Signature-based IDS

Read section 2 of this article to learn about signature-based intrusion detection systems (IDS). You should be able to explain what signature-based IDS detects on a system, as well as some advantages and disadvantages of the system. What is a popular signature-based network intrusion detection system?


A signature-based NIDS examines ongoing traffic, activity, transactions, or behaviour for matches with known patterns of events specific to known attacks. As with antivirus software, a signature-based NIDS requires access to a current database of attack signatures and some way to actively compare and match current behaviour against a large collection of signatures.

Signature-based detection (also called misuse-based detection) is very effective against known attacks [5]. It implies that misuse detection requires specific knowledge of a given intrusive behaviour. A well-known example of a signature-based intrusion detection system is Snort.

  • Signature definitions are modeled on known intrusive activity, so the user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on.

  • A misuse detection system begins protecting your network immediately upon installation.

  • False positives are low as long as the attacks are clearly defined in advance.

  • When an alarm fires, the user can relate this directly to a specific type of activity occurring on the network.

  • One of the biggest problems for a signature-based NIDS is keeping up with a large volume of incoming traffic when each packet must be compared with every signature in the database. Processing all of the traffic is time-consuming and slows down the throughput of the system.

  • A misuse detection system must have a signature defined for every possible attack that an attacker may launch against your network. This makes frequent signature updates necessary to keep the signature database of your misuse detection system up to date.

  • Misuse detection has a well-known problem of raising alerts regardless of the outcome of the attack. For example, when a Windows worm tries to attack a Linux system, the misuse IDS will send many alerts for unsuccessful attacks, which may be hard to manage.

  • Someone may set up the misuse detection system in their lab and intentionally try to find ways to launch attacks that bypass detection by the misuse detection system.

  • The knowledge about attacks is very dependent on the operating system, version, and application; hence, it is tied to specific environments.
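The matching loop the text describes, as an added illustration (this is not code from the article or from Snort): a small signature database is compared against every packet, the number of comparisons is counted to show the packets × signatures cost, and a signature's known target operating system is checked against the destination host so that alerts for attacks that cannot succeed (the Windows-worm-against-Linux case) can be flagged. The rule fields, signature ids, patterns, IP addresses and packets are all constructed for the example.

```python
"""Minimal signature-based NIDS matcher (added example, not the article's or Snort's code).
All signatures, packets, ids and patterns below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                        # rule id (constructed)
    name: str
    proto: str                      # "tcp" or "udp"
    dst_port: Optional[int]         # None means any destination port
    content: bytes                  # byte pattern that must appear in the payload
    target_os: Optional[str] = None  # OS the attack actually affects, if known


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes
    dst_os: Optional[str] = None    # destination OS from an asset inventory, if known


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dst: str
    relevant: bool  # False when the signature's target OS does not match the destination host


# Constructed signature database: harmless marker strings stand in for real attack content.
SIGNATURES: List[Signature] = [
    Signature(1001, "EXAMPLE worm propagation attempt", "tcp", 445,
              b"EXAMPLE-WORM-MARKER", target_os="windows"),
    Signature(1002, "EXAMPLE web scanner user-agent", "tcp", 80,
              b"User-Agent: ExampleScanner"),
    Signature(1003, "EXAMPLE DNS tunnel label", "udp", 53, b"x-tunnel-x"),
]


def matches(sig: Signature, pkt: Packet) -> bool:
    """Naive match: protocol, port (if given) and payload content must all agree."""
    if sig.proto != pkt.proto:
        return False
    if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
        return False
    return sig.content in pkt.payload


def scan(packets: List[Packet], signatures: List[Signature] = SIGNATURES) -> Tuple[List[Alert], int]:
    """Compare every packet with every signature (the packets x signatures cost the text
    describes). Returns the alerts raised and the number of comparisons performed."""
    alerts: List[Alert] = []
    comparisons = 0
    for pkt in packets:
        for sig in signatures:
            comparisons += 1
            if matches(sig, pkt):
                # An alert is still raised on a match, but it is marked as not relevant when
                # the signature targets an OS the destination host is known not to run.
                relevant = (sig.target_os is None or pkt.dst_os is None
                            or sig.target_os == pkt.dst_os)
                alerts.append(Alert(sig.sid, sig.name, pkt.src, pkt.dst, relevant))
    return alerts, comparisons


# Constructed sample traffic (private addresses, synthetic payloads).
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.20", "tcp", 445, b"\x00\x00EXAMPLE-WORM-MARKER\x00", dst_os="linux"),
    Packet("10.0.0.5", "10.0.0.21", "tcp", 445, b"\x00\x00EXAMPLE-WORM-MARKER\x00", dst_os="windows"),
    Packet("10.0.0.7", "10.0.0.30", "tcp", 80,
           b"GET / HTTP/1.1\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n"),
    Packet("10.0.0.8", "10.0.0.30", "tcp", 80,
           b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00" + b"x-tunnel-x.example.com"),
]


if __name__ == "__main__":
    found, n = scan(SAMPLE_PACKETS)
    for a in found:
        note = "" if a.relevant else "  (target OS mismatch: attack likely unsuccessful)"
        print(f"[sid:{a.sid}] {a.name} {a.src} -> {a.dst}{note}")
    print(f"{len(SAMPLE_PACKETS)} packets x {len(SIGNATURES)} signatures = {n} comparisons")
```

Running the block raises four alerts from five packets and performs 15 comparisons (5 packets × 3 signatures); the first worm alert is marked as not relevant because the destination is a Linux host. Production engines avoid the naive inner loop by grouping rules by protocol and port and using multi-pattern matching, which is why the throughput concern in the text is real but manageable.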

Source: Sagar N. Shah and Ms. Purnima Singh,
This work is licensed under a Creative Commons Attribution 4.0 License.

Last modified: Sunday, November 22, 2020, 12:32 AM