Comparative Analysis of Signature-Based and Anomaly-Based IDS
DOI: https://doi.org/10.63345/v1.i3.70
Keywords: Intrusion Detection System, Signature-Based IDS, Anomaly-Based IDS, Comparative Analysis, Network Security
Abstract
Intrusion Detection Systems (IDS) are critical components in modern network security architectures, providing continuous, real-time monitoring and alerting of malicious activities within enterprise and cloud environments. Two predominant paradigms exist: signature‐based IDS, which relies on precompiled patterns of known threats, and anomaly‐based IDS, which models baseline normal behavior to flag deviations that may indicate novel or zero‐day attacks. While signature‐based systems offer high reliability for recognized threats—with mature rule sets maintained by security communities—they struggle to detect previously unseen exploits. Conversely, anomaly‐based systems excel at uncovering novel attack vectors but often incur higher false alarm rates and processing overhead due to the complexity of behavioral modeling.
In this manuscript, we present a comprehensive comparative analysis of these approaches, leveraging a controlled Mininet simulation populated with mixed legitimate traffic (HTTP, DNS, SSH) and a variety of attack vectors (DoS floods, port scans, buffer overflow exploits). We deployed Snort 2.9.15 as the signature‐based IDS and a Gaussian Mixture Model (GMM) implemented in Python’s scikit‐learn library as the anomaly‐based IDS. Over 30 independent experimental runs, we measured detection rate, false positive rate, and processing latency, and we applied two‐sample t‐tests—with checks for normality and effect‐size calculations—to evaluate statistical significance. Results reveal that signature‐based IDS achieved a detection rate of 98.5 ± 0.7 % and a low false positive rate of 1.2 ± 0.3 %, with mean latency of 15.4 ± 2.1 ms. The anomaly‐based IDS attained a 95.2 ± 1.3 % detection rate, 4.8 ± 0.9 % false positive rate, and 25.8 ± 3.4 ms latency, demonstrating superior adaptability to zero‐day threats at the cost of increased computational burden. Statistical tests confirm that differences in false positive rate and latency are highly significant (p < 0.001), with large effect sizes (Cohen’s d > 1.2). We discuss practical deployment considerations, including hybrid architectures, integration with SIEM platforms, and automated rule‐generation enhancements, to guide security practitioners toward optimal IDS strategies.
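The per-run metrics and the statistical comparison described above (detection rate, false positive rate, two-sample t-test, Cohen's d), worked through as an added example that is not the paper's code; the latency samples are constructed for illustration, not the paper's measurements, and the p-value step is left to a t-distribution CDF as noted in the comments.

```python
"""Compute IDS evaluation metrics and compare two detectors' per-run samples
with Welch's two-sample t statistic and Cohen's d (pooled-SD effect size)."""
import math
from statistics import mean, stdev


def rates(decisions, labels):
    """Detection rate (TPR) and false positive rate from per-flow decisions.
    decisions: True where the IDS raised an alert; labels: True where the flow
    was actually an attack (ground truth)."""
    tp = sum(d and l for d, l in zip(decisions, labels))
    fn = sum((not d) and l for d, l in zip(decisions, labels))
    fp = sum(d and (not l) for d, l in zip(decisions, labels))
    tn = sum((not d) and (not l) for d, l in zip(decisions, labels))
    return tp / (tp + fn), fp / (fp + tn)


def welch_t(a, b):
    """Welch's t statistic and Welch-Satterthwaite degrees of freedom.
    A p-value follows from a t-distribution CDF (e.g. scipy.stats.t.sf),
    which is deliberately not pulled in here to keep the block dependency-free."""
    na, nb = len(a), len(b)
    va, vb = stdev(a) ** 2, stdev(b) ** 2
    se2 = va / na + vb / nb
    t = (mean(a) - mean(b)) / math.sqrt(se2)
    df = se2 ** 2 / ((va / na) ** 2 / (na - 1) + (vb / nb) ** 2 / (nb - 1))
    return t, df


def cohens_d(a, b):
    """Effect size using the pooled standard deviation of both samples."""
    na, nb = len(a), len(b)
    pooled = math.sqrt(((na - 1) * stdev(a) ** 2 + (nb - 1) * stdev(b) ** 2)
                       / (na + nb - 2))
    return (mean(a) - mean(b)) / pooled


def compare(a, b):
    """Bundle the comparison of two per-run samples (e.g. latency in ms)."""
    t, df = welch_t(a, b)
    return {"t": t, "df": df, "d": cohens_d(a, b)}


# Constructed per-run latency samples (ms), six runs per detector; these are
# illustrative values, not the paper's data.
SIG_LATENCY = [14.1, 15.9, 16.3, 13.8, 15.0, 17.2]
ANOM_LATENCY = [24.0, 27.5, 26.1, 22.9, 28.3, 25.4]

if __name__ == "__main__":
    print(compare(SIG_LATENCY, ANOM_LATENCY))
```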
License
Copyright (c) 2025 The journal retains copyright of all published articles, ensuring that authors have control over their work while allowing wide dissemination.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Articles are published under the Creative Commons Attribution NonCommercial 4.0 License (CC BY NC 4.0), allowing others to distribute, remix, adapt, and build upon the work for non-commercial purposes while crediting the original author.