Effectiveness Evaluation of Different IDSs Using Integrated Fuzzy MCDM Model

Abstract: Cyber-attacks are becoming progressively complicated; hence, the functional issues of intrusion-detection systems (IDSs) present ever-growing challenges. Failing to detect intrusions may jeopardize the trustworthiness of security services, such as privacy preservation, authenticity, and accessibility. To fight these risks, different organizations nowadays use a variety of approaches, techniques, and technologies to safeguard the systems' credibility. Establishing policies and procedures, raising user awareness, implementing firewall and verification systems, controlling system access, and building computer-issue management groups are all examples of safeguarding methods. There is a lack of sufficient emphasis on the effectiveness of intrusion-detection systems. In enterprises, IDS is used to analyze the potentially dangerous activities taking place within the technological settings. The selection of efficient IDS is a challenging task for organizations. This research evaluates the impact of five popular IDSs for their efficiency and effectiveness in information security. The authors used the fuzzy analytical hierarchy process (AHP) and fuzzy technique for order performance by similarity to ideal solution (TOPSIS)-based integrated multi-criteria decision-making (MCDM) methodology to evaluate the efficacy of the popular IDSs. The findings of this research suggest that most of the IDSs appear to be highly potential tools. Even though Snort is extensively deployed, Suricata has a substantial advantage over Snort. Suricata uses multi-threading functionality in comparison to Snort to boost the processing performance.


Introduction
Communication networks are an integral part of our lives in the digital age. They are our gateway to the digital world and bring the rest of the world close to all of us. With networks, however, the challenge of intrusion became much more prevalent. Hackers are always present in the virtual environment, and business organizations could be vulnerable to cyber-attacks. It is necessary to take significant action to analyze network attacks and return systems to normal. As a result, intrusion-detection systems (IDSs) are an important part of a network security solution. An IDS is a solution that detects network attacks: it assists in monitoring network traffic and can further initiate an immediate alert, which helps the IT workforce deal with such challenges. However, an IDS by itself would not stop a threat from impacting system applications. It analyzes daily network activities by using guidelines (rules). The security management system receives an alert through the IDS in case any malicious activity is detected over the network, which makes it easier for the security expert to identify such suspected activities. The traffic information is moved in bulk and then analyzed for any unusual behavior in the data. The team explores threats by using known attack signatures, as well as trends [1][2][3][4][5][6].
IDS is a mechanism that detects discrepancies, capturing attackers before they cause serious damage to the network system. A host-based IDS is installed on the user's computer, whereas a network-based IDS monitors the network. During normal operation, IDSs search for signatures of attack patterns. These abnormalities are reported to the knowledge base and, after that, analyzed at the guidelines and application layers based on the policy and procedures. An IDS could be deployed as software or as a network security device. Since IDSs only need to identify the risks, these systems are positioned out of band on the communications infrastructure, meaning that the IDS is not in the real-time path between the transmitter and the recipient of the data. IDS systems commonly use a Test Access Point (TAP) or Switch Port Analyzer (SPAN) port to analyze a copy of the inline traffic stream, so that the IDS does not affect the performance of the inline network. This is how IDSs were initially established, since the required intrusion analysis at the time could not be conducted at a pace consistent with the elements on the network infrastructure's direct communication line [7][8][9][10]. Figure 1 shows the general architecture of an IDS. Efficient IDS and mitigation systems are important for an organization's normal functioning. Traditional defense technology has become increasingly inefficient as a result of attacker tactics, such as obfuscation, metamorphism, and polymorphism, which increase malware's resistance to detection. Discrepancies are detected by the IDSs to capture attackers that can cause significant harm to the organization, whether the protected asset is a network or a host. Because new attacks are developed almost daily, IDSs are crucial in identifying and responding to potential system intrusions, and they should change and continually adjust to all of these new threats and attack techniques. The challenge on which scholars have been researching for decades is how to construct effective, efficient, and responsive IDSs [11][12][13][14][15].
The evaluation of IDSs is a popular and challenging task in research at present. Choosing an efficient IDS to secure a business network must not be undertaken lightly, rapidly, or without a thorough grasp of the technology, solutions, and potential consequences. The decision-making process can be broken down into several stages, which include determining the requirement, gaining a broad awareness of IDSs, acquiring more in-depth knowledge of the network, and also determining policy and processes by evaluating various IDS solutions [16]. This paper evaluates the effectiveness of different IDSs by using the integrated fuzzy analytical hierarchy process (AHP) and technique for order performance by similarity to ideal solution (TOPSIS) model. The remainder of this paper is structured as follows: Section 2 outlines relevant research efforts in this domain. Section 3 gives an overview of several popular IDSs. Section 4 discusses the integrated fuzzy AHP-TOPSIS technique. Section 5 contains the findings, comparisons of the findings, and a sensitivity analysis. Section 6 closes with the summary and conclusions.

Related Research Studies
Upendran and Gopinath [16] proposed an improved entropy-based TOPSIS approach to recommend one or more options from a large set of alternatives. To reduce the size of the network traffic sample, they applied five feature selection strategies. To measure the calculation time, as well as the intrusion-detection time, classification techniques such as Artificial Neural Network (ANN), Naive Bayes, and Support Vector Machine (SVM) are employed. Their suggested TOPSIS approach is used to monitor the effectiveness of feature selection in order to improve intrusion detection.
Hu et al. [17] evaluated two well-known open-source intrusion-detection systems, Snort and Suricata, as well as their comprehensive comparative standards, to develop a better understanding of drop rates, as well as identification efficiency on 100 Gb/s networks. Furthermore, they investigated critical parameters (such as system resource utilization, packet processing power, packet drop frequency, and identification accuracy) which constrain IDSs' application to high-speed networks. Moreover, they also discussed a complete investigation to demonstrate the effectiveness of IDSs utilizing various setups, traffic levels, and flows. They outlined the difficulties of utilizing open-source IDSs in strong networks, offered solutions to assist network managers in addressing identified concerns, and also presented some suggestions for establishing novel IDSs that may be employed in high-speed networking.
Imoize et al. [18] suggested an expansive and cost-based intrusion-detection system. Based on this approach, an objective metric driven by information theory is introduced, and a package for determining the intrusion-detection capabilities of an intrusion-detection system (IDS), given specified input parameters, is constructed in Java. For each operational IDS, the decision-making methodology is applied to evaluate the projected costs and the capacity to detect false-positive rates.
Saber et al. [19] developed a testing method to monitor the effectiveness of the IDS elements and their impacts on the whole system. The assessment is based on several tests. In addition, the effect of the implementation parameters of the IDS was studied. They also deployed the IDS Snort on systems with various technical features and constructed a network to run a series of experiments evaluating the performance of a higher-bandwidth network deployment.
Shiaeles et al. [20] introduced a DDoS detection technique based on developing a fuzzy estimator for the mean packet inter-arrival rate. They separated the task into two concerns: the first was detecting the DDoS incident in progress, and the second was identifying the offender's IP addresses. They set strong real-time limits on the first assignment and more flexible restrictions on address recognition. They also demonstrated through practical assessment that the identification can be accomplished within better real-time restrictions and by utilizing fuzzy estimators rather than crisp statistical classifiers.
Schrötter et al. [21] developed a standard set for assessing intrusion-detection systems in IPv6 settings. This standard is used to compare the popular intrusion-detection systems, such as Snort, Zeek, and Suricata. Furthermore, an IPv6 Plugin Suite was also provided and assessed, which improved Snort by detecting stateful attacks. Their evaluation results indicated the current ability to identify IPv6 connection attacks.
As intrusion-detection systems are built to function on specific systems and in specific situations, they are challenging to implement. Therefore, there is a significant need to evaluate the effectiveness of different IDSs based on the approaches and rules present in the most recent version of each IDS. This fundamental challenge is more succinctly expressed as the intrusion-detection-assessment challenge, and its solution typically depends on a number of parameters arranged in a hierarchical structure. Prior studies, however, suggested that no single model was ideal for all issues. Using a highly integrated fuzzy-based strategy may yield better results than other approaches. To the best of our knowledge, our work is the first study that systematically examines several IDSs by employing an integrated fuzzy multi-criteria decision-making (MCDM)-based technique. The effectiveness of five major intrusion-detection systems, namely Zeek, Suricata, Security Onion, OSSEC, and Snort, is examined in this research. The effectiveness is evaluated by using a hierarchical structure based on the MCDM solution.

Zeek
Zeek [22,23] is a network intrusion-detection system (IDS) that runs on Unix. Zeek analyzes network traffic and recognizes intrusion attempts, depending on the type and substance of the traffic. Zeek IDS was previously known as Bro. Zeek identifies intrusions by matching network traffic to rules that describe undesirable events. These rules may define activities (for example, certain hosts interacting with specific services), what actions warrant alerting (for example, connection attempts to a particular number of distinct hosts constitute a "scan"), or signatures characterizing known attacks or exposure to security issues. If Zeek discovers anything of interest, it can be directed either to write a log entry or to run an operating system function. Zeek is designed for high-speed (Gbps) and large-scale intrusion detection. Zeek IDS can perform competently while operating on commercially accessible PC hardware by intelligently exploiting packet filtering methods, and so can provide an economically efficient way of monitoring a site's Internet communication.

Suricata
Suricata was designed in 2010 by the OISF (Open Information Security Foundation), with funding from the US Department of Homeland Security [24]. Suricata's design is quite close to Snort's, except that, instead of using a single thread to process packets, Suricata uses many threads [25]. This enables Suricata's distinctive feature, which is to maximize the capacity to capture packets. Snort was single-threaded; therefore, when the packet rate exceeded its capture capacity, Snort dropped the excess packets. Thus, multi-threading is a useful capability of Suricata, which runs many detection threads.

Security Onion
Security Onion [26] is a Linux-based intrusion-detection distribution that includes several IDSs, both host-oriented (HIDS) and network-oriented (NIDS). Security Onion can collect and analyze an extensive range of data. This comprises information on the host, connection, session, resource, alerting, and standards. Security Onion can be deployed as a standalone installation with a server and a sensor, or with a master server and many sensors, which allows the platform to be expanded as needed. Numerous interfaces and tools are present for system management and information analysis, including Sguil, Snorby, Squert, and Enterprise Log Search and Archive (ELSA). It offers host-based detection in the form of OSSEC HIDS, as well as network-based detection via the Snort, Suricata, and Zeek NIDSs. Security Onion is particularly customizable because it may be set up as a master server with numerous sensors or as a standalone or hybrid installation. The information gathered by Security Onion is saved in log files and also in a Sguil database, which includes an interface for recording and analysis.

OSSEC
OSSEC is an open-source intrusion-detection system built by Daniel B. Cid, who sold the product to Trend Micro in 2008 [27]; however, the project remained free and open source. The most recent stable release is 2.9.3. It is made up of numerous services and modules, each of which has its own distinct set of intrusion-detection capabilities. A HIDS has numerous elements, and OSSEC combines them all to provide certain fundamental advantages. OSSEC helps ensure that security compliance standards are met. Many consumers, primarily corporate clients, demand that the companies with whom they do business meet particular security compliance requirements, including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and so on. Analyzing logs and evaluating them for suspicious activity is one way OSSEC helps firms comply with various security standards [28].

Snort
Snort fills an essential "ecological niche" in network security by serving as a cross-platform, lightweight network intrusion-detection program that can be used to monitor small TCP/IP networks and to discover a wide range of abnormal network traffic, as well as explicit cyberattacks. It can offer administrators adequate information to make informed judgments on how to proceed in the event of suspicious behavior. Snort can also be quickly deployed to cover gaps in a network's protection measures, such as when a major threat emerges and commercial security vendors take their time releasing new attack-identification signatures. Snort is beneficial when it is not cost-effective to install commercial NIDS sensors. Current commercial intrusion-detection systems cost thousands or tens of thousands of dollars, or perhaps even hundreds of thousands of dollars in extreme situations [29,30]. Snort was created to meet the requirements of a typical compact network intrusion-detection system. It has progressed into a compact, versatile, and high-performing technology that is used on both large and small networks around the globe. It has met its initial design aims and is a perfectly capable alternative to commercial intrusion-detection systems in locations where installing standard production systems would be prohibitively expensive. Table 1 shows the comparison of the five popular intrusion-detection methods.

Identification of Evaluation Criteria and Alternatives
MCDM is a discipline of combinatorial optimization in which the alternatives are evaluated to identify the best alternative that meets a set of various and frequently contradictory parameters. MCDM is a critical component of decision theory and operational research, and it is frequently regarded as trustworthy. It is a set of strategies and techniques for integrating various and contradictory parameters into a decision-making process. Furthermore, MCDM might be regarded as a systematic approach for evaluating and selecting between possibilities. It seeks to divide an issue into smaller components, analyze and evaluate each part, and then aggregate those components to determine the most reasonable alternative from a range of options based on a stated set of parameters. In uncertain, unclear, fuzzy, or risky contexts, MCDM tries to help decision-makers tackle contradictory real-world statistical and/or qualitative subjective multi-criteria challenges, and to select best-fit options from a group of options. Figure 2 shows the hierarchy for the assessment of some popular intrusion-detection systems (IDSs) in this research study. Based on an analysis of the relevant literature, as well as insight from seventy-seven security experts, the four main factors at level one, as well as the associated sub-factors at level two, that make a significant contribution to the assessment of multiple IDSs were identified and arranged in the current method. The four main criteria used to evaluate the different popular IDSs are Types, Audit source location, Targets, and Protected system, denoted as M1, M2, M3, and M4, respectively. The criterion Types contains the different types of IDSs: an IDS may be open-source, closed-source, or freeware, denoted by M11, M12, and M13, respectively. Under Audit source location, IDSs are classified by the type of input data they evaluate: host log files, network packets, application log files, or sensor alerts produced by other IDSs can all be used as input data, denoted by M21, M22, M23, and M24, respectively. The Targets criterion shows the capability of the IDS to detect potential attacks against specific targets. These targets may be the application, the network, or the host, denoted by M31, M32, and M33, respectively. The Protected system criterion shows the approach to intrusion detection. It can be HIDS, NIDS, or a hybrid type, denoted by M41, M42, and M43, respectively. The five alternatives, namely Zeek, Suricata, Security Onion, OSSEC, and Snort, are represented by S1, S2, S3, S4, and S5, respectively.

Fuzzy AHP-TOPSIS Methodology
Problems with decision-making are often a consequence of putting too much emphasis on analogical reasoning that has worked previously. When attempting to make a judgment or decision, researchers use a predictive model, which is a heuristic algorithm or guiding principle. These strategies can help in making better decisions by reducing our cognitive strain, but they can also lead to mistakes. However, AHP is unable to resolve the fundamental uncertainty and inaccuracy in a decision-maker's response to genuine statistical information. Because the real world is so indistinct, researchers noted that experts have combined fuzzy theory with AHP to investigate obscure real-world problems [31][32][33]. Furthermore, while the AHP method is typically based on a highly volatile scale of judgments, fuzzy AHP also has its deficiencies [23,24]. As a result, a combined fuzzy AHP and TOPSIS method is a special process that could aid in the effective evaluation of options. The fuzzy AHP-TOPSIS technique is as follows:
Fuzzy AHP: Fuzzy AHP is a popular methodology for resolving difficult selection challenges. Every complicated topic can be investigated by using clearly categorized levels of objectives, i.e., a hierarchy. With the help of fuzzy AHP, the problem is decomposed into a tree form to describe it. Figure 2 shows how the tree is formed. This tree was created with the help of experts' opinions [34]. The triangular fuzzy number (TFN) is then constructed from the hierarchical structure. A pair-wise comparison of each group of categorized goals is critical because of the impact of one criterion on other criteria.
Transforming linguistic values into crisp numbers, as well as TFNs, is the next step. The TFN used in this research ranges from 0 to 1 [35]. The quantitative simplicity of TFN membership functions, as well as their capability to handle fuzzy data, motivates this choice [23]. In addition, linguistic values are categorized as equally important, weakly important, and so on, and the corresponding crisp values are 1, 2, . . . , 9. Furthermore, a fuzzy number M on F whose membership function is triangular is referred to as a TFN. In the triangular membership function, l, mi, and u represent the lower, middle, and upper limits, respectively. A TFN is shown in Figure 3.

A TFN can be written as (l, mi, u). Specialists assigned numerical scores to the elements that influence the values, using the measure highlighted in Table 2.
Table 2 (partial):
Absolutely important: 9 → (9, 9, 9)
Intermittent values between two adjacent scales: 2 → (1, 2, 3); 4 → (3, 4, 5); 6 → (5, 6, 7); 8 → (7, 8, 9)
Equations (3)-(6) are used to convert the numeric values into TFNs identified as $(l_{ij}, mi_{ij}, u_{ij})$, where $l_{ij}$ is the lowest, $mi_{ij}$ the middle, and $u_{ij}$ the uppermost significance value. The TFN $\eta_{ij}$ is represented as follows:
$\eta_{ij} = (l_{ij}, mi_{ij}, u_{ij})$, where $l_{ij} \le mi_{ij} \le u_{ij}$ and $u_{ij} = \max_d J_{ijd}$.
In Equations (3)-(6), $J_{ijd}$ specifies the relative importance of two elements as quantified by specialist d, where i and j indicate the pair of elements being compared. $\Phi_{ij}$ is calculated as the geometric mean of the specialists' observations for a particular assessment. The geometric mean appropriately joins and represents the consensus of the specialists, while the lowest and highest marks, respectively, bound the relative importance of the two elements. Additionally, Equations (7)-(9) define the operations on TFNs. Consider two TFNs, M1 = (l1, mi1, u1) and M2 = (l2, mi2, u2). The operations on them are as follows:
$(l_1, mi_1, u_1) + (l_2, mi_2, u_2) = (l_1 + l_2, mi_1 + mi_2, u_1 + u_2)$ (7)
$(l_1, mi_1, u_1) \times (l_2, mi_2, u_2)$ (8)
With the support of Equation (10), a fuzzified pair-wise comparison matrix of size n × n is formed after acquiring the TFN values for every pair of comparisons, where $k_{ij}$ symbolizes the dth decision-maker's priority of the ith criterion over the jth criterion. If more than one decision-maker is involved, Equation (11) is used to calculate the average of every decision-maker's priorities. The next step is to use Equation (12) to update the pair-wise comparison matrices for all elements in the hierarchy based on the averaged priorities.
The fuzzy geometrical mean and fuzzy weights of each element are then described by using the geometrical mean method, as demonstrated in Equation (13).
The next step is to use Equation (14) to calculate the fuzzy weight of each identified element.
Equations (15) and (16) are then used to determine the average and normalized weights of the criteria.
Additionally, the Centre of Area (COA) method is used to estimate the BNP (best non-fuzzy performance) number of the fuzzy weights of each quantity with the support of Equation (17).
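As an added worked example (not code from the paper or from any of the IDS projects it discusses), the following Python script carries the fuzzy AHP steps above through on a small constructed set of specialist judgments for the four main criteria M1 to M4: aggregation of the crisp judgments into TFNs (Equations (3)-(6)), the TFN arithmetic of Equations (7)-(9), the fuzzy comparison matrix (Equation (10)), fuzzy geometric means and fuzzy weights (Equations (13)-(14)), and centre-of-area defuzzification followed by normalization (Equations (15)-(17)). The three experts' scores, the helper names, and the choice to defuzzify before normalizing are assumptions made for this illustration; the paper's own judgments come from its survey of seventy-seven experts and are not reproduced here.

```python
"""Fuzzy AHP weights for the four IDS evaluation criteria (added example).

Each specialist's crisp 1-9 judgment J_ijd is aggregated into a TFN
eta_ij = (min, geometric mean, max); the TFNs fill an n x n pairwise
comparison matrix with reciprocals below the diagonal; fuzzy geometric
means and fuzzy weights follow; the weights are defuzzified with the
centre-of-area BNP and normalized. Judgments are constructed sample data.
"""
from math import prod

CRITERIA = ["M1 Types", "M2 Audit source location", "M3 Targets", "M4 Protected system"]

# Constructed sample: three specialists' crisp judgments J_ijd for the upper
# triangle (i < j). A value > 1 means criterion i is preferred over j; values
# < 1 mean the reverse. Reciprocals fill the lower triangle.
EXPERT_JUDGMENTS = [
    {(0, 1): 3, (0, 2): 5, (0, 3): 4, (1, 2): 2, (1, 3): 1, (2, 3): 1 / 2},
    {(0, 1): 2, (0, 2): 4, (0, 3): 3, (1, 2): 3, (1, 3): 2, (2, 3): 1 / 3},
    {(0, 1): 4, (0, 2): 5, (0, 3): 4, (1, 2): 2, (1, 3): 1, (2, 3): 1},
]


def aggregate_tfn(scores):
    """Equations (3)-(6): l_ij = min J_ijd, mi_ij = geometric mean, u_ij = max J_ijd."""
    return (min(scores), prod(scores) ** (1 / len(scores)), max(scores))


def tfn_add(a, b):
    """Equation (7): componentwise addition of two TFNs."""
    return tuple(x + y for x, y in zip(a, b))


def tfn_mul(a, b):
    """Equation (8): componentwise multiplication of two TFNs."""
    return tuple(x * y for x, y in zip(a, b))


def tfn_inverse(t):
    """Reciprocal of a TFN: (l, mi, u)^-1 = (1/u, 1/mi, 1/l); bounds swap so l <= mi <= u still holds."""
    l, mi, u = t
    return (1 / u, 1 / mi, 1 / l)


def fuzzy_comparison_matrix(judgments, n):
    """Equation (10): n x n matrix of aggregated TFNs, (1, 1, 1) on the diagonal."""
    mat = [[(1.0, 1.0, 1.0) for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            eta = aggregate_tfn([d[(i, j)] for d in judgments])
            mat[i][j] = eta
            mat[j][i] = tfn_inverse(eta)
    return mat


def fuzzy_geometric_means(mat):
    """Equation (13): r_i = (eta_i1 x ... x eta_in)^(1/n), componentwise."""
    n = len(mat)
    return [tuple(prod(t[k] for t in row) ** (1 / n) for k in range(3)) for row in mat]


def fuzzy_weights(r):
    """Equation (14): w_i = r_i x (r_1 + ... + r_n)^-1."""
    total = r[0]
    for t in r[1:]:
        total = tfn_add(total, t)
    inv = tfn_inverse(total)
    return [tfn_mul(t, inv) for t in r]


def bnp(t):
    """Equation (17): centre-of-area defuzzification, (l + mi + u) / 3."""
    return sum(t) / 3


def normalized_crisp_weights(w):
    """Equations (15)-(16): defuzzified weights rescaled so they sum to 1."""
    crisp = [bnp(t) for t in w]
    total = sum(crisp)
    return [c / total for c in crisp]


def fuzzy_ahp(judgments, n):
    """Run the whole fuzzy AHP chain and return one crisp weight per criterion."""
    mat = fuzzy_comparison_matrix(judgments, n)
    return normalized_crisp_weights(fuzzy_weights(fuzzy_geometric_means(mat)))


if __name__ == "__main__":
    for name, w in zip(CRITERIA, fuzzy_ahp(EXPERT_JUDGMENTS, len(CRITERIA))):
        print(f"{name:28s} {w:.4f}")
```

Running the script prints one crisp weight per criterion; the weights sum to 1, and the criterion the sample experts consistently preferred (M1) receives the largest weight. Replacing EXPERT_JUDGMENTS with real survey data and extending the dictionaries to the level-two sub-criteria is all that is needed to reproduce the full hierarchy of Figure 2.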
Fuzzy TOPSIS: TOPSIS views a multi-criteria decision-making problem with m alternatives as a geometrical configuration of m points in an n-dimensional space. The strategy used in this article for TOPSIS is principally founded on the notion that the chosen alternative should have the shortest distance from the positive-ideal solution and the farthest distance from the negative-ideal solution [36]. Specialists have a difficult time assigning a precise performance rating to an alternative on each criterion. TOPSIS therefore uses fuzzy numbers rather than precise numerals to express the relative importance of the criteria, in order to be consistent with the actual fuzzy situation. Furthermore, the fuzzy AHP-TOPSIS method is well suited to group decision-making in fuzzy settings. The fuzzy AHP-TOPSIS methodology is as follows: The first step is to determine the weights of the evaluation criteria. With the support of Equations (1)-(16), this research utilized fuzzy AHP to arrive at fuzzy criteria weights. Then, with the support of Equation (18) and Table 3, the researchers constructed the fuzzy decision matrix and selected the best linguistic terms as ratings of the alternatives on each criterion.
, and x d ij is the assessment of the alternative A i in terms of factor C j effectiveness estimated by the dth specialist, as well as x d ij = (l d ij , mi d ij , u d ij ). Table 3. Linguistic scales for the rating.
After that, using equations, one may complete the normalizing procedure by using Equation (20).
Otherwise, we can establish the highest anticipated level, u + j , and j = 1, 2, . . . , n is equivalent to 1; or else, the worst is 0. Furthermore, the normalized p ij remains to be TFNs. For TFNs, the normalization procedure can be achieved in an analogous way. The subjective fuzzy normalized assessment matrix ( Q) is measured with the support of Equation (21).
where q ij = p ij ⊗ w ij also, at that point, describes the Fuzzy Positive-Ideal Solution (FPIS), as well as Fuzzy Negative-Ideal Solution (FNIS). The subjective normalized fuzzy assessment matrix specifies that the components q ij are normalized positive TFN and their choices fit in to the closed interval [0, 1]. Afterward, we can designate the FPIS A + (aspiration levels) and FNIS A − (the worst levels), as presented in Equations (22) and (23).
where q * 1 = (1, 1, 1) ⊗ w ij = Lw j , Mw j , Hw j and q − ij = (0, 0, 0), j = 1, 2, 3 . . . , n. For computing the space of every alternative solution from FPIS, as well as FNIS, the spaces ( d + i and d − i ) of every alternative solution from A + and A − can be assessed with the area compensation procedure, as presented in Equations (24) and (25).
.d q ij , q * ij i = 1, 2, . . . , m; j = 1, 2, 3 . . . , n .d q ij , q * ij i = 1, 2, . . . , m; j = 1, 2, 3 . . . , n The next stage is to identify the closeness coefficients (absolute gaps' degree) and construct the alternative solutions for achieving the aspiration degrees in each element. Ying-Chyi Chou et al. recommended that C C i is cleared to estimate the point of the fuzzy gap based on the fuzzy closeness coefficients to increase the alternatives solution [37]. Once the d + i and d − i of every alternative solution is assessed, the comparisons to the ideal clarification are computed. This procedure resolves the equation's similarity to the best choice (26). where is demarcated as the fuzzy satisfaction amount in the ith alternative solution, is the fuzzy-gap amount in the ith alternative solution. Based on the ranks of alternatives, the solution is accomplished. The subsequent step is to evaluate the various IDSs by using their contributing qualities.

Statistical Findings
The effectiveness of different intrusion-detection systems needs to be evaluated [33,34]. A criterion that is hard to ascertain is unsuitable for the task, and prohibitively expensive evaluations still may not yield the anticipated outcome. A cost-benefit analysis helps toward a better assessment, provided it includes the necessary standards for reliability and bias. A common method for estimating effectiveness is to evaluate the IDS several times and then determine a significance level of measurement. An independent evaluation is better than a biased one, but measuring bias is itself challenging. In this research, we used an integrated fuzzy AHP-TOPSIS based methodology to evaluate the different popular IDSs. First, seventy-seven researchers and cybersecurity specialists with different IDS experience were consulted for each parameter set and the relevant technologies. These 77 decision-makers comprise 30 cybersecurity specialists with more than 12 years of experience and 47 researchers from various security organizations with 10 years of IDS research experience. The specialists submitted and assessed their viewpoints in a collaborative online setting, and they were given information on the degree of the variables in relation to the various groups, as well as the linguistic scales. To begin, each decision-maker creates a pair-wise comparison matrix of the parameters. The judgments are considered valid, since the consistency ratio (CR) is less than 0.1 or close to it. Table 4 shows the aggregated fuzzified pair-wise comparison matrix at the first level. The fuzzy-aggregated pair-wise comparison matrices at the second level for Types, Audit Source Location, Targets, and Protected System are presented in Tables 5-8. For every second-level factor, the global weights were calculated. The statistical findings are tabulated in Tables 9-13.
Table 14 shows the overall weights and ranking of the different factors. Table 15 shows the evaluators' subjective judgments in linguistic terms, and Table 16 shows the fuzzy decision matrix with normalized judgments. Table 17 shows the weighted normalized fuzzy decision matrix. In addition, following the hierarchical structure, Table 18 and Figure 4 show the overall and final relative closeness of the different alternatives. Based on the satisfaction degree shown in Figure 4, the ranking of the IDSs by the integrated fuzzy AHP-TOPSIS approach is S2 > S5 > S3 > S4 > S1 (">" means "ranked higher than"). Therefore, S2, which is Suricata, is considered the preferable and most effective IDS.

Comparative Analysis
Applying several techniques to almost the same data can deliver contradictory conclusions, so investigators use complementary methods to test the correctness of a research outcome. In this investigation, the researchers applied a hybrid fuzzy AHP-TOPSIS-based approach to evaluate the effectiveness of the different alternatives. The data-acquisition and assessment process for the sample in fuzzy AHP-TOPSIS is the same as in the traditional AHP-TOPSIS approach; the difference is that fuzzy AHP-TOPSIS requires fuzzification and defuzzification. The data for fuzzy AHP-TOPSIS are captured as their initial crisp values and afterward transformed into fuzzy value sets. The outcomes obtained with the traditional method correlated well with those obtained with the fuzzy procedure: the two sets of results did not differ greatly, but their precision did. Traditional approaches to the effectiveness evaluation of IDSs cannot handle the imprecise or ambiguous nature of linguistic evaluations, and integrated fuzzy multi-criteria decision-making strategies were developed to tackle this limitation. Moreover, the fuzzy approach confirms the findings of the classic strategy, which strengthens the validity of the ranking of the five IDSs. Table 19 and Figure 5 compare the outcomes of the fuzzy and the traditional AHP-TOPSIS approach.

Sensitivity Analysis
The sensitivity of the results was evaluated by altering the parameters, to test the validity of the gathered data. Within the same statistical analysis, the sensitivity of the obtained weights of the factors involved was examined. At the final (second) level of the hierarchy, 13 variables were selected, and their sensitivity was investigated in 12 experiments. In each experiment, the satisfaction degree (CC-i) of every alternative was recomputed with the fuzzy AHP-TOPSIS approach after adjusting the weight of one parameter while the weights of the other parameters were held fixed. The results are shown in Table 20 and Figure 6. Table 18 gives the original weights of this research investigation in its first row. Across the experiments, alternative S2 keeps a high satisfaction degree (CC-i): after all twelve tests, Alternative-2 (S2) consistently retains the highest CC-i. The results also show that the ranking of the alternatives is weight-dependent.
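The weight-perturbation experiment described above, together with the fuzzy AHP-TOPSIS steps of the methodology section (geometric-mean fuzzy weights, COA defuzzification, normalization, weighted normalized matrix, FPIS/FNIS distances and the closeness coefficient), as an added example in Python. This is not the authors' code or survey data: the linguistic scale, the pairwise comparison matrix and the ratings are constructed; the distance between two TFNs is taken by the vertex method (Chen, 2000) rather than the area compensation procedure the paper cites; all criteria are treated as benefit criteria; and each sensitivity experiment doubles one criterion's fuzzy weight while holding the others fixed.

```python
"""Fuzzy AHP-TOPSIS over triangular fuzzy numbers (TFNs) plus a one-weight-at-a-time
sensitivity sweep.  Added example: the scale, pairwise matrix and ratings below are
constructed, not the paper's data.  A TFN is a tuple (l, m, u) with l <= m <= u."""
from math import prod, sqrt


def tfn_geomean(row):
    """Component-wise geometric mean of a row of TFNs (the Equation (13) step)."""
    n = len(row)
    return tuple(prod(t[k] for t in row) ** (1.0 / n) for k in range(3))


def fuzzy_ahp_weights(pairwise):
    """Geometric-mean (Buckley) fuzzy weights: r_i = (prod_j a_ij)^(1/n) and
    w_i = r_i (x) (r_1 (+) ... (+) r_n)^(-1); the inverse of (l, m, u) is (1/u, 1/m, 1/l)."""
    r = [tfn_geomean(row) for row in pairwise]
    sl, sm, su = (sum(t[k] for t in r) for k in range(3))
    return [(ri[0] / su, ri[1] / sm, ri[2] / sl) for ri in r]


def coa(t):
    """Centre-of-area defuzzification: BNP = ((u - l) + (m - l)) / 3 + l = (l + m + u) / 3."""
    return sum(t) / 3.0


def crisp_normalized(weights):
    """BNP of each fuzzy weight, normalized to sum to 1 (the Table 14 style ranking)."""
    bnp = [coa(w) for w in weights]
    total = sum(bnp)
    return [b / total for b in bnp]


def aggregate_ratings(ratings):
    """ratings[d][i][j] is decision-maker d's TFN rating of alternative i on criterion j;
    returns the component-wise average over decision-makers."""
    dms, alts, crits = len(ratings), len(ratings[0]), len(ratings[0][0])
    return [[tuple(sum(ratings[d][i][j][k] for d in range(dms)) / dms for k in range(3))
             for j in range(crits)] for i in range(alts)]


def normalize(x):
    """Benefit-criterion normalization p_ij = (l/u+_j, m/u+_j, u/u+_j) with u+_j = max_i u_ij."""
    crits = len(x[0])
    u_plus = [max(row[j][2] for row in x) for j in range(crits)]
    return [[tuple(c / u_plus[j] for c in row[j]) for j in range(crits)] for row in x]


def vertex_distance(a, b):
    """Distance between two TFNs by the vertex method (assumption, see lead-in)."""
    return sqrt(sum((a[k] - b[k]) ** 2 for k in range(3)) / 3.0)


def closeness(ratings, weights):
    """q_ij = p_ij (x) w_j; FPIS q*_j = (1,1,1)(x)w_j; FNIS q-_j = (0,0,0);
    d+_i and d-_i are summed over criteria; CC_i = d-_i / (d+_i + d-_i)."""
    p = normalize(aggregate_ratings(ratings))
    cc = []
    for row in p:
        d_plus = d_minus = 0.0
        for p_ij, w_j in zip(row, weights):
            q_ij = tuple(p_ij[k] * w_j[k] for k in range(3))
            d_plus += vertex_distance(q_ij, w_j)
            d_minus += vertex_distance(q_ij, (0.0, 0.0, 0.0))
        cc.append(d_minus / (d_plus + d_minus))
    return cc


def ranking(cc):
    """Alternative indices from highest to lowest closeness coefficient."""
    return sorted(range(len(cc)), key=lambda i: -cc[i])


def sensitivity_sweep(ratings, weights, factor=2.0):
    """One experiment per criterion: scale that criterion's fuzzy weight by `factor`,
    hold the others fixed, recompute every CC_i and record the winner."""
    out = []
    for j in range(len(weights)):
        w = list(weights)
        w[j] = tuple(c * factor for c in w[j])
        cc = closeness(ratings, w)
        out.append({"criterion": j, "cc": cc, "best": ranking(cc)[0]})
    return out


# Constructed demo data (assumed linguistic scale; three criteria, three alternatives, two DMs).
SCALE = {"P": (1, 3, 5), "F": (3, 5, 7), "G": (5, 7, 9), "VG": (7, 9, 10)}
PAIRWISE = [
    [(1, 1, 1), (1, 2, 3), (2, 3, 4)],
    [(1 / 3, 1 / 2, 1), (1, 1, 1), (1, 2, 3)],
    [(1 / 4, 1 / 3, 1 / 2), (1 / 3, 1 / 2, 1), (1, 1, 1)],
]
RATINGS = [  # RATINGS[d][i][j]
    [[SCALE["VG"], SCALE["G"], SCALE["F"]], [SCALE["G"], SCALE["G"], SCALE["VG"]], [SCALE["P"], SCALE["F"], SCALE["G"]]],
    [[SCALE["G"], SCALE["VG"], SCALE["F"]], [SCALE["VG"], SCALE["G"], SCALE["G"]], [SCALE["F"], SCALE["P"], SCALE["G"]]],
]


def run_demo():
    """Full pipeline on the constructed data; returns every intermediate result."""
    w = fuzzy_ahp_weights(PAIRWISE)
    cc = closeness(RATINGS, w)
    return {"weights": w, "bnp": crisp_normalized(w), "cc": cc,
            "rank": ranking(cc), "sensitivity": sensitivity_sweep(RATINGS, w)}


if __name__ == "__main__":
    res = run_demo()
    print("crisp criterion weights:", [round(b, 3) for b in res["bnp"]])
    print("CC_i:", [round(c, 3) for c in res["cc"]], "ranking:", [i + 1 for i in res["rank"]])
    for e in res["sensitivity"]:
        print("w%d x2 -> best alternative A%d" % (e["criterion"] + 1, e["best"] + 1))
```

Because the FPIS is $(1,1,1)\otimes w_j$ and the FNIS is $(0,0,0)$, scaling a single weight scales both the weighted rating and the ideal point for that criterion, so a rank change in the sweep only appears when an alternative's advantage on the perturbed criterion outweighs its deficits elsewhere; that is the weight dependence the sensitivity table is meant to expose.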

Conclusions
In today's environment, network security matters for small as well as large organizations. Increasingly complex and advanced security threats are constantly being developed. Online security issues are becoming more prevalent, and an IDS can help defend an organization from malicious activity: it analyzes network traffic and notifies the system administrator when suspicious activity is detected. This paper discusses the five most widely used intrusion-detection systems, Zeek, Suricata, Security Onion, OSSEC, and Snort, and compares their functionality with the help of a hybrid fuzzy-logic-based approach. All of the IDSs appear to be highly promising tools. Even though Snort is extensively deployed, Suricata is a newer-generation multi-threaded engine with a broader range of features. Suricata also has a significant benefit over Snort in that it does not need many processes to handle a surge in network traffic (this comparison concerns the single-threaded Snort 2 architecture; Snort 3 added multi-threaded packet processing). The type of connection or attack to be monitored will determine which IDS should be deployed. The recommendation to network administrators is based on a generic network design and common network bottlenecks; it may vary with the network infrastructure of the business entity. Future work will repeat this evaluation with other MCDM models on a real-world dataset, so that the final assessments can be measured directly without relying on any third party.
