Anomaly-based vs. Signature-based

redline5th Member Posts: 119
Can someone explain the differences in reference to detection? For whatever reason I am having one hell of a hard time getting these correct on practice tests.

Thanks,
- Chris
WGU - Bachelors in Information Technology

“The liberty of speaking and writing guards our other liberties.” -- Thomas Jefferson

Comments

  • [Deleted User] Posts: 0
    I always relate anomaly-based to a baseline and signature-based to, well, signatures. For example, anomaly-based would detect something that has deviated from the baseline, whereas signature-based may detect something based on a previous attack pattern. Someone please correct me if I am wrong.
  • redline5th Member Posts: 119
    Yeah, that's about what I have in my head.

    It's just so hard to choose between the two in practice tests.
  • kriscamaro68 A+, Net+, Server+, Security+, Win7 MCP, Server 2012 Virtualization Specialist, MCSA 2012 Member Posts: 1,186
    Signature-based detection will pull from a database or data file for detection of well-known attacks or malware. Anomaly-based has you set up the equipment and run a baseline, which could take some time. Once that baseline is set and the equipment (i.e. firewall/IDS/IPS) knows how the network or server acts on a regular day-to-day basis, it can then detect whether or not something doesn't smell right because there might be way too many half-open TCP sessions, or too much traffic hitting a single port, or too many of the same processes running on the server. Once an anomaly-based setup is ready to go, it can be better for zero-day attacks as it goes off the baseline, whereas the sig-based has to wait for updates from the vendor, which takes time.

    Hope that helps.
  • chrisone Senior Member Member Posts: 2,251
    Signature-based is what the title states, "signature": there is a constant pattern and obvious recognition of the code over and over again.

    Anomaly-based is, like many have stated, baselining in order to detect some form of abnormality. I see anomaly as like an organism that constantly changes or evolves, having no identical pattern other than it not being the norm (baseline).
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2022 Goals:
    Certs: EnCE (Phase 1 - Passed, Phase 2 - awaiting results), eCPTXv2 (in progress), SC-300 (in progress), AZ-500, SC-100
    Course: BC Security - Empire Operations 1 (completed), Zero Point Security - CRTO (course completed)
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Know that anomaly-based systems will probably let some bad traffic in and will take a long while to "train". Also, if the network changes, such as a new web server causing a large amount of new traffic, the IDS will need to be retrained.

    I believe that anomaly-based IDSs are faster than signature-based.
  • redline5th Member Posts: 119
    Thanks guys! You've been a huge help!!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    knwminus wrote:
    Know that anomaly-based systems will probably let some bad traffic in and will take a long while to "train". Also, if the network changes, such as a new web server causing a large amount of new traffic, the IDS will need to be retrained.

    I believe that anomaly-based IDSs are faster than signature-based.


    Ouch. I guess someone didn't like my thoughts on this. Sorry.
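
Added example (not written by any poster in this thread): a minimal Python sketch of the two approaches described in the comments above, a lookup against a database of known patterns and a learned baseline of half-open TCP sessions per minute that has to be retrained when the network changes. The signature patterns, the sample counts and the 3-standard-deviation threshold are constructed assumptions for illustration.

```python
import re
import statistics

# Constructed signature "database": name -> pattern of a previously seen attack.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

def signature_detect(request):
    """Return the names of known-attack signatures that match the request."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]

class AnomalyDetector:
    """Learns a baseline for one metric and flags values that deviate from it."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # allowed distance in standard deviations
        self.mean = None
        self.stdev = None

    def train(self, samples):
        # The "baseline" phase: observe normal operation for a while.
        self.mean = statistics.mean(samples)
        self.stdev = statistics.stdev(samples) or 1.0  # avoid dividing by zero

    def is_anomalous(self, value):
        return abs(value - self.mean) / self.stdev > self.threshold

# Constructed data: half-open TCP sessions per minute on a normal day.
BASELINE_HALF_OPEN = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]
# Constructed data: normal levels after a new web server goes live.
NEW_BASELINE = [58, 62, 60, 61, 59, 63, 57, 60, 62, 58]

def demo():
    det = AnomalyDetector()
    det.train(BASELINE_HALF_OPEN)
    results = {
        # Known pattern: the signature engine names it.
        "known_request": signature_detect("GET /item?id=1 UNION SELECT name FROM users"),
        # Request with no entry in the database: signatures stay silent.
        "unknown_request": signature_detect("GET /export?fmt=zz9"),
        "normal_minute": det.is_anomalous(14),
        "half_open_flood": det.is_anomalous(900),
        # Legitimate change in traffic is flagged until the baseline is retrained.
        "new_server_before_retrain": det.is_anomalous(60),
    }
    det.train(NEW_BASELINE)
    results["new_server_after_retrain"] = det.is_anomalous(60)
    return results

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```
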