City Research Online

Dynamical Analysis of Diversity in Rule-Based Open Source Network Intrusion Detection Systems

Asad, H. and Gashi, I. ORCID: 0000-0002-8017-3184 (2021). Dynamical Analysis of Diversity in Rule-Based Open Source Network Intrusion Detection Systems. Empirical Software Engineering,


Diverse layers of defence play an important role in the design of defence-in-depth architectures. The use of Intrusion Detection Systems (IDSs) are ubiquitous in this design. But the selection of the "right" IDSs in various configurations is an important decision that the security architects need to make. Additionally, the ability of these IDSs to adapt to the evolving threat-landscape also needs to be investigated. To help with these decisions, we need rigorous quantitative analysis. In this paper, we present a diversity analysis of open-source IDSs, Snort and Suricata, to help security architects tune/deploy these IDSs. We analyse two types of diversities in these IDSs; configurational diversity and functional diversity. In the configurational diversity analysis, we investigate the diversity in the sets of rules and the Blacklisted IP Addresses (BIPAs) these IDSs use in their configurations. The functional diversity analysis investigates the differences in alerting behaviours of these IDSs when they analyse real network traffic, and how these differences evolve. The configurational diversity experiment utilises snapshots of the rules and BIPAs collected over a period of 5 months, from May to October 2017. The snapshots have been collected for three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. The functional diversity investigates the alerting behaviour of these two IDSs for a sample of the real network traffic collected in the same time window. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from, how does it evolve and whether this has any effect on the alerting behaviour of these IDSs. This analysis gives insight to security architects on how they can combine and layer these systems in a defence-in-depth deployment.

Publication Type: Article
Additional Information: This article has been accepted for publication and will be published in Empirical Software Engineering, Springer.
Publisher Keywords: Security, Diversity of Security Tools, Evolution of Diversity, Intrusion Detection Systems
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Mathematics, Computer Science & Engineering > Computer Science
Date available in CRO: 03 Sep 2021 14:52
Date deposited: 3 September 2021
Date of acceptance: 1 September 2021
[img] Text - Accepted Version
This document is not freely accessible due to copyright restrictions.

To request a copy, please use the button below.

Request a copy



Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login