Performance Comparison of Intrusion Detection Systems and Application of Machine Learning to Snort System

TL;DR

This paper compares the performance of Snort and Suricata IDSs at 10 Gbps, and introduces an optimized SVM with firefly algorithm to improve Snort's detection accuracy and reduce false positives.

Contribution

It provides the first performance comparison of two IDSs at 10 Gbps and applies hybrid machine learning algorithms to enhance Snort's detection capabilities.

Findings

Suricata processes higher traffic with lower packet drop but uses more resources.

Snort has higher detection accuracy but more false positives.

Optimized SVM with firefly algorithm achieved 8.6% FPR and 2.2% FNR.

Abstract

This study investigates the performance of two open source intrusion detection systems (IDSs) namely Snort and Suricata for accurately detecting the malicious traffic on computer networks. Snort and Suricata were installed on two different but identical computers and the performance was evaluated at 10 Gbps network speed. It was noted that Suricata could process a higher speed of network traffic than Snort with lower packet drop rate but it consumed higher computational resources. Snort had higher detection accuracy and was thus selected for further experiments. It was observed that the Snort triggered a high rate of false positive alarms. To solve this problem a Snort adaptive plug-in was developed. To select the best performing algorithm for Snort adaptive plug-in, an empirical study was carried out with different learning algorithms and Support Vector Machine (SVM) was selected. A hybrid version of SVM and Fuzzy logic produced a better detection accuracy. But the best result was achieved using an optimised SVM with firefly algorithm with FPR (false positive rate) as 8.6% and FNR (false negative rate) as 2.2%, which is a good result. The novelty of this work is the performance comparison of two IDSs at 10 Gbps and the application of hybrid and optimised machine learning algorithms to Snort.