I recently came across a forum thread about the differences between signature-based, behavior-based and adaptive measures. I thought it was all fairly obvious until I realized that it was obvious to me only because I’d been doing this for so long. I forgot that I, too, once had a puzzled look on my face when I came across terms from the “real world” inserted into the IT world without the context to help them make sense.
When you look at products such as FortiDB, FortiWeb or FortiDDoS, the documentation describes them as having adaptive and behavioral security measures that complement the signature measures and CPRL found in the FortiGate firewall. These terms are often used as if it is assumed that everybody understands what they mean. Most of us do, but not necessarily in the context of IT. To understand why these measures dovetail into a defense-in-depth set of countermeasures, let’s look at each of them so that we can understand how they complement each other.
Signature – n. A distinctive mark, characteristic, or feature indicating identity.
The IT world has been dealing with malware for years. As new malware is discovered, it is analyzed for something unique that sets it apart from safe code. This is used to make up a signature of the malware. These signatures are recorded and shared. Signature-based measures operate by searching for known signatures in traffic or files. It’s a simple and straightforward approach, comparing strings of code with other strings of code. It’s one of those things that computers were built to do. They do it well and they do it fast. In addition to checking the code itself, some signatures can be made up of the hashes of files, so the computer can hash the file and compare it to known hashes of malware files.
While signature-based IDS and antivirus are very efficient at sniffing out known attacks, they do depend on maintaining a good database of known signatures. The best way to do this is to receive regular signature updates. This means your database will keep up with variations in existing attacks as well as newly discovered attacks. As far as it goes, the signature measure is highly efficient and very effective, but its limitation is that it is only as good as its database of stored signatures.
Adaptive (root: adapt) – v. To make suitable to or fit for a specific use or situation.
Adaptive measures are ones that are flexible enough to take into account the nature of adaptive attacks. Hackers, being the intelligent though malicious people they are, are aware of the signature-based measures used to protect systems and networks and sometimes avoid detection by using techniques that make the malware change itself with each instance.
Example of an adaptive attack: a hacker takes a virus file, encrypts a portion of it and sets up another executable with it to decrypt portions of the virus slowly and download the last bits of payload. A signature will not catch this because the string in its database is not what will be seen as the traffic arrives. The working malware is not present until later.
The CPRL in the FortiGate mitigates this attack by using pattern recognition that takes into account specific fragments of a file as well as chunking and encryption techniques. The FortiWeb furthers this protection by checking the patterns and thresholds found in attacks against a web server or database. What it does not do is correlate multiple sessions that serve different purposes. For example, an infected host will attempt outbound C&C connections before downloading new payloads and then attempt to spread through attacks or scans against other hosts (in other sessions).
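The following is an added example, not code from the original post and not Fortinet's CPRL or any other product's engine. It is a toy scanner that puts the two ideas above side by side: exact signature matching (byte strings and whole-file SHA-256 hashes, as described in the signature section) and a simplified fragment-based pattern rule that still fires when only some ordered fragments of a known sample survive because the middle has been chunked or obfuscated. The "files", the signature names and the fragment rule with its `min_match` threshold are all constructed for the demonstration.

```python
import hashlib

# Constructed sample "file" contents for the demo (harmless text, not real malware).
SAMPLE_ORIGINAL = b"MZ header...\x00EVIL_MARKER_1234\x00payload\x00"
# Constructed variant: the middle of the marker has been obfuscated, so neither the
# exact byte string nor the whole-file hash matches any more.
SAMPLE_VARIANT = b"MZ header...\x00EVIL_\x17\x42\x99\x1d1234\x00payload\x00"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the second kind of signature mentioned in the post."""
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: three styles of signature for one demo sample.
STRING_SIGNATURES = {"demo.dropper.a": b"EVIL_MARKER_1234"}
HASH_SIGNATURES = {sha256_hex(SAMPLE_ORIGINAL): "demo.dropper.a"}
FRAGMENT_SIGNATURES = {
    # Ordered fragments; the rule fires when at least min_match of them appear
    # in that order, which is how a chunked or partly obfuscated variant is caught.
    "demo.dropper.a.fragments": {
        "fragments": [b"EVIL_", b"MARKER", b"1234"],
        "min_match": 2,
    },
}


def match_strings(data: bytes) -> list:
    """Exact substring search: fast, but defeated by any change to the bytes."""
    return [name for name, sig in STRING_SIGNATURES.items() if sig in data]


def match_hashes(data: bytes) -> list:
    """Whole-file hash lookup: defeated by a one-byte change anywhere in the file."""
    name = HASH_SIGNATURES.get(sha256_hex(data))
    return [name] if name else []


def match_fragments(data: bytes) -> list:
    """Ordered-fragment matching with a threshold (simplified stand-in for
    pattern-recognition rules that tolerate missing or encrypted chunks)."""
    hits = []
    for name, rule in FRAGMENT_SIGNATURES.items():
        found, pos = 0, 0
        for frag in rule["fragments"]:
            idx = data.find(frag, pos)
            if idx != -1:
                found += 1
                pos = idx + len(frag)  # later fragments must follow this one
        if found >= rule["min_match"]:
            hits.append(name)
    return hits


def scan(data: bytes) -> dict:
    """Run all three signature styles and report which ones matched."""
    return {
        "string": match_strings(data),
        "hash": match_hashes(data),
        "fragment": match_fragments(data),
    }


if __name__ == "__main__":
    for label, sample in (("original", SAMPLE_ORIGINAL), ("variant", SAMPLE_VARIANT)):
        print(label, scan(sample))
```

On the unmodified sample all three signature styles fire; on the obfuscated variant only the fragment rule does, which is the gap the post describes between a plain signature database and pattern recognition that tolerates chunking and encryption. The cost of the fragment rule is that its threshold has to be tuned so that common benign fragments do not trigger it on their own.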
Behavior-Based or Heuristic
Behavioral (root: behavior) – n. The actions or reactions of a person or animal in response to external or internal stimuli.
Behavior-based measures go beyond simple threshold and pattern matching: instead of just analyzing the content of the traffic or the file, they analyze its behaviour. This technology can track the behaviors of specific hosts on an internal or external network: C&C behavior, attack behavior, multi-session scanning, and attack differentiation. It is not typically used as an in-line appliance (FortiDB, for example). Typically, it runs log analysis and change analysis. It will also track session handling and permission changes. Typically this employs a machine-learning engine that tracks the standard deviation and mean.
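As an added example (not the post's code and not any Fortinet engine), here is the mean-and-standard-deviation idea applied to a constructed connection log. A per-host baseline of connections per minute is learned from a quiet period, later minutes are scored by how many standard deviations they sit from that baseline, and a second check counts distinct destinations per host per minute to flag multi-session scanning. The log format (`minute src_ip dst_ip dst_port`), the host addresses, the baseline window and the thresholds are all assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict


def build_sample_log() -> list:
    """Constructed log lines: ten quiet minutes for two hosts, then in minute 11
    host 10.0.0.5 sweeps 30 internal addresses on port 445 while 10.0.0.7 stays normal."""
    lines = []
    quiet = {"10.0.0.5": [4, 5, 6, 5, 5, 4, 6, 5, 5, 5], "10.0.0.7": [3] * 10}
    for host, per_minute in quiet.items():
        for minute, n in enumerate(per_minute, start=1):
            for i in range(n):
                lines.append(f"{minute} {host} 203.0.113.{10 + i} 443")
    for i in range(30):
        lines.append(f"11 10.0.0.5 10.0.1.{i + 1} 445")
    for i in range(3):
        lines.append(f"11 10.0.0.7 203.0.113.{10 + i} 443")
    return lines


def parse(lines: list) -> list:
    """Turn 'minute src dst port' lines into (minute, src, dst, port) tuples."""
    records = []
    for line in lines:
        minute, src, dst, port = line.split()
        records.append((int(minute), src, dst, int(port)))
    return records


def connections_per_host_minute(records: list) -> dict:
    counts = defaultdict(lambda: defaultdict(int))
    for minute, src, _dst, _port in records:
        counts[src][minute] += 1
    return counts


def detect_rate_anomalies(records: list, baseline_end: int = 10, z_threshold: float = 3.0) -> list:
    """Score each post-baseline minute by z-score against the host's own baseline.
    Returns (host, minute, z) for minutes above the threshold."""
    alerts = []
    for host, by_minute in connections_per_host_minute(records).items():
        baseline = [by_minute.get(m, 0) for m in range(1, baseline_end + 1)]
        mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
        for minute, n in sorted(by_minute.items()):
            if minute <= baseline_end:
                continue
            if stdev > 0:
                z = (n - mean) / stdev
            else:  # zero-variance baseline: any deviation at all is unusual
                z = 0.0 if n == mean else float("inf")
            if z > z_threshold:
                alerts.append((host, minute, round(z, 1)))
    return alerts


def detect_scans(records: list, min_distinct: int = 10) -> list:
    """Flag hosts touching many distinct destination/port pairs within one minute,
    the multi-session scanning behaviour a content-only check cannot see."""
    targets = defaultdict(set)
    for minute, src, dst, port in records:
        targets[(src, minute)].add((dst, port))
    return sorted((src, minute, len(s)) for (src, minute), s in targets.items() if len(s) >= min_distinct)


def analyze(lines: list) -> dict:
    records = parse(lines)
    return {"rate": detect_rate_anomalies(records), "scan": detect_scans(records)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The baseline is learned per host rather than network-wide so that a chatty server does not hide a quiet workstation's change in behaviour, and the zero-variance case is handled explicitly because a host with a perfectly flat baseline would otherwise divide by zero. Both checks here look at a single minute; real engines extend the same arithmetic over longer windows and over many more features than connection counts.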
As impressive as it is, the weakness of this type of measure is that it is a resource-hungry technology. It often uses virtual environments to run the file and/or traffic before allowing it access to the system or network. This takes memory and CPU cycles. In a high-traffic environment this sort of analysis is normally done by powerful or dedicated appliances with resources designed for the task.
Even this type of protection doesn’t always take into account side-channel or Out-Of-Band (OOB) behaviors like IRC, Tor, posting boards, and encrypted messaging (other than HTTPS or SSL) through torrent or UDP.
Though not one of the three measures referenced in the title, this shortcoming brings up a completely different type of measure that some refer to as “threat intelligence”. Threat intelligence combines machine learning and a technique called Deep Learning. Deep Learning is a branch of machine learning based on algorithms that attempt to model high-level abstractions (similar to human emotion or intent) in data by using multiple processing layers with complex structures, or otherwise composed of multiple non-linear transformations.
Imagine a case where the technology takes pieces of information from a number of sources such as attack staging honeypots, posting boards, IP reputation, and encrypted messaging traffic and correlates all of this information with real-time traffic measures such as the three main ones already mentioned. It’s sort of like a digital detective putting seemingly unrelated clues together.
Currently, threat intelligence is the “next great thing” to strive for; sort of the “Holy Grail” of malware threat countermeasures. Just like most fundamental leaps forward, the mechanics of how it all works are fairly difficult for most lay people to wrap their heads around. I freely admit that, other than in the abstract, it is beyond me. However, signature-based, adaptive and behavior-based measures currently make up the bulk of the threat countermeasures in use, and understanding how they work in your network is not only doable, it is worth doing.