Signature-based detection is a detection style that defines how the detector scans data for attacks: a unique identifier (the signature) is derived from a known attack so that any further attack of that kind can be recognised and dealt with rapidly.
In signature-based detection, the detector flags any activity that matches the structure of a known attack. It works like a blacklist of attacks: the detector keeps a list of patterns that are not allowed and raises an alert whenever it sees something that matches a pattern in that list.
One example of signature-based detection is detecting buffer overflows. Since buffer overflows usually contain
The following shows how SNORT works:
However, signature-based detection does not come without tradeoffs. The following table shows the benefits and drawbacks of signature-based detection:
| Benefits | Drawbacks |
| --- | --- |
| It is conceptually simple. | It would not catch new attacks without a known signature. |
| It is good at detecting known attacks. | It might not catch variants of known attacks if the variant does not match the signature. |
| It is easy to share signatures and build up shared libraries of attacks. | The attacker can modify their attack to avoid matching the signatures and can still attack. |
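The matching mechanism described above and the "variant" drawback in the table, as an added example that is not part of the original page and not Snort's own code: a minimal matcher for a simplified Snort-style rule syntax (only the `msg`, `content` and `nocase` options are interpreted) run over constructed sample payloads. The rules, the `DemoBot` beacon string and the payloads are made up for this illustration.

```python
import re

# Simplified Snort-style rules, constructed for this example. Only the msg,
# content and nocase options are interpreted; the header fields are ignored.
RULES = [
    'alert tcp any any -> any 80 (msg:"Path traversal to /etc/passwd"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"DemoBot v1 beacon"; content:"DEMOBOT-V1-HELLO"; nocase; sid:1000002;)',
]

# One rule option: name, then optionally a quoted or bare value, then ';'.
_OPTION_RE = re.compile(r'(\w+)(?::"([^"]*)"|:([^;]*))?;')


def parse_rule(rule: str) -> dict:
    """Split a rule into its header and a dict of its body options."""
    header, _, body = rule.partition("(")
    opts = {"header": header.strip()}
    for name, quoted, bare in _OPTION_RE.findall(body.rstrip(")")):
        # Flag options such as 'nocase' carry no value and are stored as True.
        opts[name] = quoted or bare.strip() or True
    return opts


def scan(payload: str, rules=RULES) -> list:
    """Return the msg of every rule whose content string appears in payload."""
    hits = []
    for opts in map(parse_rule, rules):
        needle, haystack = opts["content"], payload
        if opts.get("nocase"):
            needle, haystack = needle.lower(), haystack.lower()
        if needle in haystack:
            hits.append(opts["msg"])
    return hits


# Constructed sample payloads, not real traffic.
SAMPLES = {
    "benign":  "GET /index.html HTTP/1.1",
    "known":   "GET /cgi-bin/view?file=/etc/passwd HTTP/1.1",
    "beacon":  "demobot-v1-hello id=42",   # nocase lets the rule match this
    "variant": "DEMOBOT-V2-HELLO id=42",   # new version: no signature yet, no alert
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8s} -> {scan(payload) or 'no alert'}")
```

The `variant` payload is the table's second drawback in action: the same bot with a changed version string passes unflagged until a new signature is written and shared.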