Analysis and Comparative Performance of Open-Source Intrusion Detection systems

Regardless of the many advances in network security over the past years, the internet remains a hostile environment for networked computer networks and systems [1]. The US Department of Homeland Security and numerous other industry organizations report significant upsurges in cyberattacks against industrial control systems. In 2018 alone, the US reported about 80,000 cyber-attacks per day, amounting to 30 million cyber-attacks annually. The sophistical of cyber threats are also increasing, with the likelihood that they will likely be physically destructive, causing significant losses in the future. Attacks by sophisticated worms such as Stuxnet and exploits infrequently used computer programs, including Adobe Acrobat, are current examples of the level and frequency of malicious cyber threats crafted in today’s technology [2].

Consequently, organizations need to advance the development of new security technologies to defend against the increasingly sophisticated tide of malicious events penetrating their networks and systems [2]. Best practice in computer network and system security command that “defense-in-depth” defined as the strategy of developing multiple defense layers around critical infrastructures to protect system data is an effective posture to defend against the increasingly sophisticated attacks. A critical aspect of network and system security monitoring is the integration of intrusion-detection and intrusion-prevention mechanisms within the defense-in-depth strategy. Intrusion-detection systems (IDSs) monitor and log the traffic navigating for signs of unwanted or malicious activity and send an alert upon detecting suspicious events [1].

The philosophy behind a network IDSs is to have a technology that can track all the traffic on its part of the available network. It continuously monitors this traffic based on defined rules within the network and activates an action on the packets matching one of the stated rules from the network’s set of rules [3]. One could think of the functionality of an IDS as comparable to that of antivirus software, scanning activities regarded as spiteful and acting on them accordingly [3]. IDSs are computer programs that perform intrusion detection by matching observable behaviors against suspicious configurations. In real-time intrusion detection, strategies based on data mining often fall into either one of the two classifications: misuse detection and anomaly detection. Under misuse detection, every instance in the system data is marked as “normal” or “intrusive,” and a learning algorithm is trained over the marked data [1].

There are currently two major categories of intrusion-detection, signature-based and anomaly-based. Anomaly-based detection analyses a network or system traffic from a holistic view, searching for traffic falling outside the category of normal activity, analyzing and taking to alleviate the anomaly. Anomaly detection effectively identifies new, formerly unidentified threats in a comparatively small network setting [4]. The signature-based intrusion-detection programs try to match computer network and system traffic data to the pre-loaded signature database. The signature rules, in this case, emanate from the formally identified malicious traffic and can be custom designed to match any traffic that traverses the network. After matching the signature rule, the detection system creates an alert sent to the analysts for appropriate action [2]. With the increased frequency and complexity of cyberattacks in the modern age, IDSs have become significantly vital to wide audiences [3]. Consequently, IT and software experts have been working to advance the IDS technology and have generated several open source and proprietary products to respond to increasingly sophisticated attacks [4].

This study analyses and compares the performance of the two widely used open-source IDSs engines globally: Snort and Suricata, to help users decide which open-source IDS suits their needs. There are several proprietary and open-source IDS engines available in the market. However, it could prove challenging to manipulate, configure, and evaluate the efficacy of propriety products. This does not mean that proprietary solutions do not provide such functionality, but for equal comparison, this research will only concentrate on open-source IDS solutions, specifically, Snort and Suricata.

Study shows that Snort IDS solution is probably the most recognized open-source IDS software available today and has been around for over a decade. Snort is an open-source IDS developed in 1998 by Sourcefire Inc. and created by Martin Roesch. Snort can perform real-time network traffic investigation and packet logging on IP networks and is compatible with most commonly used operating systems, including Windows, Linux, FreeBSD, Mac OS X, and UNIX. Community Snort Rules and Snort detection software are GNU GPL v.2 licensed [5]. Snort’s two primary components are attractive for some cases: detection engine that uses modular plug-in architectures and flexible language rules to define the traffic to be gathered. Snort’s detection rules, alert output, and process components are plug-ins. This means that they all can be configured and turned off and on individually [6]. Snort applies a single-threaded engine, which experts consider outdated because multi-core hardware and multilayer CPU are most common today. Therefore, Sort IDS can only work optimally with a single processor core by default. The only way of solving this challenge is to let Snort operate as multiple processes, with every process assigned a different processor core. However, this will likely make intrusion detection more complex since the user must replace the default network socket packet capture library [6].

In recent years, Suricata has been equated to Snort IDS. The two open-source IDS share similar rule syntax. However, Suricata appears to be more preferred because of the multi-threaded design than the single-threaded analysis design for Snort. The operating mode of Suricata is similar to Snort’s and has the same rule syntax and data flow. There is no significant difference connecting Suricata to the network. The overall data flow in Suricata is also the same as Snort, starting with packet capture, decoding, processing, and analysis. This implies that Snort and Suricata can apply similar rules [7]

However, the two IDS vary in internal engines, determining their applicability and efficiency. Suricata structure also has the HTP Library, an HTTP normalizer, and a parser. The feature integrates and offers advanced HTTP streams processing for Suricata. Suricata operates a multi-threaded strategy different from the single-threaded engine used by Snort. Suricata’s threads can use either one or more Thread Modules, input and output queue handlers, to obtain packets from different threads or the universal packet pool [7]. Suricata has a higher RAM and CPU utilization compared to Snort in most instances on all operating systems. However, its dropped packets percentage is lower than Snort in many experiments of simulated attacks. Furthermore, Suricata is a rule-based IDS, taking advantage of externally established sets of rules to monitor sniffed network or system traffic and generate alerts in the event of suspicious activity [3]. Considering the few but important differences, it is likely that Suricata and Snort perform differently based on the efficiency and speed of the system and network analysis. This will be tested in this study using the experimentation approach.

References

[1]G. Bada, W. Nabare and D. Quansah, “Comparative Analysis of the Performance of Network Intrusion Detection Systems: Snort, Suricata and Bro Intrusion Detection Systems in Perspective”, International Journal of Computer Applications, vol. 176, no. 40, pp. 39-44, 2020. Available: 10.5120/ijca2020920513.

[2]Y. Jia, J. Wang, C. Poskitt, S. Chattopadhyay, J. Sun and Y. Chen, “Adversarial attacks and mitigation for anomaly detectors of cyber-physical systems”, International Journal of Critical Infrastructure Protection, vol. 34, p. 100452, 2021. Available: 10.1016/j.ijcip.2021.100452.

[3]Vinayakumar R, Soman KP and P. Poornachandran, “A Comparative Analysis of Deep Learning Approaches for Network Intrusion Detection Systems (N-IDSs)”, International Journal of Digital Crime and Forensics, vol. 11, no. 3, pp. 65-89, 2019. Available: 10.4018/ijdcf.2019070104.

[4]H. Kwon, T. Kim and M. Lee, “Advanced Intrusion Detection Combining Signature-Based and Behavior-Based Detection Methods”, Electronics, vol. 11, no. 6, p. 867, 2022. Available: 10.3390/electronics11060867.

[5]G. Grimes, “Network security managers’ preferences for the Snort IDS and GUI add-ons”, Network Security, vol. 2005, no. 4, pp. 19-20, 2005. Available: 10.1016/s1353-4858(05)70228-2.

[6]B. Gdowski, R. Kościej and M. Niemiec, “Heuristic-based Intrusion Detection Functionality in a Snort Environment”, Information & Security: An International Journal, vol. 50, pp. 23-36, 2021. Available: 10.11610/isij.5010.

[7]J. Seok, M. Choi, J. Kim and J. Park, “A Comparative Study on Performance of Open Source IDS/IPS Snort and Suricata”, Journal of the Korea Society of Digital Industry and Information Management, vol. 12, no. 1, pp. 89-95, 2016. Available: 10.17662/ksdim.2016.12.1.089.