate the full rule set.
  • Keywords
    computer network security; public domain software; Bro; CPU utilization; DNS attack; DoS attack; FTP attack; IDS performance; SNMP attack; Scan port attack; Snort; Suricata; lost packets; open-source intrusion detection systems; performance metrics; rule sets; traffic rates; Accuracy; Computer crime; Intrusion detection; Packet loss; Telecommunication traffic; Bro; Intrusion Detection System; Performance Evaluation; Snort; Suricata;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    TENCON 2013 - 2013 IEEE Region 10 Conference (31194)
  • Conference_Location
    Xi'an
  • ISSN
    2159-3442
  • Print_ISBN
    978-1-4799-2825-5
  • Type
    conf
  • DOI
    10.1109/TENCON.2013.6718975
  • Filename
    6718975