Signature-based detection, at a very basic level, works much like an antivirus program. The IDS vendor writes signatures that describe known attack patterns, and the IDS compares those signatures against activity on the network or host. When a match is found, the IDS takes an action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to tune existing signatures and write new ones, customers remain largely dependent on the vendor for timely signature updates, since a signature-based IDS can only recognize what it has a signature for.
Signature-based detection can also produce false positives, because some legitimate network activity resembles an attack pattern closely enough to match a signature. For example, a network management application or an operating system may send out numerous ICMP messages as part of normal operation, and a signature written to catch an attacker mapping out a network segment will match that traffic just as readily.
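The following Python program is an added example, not code from the original text or from any IDS product. It implements the matching and action steps described above as a minimal signature engine: a signature carries static match fields (protocol, ICMP type) plus a volume threshold, and an "ICMP sweep" rule fires when one source sends echo requests to ten or more hosts within five seconds. The traffic it runs over is constructed: a hypothetical attacker sweeping a segment, a hypothetical management host that polls every box on a schedule, and a single workstation ping. The vendor-style rule alerts on both the attacker and the monitor, which is the false positive the text describes; the same rule with a local exemption for the known monitor alerts only on the attacker. All host addresses, signature IDs and field names are assumptions made for the example.

```python
"""Minimal signature-based IDS engine over constructed ICMP traffic.

Added example (not from the original text). Every address, signature field
and packet here is constructed for illustration, not captured data.
"""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: str           # "icmp", "tcp", ...
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply, -1 = not ICMP


@dataclass(frozen=True)
class Signature:
    """A vendor-style rule: static match fields plus a volume threshold."""
    sid: int
    name: str
    proto: str
    icmp_type: int
    distinct_dst_threshold: int   # fire when one source reaches this many hosts
    window_sec: float             # ... within this many seconds
    exempt_sources: frozenset = frozenset()  # local tuning added by the operator


def match_signature(sig: Signature, packets: list) -> list:
    """Return one alert dict per source whose traffic matches `sig`."""
    per_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        # Static part of the signature: protocol and ICMP type must match.
        if p.proto != sig.proto or p.icmp_type != sig.icmp_type:
            continue
        # Operator tuning: sources the site knows to be benign are not counted.
        if p.src in sig.exempt_sources:
            continue
        per_src[p.src].append((p.ts, p.dst))

    alerts = []
    for src, hits in per_src.items():
        # Sliding window: from each packet, count distinct destinations reached
        # within window_sec. Alert once per source, on the first window that trips.
        for i, (t0, _) in enumerate(hits):
            reached = {dst for t, dst in hits[i:] if t - t0 <= sig.window_sec}
            if len(reached) >= sig.distinct_dst_threshold:
                alerts.append({"sid": sig.sid, "name": sig.name,
                               "src": src, "distinct_dst": len(reached)})
                break
    return alerts


def take_action(alerts: list, log: list) -> list:
    """The IDS action: write one log line per alert. A console alarm would
    hang off the same hook."""
    for a in alerts:
        log.append(f"[SID {a['sid']}] {a['name']}: {a['src']} reached "
                   f"{a['distinct_dst']} hosts")
    return log


# --- Constructed traffic (hypothetical hosts, not captured data) -------------
ATTACKER = "10.0.0.99"   # hypothetical host sweeping the segment
MONITOR = "10.0.0.5"     # hypothetical management host that pings every box


def build_traffic() -> list:
    targets = [f"10.0.1.{i}" for i in range(1, 21)]
    pkts = []
    # Attacker: echo requests to 20 hosts in about 2 seconds.
    for i, dst in enumerate(targets):
        pkts.append(Packet(ts=0.1 * i, src=ATTACKER, dst=dst, proto="icmp", icmp_type=8))
    # Monitor: a scheduled availability poll of the same 20 hosts, same shape.
    for i, dst in enumerate(targets):
        pkts.append(Packet(ts=30.0 + 0.05 * i, src=MONITOR, dst=dst, proto="icmp", icmp_type=8))
    # One ordinary ping from a workstation; must never trip the rule.
    pkts.append(Packet(ts=45.0, src="10.0.0.42", dst="10.0.1.7", proto="icmp", icmp_type=8))
    return pkts


def vendor_signature() -> Signature:
    """As shipped: any source hitting 10 or more hosts with echo requests in 5 s."""
    return Signature(sid=1000, name="ICMP sweep (possible network mapping)",
                     proto="icmp", icmp_type=8,
                     distinct_dst_threshold=10, window_sec=5.0)


def tuned_signature() -> Signature:
    """Same rule after local tuning: the known monitor is exempted."""
    return replace(vendor_signature(), exempt_sources=frozenset({MONITOR}))


def alerting_sources(sig: Signature) -> set:
    """Convenience: which sources a signature alerts on over the sample traffic."""
    return {a["src"] for a in match_signature(sig, build_traffic())}


if __name__ == "__main__":
    for label, sig in (("vendor rule", vendor_signature()), ("tuned rule", tuned_signature())):
        log = take_action(match_signature(sig, build_traffic()), [])
        print(f"--- {label}: {len(log)} alert(s)")
        for line in log:
            print(line)
```

The exemption is the simplest form of local tuning; raising the threshold would not help here, because the monitor's poll reaches exactly as many hosts as the sweep does. That is the general problem the text points at: when benign and malicious traffic have the same shape on the wire, only site-specific knowledge (which hosts are allowed to behave that way) separates them, and that knowledge has to come from the operator rather than the vendor.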