Signature-Based Detection
What is Signature-Based Detection?
Signature-Based Detection: A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.
Signature-based detection identifies threats by matching observed artefacts — byte sequences in packets, file hashes, regex on URLs, YARA rules, Snort/Suricata rules — against a curated database of known indicators. It is highly accurate for known threats and produces few false positives, making it the workhorse of antivirus, IDS/IPS, WAFs, and email gateways. Its main weakness is that it cannot detect previously unknown malware, polymorphic variants, or novel TTPs until a signature is written and distributed, which leaves a window of exposure. Modern stacks combine signature engines with anomaly detection, machine-learning models, and threat-intel feeds to reduce this gap.
● Examples
- 01: ClamAV identifying a file by SHA-256 against its malware database.
- 02: Suricata triggering on the regex inside an HTTP body that matches a known web-shell signature.
● Frequently asked questions
What is Signature-Based Detection?
A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity. It belongs to the Network Security category of cybersecurity.
What does Signature-Based Detection mean?
A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.
How do you defend against Signature-Based Detection?
Defences for Signature-Based Detection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Signature-Based Detection?
Common alternative names include: Pattern matching detection.