Effectiveness of Intrusion Detection Systems in High-speed Networks
Keywords
Computer Networking, Telecommunications, Intrusion Detection Systems
Abstract
Network Intrusion Detection Systems (NIDSs) play a crucial role in detecting malicious activity within networks. A NIDS monitors network flows and compares them against a set of pre-defined suspicious patterns. To make NIDSs effective, a range of intrusion detection algorithms and packet-capture methods have been implemented. With rapidly increasing network speeds, NIDSs face the challenging problem of monitoring large and diverse traffic volumes; in particular, high packet drop rates can significantly reduce detection accuracy. In this work, we investigate three popular open-source NIDSs, Snort, Suricata, and Bro, together with comparative performance benchmarks. We examine the key factors (system resource usage, packet processing speed and packet drop rate) that limit the applicability of NIDSs to large-scale networks. We also analyse and compare the performance of the NIDSs as their configurations and the offered traffic volumes are changed.
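The abstract's central claim, that packet drops in the capture path degrade detection accuracy, is illustrated by the following toy model. It is an added example, not code or data from the paper or from Snort, Suricata or Bro: the traffic is constructed, the "signature" is a harmless marker string, and the NIDS is reduced to a bounded capture buffer drained at a fixed processing rate, with flow reassembly over whatever packets survive.

```python
"""Toy model of a NIDS capture path (constructed traffic, not a real capture):
packets arrive at an offered rate into a bounded buffer that the detection
engine drains at its processing rate; arrivals that find the buffer full are
dropped.  A signature spread over several packets of one flow is missed if any
one of them is lost, so detection degrades faster than the raw drop rate."""
import random

SIGNATURE = b"EVIL-TEST-PATTERN-SPANNING-PACKETS"  # constructed, harmless marker

def make_traffic(n_flows, pkts_per_flow, malicious_every, seed=7):
    """Return (packets, malicious_flow_ids); packets are (flow, seq, bytes).
    Every `malicious_every`-th flow carries SIGNATURE split across its packets;
    the rest carry random printable text of the same length."""
    rng = random.Random(seed)
    packets, malicious = [], set()
    for flow in range(n_flows):
        if flow % malicious_every == 0:
            malicious.add(flow)
            payload = SIGNATURE
        else:
            payload = bytes(rng.randrange(32, 127) for _ in range(len(SIGNATURE)))
        size = -(-len(payload) // pkts_per_flow)  # ceiling division
        for seq, off in enumerate(range(0, len(payload), size)):
            packets.append((flow, seq, payload[off:off + size]))
    rng.shuffle(packets)  # flows interleave arbitrarily on the wire
    return packets, malicious

def run_nids(packets, malicious, offered_rate, process_rate, buffer_size):
    """Simulate one run; return (packet_drop_rate, detection_rate)."""
    buf, kept, dropped = [], [], 0
    for start in range(0, len(packets), offered_rate):
        for pkt in packets[start:start + offered_rate]:  # arrivals this tick
            if len(buf) >= buffer_size:
                dropped += 1  # capture buffer full: the engine never sees it
            else:
                buf.append(pkt)
        kept.extend(buf[:process_rate])  # engine inspects at most this many
        del buf[:process_rate]
    kept.extend(buf)  # engine catches up once the traffic stops
    streams = {}  # stream reassembly from the packets that survived, in order
    for flow, seq, data in sorted(kept):
        streams[flow] = streams.get(flow, b"") + data
    hits = sum(1 for f in malicious if SIGNATURE in streams.get(f, b""))
    return dropped / len(packets), hits / len(malicious)

if __name__ == "__main__":
    pkts, bad = make_traffic(200, 4, 4)
    for offered, rate, size in [(10, 10, 16), (20, 10, 16), (20, 10, 64)]:
        drop, det = run_nids(pkts, bad, offered, rate, size)
        print(f"offered={offered} rate={rate} buf={size}: drop={drop:.1%} detect={det:.1%}")
```

With the offered rate at twice the processing rate the model drops just under half of all packets, yet far more than half of the multi-packet signatures go undetected; enlarging the buffer delays the onset of drops but cannot remove them under sustained overload.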