Anomaly-based vs. Signature-based

Can someone explain the differences in reference to detection. For whatever reason I am having one hell of a hard time getting these correct on practice tests.

Thanks,
- Chris

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

[Deleted User]

I always relate anomaly-based to a base-line and signature-based to well signatures. For example, anomaly-based would detect something that has deviated from the baseline whereas signature-based may detect something based on a previous attack pattern. Someone please correct me if I am wrong.

redline5th

Yeah, that's about what I have in my head.

It's just so hard to choose between the two in practice tests.

kriscamaro68

Signature based detection will pull from a database or datafile for detection of well known attacks or malware. Anomaly based has you set up the equipment and run a baseline that could take some time. Once that baseline is set and the equipment (i.e. firewall/ids/ips) knows how the network or server acts on regular day to day basis it can then detect weather or not something doesn't smell right because there might be way to many half open tcp sessions or to much traffic hitting a single port or to many of the same processes running on the server. Once an anomaly based setup is ready to go it can be better for zero-day attacks as it goes off the baseline where as the sig based has to wait for updates from the vendor which takes time.

Hope that helps.

chrisone

Signature based is what the titles states "Signature" there is a constant pattern and obvious recognition of the code over and over again.

Anomaly based is like many have stated base lining in order to detect some form of abnormality. I see Anomaly as like an organism that constantly changes or evolves having no identical pattern other than it not being the norm (baseline).

Bl8ckr0uter

Know that anomaly based systems will probably let some bad traffic in and will take a long while to "train". Also if the network changes such as a new web server causing a large amount of new traffic, the ids will need to be retrained.

I believe that anomaly based ids' are faster than signature based.

redline5th

Thanks guys! You've been a huge help!!

Bl8ckr0uter

knwminus wrote: »

Know that anomaly based systems will probably let some bad traffic in and will take a long while to "train". Also if the network changes such as a new web server causing a large amount of new traffic, the ids will need to be retrained.

I believe that anomaly based ids' are faster than signature based.

Ouch. I guess someone didn't like my thoughts on this. Sorry.