The goal for this first bi-weekly update is to examine the existing literature on the differences between signature-based and anomaly-based intrusion detection systems (IDS). I will also detail the methodology I plan to use to perform a comparative analysis of the two approaches.
The paper chosen for analysis sets out to design an IDS that combines the two approaches into a hybrid model incorporating the benefits of each. While this project examines the effectiveness of each system individually, that work is still extremely valuable for identifying the strengths and weaknesses of both approaches, and it provides a solid starting point for the comparison. The authors emphasize the importance of scrutinizing incoming network traffic and clarify the distinction between the two detection methodologies, explaining that a “signature-based approach […] identif[ies] known attacks by learning patterns, while [an] anomaly-based approach focuses on learning normal system activities and classify[ing] packets as either normal or abnormal.” For the anomaly-based approach, they note the benefit that it can still flag zero-day attacks, since, unlike the signature-based approach, it does not rely on a database of previously seen attacks. They also explore how various tree-based models can achieve a high level of detection accuracy at low computational cost. In contrast, signature-based approaches classify known attacks much better than anomaly-based approaches, which allows for a quicker and more effective threat response. The drawback is that unknown attack vectors, such as zero days, are hard for this approach to identify.
This study will evaluate the comparative effectiveness of signature-based (Snort) and anomaly-based (Suricata) intrusion detection systems in a controlled virtual environment. The testing framework will use three isolated virtual machines: a traffic generator running custom Python scripts that produce synthetic network patterns, an IDS VM alternating between Snort and Suricata configurations, and a target system. Both IDS platforms will be configured with default rule sets and equivalent sensitivity levels, operating under identical hardware allocations. Performance analysis will focus on detection rate, false positive rate, resource utilization, and processing latency, with all tests conducted under standardized traffic conditions so that the comparison is reliable.
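To make those metrics concrete, here is an added example (not part of the original post, and not code from Snort or Suricata) of the scoring step the framework needs: it joins the generator's ground-truth label for each synthetic flow to the alerts the IDS VM emitted and computes detection rate, false positive rate and alert latency. The JSON field names, the sample ground truth and the sample alert log are constructed assumptions rather than the real Snort or Suricata output formats.

```python
import json

# Constructed ground truth for the synthetic flows the generator VM sent:
# key = (src_ip, dest_ip, dest_port), value = label and send time in seconds.
GROUND_TRUTH = {
    ("10.0.0.2", "10.0.0.3", 22):  {"malicious": True,  "sent_at": 100.0},
    ("10.0.0.2", "10.0.0.3", 80):  {"malicious": False, "sent_at": 101.0},
    ("10.0.0.2", "10.0.0.3", 445): {"malicious": True,  "sent_at": 102.0},
    ("10.0.0.2", "10.0.0.3", 443): {"malicious": False, "sent_at": 103.0},
}

# Constructed alert log, one JSON event per line. The field names are an
# assumption for this example, not the real Snort or Suricata schema.
ALERT_LOG = """\
{"ts": 100.4, "event_type": "alert", "src_ip": "10.0.0.2", "dest_ip": "10.0.0.3", "dest_port": 22}
{"ts": 100.7, "event_type": "alert", "src_ip": "10.0.0.2", "dest_ip": "10.0.0.3", "dest_port": 22}
{"ts": 101.2, "event_type": "alert", "src_ip": "10.0.0.2", "dest_ip": "10.0.0.3", "dest_port": 80}
{"ts": 103.1, "event_type": "flow", "src_ip": "10.0.0.2", "dest_ip": "10.0.0.3", "dest_port": 443}
"""

def first_alert_times(alert_log):
    """Map each alerted flow key to the timestamp of its earliest alert."""
    first = {}
    for line in alert_log.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/stats records are not detections
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        first[key] = min(ev["ts"], first.get(key, ev["ts"]))
    return first

def evaluate(ground_truth, alert_log):
    """Score one IDS run: detection rate, false positive rate, mean latency."""
    first = first_alert_times(alert_log)
    tp = fp = fn = tn = 0
    latencies = []
    for key, truth in ground_truth.items():
        alerted = key in first
        if truth["malicious"] and alerted:
            tp += 1
            latencies.append(first[key] - truth["sent_at"])  # time to first alert
        elif truth["malicious"]:
            fn += 1  # missed attack
        elif alerted:
            fp += 1  # benign flow that raised an alert
        else:
            tn += 1
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "mean_latency_s": sum(latencies) / len(latencies) if latencies else None,
    }
```

Running the same scorer over the Snort and Suricata alert logs from identical traffic runs gives directly comparable numbers for the table in the final report.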
[1] Agrawal, V.K., Rudra, B. (2023). Performance Evaluation of Signature Based and Anomaly Based Techniques for Intrusion Detection. In: Abraham, A., Pllana, S., Casalino, G., Ma, K., Bajaj, A. (eds) Intelligent Systems Design and Applications. ISDA 2022. Lecture Notes in Networks and Systems, vol 717. Springer, Cham. https://doi.org/10.1007/978-3-031-35510-3_47