CyberGlossary

Network Security

Signature-Based Detection

Also known as: Pattern matching detection

Definition

A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.

Signature-based detection identifies threats by matching observed artefacts (byte sequences in packets, file hashes, regular expressions over URLs or HTTP bodies, YARA rules, Snort/Suricata rules) against a curated database of known indicators. For threats it already knows it is precise: a hit on a hash or a tightly written pattern is near-certain evidence, so well-maintained signature sets produce few false positives, which is why signatures remain the workhorse of antivirus, IDS/IPS, WAFs and email gateways. The same precision is its main weakness. A signature only matches what it was written for, so previously unknown malware, polymorphic or repacked variants (a hash signature breaks on a single changed byte, a string signature on trivial encoding) and novel TTPs go undetected until a signature is written, tested and distributed, leaving a window of exposure that attackers exploit by cheaply mutating known tooling. Modern stacks therefore combine signature engines with anomaly detection, machine-learning models and threat-intel feeds to narrow that gap.
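The matching loop described above, as an added illustration (not code from ClamAV, Suricata or any other product named on this page): a minimal Python engine supporting the three signature kinds the definition lists (whole-file hash, exact byte sequence, regular expression over an HTTP body), run over constructed artefacts. The signature names, the "malware" bytes, the web-shell regex and every sample body are hypothetical and built inline; the point is to show both the precision on known input and the blind spot when the input is mutated.

```python
import hashlib
import re

# Constructed "known malware" sample and the marker string a signature author
# would have pulled out of it (hypothetical, not a real family or indicator).
MARKER = b"EVIL-LOADER-v1"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + MARKER + b"\x00" * 16

# Constructed signature database (hypothetical names, not real ClamAV/Suricata
# rule IDs). Each entry is (name, kind, pattern):
#   "sha256": hex digest of the whole artefact
#   "bytes":  exact byte sequence anywhere in the artefact
#   "regex":  bytes regular expression, e.g. run over an HTTP request body
SIGNATURES = [
    ("evil_loader_sha256", "sha256", hashlib.sha256(KNOWN_SAMPLE).hexdigest()),
    ("evil_loader_marker", "bytes", MARKER),
    ("php_webshell_eval_post", "regex", rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\["),
]


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures that match `data`, in database order."""
    digest = hashlib.sha256(data).hexdigest()  # hash once, compare per hash signature
    hits = []
    for name, kind, pattern in signatures:
        if kind == "sha256":
            matched = digest == pattern.lower()
        elif kind == "bytes":
            matched = pattern in data
        elif kind == "regex":
            matched = re.search(pattern, data) is not None
        else:
            raise ValueError(f"unknown signature kind: {kind!r}")
        if matched:
            hits.append(name)
    return hits


# Constructed artefacts that exercise the strengths and the blind spot.
REPACKED_SAMPLE = KNOWN_SAMPLE + b"\x00"  # one appended byte: hash changes, marker survives
OBFUSCATED_SAMPLE = KNOWN_SAMPLE.replace(MARKER, bytes(b ^ 0x5A for b in MARKER))  # marker XOR-encoded
WEBSHELL_BODY = b"<?php eval($_POST['cmd']); ?>"
OBFUSCATED_WEBSHELL_BODY = b"<?php $f = 'ev' . 'al'; $f($_POST['c']); ?>"  # same behaviour, no literal eval(
BENIGN_BODY = b"<html><body>evaluation results for $_POST are not shown</body></html>"

if __name__ == "__main__":
    for label, artefact in [
        ("known sample", KNOWN_SAMPLE),
        ("repacked sample", REPACKED_SAMPLE),
        ("obfuscated sample", OBFUSCATED_SAMPLE),
        ("web shell body", WEBSHELL_BODY),
        ("obfuscated web shell", OBFUSCATED_WEBSHELL_BODY),
        ("benign body", BENIGN_BODY),
    ]:
        print(f"{label:22s} -> {scan(artefact)}")
```

Running it shows the trade-off in one screen: the original sample hits both the hash and the marker signature, the repacked copy loses the hash hit but keeps the marker, the XOR-encoded copy matches nothing, the canonical web shell trips the regex while a split `'ev' . 'al'` evades it, and the benign page produces no false positive. Real engines add offsets, wildcards and normalisation to the byte and regex matchers, but the gap between "known" and "slightly changed" is structural, not an implementation detail.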

Examples

  • ClamAV identifying a file by its SHA-256 hash against its malware database.
  • Suricata firing a rule whose content/pcre pattern matches a known web-shell string in an HTTP request body.

Related terms