Signature Detection
Signature-based threat detection scans traffic for a set of pre-defined attack patterns. It is commonly referred to as a negative security model because it seeks to enumerate all "known bad" behavior and assumes that everything else is good. The patterns consist of text strings or protocol anomalies that correspond to known vulnerabilities in commercial infrastructure software such as IIS, Apache and Oracle. For example, an HTTP request containing the string "cmd.exe" suggests that an attacker is trying to execute operating system commands on the Web server. Likewise, a SQL query containing the string "xp_regdeletekey" suggests that an attacker is trying to call the Microsoft SQL Server extended stored procedure that deletes registry keys. A signature can appear anywhere in a packet and may even span multiple packets, so the detector has to reassemble the stream before matching rather than inspecting each packet in isolation.
Signatures alone have two main limitations. First, they are prone to false positives without extensive tuning: a legitimate request that happens to contain a signature string raises the same alert as a real attack. Second, they are not effective at detecting unknown attacks, including most attacks on custom or internally developed code, because no published signature describes a vulnerability that only exists in one organization's own application. This is why SecureSphere uses signature detection as one element of a comprehensive threat detection strategy rather than relying on it alone.
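As an added illustration (not code from the original page or from SecureSphere), the following Python scanner matches a small constructed signature set against constructed sample traffic. It shows the points above in running code: a benign knowledge-base URL that contains "cmd.exe" raises the same alert as the attack (false positive), a SQL injection against a custom application matches nothing (false negative), and a signature split across two TCP segments is missed by a per-packet scan but caught once the stream is reassembled. The signature names, regular expressions and sample requests are all assumptions made for this example.

```python
import re
from dataclasses import dataclass


# Constructed signature set for illustration only. A production IDS/WAF
# rule set contains thousands of patterns in the vendor's own format.
@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


SIGNATURES = (
    Signature("win-cmd-exe", re.compile(rb"cmd\.exe", re.IGNORECASE)),
    Signature("mssql-xp_regdeletekey", re.compile(rb"xp_regdeletekey", re.IGNORECASE)),
    Signature("dir-traversal", re.compile(rb"(?:\.\./|\.\.\\)")),
)


def scan(payload: bytes) -> list[str]:
    """Return the name of every signature found anywhere in payload."""
    return [s.name for s in SIGNATURES if s.pattern.search(payload)]


def scan_per_packet(packets: list[bytes]) -> list[str]:
    """Naive scanner: matches each packet in isolation, so a pattern
    that straddles a packet boundary is never seen whole."""
    return [name for p in packets for name in scan(p)]


def scan_reassembled(packets: list[bytes]) -> list[str]:
    """Reassemble the stream first, then match, so split patterns still hit."""
    return scan(b"".join(packets))


# Constructed sample traffic (not captured data).
TRAFFIC = {
    # Classic traversal to cmd.exe: both signatures fire.
    "known-bad-http": b"GET /cgi-bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.1\r\nHost: www\r\n\r\n",
    # Registry deletion via an extended stored procedure: one signature fires.
    "known-bad-sql": b"EXEC master..xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Vendor'",
    # Legitimate help article whose URL happens to contain the string: false positive.
    "benign-lookalike": b"GET /kb/articles/run-cmd.exe-as-administrator HTTP/1.1\r\nHost: www\r\n\r\n",
    # SQL injection against a custom app; no signature describes it: false negative.
    "unknown-attack": b"GET /account?id=1%20OR%201%3D1 HTTP/1.1\r\nHost: www\r\n\r\n",
}

# The known-bad-http request as the two TCP segments a sensor might see;
# "cmd.exe" is split across the boundary.
SPLIT_PACKETS = [
    b"GET /cgi-bin/../../winnt/system32/cm",
    b"d.exe?/c+dir HTTP/1.1\r\nHost: www\r\n\r\n",
]


def run_demo() -> dict[str, list[str]]:
    """Scan every sample and return the signature hits per sample."""
    results = {name: scan(payload) for name, payload in TRAFFIC.items()}
    results["split-per-packet"] = scan_per_packet(SPLIT_PACKETS)
    results["split-reassembled"] = scan_reassembled(SPLIT_PACKETS)
    return results


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:20s} -> {hits or 'no match'}")
```

Note that the per-packet scan of the split request still reports the traversal (the `../` sequences sit entirely in the first segment) while losing the `cmd.exe` hit, which is exactly the partial-visibility failure that stream reassembly is meant to close. The benign and unknown-attack cases are the two limitations the text describes: only tuning (for example, exempting the `/kb/` path) removes the false positive, and no amount of tuning adds a signature for a vulnerability the signature author has never seen.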
- Administrative Interface Access
- Access of Internal Components
- Anomaly Detection
- Brute Force
- Buffer Overflow
- Cookie Poisoning
- Cross-Site Request Forgery
- Cross-Site Scripting
- Denial of Service (DoS)
- Directory Traversal
- Distributed Denial of Service (DDoS)
- File/Parameter Enumeration
- Forceful Browsing
- Google Hacking
- HTTP Verb Tampering
- Known Attacks
- LAND Attacks
- Malicious Encodings
- Parameter Tampering
- Pharming
- Server Takeover
- Session Hijacking
- Signature Detection
- Site Scanning/Probing
- Source Code Disclosure
- SQL Injection
- Stealth Commanding
- Unknown Attacks
