Tuesday, March 13, 2007

Sandboxes for false positives in IDS

Signatures have been an effective but not exhaustive method for threat prevention for a long time. In the early days there were issues with false positives, then there were shortcomings in dealing with polymorphic threats, but these were due to "bad signatures" and sometimes performance tradeoffs. That is no longer true. [I wrote about various IDS algorithms before]
However, as I said, it is not an exhaustive method, so it is often complemented by protocol anomaly detection and behavioral anomaly detection. Protocol anomaly detection (PAD) is a very reliable technique, but the mere presence of an anomaly does not always indicate an intrusion. Behavioral anomaly detection (NBAD) is worse because it relies on unproven statistical models of network traffic and user behaviour. [Related reading] However, both of these methods are useful in locating "suspicious activity", protocol anomaly detection more so than behavioral. The challenge is to deal with the false positives they inevitably produce. A good solution to this problem is now available in at least two commercial products, FireEye and Check Point's MCP, which use "sandbox execution" of code extracted from anomalous traffic. The approach is in its infancy but is very promising because it is to intrusion detection what "blood tests" are to disease diagnosis. It has very low false positives and works against zero-day threats. It is "expensive" because it requires a lot of computation, but if PAD and NBAD are used to narrow the search space of traffic, it can scale well.
I believe most commercial IDS/IPS and even anti-virus/spyware vendors will add this weapon to their arsenal this year. Thoughts?
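The two-stage idea above (a cheap protocol anomaly check narrows the traffic, and only the flagged flows are detonated, so the sandbox verdict rather than the anomaly decides what becomes an alert) can be shown on a small constructed data set. The code below is an added example written for this post; it is not code from the post or from the FireEye or Check Point products. It assumes HTTP as the protocol, a handful of constructed requests, and a sandbox modelled as an injected callable that returns constructed execution traces (a real product would drive a VM here). The names `protocol_anomalies`, `sandbox_verdict`, `Flow`, `Trace` and `run_triage` are the example's own.

```python
"""Two-stage IDS triage: protocol anomaly detection (PAD) narrows the search
space, sandbox execution confirms. All flows and traces are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Trace:
    """What a detonation observed (constructed stand-in for a sandbox report)."""
    processes: List[str]
    files_written: List[str]
    connections: List[str]


@dataclass
class Flow:
    src: str
    request: bytes              # raw HTTP request bytes (constructed)
    label: str                  # ground truth, used only to score the pipeline
    trace: Optional[Trace] = None   # what a sandbox would see if this flow were detonated


KNOWN_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
MAX_URI_LEN = 256   # assumed threshold, not taken from any product


def protocol_anomalies(request: bytes) -> List[str]:
    """Stage 1: cheap PAD over one HTTP request. Returns the reasons it looks
    anomalous; an empty list means the request is well-formed."""
    reasons: List[str] = []
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, uri, version = parts
    if method not in KNOWN_METHODS:
        reasons.append("unknown method")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        reasons.append("bad version")
    if len(uri) > MAX_URI_LEN:
        reasons.append("oversized URI")
    if any(b < 0x20 or b > 0x7E for b in uri):
        reasons.append("non-printable bytes in URI")
    declared = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                declared = int(value.strip())
            except ValueError:
                reasons.append("non-numeric Content-Length")
    if declared is not None and declared != len(body):
        reasons.append("Content-Length mismatch")
    return reasons


def sandbox_verdict(trace: Trace) -> bool:
    """Stage 2: behavioural verdict over an execution trace. The three
    indicators and the 'two of three' rule are assumptions for the example."""
    indicators = 0
    if any(p.lower().endswith(("cmd.exe", "powershell.exe", "/sh", "/bash"))
           for p in trace.processes):
        indicators += 1                       # payload spawned a shell
    if any("Startup" in f or f.startswith("/etc/cron") for f in trace.files_written):
        indicators += 1                       # payload wrote to a persistence location
    if trace.connections:
        indicators += 1                       # payload opened an outbound connection
    return indicators >= 2


def constructed_detonate(flow: Flow) -> Trace:
    """Stand-in for the sandbox: hands back the flow's constructed trace."""
    return flow.trace if flow.trace is not None else Trace([], [], [])


def run_triage(flows: List[Flow], detonate: Callable[[Flow], Trace]) -> dict:
    """PAD flags; only flagged flows are detonated; only sandbox-confirmed flows alert."""
    pad_alerts = [f for f in flows if protocol_anomalies(f.request)]
    confirmed = [f for f in pad_alerts if sandbox_verdict(detonate(f))]
    malicious_total = sum(f.label == "malicious" for f in flows)
    return {
        "inspected": len(flows),
        "detonated": len(pad_alerts),           # cost: sandbox runs, not total flows
        "pad_false_positives": sum(f.label == "benign" for f in pad_alerts),
        "confirmed": len(confirmed),
        "confirmed_false_positives": sum(f.label == "benign" for f in confirmed),
        "missed": malicious_total - sum(f.label == "malicious" for f in confirmed),
    }


# Constructed sample traffic: one clean request, two benign-but-anomalous ones
# (a client with a wrong Content-Length, a WebDAV method PAD does not model),
# and one exploit-like request with an oversized, non-printable URI.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "benign"),
    Flow("10.0.0.6", b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 12\r\n\r\nhello", "benign"),
    Flow("10.0.0.7", b"PROPFIND /dav/ HTTP/1.1\r\nHost: example.test\r\n\r\n", "benign"),
    Flow("10.0.0.8", b"GET /" + b"\x01" * 300 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
         "malicious",
         Trace(["C:\\Windows\\System32\\cmd.exe"],
               ["C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.lnk"],
               ["203.0.113.7:4444"])),
]

SUMMARY = run_triage(SAMPLE_FLOWS, constructed_detonate)

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.src, protocol_anomalies(flow.request))
    print(SUMMARY)
```

On this data PAD alone raises three alerts, two of them on benign traffic; after detonation only the malicious flow remains and nothing is missed, while the sandbox ran on three of the four flows rather than all of them. The `detonated` count is the knob the post talks about: the better PAD and NBAD narrow the set, the less sandbox compute is spent per confirmed detection.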
