The signature-based IDS monitors the network traffic or observes the system and sends alarms if a known malicious event is happening. It does this by comparing the data flow against a database of known attack conditions. These signatures explicitly define what traffic or activity should be considered malicious. Various types of signature-based IDSs exist, including the following:
■ Simple and stateful pattern matching
■ Protocol decode-based analysis
■ Heuristic-based analysis
■ Anomaly detection
The pattern-matching systems look for a fixed sequence of bytes in a single packet, which has three advantages:
■ It generates reliable alerts.
■ It is applicable to all protocols.
The weakness of a pattern-matching system is that any slightly modified attack leads to false negatives. Multiple signatures may be required to deal with a single vulnerability in stateful pattern-matching systems, as matches are made in context within the state of the stream.
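To make the difference between simple and stateful pattern matching concrete, the following is an added example (not from the original text): a per-packet matcher beside a per-flow matcher that reassembles the stream first, run over constructed traffic in which the same constructed signature appears whole in one packet, split across two packets, and in a slightly modified form.

```python
"""Per-packet vs stateful signature matching over constructed traffic."""
from dataclasses import dataclass

# Constructed signature database: byte patterns the detector treats as malicious.
SIGNATURES = {"sig-001": b"EVIL_MARKER"}


@dataclass
class Packet:
    flow: str       # constructed flow identifier standing in for the 5-tuple
    payload: bytes  # application-layer bytes carried by this packet


def simple_match(packets):
    """Simple pattern matching: inspect each packet payload in isolation."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                alerts.append((name, pkt.flow))
    return alerts


def stateful_match(packets):
    """Stateful pattern matching: reassemble each flow, then match in the
    context of the whole stream, so a pattern split across packets is seen."""
    streams = {}
    for pkt in packets:
        streams[pkt.flow] = streams.get(pkt.flow, b"") + pkt.payload
    alerts = []
    for flow, data in streams.items():
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                alerts.append((name, flow))
    return alerts


# Constructed traffic: flow-A carries the pattern in one packet, flow-B splits it
# across two packets, flow-C carries a slightly modified variant (different case)
# that neither matcher recognises, i.e. a false negative for both.
TRAFFIC = [
    Packet("flow-A", b"GET /index.html EVIL_MARKER\r\n"),
    Packet("flow-B", b"GET /index.html EVIL_"),
    Packet("flow-B", b"MARKER\r\n"),
    Packet("flow-C", b"GET /index.html evil_marker\r\n"),
]

if __name__ == "__main__":
    print("simple:  ", simple_match(TRAFFIC))    # flow-A only
    print("stateful:", stateful_match(TRAFFIC))  # flow-A and flow-B
```

The per-packet matcher misses flow-B because the fixed byte sequence never occurs inside a single packet, while the stateful matcher catches it after reassembly; flow-C shows the false negative that a trivially modified attack produces in both.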