Detection experts understand that the optimal detection design and architecture is generally a combination of both signature and anomaly detection engines. In event processing, signature detection involves the real-time pattern matching analysis of events. A core advantage of signature detection is that basic pattern matching models are easy to understand and develop when you know exactly what pattern you are looking for. Designers then use a pattern, often called a signature, that searches for exact strings within an event object to detect, track, or observe an object of interest. Pattern matching can be executed very quickly, efficiently and inexpensively on most all computing platforms today.
Howver, signature detection engines have weaknesses. Generally speaking, signature detection engines can only detect known patterns based on a posteriori models. An a posteriori signature must be created for every pattern under observation. Therefore, unknown or modified patterns and situations will generally go undetected; hence, in practice, signature detection engines can suffer from both false positives and false negatives.
Pattern matching works well when detecting signatures in a known, deterministic model. However, pattern matching does not work well against changing, self-modifying or adaptive behavior. In addition, signature detection is made more difficult by advanced techniques that attempt to conceal the "real" pattern by generating easy to detect "decoy" patterns. An example of this deception is chaff, small metal objects used to deceive signature-based radar detection. The same type of deception is easily created in cyberspace. Furthermore, the overall capability of a signature-based engine to scale upwards against adaptive and deceptive behavior is constrained by the fact that a new signature must be created for each variation, and as the rule set grows, the detection engine performance decreases.
In threat detection, signature-based detection often reduces, in practice, to a race condition between the malicious user (the threat) and the signature developers where the advantage goes to the threat because malicious users can develop new threats faster than new detection signatures can be written, tested and deployed to the detection engine.
On the other side of the detection coin, anomaly detection focuses on the concept of baselining normal behavior and detecting variations from the baseline. The baseline is learned and/or specified by system designers. Detected situations in an anomaly detection engine are created by any situation that falls outside the predefined boundary of the anomaly detection model.
A key component of baselining in anomaly detection is the capability of the detection engine to detect deviations from situational models at many different layers. This means that anomaly detection engines are initially computationally expensive. However, one trade-off is that anomaly detection engines tend to scale better than signature detection engines as the event data-set grows. As a result, designers often see fewer false positives in anomaly detection.
A known disadvantage of anomaly-detection engines, similar to signature detection, is the difficulty of predefining rules. Even more challenging, the detailed knowledge of normal baseline situations must be constructed and transferred into the engine memory for accurate detection. However, once a robust baseline has been established and normal behavior or situational pattern defined, anomaly detection engines tend to scale more quickly and easily than signature-based engines because a new signature does not have to be designed, tested and uploaded for every new variant that comes along.
Detection experts know that the optimal detection design is generally a combination of both signature and anomaly detection engines. Because anomaly detection engines tend to be adaptive, learning systems, the current trend is for anomaly detection engines based on statistical learning algorithms such as artificial neural networks or dynamic Bayesian networks.
In other words, it is well established in detection systems design that the optimal approach for most non-trivial detection-oriented problems is a combination of both signature and anomaly detection engines. If you are buying a detection engine and the engine is only capable of signature or pattern detection, you will be using a suboptimal detection architecture. This is a well established systems engineering principal in detection-oriented systems design.
Note: This post is adapted from my original post, Quintessential Event Processing: Signature Versus Anomaly Detection
