What is Signature-Based Detection?
Signature-based detection is one of the foundational detection methods of intrusion detection systems (IDS). It allows IDSs to quickly identify malicious behavior transiting the network by searching for a list of known indicators.
- What is signature-based detection?
- What is a signature?
- How signature-based detection benefits from open-source tools and community
- The limitations of signature-based detection
- Signature-based detection vs. anomaly detection
- Detection accelerated: fuse alerts to network log data
- Stay ahead of evolving threats with Corelight
What is signature-based detection?
Intrusion detection systems (IDS) use several different techniques to detect malicious network activity. One method, signature-based detection, is designed to quickly identify patterns in network traffic that indicate malicious activity or unauthorized access. Malicious activity, often called malware, is an umbrella term that describes any malicious program or code that is harmful to computer systems (e.g., trojans, viruses, worms).
Signature-based detection is one of the most direct and well-established methods to identify malicious activity. Signature-based detection examines network traffic, compares it to known signatures, and generates an alert when a match is made. One example of an IDS that implements signature-based detections is Suricata. A Suricata signature consists of:
- Action - what happens when the signature matches
- Header - defining the network information (e.g., protocol, IP addresses, ports, and direction)
- Options - defining the specifics of the rule
Signature-based detections for networks is effectively the technology that is common to antivirus and endpoint tools where a unique pattern or identifier is matched.
Signature-based detection is a foundational method to identify malicious activity with an IDS, but it is not the only method. Signature-based detection has limitations; it is unable to detect patterns or indicators of new threats that are not already known. As a result, security professionals often use signature-based detections in conjunction with tools that provide context into network behavior.
What is a signature?
A signature is a unique pattern or identifier: It may be a byte sequence in network traffic or inside a file or a series of instructions. It is often compared to a fingerprint or DNA sample in that it belongs solely to that particular pattern. Others may have similar characteristics, but each malware type’s signature is its own.
A signature also may be identified as a threat signature or an IDS rule. These signatures are typically created by researchers or network defenders who identify and analyze malicious activity and extract indicators of compromise (IOCs).
How signature-based detection benefits from open-source tools and community
Cyber adversaries are persistent, creative, and always developing new methods of breaching the network by exploiting vulnerabilities. Open-source tooling offers flexibility for developers and is often used in ways not initially envisioned by open-source tooling creators. This flexibility offers network defenders the opportunity to match the adversarie's creativity. For example, many security organizations share home-grown signature-based detections. This allows the security community at large to help individual security operations centers (SOCs), and analysts keep current and effectively leverage the overall effectiveness of signature-based detection tools. Here are two examples of open-source tools and one of a community organization:
- FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in incident prevention, stimulate rapid reaction to incidents, and promote information sharing among members and the community at large.
- Zeek® is an open-source software platform that provides compact, high-fidelity transaction logs, file content, and fully customized output to analysts, from the smallest home office to the largest, fastest research and commercial networks.
- The Open Information Security Foundation is a 501(c)3 nonprofit organization created to build community and to support open-source security technologies like Suricata.
Corelight’s Open Network Detection and Response (NDR) Platform correlates Suricata IDS detections with Zeek® network security logs to provide security operations teams with the comprehensive network security evidence required to detect modern-day threats and disrupt sophisticated attacks.
The limitations of signature-based detection
Adversaries will continue to find new means of exploiting vulnerabilities or producing variants of known threats that can elude signature-based detection methods. As a result, any solution that relies exclusively on this method will have significant blindspots. Additionally, it can be challenging for network administrators to keep their signatures current. Automation tools have streamlined the process, but network administrators may need to manually update their databases.
For this reason, the most mature and comprehensive security postures combine signature-based detection, anomaly detection, and network evidence to fuse alerts.
Signature-based detection vs. anomaly detection
Anomaly-based or behavior-based detection takes a more comprehensive view of network activity and creates a baseline of patterns and behaviors that define “normal” activity. It is against this “normal” backdrop that anomaly-based detections operate, searching for a behavior that does not conform to the “normal” baseline that may indicate malicious activity. An anomaly or behavior-based detection system may leverage machine learning to establish the baseline or identify patterns that may be evidence of an attack.
The fundamental difference between signature-based and anomaly-based systems is crystallized by the ability, or lack thereof, to spot unknown or novel attack methods. Signature-based detections only generate alerts when they identify an exact match of a known indicator, any variation from the known indicator, and signature-based detection cannot identify the malicious activity. An anomaly-based system can generate alerts when activity is outside an accepted range. The activity may take the form of traffic that is not “normal” to the network or evidence of unusual attempts to connect to the network (e.g., with an unauthorized device). Anomaly-based detection may also deploy heuristic analysis, which focuses on identifying unknown threats through pattern creation, sandbox testing, and other methods to identify malicious activity or code that does not trigger alerts in a signature-based detection system.
Anomaly-based detection is not free of shortcomings, and one often discussed is the possibility of false positives generated by unusual, but not malicious, behavior.
|Signature-based detection||Anomaly-based detection|
Depends on known attack signatures.
Requires heuristic analysis.
Compares network activity with the database; generates alerts in the event of a match.
Generates alarm upon detecting behavior anomalous to normal traffic patterns.
Limited network context accompanies alerts.
Pre-defined rules for “normal” behavior can be challenging to establish.
Varying false positive rate, but may be tuned by an administrator.
Potentially high false positive rate; legitimate but anomalous behavior may generate an alarm.
Requires regular updates to the signature database.
Requires traffic to define “normal” network behavior.
Detection accelerated: fuse alerts to network log data
Advanced security strategies depend on evidence and context. Many signature-based detection tools will provide some alert context, but typically it is restricted to a narrow alert frame, without providing much detail about what happened before the alert fired, or what other activity occurred simultaneously.
Increasingly, network detection and response platforms are fusing the signature-based and anomaly-based approaches to create systems that provide a richer context for alerts while helping security teams ignore the false alarms. Tools such as Zeek® can work in conjunction with a signature-based detection engine, such as Suricata, by providing network telemetry that delivers a more detailed picture of activity before, during, and after an alert. Packaged together, the signal and context enable security personnel to find relevant data via SIEM inquiries, or by deploying an analytics platform, such as Corelight Investigator.
Stay ahead evolving threats with Corelight
Signature-based detection has long been and remains an important tool in network security monitoring and analysis. It is a well-known detection option that simplifies rapid signature development and is very effective at detecting known indicators.
Corelight, the leader in Network Detection and Response (NDR), recognizes the benefit of signature-based detection, employing it along with anomaly or behavioral-based detections and machine learning to create robust detection capabilities.
These capabilities differentiate Corelight’s solution because the quality of network evidence often determines the effectiveness of threat detection and analysis. Through this evidence-based approach to security and network security monitoring (NSM), Corelight delivers a comprehensive suite of network security analytics that help organizations identify TTPs across the MITRE ATT&CK® spectrum.
Corelight’s community-driven Zeek detections with network transaction logs and extended data retention times provide security teams with the tools they need to take the most effective approach to each detection problem, saving time from identification to remediation. Learn more about Corelight’s intrusion detection capabilities.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.