Implementation and performance evaluation of network intrusion detection systems

Abstract

Modern intrusion detection systems (IDS) are deployed in high-speed networks. Thus, they must be able to process a large amount of data in real time. This raises the issue of performance and required an evaluation of these IDS. We present in this paper an evaluation approach, based on a series of tests. The aim is to measure the performance of the components of an IDS and their effects on the entire system, as well as to study the effect of the characteristics of the deployment environment on the operation of the IDS. So, we have implemented the IDS SNORT on machines with different technical characteristics and we have designed a network to generate a set of experiments to measure the performances obtained in the case of a deployment in high-speed networks. These experiments consist in injecting various traffic loads, characterized by different transmission times, packet numbers, packet sizes and bandwidths, and then analyzing, for each situation, the processing performed on the packets. Our experiments have revealed the weaknesses of the IDS in a precise way. Mainly, the inability to process multiple packets and the propensity to deposit, without analysis, packets in high-speed networks with heavy traffic. Our work also determined the effect of a component on the entire system and the effect of hardware characteristics on the performance of an IDS.