Abstract
We present an analysis of the diversity that exists in the rules and blacklisted IP addresses of the Snort and Suricata Intrusion Detection Systems (IDSs). We analysed the evolution of the rulesets and blacklisted IP addresses of these two IDSs over a 5-month period between May and October 2017. We used three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. Analysing the differences in these systems allows us to get insights on where the diversity in the behaviour of these systems comes from and how does it evolve over time. This gives insight to Security architects on how they can combine and layer these systems in a defence-in-depth deployment. To the best of our knowledge a similar experiment has not been performed before. We will also show results on the observed diversity in behaviour of these systems, when they analysed the network data of the DMZ network of City, University of London.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
References
Elia, I.A., Fonseca, J., Vieira, M.: Comparing SQL injection detection tools using attack injection: an experimental study. In: 2010 IEEE 21st International Symposium on Software Reliability Engineering (2010)
Littlewood, B., Strigini, L.: Redundancy and diversity in security. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 423–438. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30108-0_26
Garcia, M., et al.: Analysis of operating system diversity for intrusion tolerance. Softw.: Pract. Exp. 44(6), 735–770 (2014)
Hiltunen, M.A., et al.: Survivability through customization and adaptability: the Cactus approach. In: Proceedings of DARPA Information Survivability Conference and Exposition, DISCEX 2000 (2000)
Reynolds, J., et al.: The design and implementation of an intrusion tolerant system. In: International Conference on Dependable Systems and Networks, DSN 2002, Washington, D.C., USA (2002)
Sanders, W.H., et al.: Probabilistic validation of intrusion tolerance. In: International Conference on Dependable Systems and Networks, Fast Abstracts Supplement, DSN 2002, Bethesda, Maryland (2002)
Gupta, V., Lam, V., Ramasamy, H.V., Sanders, W.H., Singh, S.: Dependability and performance evaluation of intrusion-tolerant server architectures. In: de Lemos, R., Weber, T.S., Camargo, J.B. (eds.) LADC 2003. LNCS, vol. 2847, pp. 81–101. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45214-0_9
Bishop, et al.: Diversity for security: a study with off-the-shelf antivirus engines. In: 22nd IEEE International Symposium on Software Reliability Engineering (ISSRE 2011) (2011)
Milenkoski, A., et al.: Evaluating computer intrusion detection systems: a survey of common practices. ACM Comput. Surv. 48(1), 12:1–12:41 (2015)
Acknowledgment
This work was supported by the UK EPSRC project D3S and in part by the EU H2020 framework DiSIEM project.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Asad, H., Gashi, I. (2018). Diversity in Open Source Intrusion Detection Systems. In: Gallina, B., Skavhaug, A., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2018. Lecture Notes in Computer Science(), vol 11093. Springer, Cham. https://doi.org/10.1007/978-3-319-99130-6_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-99130-6_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99129-0
Online ISBN: 978-3-319-99130-6
eBook Packages: Computer ScienceComputer Science (R0)