Biblio

For the network intrusion detection system (NIDS), improving the performance of the analysis process has always been one of the primary goals that NIDS needs to solve. An important method to improve performance is to use parallel processing technology to maximize the usage of multi-core CPU resources. In this paper, by splitting Pcap data packets, the NIDS software Snort3 can process Pcap packets in parallel mode. On this basis, this paper compares the performance between Snort2, Suricata, and Snort3 with different CPU cores in processing different sizes of Pcap data packets. At the same time, a parallel unpacking algorithm is proposed to further improve the parallel processing performance of Snort3.

The rapid development of technology makes it possible for a physical machine to be converted into a virtual machine, which can operate multiple operating systems that are running simultaneously and connected to the internet. DoS/DDoS attacks are cyber-attacks that can threaten the telecommunications sector because these attacks cause services to be disrupted and be difficult to access. There are several software tools for monitoring abnormal activities on the network, such as IDS Snort and IDS Suricata. From previous studies, IDS Suricata is superior to IDS Snort version 2 because IDS Suricata already supports multi-threading, while IDS Snort version 2 still only supports single-threading. This paper aims to conduct tests on IDS Snort version 3.0 which already supports multi-threading and IDS Suricata. This research was carried out on a virtual machine with 1 core, 2 core, and 4 core processor settings for CPU, memory, and capture packet attacks on IDS Snort version 3.0 and IDS Suricata. The attack scenario is divided into 2 parts: DoS attack scenario using 1 physical computer, and DDoS attack scenario using 5 physical computers. Based on overall testing, the results are: In general, IDS Snort version 3.0 is better than IDS Suricata. This is based on the results when using a maximum of 4 core processor, in which IDS Snort version 3.0 CPU usage is stable at 55% - 58%, a maximum memory of 3,000 MB, can detect DoS attacks with 27,034,751 packets, and DDoS attacks with 36,919,395 packets. Meanwhile, different results were obtained by IDS Suricata, in which CPU usage is better compared to IDS Snort version 3.0 with only 10% - 40% usage, and a maximum memory of 1,800 MB. However, the capabilities of detecting DoS attacks are smaller with 3,671,305 packets, and DDoS attacks with a total of 7,619,317 packets on a TCP Flood attack test.

Distributed Denial of Service (DDoS) attack has been bringing serious security concerns on banks, finance incorporation, public institutions, and data centers. Also, the emerging wave of Internet of Things (IoT) raises new concerns on the smart devices. Software Defined Networking (SDN) and Network Functions Virtualization (NFV) have provided a new paradigm for network security. In this paper, we propose a new method to efficiently prevent DDoS attacks, based on a SDN/NFV framework. To resolve the problem that normal packets are blocked due to the inspection on suspicious packets, we developed a threshold-based method that provides a client with an efficient, fast DDoS attack mitigation. In addition, we use open source code to develop the security functions in order to implement our solution for SDN-based network security functions. The source code is based on NETCONF protocol [1] and YANG Data Model [2].