Evaluation studies of three intrusion detection systems under various attacks and rule sets

Abstract

This paper investigates the performance and the detection accuracy of three popular open-source intrusion detection systems: Snort, Suricata and Bro. We evaluate all systems using various attack types including DoS attack, DNS attack, FTP attack, Scan port attack, and SNMP attack. The experiments were run under different traffic rates and different sets of active rules. The performance metrics used are the CPU utilization, the number of packets lost, and the number of alerts. The results illustrated that each attack type had significant effects on the IDS performance. But, Bro showed better performance than other IDS systems when evaluated under different attack types and using a specific set of rules. The results also indicated the drop of the accuracy when the three IDS tools activate the full rule set.