Skip to main content

MACHINE LEARNING VS. SIGNATURE-BASED CYBERSECURITY TOOLS: A COMPARATIVE ASSESSMENT OF DARKTRACE AND

Page 1

International Research Journal of Engineering and Technology (IRJET)

e-ISSN: 2395-0056

Volume: 12 Issue: 06 | Jun 2025

p-ISSN: 2395-0072

www.irjet.net

MACHINE LEARNING VS. SIGNATURE-BASED CYBERSECURITY TOOLS: A COMPARATIVE ASSESSMENT OF DARKTRACE AND SNORT FOR NETWORK INTRUSION DETECTION Tarannum Bano1, Deepshikha2 1Master of Technology, Computer Science and Engineering, Lucknow Institute of Technology, Lucknow, India 2Assistant Professor, Department of Computer Science and Engineering, Lucknow Institute of Technology,

Lucknow, India ---------------------------------------------------------------------***---------------------------------------------------------------------

Abstract - Network Intrusion Detection Systems (NIDS)

but also in the sophistication of these threats, which is becoming more fueled by organized crime gangs, country states and hacktivists. These threats have since stopped being limited to a basic malware or phishing threat but they also involve more advanced machinations of the kind of Advanced Persistent Threats (APTs), zero-day exploits, ransomware, and polymorphic malware. Examples of such APIs include APTs that are meant to silently penetrate and go unnoticed in the networks over a long time and may be in pursuit of some sensitive information or essential facilities. In the same way, polymorphic malware code signature changes differently in each occurrence and outwit traditional methods of detecting malware. The attack surface has also been widened by the proliferation of the IoT device, cloud-based services, and the high-speed networks, which means that organizations are at greater risk. Since the threat scenario is changing, the means and approaches that should be used to identify and counter these threats also change.

are a significant part of an ever-changing cybersecurity system that discovers and eradicates threats. In the current research work, two of the most well-known NIDS tools, Snort (standard signature-based open-source tool), and Darktrace (commercial technology based on machine learning (ML)) will be evaluated comparatively. Although signature-based solutions such as Snort have the highest capability of detecting threats accurately since it implements threat detection with the indication of attacks and protection against known risks, zero-day attacks and advanced persistent threats (APTs) cannot be handled using the signature-based systems. Conversely, the different MLbased tools like Darktrace will deliver adaptive anomaly detection, which can be prone to various downsides, such as heavy resources requirements, lack of transparency, and false positive identification. The analysis is done on both systems across structured sets (CIC-IDS2017, UNSW-NB15) and simulated types of traffic, encrypted C2 channel, polymorphic malware, and fileless attacks. The findings point at the fact that Snort has a higher accuracy rate (DR > 90%) when identifying known threats and low latency, which is 80 ms, than Darktrace that uses more false positives and more significant computational costs to display a higher detection rate (DR > 80%) on identifying novel attacks. The best performance is presented when the hybrid deployment, including signature filtering of Snort and anomaly detection of Darktrace, is used, and the false positives can be decreased by 40%. The results provide useful information on how to choose and/or use NIDS tools depending on a network setting, security requirements, and resources.

1.2 Importance of Network Intrusion Detection Systems (NIDS) Network Intrusion Detection Systems (NIDS) are important in protecting information technology facilities of organizations through monitoring and analyzing activities run on networks. Whereas firewalls are mostly used to act like the gate keepers in blocking the access of any unwarranted traffic, NIDS offers deep insights about the traffic patterns by observing the content of the packet and that of the flow behavior in case of any form of intrusion or compromise. In this way, NIDS drastically decreases dwell time of the attackers inside a network will allow faster response to an incident and limit the effect. Users need to deploy viable NIDS as an absolute technical need as well as to be on the good side of the law because of stringent data protection policies that include the GDPR, HIPAA, and PCI-DSS. Such systems are critical, especially in the field of finance, healthcare, and defense where data leakage can cost an organization in terms of operational, reputation and financial losses.

Key Words: Intrusion Detection System, Snort, Darktrace, Machine Learning, Signature-Based Detection, Network Security, Zero-Day Attack, Anomaly Detection.

1. INTRODUCTION 1.1 Background on Cybersecurity Threats and the Evolving Nature of Network Intrusions In the new global era of digital modernity, cybersecurity threats are not only increasing in the number of instances

© 2025, IRJET

|

Impact Factor value: 8.315

|

ISO 9001:2008 Certified Journal

|

Page 637


Turn static files into dynamic content formats.

Create a flipbook
MACHINE LEARNING VS. SIGNATURE-BASED CYBERSECURITY TOOLS: A COMPARATIVE ASSESSMENT OF DARKTRACE AND by IRJET Journal - Issuu