sdecoret -


Which is better: anomaly-based IDS or signature-based IDS?

Even as vendors improve IDS by incorporating both anomaly-based IDS and signature-based IDS, understanding the difference will aid intrusion protection decisions.

Intrusion detection systems have long been used to defend against attackers, but the technologies behind them keep changing to adapt to attackers' ever-evolving strategies.

Developed around the same time as antivirus systems, a typical early signature-based IDS was used for monitoring network traffic to detect attack signatures -- patterns of activity or malicious code that correspond to known attacks. A signature-based IDS works well against attackers using the same attack signatures, and such defenses are helpful for screening out low-skill attackers.

As attackers have continued to develop new threats with new attack signatures, signature-based IDSes have been hard-pressed to keep up with identifying and codifying attacks before they can be used widely. IDS developers have supplemented their systems by enabling them to monitor for anomalies, or patterns of network behavior that are strongly linked with malicious activity.

There was a time when security professionals had to do detailed comparisons to understand the difference between an anomaly-based IDS and a signature-based IDS, but defenders increasingly need only be aware of the existence of the different techniques, since vendors are often using both approaches in modern IDS offerings.

While it may no longer be necessary to decide between anomaly-based IDS or signature-based IDS, security professionals need to understand the difference between the two approaches, as well as the ways in which the two techniques can complement each other.

What is signature-based intrusion detection?

A signature-based IDS conducts ongoing monitoring of network traffic and seeks out sequences or patterns of inbound network traffic that matches an attack signature. An attack signature can be identified based on network packet headers, destination or source network addresses; sequences of data that correspond to known malware or other patterns, sequences of data or series of packets that are known to be associated with a particular attack.

The concept of attack signature was originally developed by antivirus developers whose systems scanned files for evidence that they originated from a malicious actor. A signature-based IDS can be very effective at monitoring inbound network traffic, and it can usually process a high volume of network traffic very efficiently.

Unfortunately, a signature-based IDS will only be able to detect known attacks. As a result, attackers quickly learned to use a variety of techniques to modify their attacks to avoid detection. One tactic is to modify malware so that it has a unique and novel attack signature; another is to encrypt network traffic to bypass signature-based malware detection tools entirely.

What is anomaly-based intrusion detection?

As attackers have become more sophisticated -- and as machine learning and artificial intelligence have been applied to malware detection -- new approaches to intrusion prevention have resulted in anomaly-based IDSes that are able to go beyond the attack signature model and detect malicious patterns of behavior rather than specific patterns of data.

An anomaly-based IDS focuses on monitoring behaviors that may be linked to attacks, so it will be far more likely than a signature-based IDS to identify and provide alerts about an attack that has never been seen before.

Anomaly testing techniques that flag malicious behaviors have been bolstered by improvements in machine learning and artificial intelligence. While anomaly-based IDSes require greater processing resources than signature-based IDSes, they are far more effective at detecting novel or previously undetected attacks.

Signature-based vs. anomaly-based IDS

While there may still be instances where an organization needs to choose between an anomaly-based IDS and a signature-based IDS, there is a broad range of intrusion detection and prevention products that combine both approaches.

Even so, anomaly-based IDSes from different vendors may use different technologies and strategies to detect and identify behavioral anomalies linked to attacks. Likewise, signature-based IDSes can vary widely in terms of their effectiveness based on how often their signature databases are updated, the types of signatures they screen and the sources they use for threat intelligence.


The primary similarity shared by signature-based and anomaly-based IDSes is that they are all intrusion detection systems designed to identify and alert security staff when potentially malicious network traffic is detected.

Any IDS -- anomaly-based or signature-based -- will have mechanisms for tuning the system to make it more or less sensitive to flag network traffic as malicious or questionable, as well as enabling administrators to review alerts, configure actions on specific alerts and provide an administrative interface to manage the system.


The primary difference between an anomaly-based IDS and a signature-based IDS is that the signature-based IDS will be most effective protecting against attacks and malware that have already been detected, identified and categorized. Any IDS that depends entirely on signatures will have this limitation.

Likewise, a purely anomaly-based IDS will be far more likely to identify new types of attack than a signature-based IDS -- but it may miss some types of attack that appear to behave "normally" but that have signatures associated with them.

As IDS vendors increasingly deploy both strategies for intrusion detection in their products, the difference between using behavior cues and signatures for detecting intrusions will undoubtedly evaporate and customers will be able to evaluate IDSes based on how well they are able to detect actual intrusions.

Use cases

Any type of IDS should be considered an integral component of defense in depth strategy for protecting organizational computing, networking and data resources. That often means using different types of security systems together in order to optimally secure all valuable or proprietary resources.

A signature-based IDS may be appropriate as part of the defenses against attacks on systems that handle huge volumes of traffic on a limited set of internet protocols, and where one of the goals is to screen out high volumes of potentially malicious traffic that use attacks for which there are signatures. For example, it may be appropriate to use a signature-based IDS to protect systems accepting protocol requests for services such as DNS, the Internet Control Message Protocol or the Simple Mail Transfer Protocol.

By the same token, an anomaly-based IDS may be appropriate for protecting networks where there is a greater variety of network traffic and where performance of the IDS is sufficient for the volume of network traffic to be monitored.

For most large organizations, an assortment of IDSes with capabilities for both behavior-based and signature-based detections will be appropriate. Likewise, an IDS that supports both approaches will be optimal for many organizations.

In any case, the type of IDS should not matter as much as whether the IDS is being deployed as part of an overall security strategy that enables defenders to detect intrusions in a timely manner and independent of whether one or more components is disabled or bypassed.

As vendors increasingly incorporate both technologies in their products, the importance of comparing signature-based IDSes with anomaly-based IDSes will become less important than comparing IDSes from different vendors that combine both technologies.

Even more important will be comparing the effectiveness of the two strategies for a particular deployment. Evaluators should focus on determining which is better for the use case: to use an IDS that supports both approaches or to use multiple IDSes that support one approach or the other.

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing