City Research Online

Diversity in Open Source Intrusion Detection Systems

Gashi, I. ORCID: 0000-0002-8017-3184 & Ul Asad, H. (2018). Diversity in Open Source Intrusion Detection Systems. In: Computer Safety, Reliability, and Security. SAFECOMP 2018. SAFECOMP 2018, 18-21 Sep 2018, Västerås, Sweden.


We present an analysis of the diversity that exists in the rules and blacklisted IP addresses of the Snort and Suricata Intrusion Detection Systems (IDSs). We analysed the evolution of the rulesets and blacklisted IP addresses of these two IDSs over a 5-month period between May and October 2017. We used three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. Analysing the differences in these systems allows us to get insights on where the diversity in the behaviour of these systems comes from and how does it evolve over time. This gives insight to Security architects on how they can combine and layer these systems in a defence-in-depth deployment. To the best of our knowledge a similar experiment has not been performed before. We will also show results on the observed diversity in behaviour of these systems, when they analysed the network data of the DMZ network of City, University of London.

Publication Type: Conference or Workshop Item (Paper)
Additional Information: This is the author-created version of a conference paper published in Lecture Notes in Computer Science. The final authenticated version is available online at:
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Science & Technology > Computer Science > Software Reliability
[thumbnail of DiversityInIDSs_SafeComp2018_Accepted_v01.pdf]
Text - Accepted Version
Download (855kB) | Preview


Add to AnyAdd to TwitterAdd to FacebookAdd to LinkedinAdd to PinterestAdd to Email


Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login