City Research Online

Diversity in Open Source Intrusion Detection Systems

Gashi, I. ORCID: 0000-0002-8017-3184 and Asad, H. (2018). Diversity in Open Source Intrusion Detection Systems. Paper presented at the SAFECOMP 2018, 18-21 Sep 2018, Västerås, Sweden.

Abstract

We present an analysis of the diversity that exists in the rules and blacklisted IP addresses of the Snort and Suricata Intrusion Detection Systems (IDSs). We analysed the evolution of the rulesets and blacklisted IP addresses of these two IDSs over a 5-month period between May and October 2017. We used three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. Analysing the differences in these systems allows us to get insights on where the diversity in the behaviour of these systems comes from and how does it evolve over time. This gives insight to Security architects on how they can combine and layer these systems in a defence-in-depth deployment. To the best of our knowledge a similar experiment has not been performed before. We will also show results on the observed diversity in behaviour of these systems, when they analysed the network data of the DMZ network of City, University of London.

Publication Type: Conference or Workshop Item (Paper)
Additional Information: This is the author-created version of a conference paper to be published in Lecture Notes in Computer Science. The final authenticated version is to be available online at: https://link.springer.com/bookseries/558
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Mathematics, Computer Science & Engineering > Computer Science > Software Reliability
URI: http://openaccess.city.ac.uk/id/eprint/19901
[img]
Preview
Text - Accepted Version
Download (855kB) | Preview

Export

Downloads

Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login