2.1.2. Signature-Based IDS

In signature-based IDS, signatures of threats that have already been discovered and identified on the system are stored and used to recognize the same threats in the future. Incoming network traffic is compared against this signature database, and an intrusion is reported when an incoming pattern matches a stored signature. The advantage of this detection method is that it is easy to develop and understand, provided the signatures of the malicious network behavior are known. It achieves very high accuracy and a very low false-positive rate for known attacks. New signatures can also be added to the database without changing or modifying existing ones.

The main drawback of this technique is that such systems cannot detect new or unknown attacks, and even a slight change or variation in the attack pattern can evade detection. Figure 2 presents the general architecture of a signature-based IDS. A few examples of related work that applied signature-based IDS are listed here.
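The matching step and its evasion weakness can be shown on a few constructed payloads. The example below is added here and is not code from any of the cited works: it keeps a tiny signature database as exact byte patterns, matches each payload against it, appends a signature without touching existing ones, and then shows that a percent-encoded or differently cased variant of a known attack slips past the raw matcher. The `normalise` step is the usual practitioner mitigation (decode and lowercase before matching); it narrows the gap but does not close it. All patterns, signature IDs and payloads are invented for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int          # rule identifier (Snort-style numbering, constructed)
    name: str
    pattern: bytes    # exact byte sequence expected somewhere in the payload


# Constructed signature database; the patterns are illustrative only.
SIGNATURES = (
    Signature(1000001, "HTTP path traversal", b"../../etc/passwd"),
    Signature(1000002, "SQL injection probe", b"' OR 1=1--"),
)


def match_payload(payload: bytes, signatures=SIGNATURES):
    """Return the ids of all signatures whose pattern occurs verbatim in payload."""
    return [s.sid for s in signatures if s.pattern in payload]


def add_signature(db, sig):
    """Return a new database with sig appended; existing entries are untouched."""
    if any(s.sid == sig.sid for s in db):
        raise ValueError(f"duplicate sid {sig.sid}")
    return db + (sig,)


def normalise(payload: bytes) -> bytes:
    """Cheap preprocessing that narrows the evasion gap: percent-decode and
    lowercase the payload before matching. It does not defeat every variation."""
    return unquote(payload.decode("latin-1")).lower().encode("latin-1")


def match_normalised(payload: bytes, signatures=SIGNATURES):
    """Match the normalised payload against lowercased copies of the signatures."""
    lowered = tuple(Signature(s.sid, s.name, s.pattern.lower()) for s in signatures)
    return match_payload(normalise(payload), lowered)


# Constructed sample payloads: one exact known attack, two slight variants of
# known attacks, and one benign request.
KNOWN_ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
EVASION_ENCODED = b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\n"
EVASION_CASE = b"username=admin' or 1=1--&password=x"
BENIGN = b"GET /index.html HTTP/1.1\r\n"

if __name__ == "__main__":
    for p in (KNOWN_ATTACK, EVASION_ENCODED, EVASION_CASE, BENIGN):
        print(match_payload(p), match_normalised(p), p[:40])
```

The raw matcher reports only the exact known attack; both variants produce no alert until the payload is normalised, which is the "slight variation can fool it" limitation in concrete form.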

**Figure 2.** Signature-based IDS architecture [13].

Saraniya [21] developed a network intrusion detection system (NIDS) that secures the network with a signature-based detection algorithm. It captured packets sent across the entire network by operating the interface in promiscuous mode and compared the traffic against designer-defined attack signatures. It secured the network while reducing the memory footprint in its environment. Such a signature-based IDS cannot detect emerging or unknown attacks, because the signature database must be manually updated for every new type of intrusion discovered.

Gao and Morris [22] presented a study of cyberattacks against MODBUS-based industrial control systems and of signature-based IDS rules designed to detect those attacks. The rules were divided into two types: independent and state-based. Independent rules analyze a single MODBUS packet, looking for a specific signature match, and were implemented with the Snort intrusion detection tool; state-based rules require information retained across more than one packet.
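The difference between the two rule types is clearest on actual MODBUS/TCP frames. The example below is added here and is not Gao and Morris's rule set or code: it parses the MBAP header and function code, applies one independent rule (a single Diagnostics request, function 0x08, with the "Force Listen Only Mode" sub-function 0x0004, which silences a device) and one state-based rule (more than a constructed threshold of register writes from one source inside a time window), and runs both over a constructed packet stream. The threshold, window, addresses and frames are assumptions chosen for illustration; Snort can express the single-packet rule directly, while the cross-packet rule needs state that Snort keeps with flowbits or a preprocessor.

```python
import struct
from collections import defaultdict, deque

# MODBUS function codes and the diagnostics sub-function used by the
# independent rule (values from the MODBUS application protocol).
FUNC_READ_HOLDING_REGS = 0x03
FUNC_WRITE_SINGLE_REG = 0x06
FUNC_DIAGNOSTICS = 0x08
FUNC_WRITE_MULTI_REGS = 0x10
DIAG_FORCE_LISTEN_ONLY = 0x0004


def parse_modbus_tcp(frame: bytes):
    """Parse MBAP header (transaction id, protocol id, length, unit id) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not MODBUS")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame")
    return {"tid": tid, "unit": uid, "func": frame[7], "data": frame[8:]}


def build_frame(tid, unit, func, data):
    """Build a MODBUS/TCP request frame; used only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([func]) + data


def rule_force_listen_only(pkt) -> bool:
    """Independent rule: one packet is enough to decide."""
    if pkt["func"] == FUNC_DIAGNOSTICS and len(pkt["data"]) >= 2:
        return struct.unpack(">H", pkt["data"][:2])[0] == DIAG_FORCE_LISTEN_ONLY
    return False


class WriteBurstRule:
    """State-based rule: more than `limit` register writes from one source
    within `window` seconds. Threshold and window are constructed values."""

    def __init__(self, limit=3, window=1.0):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)  # src -> timestamps of recent writes

    def check(self, src, ts, pkt) -> bool:
        if pkt["func"] not in (FUNC_WRITE_SINGLE_REG, FUNC_WRITE_MULTI_REGS):
            return False
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def run_rules(stream, burst_rule=None):
    """Apply both rules to (src, timestamp, frame) tuples; return alerts."""
    burst = burst_rule or WriteBurstRule()
    alerts = []
    for src, ts, frame in stream:
        pkt = parse_modbus_tcp(frame)
        if rule_force_listen_only(pkt):
            alerts.append((ts, src, "diag-force-listen-only", pkt["tid"]))
        if burst.check(src, ts, pkt):
            alerts.append((ts, src, "write-burst", pkt["tid"]))
    return alerts


# Constructed sample stream: a benign read, one listen-only request, then a
# burst of writes from the same source and one isolated write from another.
SAMPLE_STREAM = [
    ("10.0.0.5", 0.0, build_frame(1, 1, FUNC_READ_HOLDING_REGS, b"\x00\x00\x00\x0a")),
    ("10.0.0.9", 0.1, build_frame(2, 1, FUNC_DIAGNOSTICS, b"\x00\x04\x00\x00")),
    ("10.0.0.9", 0.2, build_frame(3, 1, FUNC_WRITE_SINGLE_REG, b"\x00\x10\x00\x01")),
    ("10.0.0.9", 0.3, build_frame(4, 1, FUNC_WRITE_SINGLE_REG, b"\x00\x10\x00\x02")),
    ("10.0.0.9", 0.4, build_frame(5, 1, FUNC_WRITE_SINGLE_REG, b"\x00\x10\x00\x03")),
    ("10.0.0.9", 0.5, build_frame(6, 1, FUNC_WRITE_SINGLE_REG, b"\x00\x10\x00\x04")),
    ("10.0.0.5", 0.6, build_frame(7, 1, FUNC_WRITE_SINGLE_REG, b"\x00\x10\x00\x05")),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_STREAM):
        print(alert)
```

The listen-only request is flagged on the packet that carries it, whereas the write burst is only flagged on the fourth write, once the per-source history crosses the threshold; the same fourth write in isolation would be indistinguishable from the benign write from the other host.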

Uddin et al. [23] proposed a signature-based distributed IDS that uses a mobile agent to transfer signatures from a large signature database to a small local signature database, and then to update the local databases regularly as new signatures are discovered. The results indicated that the proposed model performed better than regular systems that use a single signature database.

Kumar and Gobil [24] implemented a signature-based IDS using three tools: Snort, BASE (Basic Analysis and Security Engine, a web front end for Snort alerts), and TCP Replay. The system could detect and analyze intrusions in network traffic in real time.

The main characteristics and limitations of anomaly-based, signature-based, and hybrid IDS are listed in Table 1.

**Table 1.** Summary of intrusion detection techniques [17].

