Detection Methods

Signature, Anomaly, and Behavioral Detection Compared


Three Pillars of Threat Detection

Security tools use different approaches to identify malicious activity. Each method has strengths and weaknesses. Understanding when to use each is a core SOC analyst skill.

Signature-Based (Known Threats)

Matches traffic/files against known patterns of malicious activity.

Anomaly-Based (Statistical)

Detects deviations from established baseline behavior.

Behavioral (Context-Aware)

Analyzes sequences of actions to identify attack patterns.


Quick Comparison

Aspect               Signature     Anomaly       Behavioral
Zero-Day Detection   Poor          Good          Good
False Positive Rate  Low           High          Medium
Setup Complexity     Simple        Moderate      Complex
Processing Speed     Fast          Moderate      Slower
Requires Updates     Constantly    Periodically  Periodically

Signature-Based Detection

The oldest and most common detection method. Compares network traffic, files, or system activity against a database of known attack patterns (signatures).

How It Works

  • Security vendor researches new threats and creates signatures
  • Signatures are distributed via updates to IDS/IPS, antivirus, firewalls
  • Each packet/file is compared against the signature database
  • Match = Alert or Block

Example: Snort Rule

# Detect a SQL injection attempt in an HTTP request.
# A Snort rule is one logical line; every continued line ends with a backslash.
alert tcp any any -> any 80 ( \
  msg:"SQL Injection Attempt"; \
  flow:to_server,established; \
  content:"UNION SELECT"; nocase; \
  sid:1000001; rev:1; \
)

This rule fires when the string "UNION SELECT" (a common SQL injection fragment) appears, in any letter case (nocase), in TCP traffic sent to port 80, the default HTTP port.

Anomaly-Based Detection

Establishes a "normal" baseline, then alerts on deviations. Effective for unknown threats but requires careful tuning to avoid false positives.

How It Works

  • System observes network/user behavior during learning period
  • Statistical model built from normal activity patterns
  • Real-time activity compared against baseline
  • Significant deviation = Alert

Example: Baseline Deviation

Normal Baseline

  • User logs in 8-9 AM
  • Accesses 5-10 files/day
  • Downloads < 50MB/day
  • Works from office IP

Anomalous Activity

  • Login at 3 AM
  • Accessed 500 files
  • Downloaded 2GB
  • VPN from foreign IP

Behavioral Detection

Analyzes sequences of actions over time to identify attack patterns, regardless of the specific tools or techniques used. The most sophisticated approach.

How It Works

  • Define attack patterns as sequences of behaviors (e.g., MITRE ATT&CK)
  • Correlate multiple events across time and systems
  • Machine learning identifies subtle patterns humans miss
  • Behavior chain match = Alert with context

Example: Attack Chain Detection

ALERT: Potential Ransomware Behavior Detected

Sequence Observed:
1. Phishing email opened (T1566)
2. PowerShell executed from Outlook (T1059.001)
3. Scheduled task created (T1053)
4. LSASS memory accessed (T1003.001)
5. Mass file encryption started (T1486)

Confidence: 94%
MITRE Tactics: Initial Access → Execution → Persistence → Credential Access → Impact
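The sequence correlation described above, as an added example that is not part of the original course material: a toy Python correlator that matches an ordered chain of ATT&CK technique IDs across a host's events inside a time window. Host names, timestamps and event details are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# host, timestamp, ATT&CK technique ID, free-text detail from the sensor
Event = namedtuple("Event", "host ts technique detail")

# Chain from the ransomware alert above: steps must appear in this order,
# but unrelated events may sit between them.
RANSOMWARE_CHAIN = ["T1566", "T1059.001", "T1053", "T1003.001", "T1486"]

def match_chain(events, chain, window=timedelta(hours=2)):
    """Return [(host, matched_events)] for each host whose events contain
    `chain` as an ordered subsequence completing within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for start, first in enumerate(evs):
            if first.technique != chain[0]:
                continue
            matched = [first]
            for ev in evs[start + 1:]:
                if ev.ts - first.ts > window:
                    break  # did not complete in time; try the next start
                if ev.technique == chain[len(matched)]:
                    matched.append(ev)
                    if len(matched) == len(chain):
                        break
            if len(matched) == len(chain):
                alerts.append((host, matched))
                break  # one alert per host is enough
    return alerts

def _t(hhmm):  # constructed timestamps, all on the same day
    return datetime(2024, 3, 5, *map(int, hhmm.split(":")))

# Constructed sample telemetry (not real data): three hosts, one true chain.
EVENTS = [
    Event("ws-17", _t("09:02"), "T1566", "opened invoice.docm from mail"),
    Event("ws-17", _t("09:05"), "T1059.001", "powershell.exe child of OUTLOOK.EXE"),
    Event("ws-17", _t("09:11"), "T1053", "scheduled task created"),
    Event("ws-17", _t("09:20"), "T1003.001", "handle opened to lsass.exe"),
    Event("ws-17", _t("09:35"), "T1486", "thousands of files renamed in 60s"),
    Event("ws-22", _t("10:00"), "T1566", "opened quote.xlsm from mail"),
    Event("ws-22", _t("10:03"), "T1059.001", "powershell.exe child of EXCEL.EXE"),
    Event("ws-09", _t("08:00"), "T1566", "opened resume.docm from mail"),
    Event("ws-09", _t("08:04"), "T1059.001", "powershell.exe child of WINWORD.EXE"),
    Event("ws-09", _t("08:10"), "T1053", "scheduled task created"),
    Event("ws-09", _t("08:12"), "T1003.001", "handle opened to lsass.exe"),
    Event("ws-09", _t("14:00"), "T1486", "mass rename 6 h later: outside window"),
]
```

Only ws-17 alerts with the default two-hour window: ws-22 never progresses past the macro-plus-PowerShell stage that admins also generate, and ws-09 shows the trade-off of a fixed window, since its encryption step lands six hours after the lure and is missed unless the window is widened or partial chains are escalated.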

Detection Scenario Comparison

See how each detection method performs against real attack scenarios. Not all methods catch all threats!


When to Use Each Method

Scenario                        Best Detection Method   Why
Known malware (WannaCry hash)   Signature               Exact match against a known indicator
Data exfiltration by insider    Anomaly                 Deviation from the user's normal behavior
Novel APT attack chain          Behavioral              Sequence of tactics matches known patterns
Known C2 domain                 Signature               Domain/IP on a threat intel blocklist
Unusual login time              Anomaly                 Statistical deviation from baseline
Fileless malware                Behavioral              No file to hash; must analyze actions

Knowledge Check

Test your understanding of detection methods.