ANALYZING SURICATA ALERT DETECTION PERFORMANCE ISSUES BASED ON ACTIVE INDICATOR OF COMPROMISE RULES

Many studies have been related to the Intrusion Detection System (IDS) performance analysis. Still, most focus on inspection performance on high-capacity networks with packet drop percentage as a performance parameter. Few studies are related to performance analysis in the form of detection accuracy based on the number of rules activated. This research will analyze the performance of IDS Suricata based on the number of active rules in the form of Indicator of Compromise (IoC), including IPRep, HTTP, DNS, MD5, and JA3. The analysis method focuses on the detection accuracy of varying the number of active rules up to 1 million, expressed in 5 scenarios. In scenarios 1 to 4, where IoC rules are tested separately, the reduction in detection accuracy performance starts to occur when the number of active rules is at 100,000 and continues to decrease when the number reaches 1 million. However, in scenario 5, where the IoC rules are tested together, the percentage of rules detection accuracy decreases when the number of active rules from each IoC is less than 10,000. The percentage decrease in detection accuracy performance in scenario five can occur with an average reduction of 19.64%. Even further in scenario 5, when the total number of rules reaches 1,000,000 or 200,000 from each IoC, IDS Suricata fails to detect all rules (detection percentage is 0%). This research show that the higher number of rules activated, the decrease in the Suricata IDS performance in terms of detection accuracy

Anomaly Detection Analysis with Graph-Based Cyber Threat Hunting Scheme

As advanced persistence threats become more prevalent and cyber-attacks become more severe, cyber defense analysts will be required to exert greater effort to protect their systems. A continuous defense mechanism is needed to ensure no incidents occur in the system, one of which is cyber threat hunting. To prove that cyber threat hunting is important, this research simulated a cyber-attack that has successfully entered the system but was not detected by the IDS device even though it already has relatively updated rules. Based on the simulation result, this research designed a data correlation model implemented in a graph visualization with enrichment on-demand features to help analysts conduct cyber threat hunting with graph visualization to detect cyber-attacks. The data correlation model developed in this research can overcome this gap and increase the percentage of detection that was originally undetected / 0% by IDS, to be detected by more than 45% and can even be assessed to be 100% detected based on the anomaly pattern that was successfully found