ANALYZING SURICATA ALERT DETECTION PERFORMANCE ISSUES BASED ON ACTIVE INDICATOR OF COMPROMISE RULES

Didit Hari Kuncoro Raharjo; Muhammad Salman

doi:10.52436/1.jutif.2023.4.3.1013

Didit Hari Kuncoro Raharjo Department of Electrical Engineering, Faculty of engineering, Indonesia
Muhammad Salman Department of Electrical Engineering, Faculty of engineering, Indonesia

DOI: https://doi.org/10.52436/1.jutif.2023.4.3.1013

Keywords: Detection, IoC, Performance, Suricata

Abstract

Many studies have been related to the Intrusion Detection System (IDS) performance analysis. Still, most focus on inspection performance on high-capacity networks with packet drop percentage as a performance parameter. Few studies are related to performance analysis in the form of detection accuracy based on the number of rules activated. This research will analyze the performance of IDS Suricata based on the number of active rules in the form of Indicator of Compromise (IoC), including IPRep, HTTP, DNS, MD5, and JA3. The analysis method focuses on the detection accuracy of varying the number of active rules up to 1 million, expressed in 5 scenarios. In scenarios 1 to 4, where IoC rules are tested separately, the reduction in detection accuracy performance starts to occur when the number of active rules is at 100,000 and continues to decrease when the number reaches 1 million. However, in scenario 5, where the IoC rules are tested together, the percentage of rules detection accuracy decreases when the number of active rules from each IoC is less than 10,000. The percentage decrease in detection accuracy performance in scenario five can occur with an average reduction of 19.64%. Even further in scenario 5, when the total number of rules reaches 1,000,000 or 200,000 from each IoC, IDS Suricata fails to detect all rules (detection percentage is 0%). This research show that the higher number of rules activated, the decrease in the Suricata IDS performance in terms of detection accuracy.

Downloads

Download data is not yet available.

References

N. Iyengar, "Evaluation of Network Based IDS and Deployment of multi-sensor IDS," arXiv preprint arXiv:2007.11654, 2020.

P. Alekar, "Survey on Intrusion Detection System (IDS)," International Journal of Technology Research and Management, vol. 5, no. 7, pp. 1-5, 2018.

H. Hindy et al., "A taxonomy and survey of intrusion detection system design techniques, network threats and datasets," Faculty of Engineering, Electronic and Electrical Engineering, University of Strathclyde Institutional, 2018. [Online]. Available: https://strathprints.strath.ac.uk/id/eprint/64653

K. Sengaphay, S. Saiyod, and N. Benjamas, "Creating snort-IDS rules for detection behavior using multi-sensors in private cloud," in Information Science and Applications (ICISA) 2016: Springer, 2016, pp. 589-601.

H. Hindy et al., "A taxonomy and survey of intrusion detection system design techniques, network threats and datasets," 2018.

M. Bertovič, "Utilization of Threat Intelligence in Information Security," Computing and Information Center, Czech Technical University in Prague., 2017.

H. Almohannadi, I. Awan, J. Al Hamar, A. Cullen, J. P. Disso, and L. Armitage, "Cyber threat intelligence from honeypot data using elasticsearch," in 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA), 2018: IEEE, pp. 900-906.

C. Pace, "The threat intelligence handbook: A practical guide for security teams to unlocking the power of intelligence," Annapolis, CyberEdge Group, 2018.

J. Althouse. "TLS Fingerprinting with JA3 and JA3S - Salesforce Engineering Blog." https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/ (accessed 11 Jan, 2023).

Q. Hu, S.-Y. Yu, and M. R. Asghar, "Analysing performance issues of open-source intrusion detection systems in high-speed networks," Journal of Information Security and Applications, vol. 51, p. 102426, 2020.

W. Park and S. Ahn, "Performance Comparison and Detection Analysis in Snort and Suricata Environment," Wireless Personal Communications, vol. 94, no. 2, 2017.

K. Wong, C. Dillabaugh, N. Seddigh, and B. Nandy, "Enhancing Suricata intrusion detection system for cyber security in SCADA networks," in 2017 IEEE 30th Canadian Conference on Electrical and Computer Engineering (CCECE), 2017: IEEE, pp. 1-5.

A. Waleed, A. F. Jamali, and A. Masood, "Which open-source IDS? Snort, Suricata or Zeek," Computer Networks, vol. 213, p. 109116, 2022.

B. R. Murphy, "Comparing the performance of intrusion detection systems: Snort and Suricata," Colorado Technical University, 2019.

B. Brumen and J. Legvart, "Performance analysis of two open source intrusion detection systems," in 2016 39th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2016: IEEE, pp. 1387-1392.

T. Ernawati, M. F. Fachrozi, and D. D. Syaputri, "Analysis of Intrusion Detection System Performance for the Port Scan Attack Detector, Portsentry, and Suricata," (in English), IOP Conference Series. Materials Science and Engineering, vol. 662, no. 5, 2019, doi: https://doi.org/10.1088/1757-899X/662/5/052013.

C. Hoover, "Comparative Study of Snort 3 and Suricata Intrusion Detection Systems," Bachelor of Science, Computer Science and Computer Engineering, University of Arkansas, 2022. [Online]. Available: https://scholarworks.uark.edu/csceuht/105

T. Lukaseder, J. Fiedler, and F. Kargl, "Performance evaluation in high-speed networks by the example of intrusion detection," arXiv preprint arXiv:1805.11407, 2018.

J. Guo, H. Guo, and Z. Zhang, "Research on High Performance Intrusion Prevention System Based on Suricata," Highlights in Science, Engineering and Technology, vol. 7, pp. 238-245, 2022.

D. H. K. Raharjo, A. Nurmala, R. D. Pambudi, and R. F. Sari, "Performance Evaluation of Intrusion Detection System Performance for Traffic Anomaly Detection Based on Active IP Reputation Rules," in 2022 3rd International Conference on Electrical Engineering and Informatics (ICon EEI), 2022: IEEE, pp. 75-79.

R. Rohith, M. Moharir, and G. Shobha, "SCAPY-A powerful interactive packet manipulation program," in 2018 international conference on networking, embedded and wireless systems (ICNEWS), 2018: IEEE, pp. 1-5.

M. Purzynski and P. Manev, "Suricata Extreme Performance Tuning," presented at the Suricon 2016, 2016. [Online]. Available: https://suricon.net/suricon-2016-washington-dc/.

F. Klassen. "TCPReplay Sample Captures." https://tcpreplay.appneta.com/wiki/captures.html (accessed December, 2022).

P. Inc. "Proofpoint Emerging Threats Rules." https://rules.emergingthreats.net/ (accessed December, 2022).

K. Jakimoski and N. V. Singhai, "Improvement of hardware firewall’s data rates by optimizing suricata performances," in 2019 27th Telecommunications Forum (TELFOR), 2019: IEEE, pp. 1-4.