Implementation and Evaluation of Network Intrusion Detection Systems

Performance evaluation of Network Intrusion Detection Systems (NIDS) has been carried out to identify its limitations in high speed environment. This has been done by employing evasive and avoidance strategies simulating real-life normal and attack traffic flows on a sophisticated Test-Bench. Snort, an open source Intrusion Detection System, has been selected as an evaluation platform. In this paper, Snort has been evaluated on host and virtual configurations using different operating systems and hardware implementations. Evaluation methodology is based on the concept of stressing the system by injecting various traffic loads (packet sizes, bandwidth and attack signatures) and analyzing its packet handling and detection capacity. We have observed few performance issues with Snort which has resulted into packet drop and low detection rate. Finally, we have analyzed the factors responsible for it and have recommended techniques to improve systems packet handling and detection capability.

[1]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[2]  Hugo Cornwall,et al.  Hackers Handbook , 1986 .

[3]  Monis Akhlaq,et al.  High Speed NIDS using Dynamic Cluster and Comparator Logic , 2010, 2010 10th IEEE International Conference on Computer and Information Technology.

[4]  Monis Akhlaq,et al.  Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems , 2009, ISDF.

[5]  Jeffrey D. Case,et al.  Simple Network Management Protocol (SNMP) , 1989, RFC.

[6]  Rogier Dittner,et al.  An Introduction to Virtualization , 2007 .

[7]  J. Skudutis,et al.  Investigation of the Intrusion Detection System "Snort" Performance , 2008 .

[8]  Monis Akhlaq,et al.  Evaluating Intrusion Detection Systems in High Speed Networks , 2009, 2009 Fifth International Conference on Information Assurance and Security.

[9]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.