Signature Based IDS

A signature-based IDS monitors network traffic, or observes activity on a host, and raises an alarm when a known malicious event occurs. It does this by comparing the observed data against a database of signatures that describe known attack conditions; each signature states explicitly which traffic or activity is to be treated as malicious. Because a signature can only describe an attack that has already been characterised, this approach does not detect novel attacks on its own. The detection engines commonly grouped under this heading include the following (anomaly detection is usually classed as a separate approach that the same product may combine with signatures):

■ Simple and stateful pattern matching

■ Protocol decode-based analysis

■ Heuristic-based analysis

■ Anomaly detection

Simple pattern matching looks for a fixed sequence of bytes within a single packet. This approach has the following advantages:

■ It generates reliable alerts.

■ It is applicable to all protocols.

The weakness of pattern matching is that even a slightly modified attack produces a false negative: if the bytes no longer match the signature exactly, nothing fires. Simple pattern matching is also blind to a pattern that straddles a packet boundary. Stateful pattern matching addresses the latter by tracking the state of the connection and matching in the context of the reassembled stream, so the signature is found even when the attacker splits it across packets. Even so, multiple signatures may be required to cover the variants of a single vulnerability, because each signature still describes one fixed byte sequence.
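The following is an added example, not code from the original page or from any IDS product, illustrating three of the engines listed above (simple pattern matching, stateful pattern matching and protocol-decode-based analysis) and the false-negative weakness just described. The signature bytes, the flow identifiers and the sample HTTP packets are all constructed for this example and are not taken from any real ruleset or capture. Each engine is run over the same packets so the differences in what they catch are visible side by side.

```python
from collections import defaultdict
from urllib.parse import unquote

# Hypothetical signature for illustration only (not from any real IDS ruleset):
# the fixed byte sequence of a directory-traversal probe.
SIGNATURE = b"../../etc/passwd"

# Constructed sample traffic: (flow_id, payload) in arrival order.
# A: attack contained in a single packet.
# B: the same attack split across two packets at a byte boundary.
# C: the same attack with the slashes percent-encoded.
# D: benign request.
# E: a modified traversal ("....//") that no longer contains the signature bytes.
PACKETS = [
    ("A", b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"),
    ("B", b"GET /cgi-bin/../../e"),
    ("B", b"tc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"),
    ("C", b"GET /cgi-bin/..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: victim\r\n\r\n"),
    ("D", b"GET /index.html HTTP/1.1\r\nHost: victim\r\n\r\n"),
    ("E", b"GET /cgi-bin/....//....//etc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"),
]


def reassemble(packets):
    """Concatenate payloads per flow in arrival order (a minimal stream reassembly)."""
    streams = defaultdict(bytearray)
    for flow, payload in packets:
        streams[flow].extend(payload)
    return {flow: bytes(data) for flow, data in streams.items()}


def simple_pattern_match(packets, signature=SIGNATURE):
    """Simple pattern matching: each packet is inspected on its own."""
    return sorted({flow for flow, payload in packets if signature in payload})


def stateful_pattern_match(packets, signature=SIGNATURE):
    """Stateful pattern matching: the signature is searched in the reassembled
    stream, so a pattern split across packet boundaries is still found."""
    return sorted(flow for flow, data in reassemble(packets).items()
                  if signature in data)


def protocol_decode_match(packets, signature=SIGNATURE):
    """Protocol-decode-based analysis: parse the HTTP request line, percent-decode
    the URI, and apply the signature to the decoded field rather than to raw bytes."""
    alerts = []
    for flow, data in reassemble(packets).items():
        request_line = data.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) < 3:
            continue  # not a well-formed HTTP request line; nothing to decode
        uri = unquote(parts[1].decode("latin-1")).encode("latin-1")
        if signature in uri:
            alerts.append(flow)
    return sorted(alerts)


if __name__ == "__main__":
    engines = [("simple", simple_pattern_match),
               ("stateful", stateful_pattern_match),
               ("protocol decode", protocol_decode_match)]
    for name, engine in engines:
        print(f"{name:16s} alerts on flows: {engine(PACKETS)}")
```

The simple engine fires only on flow A; the stateful engine additionally catches flow B, because it matches against the reassembled stream; the decode-based engine also catches flow C, because it undoes the percent-encoding before matching. None of the three fires on flow E: the traversal has been rewritten so the signature bytes are simply not present, which is the false negative described above. A decode engine only undoes the encodings it was built to undo, so a second signature (or a normalisation step) would be needed to cover that variant.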
