In the 101 series I wrote last year, I attempted to describe the differences between signature based detection and anomaly based detection (see Network Security School of Ft. Knox, pt 2.) In that entry, I laid out the material difference between signature based detection and network behavior anomaly detection (NBAD.)

Recap and Overview

Signatures perform pattern matching looking for known bad communications. Anomaly based detection focuses on deviation from normal. While I described the "how" of each approach, I didn't look at the subject of each method.

Different Subjects

Signature based detection is applying it's logic against a flow. Each communication enters the inspection stack and either matches against a signature and is flagged as bad or it does not match and is passed as good. With NBAD, logic is applied against a host. Metrics (baselines) have to be inventoried and stored for every host and/or relationship on the network. As flows are sent past a NBAD engine, indices are updated and the overall behavior of the host is re-evaluated.


In comparing the sophistication of signature detection and NBAD we can use a little pseudo-code to illustrate the differences.

Signature Pseudo

Let's start by defining a few data objects:

  • $flows = communications to be evaluated
  • $signatures = array of all patterns to match against
  • $alarms = array of all alarms created by the engine

In processing communications the basic code for signature detection looks like this:

foreach ($flows as $flow){

  foreach ($signatures as $signature){

     if ($flow contains $signature) $alarms[]=$signature.$flow



As each flow is passed into the engine, it is checked for a match against the database of signatures and an alarm is created noting the match.


Detecting anomalies requires more robust processing. In addition to elements contained in signature detection, host objects must be maintained for intelligent processing:

Here are our NBAD objects:

  • $hosts = an object array of every host on the network. Object will contain dozens or hundreds of attributes (i.e. $host.open_ports or $host.connections_per_second)
  • $checks = an array of all algorithms or signatures to be run against a flow
  • $flows = communications to be evaluated
  • $alarms = array of all alarms created by the engine

Pseudo code for NBAD processing may look like this:

foreach($flows as $flow){

   $client = getHostObject($flow.dst, $hosts);

   $server = getHostObject($flow.src, $hosts);

   foreach($checks as $check){

        $client = applyCheck($check,$client, $flow, client); //apply check to client and increment values on host object

        $server = applyCheck($check,$server, $flow, server); //apply check to client and increment values on host object

        $newServerAlarm = checkAlarmThreshold($server); //check to see if changes to the host object causes and alarm value

        if ($newServerAlarm) $alarms[]=$newServerAlarm;

        $newClientAlarm = checkAlarmThreshold($client); //check to see if changes to the host object causes and alarm value

        if ($newClientAlarm) $alarms[]=$newClientAlarm;



The code above is just for processing it doesn't include the necessity to build and maintain baselines. You'll also note that NBAD requires several high level functions that are unnecessary in signature based detection.

Disclaimer and Wrap Up

I know that having more lines of code doesn't make a program better than one with less code (in fact there are cases where the opposite is true.) In this tongue-in-cheek entry I simply wanted to point out that the detection provided in signature based monitoring has a much narrower view (less situational awareness) and is handling far fewer data points than NBAD. Signature based methods can be combined in NBAD strategies but the inverse is not true. Does this prove that NBAD is "genetically" superior to signature based detection? I'll leave that to you to decide (and undoubtedly debate.)