Performance Analysis of Suricata as an Intrusion Detection System (IDS) in Detecting Slowloris Attacks on Web Servers
DOI: https://doi.org/10.30871/jaic.v10i3.12724
Keywords: intrusion detection system, network security, slowloris, suricata, web server
Abstract
Network security on web servers is a crucial element for ensuring service availability. Slowloris is a low-rate variant of the Denial-of-Service (DoS) attack: it exploits the server's HTTP connection handling by sending requests that are never completed, which exhausts the server's connection slots without requiring high bandwidth. This study evaluated Suricata as an Intrusion Detection System (IDS) on an Apache web server through 50 controlled Slowloris attack simulations in a VirtualBox virtual environment running Ubuntu 24.04 LTS. Three performance parameters were analyzed: (1) detection speed, quantified as the elapsed time from attack initiation to alert generation in fast.log; (2) detection rate (True Positive Rate), determined via a confusion matrix; and (3) system resource consumption of the Suricata process (CPU, RAM, and bandwidth). Results indicated an average detection time of 0.346 seconds (minimum 0.168 seconds, maximum 0.979 seconds), an average detection rate of 72.84% (minimum 50.00%, maximum 94.12%), a mean CPU increase of 5.22 percentage points (from 2.03% baseline to 7.25% under attack), a 6.39 MB increase in RAM (59.85 to 66.24 MB), and a 256.72 kbps increase in bandwidth. No false positives were observed in any of the 50 trials. Cross-parameter analysis uncovered a non-linear relationship between detection time and detection rate, with an empirically validated optimal detection-time range of 0.25 to 0.35 seconds associated with peak detection rates above 90%, and a positive correlation (r = 0.468) between attack bandwidth intensity and detection accuracy. These findings confirmed Suricata's effectiveness as a lightweight early-warning mechanism for Slowloris mitigation on standard-specification web servers.
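As an added example (not code from the paper), the following Python computes the two detection metrics the abstract defines from Suricata's fast.log: detection time as the gap between attack start and the first matching alert, and True Positive Rate from confusion-matrix counts. The log lines, the rule SID 1000001 and its message are constructed placeholders, not a real rule.

```python
import re
from datetime import datetime

# Layout of a Suricata fast.log alert line:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} SRC -> DST
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fastlog(text):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["time"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
            alerts.append(a)
    return alerts


def detection_time(alerts, attack_start, sid):
    """Seconds from attack start to the first alert with the given SID, or None if never alerted."""
    hits = [a["time"] for a in alerts if a["sid"] == sid and a["time"] >= attack_start]
    return (min(hits) - attack_start).total_seconds() if hits else None


def detection_rate(tp, fn):
    """True Positive Rate (TP / (TP + FN)) from one trial's confusion-matrix counts."""
    return tp / (tp + fn) if tp + fn else 0.0


# Constructed sample log: two alerts from the placeholder Slowloris rule, one unrelated
# placeholder alert (SID 1000002), and one non-alert line that the parser must skip.
SAMPLE_FASTLOG = """\
11/09/2024-14:23:01.312000  [**] [1:1000001:1] CONSTRUCTED Slowloris incomplete HTTP request [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.56.10:45210 -> 192.168.56.20:80
11/09/2024-14:23:02.050000  [**] [1:1000001:1] CONSTRUCTED Slowloris incomplete HTTP request [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.56.10:45211 -> 192.168.56.20:80
11/09/2024-14:23:03.900000  [**] [1:1000002:1] CONSTRUCTED unrelated test alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.56.20:80 -> 192.168.56.10:45211
this line is not a fast.log alert and is skipped
"""
ATTACK_START = datetime(2024, 11, 9, 14, 23, 1)  # constructed attack start for the sample

if __name__ == "__main__":
    found = parse_fastlog(SAMPLE_FASTLOG)
    print("alerts:", len(found))
    print("detection time (s):", detection_time(found, ATTACK_START, "1000001"))
    print("detection rate:", round(detection_rate(12, 5), 4))
```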
Copyright (c) 2026 Andika Agus Slameto, Eka Marlina Kemala Sari

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.