Performance of Network Intrusion Detection and Prevention Systems in High-speed Environments

  • Waleed Bulajoul

Student thesis: Doctoral Thesis, Doctor of Philosophy


Due to the numerous and increasingly malicious attacks on computer networks and systems, current security tools are often not enough to resolve issues related to illegal users and reliability, or to provide robust network security. Recent research has indicated that, although network security has developed, the increase in illegal intrusions remains a major concern. Addressing security on every occasion and in every place is a really important and sensitive matter for many users, businesses, governments and enterprises. A Network Intrusion Detection and Prevention System (NIDPS) is one of the most tested, reliable, and strongest forms of technology used to sniff out network packets, monitor incoming and outgoing network traffic, and identify the unauthorised usage and mishandling of computer system networks. It can provide a better understanding of what is really happening on the network. In addition, an NIDPS has the potential to detect, prevent, and report any evidence of attacks and malicious traffic. It is critical to implement an NIDPS in a computer network that has high traffic and high-speed connectivity.

This thesis presents an investigation, involving literature review and intensive experiments, which shows that current NIDPSs have several shortcomings. For example, they are incapable of detecting or preventing the rising attacks and threats to high-speed environments, such as flood attacks (UDP, TCP, ICMP and HTTP) or Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks, because the main purpose of these types of attacks is to send heavy traffic to systems at high speed to stop or slow down performance. To investigate the status of NIDPS performance and test the capability of NIDPS analysis, detection, and prevention modes when exposed to malicious attacks that come through high-load and high-speed traffic, a prototype network has been designed. The prototype consisted of virtual and physical stations including six (6) PCs and three (3) switches (i.e. two layer 2 switches and one layer 3 switch). Several tools were used to carry out the research experiments, implementation and evaluation. The research presents a study using the Snort NIDPS open source software. It shows that NIDPS performance can be weak in the face of high-speed and high-load traffic in terms of packet drops, outstanding packets left without analysis, and failure to detect/prevent unwanted traffic.

The research has designed a novel QoS architecture to increase the analytical, detection, and prevention performance of NIDPS when deployed in high-speed networks. It has proposed and evaluated a solution that uses a novel QoS configuration in a multi-layer switch to organise and improve network traffic performance in order to reduce the packets dropped, and then uses parallel techniques to increase packet processing speed. The novel architecture was tested under different traffic speeds, types, and tasks. The experimental results show that the novel architecture improves network and NIDPS performance.
Date of Award: 2017
Original language: English
Awarding Institution
  • Coventry University
