A Comparative Experimental Design and Performance Analysis of Snort-Based Intrusion Detection System in Practical Computer Networks

As one of the most reliable technologies, a network intrusion detection system (NIDS) monitors incoming and outgoing traffic to identify unauthorised use of, and attacker misuse of, computer network systems. To this end, this paper investigates the experimental performance of a Snort-based NIDS (S-NIDS) in a practical network built with current technology, under various network scenarios including high data speed and/or heavy traffic and/or large packet size. An effective testbed is designed around Snort using different multi-core processors, e.g., i5 and i7, with different operating systems, e.g., Windows 7, Windows Server and Linux. Furthermore, considering an enterprise network consisting of multiple virtual local area networks (VLANs), a centralised parallel S-NIDS (CPS-NIDS) is proposed, supported by a centralised database server, to cope with high data speed and heavy traffic. Experimental evaluation is carried out for each network configuration to assess the performance of the S-NIDS in the different network scenarios and to validate the effectiveness of the proposed CPS-NIDS. In particular, by analysing packet analysis efficiency, an improved performance of up to 10% is shown to be achieved with Linux over the other operating systems, while up to 8% of improved performance can be achieved with i7 over i5 processors.
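The comparison above rests on packet analysis efficiency, i.e. the share of received packets Snort actually inspected; every dropped packet is traffic that no rule ever saw. The following is an added example, not code or data from the paper: it parses the "Packet I/O Totals" block that Snort 2.x prints at shutdown (the format is an assumption here) and compares two constructed summaries, one per host, so an operator can quantify the gap the way the paper does.

```python
import re

# Constructed samples of the "Packet I/O Totals" block that Snort 2.x prints at
# shutdown (format assumed; the counts are made up and are NOT the paper's data).
SNORT_SUMMARY_LINUX = """\
Packet I/O Totals:
   Received:      1000000
   Analyzed:       985000 ( 98.500%)
    Dropped:        15000 (  1.500%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
"""

SNORT_SUMMARY_WINDOWS = """\
Packet I/O Totals:
   Received:      1000000
   Analyzed:       900000 ( 90.000%)
    Dropped:       100000 ( 10.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
"""

# One counter per line: label, colon, integer; the percentage in parentheses is ignored.
_COUNTER = re.compile(r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding):\s+(\d+)", re.M)


def parse_packet_totals(summary: str) -> dict:
    """Return the integer packet counters found in a Snort 'Packet I/O Totals' block."""
    counts = {name: int(val) for name, val in _COUNTER.findall(summary)}
    if "Received" not in counts or "Analyzed" not in counts:
        raise ValueError("summary lacks Received/Analyzed counters")
    return counts


def analysis_efficiency(summary: str) -> float:
    """Packets actually inspected as a fraction (0..1) of packets received."""
    c = parse_packet_totals(summary)
    return c["Analyzed"] / c["Received"] if c["Received"] else 0.0


def relative_improvement(baseline: str, candidate: str) -> float:
    """Percentage points by which the candidate's analysis efficiency exceeds the baseline's."""
    return 100.0 * (analysis_efficiency(candidate) - analysis_efficiency(baseline))


if __name__ == "__main__":
    for label, s in (("linux", SNORT_SUMMARY_LINUX), ("windows", SNORT_SUMMARY_WINDOWS)):
        print(f"{label}: {analysis_efficiency(s):.3%} analysed, "
              f"dropped={parse_packet_totals(s)['Dropped']}")
    print(f"linux vs windows: +{relative_improvement(SNORT_SUMMARY_WINDOWS, SNORT_SUMMARY_LINUX):.1f} points")
```

Run the same computation against the real shutdown summary of each sensor host; a rising Dropped count under load is the first sign that the sensor, not the rule set, is the detection gap.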
