{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T22:08:37Z","timestamp":1775167717050,"version":"3.50.1"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2023,12,20]],"date-time":"2023-12-20T00:00:00Z","timestamp":1703030400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,12,20]],"date-time":"2023-12-20T00:00:00Z","timestamp":1703030400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/M019462\/1"],"award-info":[{"award-number":["EP\/M019462\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/M019462\/1"],"award-info":[{"award-number":["EP\/M019462\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/M019462\/1"],"award-info":[{"award-number":["EP\/M019462\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["700692"],"award-info":[{"award-number":["700692"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["700692"],"award-info":[{"award-number":["700692"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["700692"],"award-info":[{"award-number":["700692"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,4]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>The signature-based network intrusion detection systems (IDSs) entail relying on a pre-established signatures and IP addresses that are frequently updated to keep up with the rapidly evolving threat landscape. To effectively evaluate the efficacy of these updates, a comprehensive, long-term assessment of the IDSs\u2019 performance is required. This article presents a perspective\u2013retrospective analysis of the Snort and Suricata IDSs using rules that were collected over a 4-year period. The study examines how these IDSs perform when monitoring malicious traffic using rules from the past, as well as how they behave when monitoring the same traffic using updated rules in the future. To accomplish this, a set of Snort Subscribed and Suricata Emerging Threats rules were collected from 2017 to 2020, and a labeled PCAP data from 2017 to 2018 was analyzed using past and future rules relative to the PCAP date. In addition to exploring the evolution of Snort and Suricata IDSs, the study also analyses the functional diversity that exists between these IDSs. By examining the evolutionary behavior of signature-based IDSs and their diverse configurations, the research provides valuable insights into how their performance can be impacted. These insights can aid security architects in combining and layering IDSs in a defence-in-depth deployment.<\/jats:p>","DOI":"10.1007\/s10207-023-00794-9","type":"journal-article","created":{"date-parts":[[2023,12,20]],"date-time":"2023-12-20T05:02:43Z","timestamp":1703048563000},"page":"1331-1346","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["A perspective\u2013retrospective analysis of diversity in signature-based open-source network intrusion detection systems"],"prefix":"10.1007","volume":"23","author":[{"given":"H.","family":"Asad","sequence":"first","affiliation":[]},{"given":"S.","family":"Adhikari","sequence":"additional","affiliation":[]},{"given":"Ilir","family":"Gashi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,12,20]]},"reference":[{"key":"794_CR1","doi-asserted-by":"crossref","unstructured":"Asad, H., Gashi, I.: Diversity in open source intrusion detection systems. In: International Conference on Computer Safety, Reliability, and Security, pp. 267\u2013281. Springer (2018)","DOI":"10.1007\/978-3-319-99130-6_18"},{"issue":"1","key":"794_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-10046-w","volume":"27","author":"H Asad","year":"2022","unstructured":"Asad, H., Gashi, I.: Dynamical analysis of diversity in rule-based open source network intrusion detection systems. Empir. Softw. Eng. 27(1), 1\u201330 (2022)","journal-title":"Empir. Softw. Eng."},{"key":"794_CR3","unstructured":"Canadian Institute for Cybersecurity. CIC - University of New Brunswick. https:\/\/www.unb.ca\/cic\/about\/hub.html (2022). Accessed 03 Jan 2022"},{"key":"794_CR4","doi-asserted-by":"publisher","DOI":"10.1201\/b16390","volume-title":"The State of the Art in Intrusion Prevention and Detection","author":"A-SK Pathan","year":"2014","unstructured":"Pathan, A.-S.K.: The State of the Art in Intrusion Prevention and Detection. CRC Press, Boca Raton (2014)"},{"key":"794_CR5","unstructured":"Snort Rules: https:\/\/snort.org\/documents\/registered-vs-subscriber (2021). Visited on 18 Apr 2021"},{"key":"794_CR6","unstructured":"Emerging Threat Rules. https:\/\/rules.emergingthreats.net\/open\/suricata\/ (2021). Visited on 18 Apr 2021"},{"key":"794_CR7","unstructured":"Snort Blacklists. https:\/\/talosintelligence.com\/documents\/ip-blacklist (2021). visited on 18 Apr 2021"},{"key":"794_CR8","unstructured":"Cummings, J.J., Shirk, M.: Pulledpork. https:\/\/github.com\/shirkdog\/pulledpork"},{"key":"794_CR9","unstructured":"Suricata Update Tool: https:\/\/suricataupdate.readthedocs.io\/en\/latest\/ (2021). Visited on 18 Apr 2021"},{"key":"794_CR10","unstructured":"Snort logs: http:\/\/manual-snortorg.s3-website-us-east-1.amazonaws.com\/node21.html (2021). Visited on 18 Apr 2021"},{"key":"794_CR11","unstructured":"Suricata logs: https:\/\/suricata.readthedocs.io\/en\/suricata-6.0.2\/output\/eve\/eve-json-output.html (2021). Visited on 18 Apr 2021"},{"key":"794_CR12","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSp, vol. 1, pp. 108\u2013116 (2018)","DOI":"10.5220\/0006639801080116"},{"key":"794_CR13","unstructured":"Realistic Cyber Defense Dataset (CSE-CIC-IDS2018). https:\/\/registry.opendata.aws\/cse-cicids2018 (2018). Accessed 01 May 2022"},{"key":"794_CR14","unstructured":"Granberg, N.: Evaluating the effectiveness of free rule sets for Snort. MA thesis, Link\u00f6ping University-Department of Computer and Information Science. http:\/\/urn.kb.se\/resolve?urn=urn:nbn:se:liu:diva-183361 (2022)"},{"issue":"1","key":"794_CR15","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1145\/2808691","volume":"48","author":"A Milenkoski","year":"2015","unstructured":"Milenkoski, A., et al.: Evaluating computer intrusion detection systems: a survey of common practices. ACM Comput. Surv. (CSUR) 48(1), 12 (2015)","journal-title":"ACM Comput. Surv. (CSUR)"},{"issue":"4","key":"794_CR16","doi-asserted-by":"publisher","first-page":"3639","DOI":"10.1109\/COMST.2019.2922584","volume":"21","author":"LN Tidjon","year":"2019","unstructured":"Tidjon, L.N., Frappier, M., Mammar, A.: Intrusion detection systems: a cross-domain overview. IEEE Commun. Surv. Tutor. 21(4), 3639\u20133681 (2019)","journal-title":"IEEE Commun. Surv. Tutor."},{"issue":"6","key":"794_CR17","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/MSP.2013.51","volume":"11","author":"S Kaur","year":"2013","unstructured":"Kaur, S., Singh, M.: Automatic attack signature generation systems: a review. IEEE Secur. Priv. 11(6), 54\u201361 (2013)","journal-title":"IEEE Secur. Priv."},{"key":"794_CR18","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1016\/j.cose.2015.09.007","volume":"55","author":"Pedro Garcia-Teodoro","year":"2015","unstructured":"Garcia-Teodoro, Pedro, et al.: Automatic generation of HTTP intrusion signatures by selective identification of anomalies. Comput. Secur. 55, 159\u2013174 (2015)","journal-title":"Comput. Secur."},{"key":"794_CR19","doi-asserted-by":"publisher","first-page":"173","DOI":"10.1016\/j.procs.2011.07.024","volume":"5","author":"Adeeb Alhomoud","year":"2011","unstructured":"Alhomoud, Adeeb, et al.: Performance evaluation study of intrusion detection systems. Procedia CS 5, 173\u2013180 (2011). https:\/\/doi.org\/10.1016\/j.procs.2011.07.024","journal-title":"Procedia CS"},{"key":"794_CR20","volume":"51","author":"Q Hu","year":"2020","unstructured":"Hu, Q., Yu, S.-Y., Asghar, M.R.: Analysing performance issues of opensource intrusion detection systems in high-speed networks. J. Inf. Secur. Appl. 51, 102426 (2020)","journal-title":"J. Inf. Secur. Appl."},{"key":"794_CR21","doi-asserted-by":"publisher","unstructured":"Yang, J., et al.: A high-performance round- robin regular expression matching architecture based on FPGA. In: 2018 IEEE Symposium on Computers and Communications (ISCC), pp. 1\u20137 (2018). https:\/\/doi.org\/10.1109\/ISCC.2018.8538459. ISSN: 1530-1346","DOI":"10.1109\/ISCC.2018.8538459"},{"key":"794_CR22","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1016\/j.future.2017.10.016","volume":"80","author":"SAR Shah","year":"2018","unstructured":"Shah, S.A.R., Issac, B.: Performance comparison of intrusion detection systems and application of machine learning to Snort system. Future Gener. Comput. Syst. 80, 157\u2013170 (2018)","journal-title":"Future Gener. Comput. Syst."},{"key":"794_CR23","doi-asserted-by":"crossref","unstructured":"Alqahtani, S.M., John, R.: A comparative study of different fuzzy classifiers for cloud intrusion detection systems\u2019 alerts. In: IEEE Symposium Series on Computational Intelligence (SSCI), pp. 1\u20139. IEEE (2016)","DOI":"10.1109\/SSCI.2016.7849911"},{"issue":"1","key":"794_CR24","doi-asserted-by":"publisher","first-page":"6","DOI":"10.1016\/j.jnca.2009.07.005","volume":"33","author":"K Salah","year":"2010","unstructured":"Salah, K., Kahtani, A.: Performance evaluation comparison of Snort NIDS under Linux and Windows Server. J. Netw. Comput. Appl. 33(1), 6\u201315 (2010). https:\/\/doi.org\/10.1016\/j.jnca.2009.07.005. (ISSN: 1084-8045)","journal-title":"J. Netw. Comput. Appl."},{"key":"794_CR25","doi-asserted-by":"crossref","unstructured":"Algaith, A.: Diversity with intrusion detection systems: an empirical study. In: IEEE 16th International Symposium on Network Computing and Applications (NCA), pp. 1\u20135. IEEE (2017)","DOI":"10.1109\/NCA.2017.8171327"},{"issue":"1","key":"794_CR26","doi-asserted-by":"publisher","DOI":"10.1088\/1742-6596\/1000\/1\/012049","volume":"1000","author":"S Jose","year":"2018","unstructured":"Jose, S., et al.: A survey on anomaly based host intrusion detection system. J. Phys. Conf. Ser. 1000(1), 012049 (2018). https:\/\/doi.org\/10.1088\/1742-6596\/1000\/1\/012049. (ISSN: 1742-6596)","journal-title":"J. Phys. Conf. Ser."},{"key":"794_CR27","doi-asserted-by":"publisher","first-page":"100462","DOI":"10.1016\/j.iot.2021.100462","volume":"16","author":"AS Dina","year":"2021","unstructured":"Dina, A.S., Manivannan, D.: Intrusion detection based on machine learning techniques in computer networks. Internet Things 16, 100462 (2021). https:\/\/doi.org\/10.1016\/j.iot.2021.100462. (ISSN: 2542-6605)","journal-title":"Internet Things"},{"key":"794_CR28","doi-asserted-by":"publisher","unstructured":"Verma, R.: Security analytics: adapting data science for security challenges. In: Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics. IWSPA\u201918, pp. 40\u201341. Association for Computing Machinery, New York, NY, USA. ISBN: 9781450356343. https:\/\/doi.org\/10.1145\/3180445.3180456 (2018)","DOI":"10.1145\/3180445.3180456"},{"issue":"1","key":"794_CR29","doi-asserted-by":"publisher","DOI":"10.1002\/ett.4150","volume":"32","author":"Z Ahmad","year":"2021","unstructured":"Ahmad, Z., et al.: Network intrusion detection system: a systematic study of machine learning and deep learning approaches. Trans. Emerg. Telecommun. Technol. 32(1), e4150 (2021)","journal-title":"Trans. Emerg. Telecommun. Technol."},{"key":"794_CR30","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.102479","volume":"150","author":"M Alauthman","year":"2020","unstructured":"Alauthman, M., et al.: An efficient reinforcement learning-based Botnet detection approach. J. Netw. Comput. Appl. 150, 102479 (2020)","journal-title":"J. Netw. Comput. Appl."},{"key":"794_CR31","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.112963","volume":"141","author":"M Lopez-Martin","year":"2020","unstructured":"Lopez-Martin, M., Carro, B., Sanchez-Esguevillas, A.: Application of deep reinforcement learning to intrusion detection for supervised problems. Expert Syst. Appl. 141, 112963 (2020)","journal-title":"Expert Syst. Appl."},{"key":"794_CR32","doi-asserted-by":"publisher","unstructured":"Alsubhi, K., Al-Shaer, E., Boutaba, R.: Alert prioritization in intrusion detection systems. In: NOMS 2008\u20142008 IEEE Network Operations and Management Symposium, pp. 33\u201340. https:\/\/doi.org\/10.1109\/NOMS.2008.4575114 (2008)","DOI":"10.1109\/NOMS.2008.4575114"},{"key":"794_CR33","doi-asserted-by":"publisher","unstructured":"Catillo, M., Pecchia, A., Villano, U.: Machine learning on public intrusion datasets: academic hype or concrete advances in NIDS? In: 2023 53rd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks\u2014Supplemental Volume (DSN-S), pp. 132\u2013136. IEEE Computer Society, Los Alamitos, CA, USA. https:\/\/doi.org\/10.1109\/DSN-S58398.2023.00038 (2023)","DOI":"10.1109\/DSN-S58398.2023.00038"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00794-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-023-00794-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00794-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,27]],"date-time":"2024-03-27T03:42:51Z","timestamp":1711510971000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-023-00794-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,20]]},"references-count":33,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2024,4]]}},"alternative-id":["794"],"URL":"https:\/\/doi.org\/10.1007\/s10207-023-00794-9","relation":{"has-preprint":[{"id-type":"doi","id":"10.21203\/rs.3.rs-3128870\/v1","asserted-by":"object"}]},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,20]]},"assertion":[{"value":"20 December 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}