Performance Evaluation of Intrusion Detection System Performance for Traffic Anomaly Detection Based on Active IP Reputation Rules
D. Raharjo, Ade Nurmala, Ricko Dwi Pambudi, R. F. Sari
2022 3rd International Conference on Electrical Engineering and Informatics (ICon EEI), published 2022-10-19
DOI: 10.1109/IConEEI55709.2022.9972298 (https://doi.org/10.1109/IConEEI55709.2022.9972298)
Citations: 2
Abstract
As a signature-based Intrusion Detection System (IDS), Suricata inspects traffic against a rule set and raises an alert for any traffic that matches a rule. The larger and more complex the rule set, the more comprehensive Suricata's anomaly detection should be, but every active rule also adds inspection cost, and that trade-off is what this study measures. The study analyzes how the number of active rules affects IDS performance in detecting anomalies in data traffic, focusing on Internet Protocol (IP) reputation rules in Suricata. The authors generate a multi-IP communication simulation with the NS3 network simulator; the packet capture (pcap) file that NS3 produces serves as the Suricata test dataset, from which the percentage of packets dropped and the percentage of rules detected are calculated. The pcap is replayed with tcpreplay while Suricata inspects the packets. The results show that the number of activated rules has a linear effect on Suricata's detection performance: measured as the percentage of rules detected, performance dropped by approximately 14% with 10,000 IP reputation rules in scenario 1, and it continued to fall sharply, reaching only 16.24% when the IP reputation list grew to 1 million entries in scenario 2.
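The abstract describes the test method but not how an IP reputation rule set of a chosen size is built or how the two metrics are computed. The following is an added example, not code from the paper or from the Suricata project, that generates the three files Suricata needs for IP reputation (categories file, reputation list, rules using the iprep keyword) for any list size, and scores a run from eve.json records. Everything beyond Suricata's documented file and keyword syntax is an assumption: one rule per listed host so that the active-rule count equals the list size, the category name "BadRep", the local SID range, reading "rules detected" as the share of loaded rules that raised at least one alert, and reading drops from the af-packet capture counters in the stats record. The eve.json lines are constructed, not captured output.

```python
"""
Suricata IP-reputation test-set generator plus a scorer for the two
metrics the paper reports (packet-drop percentage, rules-detected
percentage). Added example, not code from the paper or from Suricata.
"""
import ipaddress
import json
import os

CATEGORY_ID = 1
CATEGORY_NAME = "BadRep"   # assumed category name, not from the paper
SID_BASE = 9_000_000       # assumed local SID range
REP_SCORE = 120            # score written per host; the rules fire on > 100


def listed_hosts(n_hosts, base_net="10.0.0.0/8"):
    """Return the first n_hosts host addresses of base_net as strings."""
    hosts = []
    for host in ipaddress.ip_network(base_net).hosts():
        if len(hosts) == n_hosts:
            break
        hosts.append(str(host))
    return hosts


def reputation_lines(n_hosts):
    """Lines for reputation.list in Suricata's <ip>,<category id>,<score> form."""
    return [f"{ip},{CATEGORY_ID},{REP_SCORE}" for ip in listed_hosts(n_hosts)]


def rule_lines(n_hosts):
    """One rule per listed host (an assumption of this example).

    The keyword follows Suricata's documented form
    iprep:<side>,<category>,<operator>,<score>; the source-IP restriction
    in the rule header makes each rule fire only for its own listed host.
    """
    return [
        f'alert ip {ip} any -> any any (msg:"IPREP {CATEGORY_NAME} {ip}"; '
        f"iprep:src,{CATEGORY_NAME},>,100; sid:{SID_BASE + i}; rev:1;)"
        for i, ip in enumerate(listed_hosts(n_hosts))
    ]


def build_iprep_set(directory, n_hosts):
    """Write categories.txt, reputation.list and iprep.rules; return rule count.

    suricata.yaml then points at the directory via reputation-categories-file,
    default-reputation-path and reputation-files, and iprep.rules is loaded
    as an ordinary rule file.
    """
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, "categories.txt"), "w") as f:
        f.write(f"{CATEGORY_ID},{CATEGORY_NAME},hosts flagged for the replay test\n")
    with open(os.path.join(directory, "reputation.list"), "w") as f:
        f.write("\n".join(reputation_lines(n_hosts)) + "\n")
    rules = rule_lines(n_hosts)
    with open(os.path.join(directory, "iprep.rules"), "w") as f:
        f.write("\n".join(rules) + "\n")
    return len(rules)


def score_eve(eve_lines, rules_loaded):
    """Return (packet_drop_pct, rules_detected_pct) from eve.json lines.

    Drop percentage = kernel_drops / kernel_packets from the last stats
    record (af-packet counter names); rules-detected = distinct
    signature_ids seen in alert records divided by rules_loaded.
    """
    kernel_packets = kernel_drops = 0
    fired = set()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            fired.add(rec["alert"]["signature_id"])
        elif rec.get("event_type") == "stats":
            cap = rec["stats"].get("capture", {})
            kernel_packets = cap.get("kernel_packets", kernel_packets)
            kernel_drops = cap.get("kernel_drops", kernel_drops)
    drop_pct = 100.0 * kernel_drops / kernel_packets if kernel_packets else 0.0
    det_pct = 100.0 * len(fired) / rules_loaded if rules_loaded else 0.0
    return round(drop_pct, 2), round(det_pct, 2)


# Constructed eve.json records (not real Suricata output): two distinct
# rules fired, one of them twice, and the capture counters show drops.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.0.1","alert":{"signature_id":9000000,"signature":"IPREP BadRep 10.0.0.1"}}',
    '{"event_type":"alert","src_ip":"10.0.0.2","alert":{"signature_id":9000001,"signature":"IPREP BadRep 10.0.0.2"}}',
    '{"event_type":"alert","src_ip":"10.0.0.2","alert":{"signature_id":9000001,"signature":"IPREP BadRep 10.0.0.2"}}',
    '{"event_type":"stats","stats":{"capture":{"kernel_packets":1000,"kernel_drops":140}}}',
]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        loaded = build_iprep_set(d, 20)
        print(open(os.path.join(d, "iprep.rules")).readline().rstrip())
    print(score_eve(SAMPLE_EVE, loaded))   # (14.0, 10.0)
```

The drop metric only means something when Suricata listens on a live interface while tcpreplay injects the pcap, as the paper does; in offline mode (suricata -r file.pcap) every packet is read from disk and the kernel drop counter stays at zero, so the two scenarios would not be comparable that way.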