
Signature-based detection techniques have been used since the earliest days of security monitoring. Virus scanners used signatures to identify infected files, and the earliest intrusion detection systems (IDS) relied heavily upon signature definitions.

In earlier years, these provided adequate protection, until adversaries became more advanced. Bad actors discovered methods of evading signatures, leaving the first generation of signature-based detection systems ill-equipped to protect organizations from threats.

In an effort to determine a longer-term solution for these threats, new techniques were created to look for the effects of attacks rather than identify unique characteristics of the attackers. This provides the benefit of potentially discovering unknown threats, but this technique does not come without challenges of its own.

Limitations of Signature-Based Detection

Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. In the case of a virus scanner, it may be a unique pattern of code that attaches to a file, or it may be as simple as the hash of a known bad file. If that specific pattern, or signature, is discovered again, the file can be flagged as being infected.

As malware became more sophisticated, malware authors began using new techniques, like polymorphism, to change the pattern each time the object spread from one system to the next. As such, a simple pattern match wouldn’t be useful beyond a small handful of discovered devices.

In network detection systems like IDS, signatures are defined to look for characteristics within network traffic. One of the more common definition methods is the "Snort rule". A Snort rule defines characteristics in one or a series of network packets to identify malicious behavior.

For example, a Snort rule can be written to identify command-and-control (C2) traffic between an infected device and the adversary, regardless of where the adversary’s servers are kept. While it is more difficult for adversaries to obfuscate network packets to evade the signature, it is relatively easy to encrypt the traffic, complicating the detection process.

One of the biggest limiting factors behind signatures is that these are always reactive in nature: You always have to start with an instance of a virus or an understanding of a network attack in order to write a signature to detect them. This means signatures can’t identify unknown and emerging threats. Signatures only identify threats that are already known.
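The limitations described above, as an added, runnable illustration that is not from the original post: a hash signature, a toy matcher for the content options of a Snort-style rule (the rule, its sid, and the sample bytes are constructed for this example and are not real malware or a real Snort rule), a one-byte "polymorphic" change that defeats the hash while the content match still fires, and a stand-in for transport encryption that defeats the content match as well.

```python
import hashlib
import re

# Constructed samples for illustration only; none of these bytes are real malware.
KNOWN_BAD = b"MZ\x90\x00 dropper-stub GET /gate.php?id="
POLYMORPHIC_VARIANT = KNOWN_BAD.replace(b"\x90\x00", b"\x90\x01")  # one byte changed
C2_BEACON = b"GET /gate.php?id=1234 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

# Hash signature: the whole object must be byte-identical to the sample it was built from.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "known_bad.sample"}

def match_hash(data: bytes):
    """Return the signature name if the object's hash is in the database, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())

# Snort-style rule (hypothetical sid); only msg, content and nocase are interpreted here.
SNORT_RULE = ('alert tcp any any -> any 80 (msg:"C2 beacon"; '
              'content:"GET /gate.php?id="; nocase; sid:1000001;)')

def parse_rule(rule: str) -> dict:
    """Pull msg and the (pattern, nocase) content checks out of the rule body."""
    body = re.search(r"\((.*)\)", rule).group(1)
    parsed = {"msg": "", "contents": []}
    for opt in (o.strip() for o in body.split(";")):
        key, _, val = opt.partition(":")
        if key == "msg":
            parsed["msg"] = val.strip().strip('"')
        elif key == "content":
            parsed["contents"].append([val.strip().strip('"').encode(), False])
        elif key == "nocase" and parsed["contents"]:
            parsed["contents"][-1][1] = True  # nocase modifies the preceding content
    return parsed

def match_rule(rule: dict, payload: bytes):
    """Every content pattern must appear in the payload; returns msg on a hit, else None."""
    for pattern, nocase in rule["contents"]:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return None
    return rule["msg"]

def xor_encrypt(data: bytes, key: int) -> bytes:
    """Stand-in for transport encryption: the wire bytes no longer carry the plaintext pattern."""
    return bytes(b ^ key for b in data)

if __name__ == "__main__":
    rule = parse_rule(SNORT_RULE)
    print("hash, original   :", match_hash(KNOWN_BAD))            # known_bad.sample
    print("hash, polymorphic:", match_hash(POLYMORPHIC_VARIANT))  # None: one byte defeats the hash
    print("rule, beacon     :", match_rule(rule, C2_BEACON))      # C2 beacon
    print("rule, encrypted  :", match_rule(rule, xor_encrypt(C2_BEACON, 0x5A)))  # None
```

The XOR stand-in is not a claim about any real C2 cipher; it only shows that a content signature written against plaintext has nothing to match once the bytes on the wire are transformed.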


About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform with a comprehensive threat detection and prevention solution to help determine the true scope and severity of threats. Bricata simplifies network threat hunting by identifying hidden threats using purpose-built hunting workflows that present detailed metadata clearly, easing the transition from known to unknown malicious activity, in conjunction with an advanced threat detection and prevention platform that detects zero-day malware.
