What Is Signature-based Intrusion Detection?

Every application—including malware—has a distinct pattern from its actions, file size, file hashes, and compiled code. This pattern is called a signature. Signature-based intrusion detection examines traffic across a network to detect malicious software signatures. Although it’s an older form of malware detection, signature-based detection is accurate and still viable in cybersecurity and data protection.

What Is Signature-based Intrusion Detection?

Signature-based intrusion detection identifies threats by comparing system activity to a database of known attack patterns or signatures to detect malicious behavior.

Malware, like any program, is compiled into binary computer language. Its compiled code can be hashed to create a unique signature, but other characteristics can also create a signature. The actions malware performs along with its in-memory code can determine its unique signature. Some malware displays author phrases stored in memory, while others will store specific files in specific locations, which also feeds into its specific pattern.

Modern malware often communicates with a command-and-control (C2) location. The malware has hardcoded IP addresses or domain names to communicate with the author. Communication lets the attacker know that a targeted machine is now running the malware and their attack was successful. Firewalls and intrusion detection systems can detect requests to communicate on these IP addresses and domains to alert administrators of suspicious activity.

How Signature-based Intrusion Detection Works

To work with signature-based intrusion detection, you first need to store malware signatures. Signatures are stored in a database, usually provided by the intrusion detection provider. The signature chosen to be an indicator is decided by security researchers who often share their findings in open source locations. For example, the popular YARA tool can be used to classify and create malware signatures.

Intrusion detection systems continually monitor network traffic for malware signatures. They compare network traffic with the signatures stored in the intrusion detection system database. When a signature is detected in traffic, intrusion detection takes action such as alerting administrators.

Advantages of Signature-based Intrusion Detection

Because signatures are built from malware, it’s a much more accurate system than other anomaly-based detection. Signatures are static, provided that the malware author does not make changes and introduce a variant, so intrusion detection with an updated database has very few false positives. False positives happen when the intrusion detection flags an application incorrectly.

Another advantage of signature-based detection is it’s quick and doesn’t require any benchmark data. Signatures can be quickly identified without first collecting data to determine if activity does not match benchmarks. For example, anomaly-based detection needs a benchmark of activity on files before it can determine if too many access requests could be malware or common network activity.

Limitations of Signature-based Intrusion Detection

To have malware signatures, the threat must be known. Zero-day threats are those unseen in the wild, so they have no signature to detect. A lack of signatures in zero-day threats means that intrusion detection reliant on signatures cannot detect them. Without full coverage, this type of intrusion detection can give administrators a false sense of security.

Signature-based intrusion detection also needs more resources than other forms of intrusion detection. Traffic is constantly compared to a list of signatures in a database, and your signature database could have millions of stored items. To have intrusion detection using signatures, you must also ensure that the database is consistently updated. Cloud providers usually provide updates, but local storage might require manual actions from network administrators.

Use Cases and Applications

Any industry with local and cloud data can leverage signature-based intrusion detection, but it’s often used as a single component in data protection. Signature-based intrusion detection is great for identifying known threats immediately with few false positives. For example, a healthcare provider can use this type of intrusion detection to protect against known ransomware. Ransomware commonly targets healthcare agencies, hospitals, and insurance companies because they often have legacy outdated software. Signature-based protection can stop these threats instantly, especially when paired with intrusion prevention systems.

Customer service organizations are another common target because they receive attachments from customers to review. If an attachment contains malware, the malware’s signature could be detected. Intrusion detection is valuable in network segments where third-party email attachments are downloaded and stored.

Conclusion

Business-level cybersecurity requires several layers of protection. Signature-based intrusion detection is one layer, but you’ll need several others to fully protect your environment. With signature-based security, you can protect your environment from known threats, which are a big factor in data breaches.

Storing signatures and other security analytics requires robust storage systems. Everpure has the speed and capacity for large environments with complex intrusion detection. Everpure has partnered with Elasticsearch for faster searches and resilient architecture for scaling.