In this lesson, I'll talk about detection methods. Detection methods are important for us to understand because they underlie a variety of different software, from antivirus and anti-malware to intrusion detection and prevention, and a lot of the other tools we need to do our security jobs effectively. So by the end of the lesson, I want you to be able to discuss the methods of detection and differentiate between the different kinds of detection and mitigation methods used in all this different software.

Detection methods. There are two primary ways detection can be done to look at threats and attacks on your network. The first is signature based and the second is heuristic based. There are others out there, and we'll briefly talk about those as well. But first, let's talk about signature based.

Signatures are developed for all different kinds of detection. There are signatures for intrusion detection and prevention, for antivirus and anti-malware, and they're used for traffic patterns and applications as well. Signatures are developed to detect the characteristics of certain kinds of content. That could be byte patterns, file types, ports, protocols, and also file hashes. Let's talk briefly about each of these.

Byte patterns look for a specific sequence of bytes in the content itself. So if a known byte sequence shows up, for example, in the first part of a file or the first part of a network packet, the signature is going to recognize it. File types as well: an EXE, for example, can be flagged much more readily than a TXT file, because historically TXT files don't have executable content in them, whereas executables do. Ports: port 80 is probably monitored more closely than port 53, for example. Protocols as well: HTTP, again over port 80, is probably the protocol you're going to develop more signatures for than any other, because that is network based.
File hashes are representations of the actual files. No matter what the file is, whether it's a JPEG, an HTML file, a TXT file, whatever it is, they're all going to have hashes, and those are computed by whatever software you're using for detection to figure out what that file is. A hash identifies one exact file: change a single byte of the content and the hash changes too.

Signature based detection generally updates really regularly, sometimes even multiple times per day. This happens with most of the major antivirus companies and their DAT definition files. And then there are also other rules, like intrusion detection rules, that get downloaded as well, for antivirus and anti-malware and for intrusion prevention. There are all kinds of signatures that are updated constantly. So if we update one of our pieces of software in the morning and another in the afternoon, the content can be a little bit different.

These signatures can also point to a family of malicious content. For example, trojans or viruses usually fall into families of malware, and they're rewritten by different criminals to bypass antivirus. So very small tweaks mean many, many signatures trying to identify each very small tweak.

There are not many false positives with signature based detection either, because of the exact matching that takes place. Now, if you write something broad, for example, when somebody who will remain nameless visited campus, and we were concerned that there were threats against them, we actually flagged in our intrusion prevention system any content, or malicious content, that had this person's name in it and specific threats, so we could pass that on to the people who might be concerned about it. But that's going to hit on a lot of different things. So when you write signatures, or when you have other people write signatures, some of them might be false positives because you're writing them so broadly.
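To make the signature types concrete, here is a small added example in Python (my code, not part of the lesson) that scans a few constructed byte strings with four kinds of signature: an anchored `MZ` pattern standing in for the EXE file type, a floating byte pattern that covers a whole family, an exact byte pattern at a fixed offset, and a SHA-256 file hash. The sample content, the `EVIL_PAYLOAD` marker and the rule names are all made up for the example. It also scans two trivially tweaked copies of the same file, which is exactly the kind of small change the lesson turns to next.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Union

# Constructed sample content, not real malware. The "executable" starts with the
# MZ header Windows programs carry and ends with a recognisable payload string.
EXE_V1 = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode." + b"\x00" * 8
    + b"EVIL_PAYLOAD_v1"
)
TXT_NOTES = b"Just some meeting notes. Nothing executable here.\n"

# Two trivial tweaks of the kind the lesson describes: one byte of padding in
# front of the payload, and a one-character version bump.
EXE_V1_SHIFTED = EXE_V1.replace(b"EVIL_PAYLOAD_v1", b"\x00EVIL_PAYLOAD_v1")
EXE_V2 = EXE_V1.replace(b"EVIL_PAYLOAD_v1", b"EVIL_PAYLOAD_v2")


@dataclass
class Signature:
    name: str
    kind: str                    # "pattern_at", "pattern" or "hash"
    value: Union[bytes, str]     # bytes to match, or a hex SHA-256 digest
    offset: int = 0              # used only by "pattern_at"


def matches(sig: Signature, data: bytes) -> bool:
    """Return True if this one signature fires on the content."""
    if sig.kind == "pattern_at":   # bytes anchored at a fixed offset (file-type magic too)
        return data[sig.offset:sig.offset + len(sig.value)] == sig.value
    if sig.kind == "pattern":      # bytes anywhere in the content
        return sig.value in data
    if sig.kind == "hash":         # whole-file hash: the narrowest rule, and the most brittle
        return hashlib.sha256(data).hexdigest() == sig.value
    raise ValueError("unknown signature kind: %r" % sig.kind)


def scan(data: bytes, sigs: List[Signature]) -> List[str]:
    """Names of every signature that fires, in rule order."""
    return [sig.name for sig in sigs if matches(sig, data)]


# A small rule set, from broad (file type) to narrow (exact hash).
SIGNATURES = [
    Signature("pe-file-type", "pattern_at", b"MZ", 0),
    Signature("evil-family", "pattern", b"EVIL_PAYLOAD"),          # covers v1, v2, ...
    Signature("evil-v1-anchored", "pattern_at", b"EVIL_PAYLOAD_v1",
              EXE_V1.index(b"EVIL_PAYLOAD_v1")),                    # exact bytes at exact offset
    Signature("evil-v1-hash", "hash", hashlib.sha256(EXE_V1).hexdigest()),
]


if __name__ == "__main__":
    samples = [("EXE_V1", EXE_V1), ("EXE_V1_SHIFTED", EXE_V1_SHIFTED),
               ("EXE_V2", EXE_V2), ("TXT_NOTES", TXT_NOTES)]
    for label, blob in samples:
        print("%-15s %s" % (label, scan(blob, SIGNATURES) or "no match"))
```

Running it shows all four rules firing on the original, but only the file-type and family rules firing on the padded and version-bumped copies: the anchored pattern and the hash are narrow enough that one byte breaks them. That is the trade-off the lesson is getting at. The narrower the signature, the fewer false positives, and the easier it is for the malware author to slip past it.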
The narrower you get with your signature, the better the signature is. Some disadvantages of signature based detection are that it's very easy for malware to evade, and for intrusion prevention to be evaded, because the malware writer changes just a small component of the actual file and bypasses that signature. So, for example, bytes: if I'm matching byte patterns in an intrusion detection or prevention signature and the attacker moves the content one byte over, or adds one byte of padding, it may not trip. Zero day threats may not have signatures either, and this contributes to a lot of false negatives when zero days are first released. The development and deployment of updates may be slow as well, depending on your IT department. And the more signatures you check for, the more data has to be matched. So if you have, for example, intrusion prevention or intrusion detection signatures, the system has to look through all of those signatures before it lets the file or the traffic pass, and so the more horsepower you need in the software or hardware that is doing the signature matching.

Heuristic based detection looks at what the content is doing. It's looking at file changes, network traffic, what the software actually does. It can look at the same characteristics as signature based detection, but it's looking at the behavior instead of the actual files, the signature, or the pattern of the files. Some advantages of heuristic based detection: it doesn't have to wait for a signature update, so it can react to new threats sooner. It looks at behavior, so it may catch something that signature based detection is not going to catch, zero day threats specifically. Evasion becomes more difficult, because whatever the bytes look like, the malware still has to carry out its malicious behavior, and that behavior is what's being watched. And it helps when you can't scan the file at all. So, for example, when we scan phishing e-mail and there's a virus inside an attached file, if that file is encrypted I can't decrypt it, because it has a password on it.
So I'm going to trust that my antivirus or anti-malware looks at the heuristics, what that attachment does when it's opened, to decide what to do with that piece of malware. Some disadvantages of heuristic based detection are that it usually produces generic information, not detailed information on the actual file or the malicious content: you learn that something behaved suspiciously, not which specific piece of malware it is. Evasion can still be performed as well, by malware or other threats. And false positives may go up, because legitimate software can exhibit the same kinds of behavior one way or another. False negatives might go up as well, because you're relying on the malicious behavior actually showing itself while you're watching.

There are other detection methods as well, like anomaly based detection and machine learning. Those have come up in the last few years, where we're looking at historical or statistical patterns and flagging whatever deviates from them. But in general, detection for everything from antivirus and anti-malware to intrusion detection and prevention is going to use these same types of detection methods.
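As an added example of the heuristic, behavior-based approach described above (my code, not the lesson's), here is a toy behavior scorer in Python. It takes the kind of event trace a sandbox or endpoint agent would record, applies a handful of weighted behavior rules, and returns a score plus generic findings. The rules, weights, threshold and every trace below are my own constructed choices for illustration, not real samples or a real product's rule set. Four traces are included on purpose: two "droppers" that behave identically but share no strings, a legitimate per-user installer, and a sample that just sleeps.

```python
from typing import Callable, List, Tuple

Event = Tuple[str, str]   # (action, target), as an agent or sandbox would log it
Rule = Tuple[str, int, Callable[[str, str], bool]]

# Behaviour rules: a generic finding, a weight, and a predicate over one event.
# Weights and the threshold are illustrative choices for this example.
RULES: List[Rule] = [
    ("drops an executable under the user profile", 3,
     lambda a, t: a == "write_file" and "\\appdata\\" in t.lower() and t.lower().endswith(".exe")),
    ("registers Run-key persistence", 2,
     lambda a, t: a == "set_registry" and "\\currentversion\\run\\" in t.lower()),
    ("launches encoded PowerShell", 3,
     lambda a, t: a == "spawn_process" and "powershell" in t.lower() and "-enc" in t.lower()),
    ("connects to a non-web port", 2,
     lambda a, t: a == "net_connect" and not t.endswith((":80", ":443"))),
    ("deletes a file from Downloads", 2,
     lambda a, t: a == "delete_file" and "\\downloads\\" in t.lower()),
]
THRESHOLD = 5


def score_trace(trace: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weight of every rule that fires at least once; list the findings."""
    total, findings = 0, []
    for action, target in trace:
        for finding, weight, predicate in RULES:
            if finding not in findings and predicate(action, target):
                total += weight
                findings.append(finding)
    return total, findings


def verdict(trace: List[Event]) -> str:
    return "malicious" if score_trace(trace)[0] >= THRESHOLD else "clean"


# Constructed traces, made up for this example.
DROPPER_V1: List[Event] = [
    ("write_file", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("set_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
    ("spawn_process", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"),
    ("net_connect", "203.0.113.7:4444"),
    ("delete_file", r"C:\Users\alice\Downloads\invoice.exe"),
]
# Same behaviour, every string changed: a v1 byte pattern or hash misses it,
# the behaviour rules do not.
DROPPER_V2: List[Event] = [
    ("write_file", r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    ("set_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("spawn_process", "PowerShell -Enc ZQBjAGgAbwAgAGgAaQA"),
    ("net_connect", "198.51.100.23:8443"),
    ("delete_file", r"C:\Users\bob\Downloads\photo.scr"),
]
# A legitimate per-user installer looks a lot like a dropper: a false positive.
PER_USER_INSTALLER: List[Event] = [
    ("write_file", r"C:\Users\alice\AppData\Local\Vendor\app.exe"),
    ("set_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp"),
    ("net_connect", "updates.example.net:443"),
]
# A sample that only sleeps while it is being watched shows nothing: a false negative.
SLEEPER: List[Event] = [("sleep", "900")]


if __name__ == "__main__":
    for label, trace in [("dropper v1", DROPPER_V1), ("dropper v2", DROPPER_V2),
                         ("installer", PER_USER_INSTALLER), ("sleeper", SLEEPER)]:
        score, findings = score_trace(trace)
        print("%-11s %-9s score=%2d %s" % (label, verdict(trace), score, findings))
```

Both droppers score 12 and are flagged even though they share no bytes, which is the zero-day and evasion advantage from the lesson. The installer scores exactly the threshold and is flagged too, and the sleeper scores nothing: those are the false positive and false negative the lesson warns about. Note also what the output is: "registers Run-key persistence" rather than a family name, which is the generic information the lesson mentions.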
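For the anomaly based detection mentioned at the end of the lesson, here is an added Python example (mine, not the lesson's) of the simplest statistical form: learn a baseline from historical counts and flag observations that sit more than k standard deviations above it. The hourly connection counts are constructed for the example; the threshold of three standard deviations and the floor on sigma are my choices.

```python
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed baseline: outbound connections per hour from one workstation
# over ten quiet hours. Made-up numbers for this example.
BASELINE_HISTORY = [40, 45, 38, 50, 42, 47, 44, 41, 39, 46]

# Constructed observations for the next six hours: two bursts, the rest normal.
OBSERVED = [43, 52, 120, 41, 300, 44]


def build_baseline(history: List[int]) -> Tuple[float, float]:
    """Mean and population standard deviation of the clean history."""
    if len(history) < 2:
        raise ValueError("need at least two observations to build a baseline")
    # Floor sigma at 1 so a perfectly flat history cannot divide by zero
    # and so every small wobble is not reported.
    return mean(history), max(pstdev(history), 1.0)


def zscore(value: float, baseline: Tuple[float, float]) -> float:
    mu, sigma = baseline
    return (value - mu) / sigma


def is_anomalous(value: float, baseline: Tuple[float, float], k: float = 3.0) -> bool:
    """One-sided test: only unusually high counts are interesting here."""
    return zscore(value, baseline) > k


def scan_series(observed: List[int], baseline: Tuple[float, float], k: float = 3.0) -> List[int]:
    """Indices of the observations that deviate from the baseline."""
    return [i for i, v in enumerate(observed) if is_anomalous(v, baseline, k)]


if __name__ == "__main__":
    base = build_baseline(BASELINE_HISTORY)
    print("baseline mean=%.1f sigma=%.2f" % base)
    for i, v in enumerate(OBSERVED):
        print("hour %d: %3d  z=%5.1f  %s" % (i, v, zscore(v, base),
                                              "ANOMALY" if is_anomalous(v, base) else ""))
```

The hours with 120 and 300 connections are flagged; 52 is not, because it is only about 2.4 standard deviations above the mean. Two caveats a practitioner would add: the history has to be clean, since a baseline learned while an attacker is already active treats that activity as normal, and a baseline that is continuously re-learned can be walked upward slowly by an attacker who ramps up gradually.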