Data Security

In the Fight Against Ransomware, is Signature-Based or Behavior-Based Detection Best?

Written by: Anne Gotay 5 min read

You can’t solve a problem if you can’t see it exists. This is particularly vital in data security. While anomalous behavior appears periodically in even the most efficient of complex organizational cloud computing environments, it can indicate an attempted cyber attack or malware activity. Knowing the difference between a one-off behavior change due to extenuating business needs versus a potential attack is crucial to a robust cybersecurity posture.


A Tale of Two Strategies

Organizations must adopt advanced anomaly detection strategies and technologies to detect anomalous behaviors within the network traffic flowing through their networks. A comprehensive approach to managing the complexities of this new environment requires using a technology solution that provides visibility into the entire cloud infrastructure to identify anomalies before they affect mission-critical applications.

The Tried and True Method

A relic of the pre-pandemic era, many legacy solutions employ some version of signature-based detection — identifying suspicious behavior based on specific characteristics. These signatures can include common malware signatures such as a file hash, code snippets, or indicators pointing back to known threat actors.

Signature-based detection performs work well for finding patterns and sequences matching a known attacker IP addresses, file hash, or malicious domain. Looking for files in storage or traffic that contain known signatures can drive alerting and disinfection, allowing swift mitigation of known threats. Unfortunately, it has limits when it comes to uncovering emerging threats such as zero-day attacks or advanced persistent threats (APTs).

A New Era Demands New Methods

Anomaly Detection is often overlooked as a tool for cloud infrastructure monitoring. Yet, it remains a critical component for any organization’s cloud security strategy in a world dominated by remote and hybrid work. In addition to monitoring the cloud ecosystem for malicious activity, anomaly detection solutions report the unusual activity they identify to the appropriate personnel, so a deeper investigation can be made to determine whether the flagged activity is an actual security risk or simply a one-off event necessitated by business needs.

However, behavior-based detection provides an opportunity to understand what type of threat might lurk within your cloud environment. Thorough behavioral analysis can help identify whether a user performs certain dangerous behaviors, such as accessing sensitive files or restricted applications or if their credentials begin uploading new content. Additionally, behavioral analytics provide insight into how users interact with the cloud resources and create a baseline that can be used to indicate levels of risk.

For example, if a user is suddenly parsing through all files they have access to or accessing them at odd hours, it is likely that the user credentials have been compromised. This could be from someone stealing their credentials or malware operating as the user.


Signature-Based Detection vs. Behavior-Based Detection

Both approaches can be used to detect and mitigate malicious activity. Below we’ll discuss the pros and cons of signature-based and behavior-based detection, including how they work, what advantages and disadvantages each may offer, and how they compare to one another.

Signature-Based Detection

Initially used by antivirus developers, the “attack signature” allowed software to scan system files for evidence of malicious activity. A signature-based malware detection solution typically monitors endpoints and traffic from your cloud environment for anything matching a particular attack signature. These may be found within packet headers, in application code, or within data stores. When a computer encounters something that fits one of these signatures, it alerts the user or takes specific actions against the code.

What is an Attack Signature?

A program’s “signature” is determined by an algorithm that identifies specific characteristics of a piece of code. To spot attacks against a given service, the original signature must be compared with the observed behavior. Attack signatures can be developed based on previous attacks and then applied to detect similar attacks. For instance, if an attacker sends out a batch file containing a virus, the filename might contain clues about the type of file that should be scanned. When the executable is launched, the operating system might check the application’s name or file header before opening the file and compare it with the expected value. The file is opened if the actual name matches the expected value.

How Signature-Based Detection Works

Signature-based malware detection solutions build signatures for various types of attacks, such as ransomware, data exfiltration, root-kits, and others. They can also build signatures for specific IP addresses associated with known attackers. Signature-based detection uses a known list of indicators that may include specific network attack behaviors, utilization behaviors, and malicious domains. By monitoring these signatures, signature-based detection solutions can quickly identify and block threats. Signature-based approaches are very effective because they provide accurate results and are easy to implement.

Limitation of Signature-Based Detection

One of the most significant limitations of signature-based detection solutions is their inability to detect unknown attacks. Malicious actors can avoid being caught by simply modifying their attack sequences within the malware and other types of attacks. Traffic may also be encrypted to bypass signature-based detection tools altogether. Also, advanced persistent threats (APTs) usually evolve, changing their signature over 60% of the time, thus reducing the effectiveness of signature-based detection solutions.

Signature-based solutions can effectively find existing threats and identify previously discovered attack vectors. But they only detect known signature patterns – not overall behavior. Signature-based detection cannot tell if an application is being infected; it only determines whether a vector for infection is present. To combat this limitation, we must shift our focus toward behavioral analysis, where we examine how software behaves during an attack rather than what it does during an attack.

Behavior-Based Detection

Behavior-based security solutions go beyond detecting specific attacks to identify abnormal activity. Machine learning can be applied to large amounts of data and network activity to find anomalous behaviors.

Behavior-based security solutions utilize machine learning (ML) techniques to identify anomalies in utilization. These include abnormal access times, unusual file access, changes in volume, and such. In addition to detecting potential threats, these solutions can provide detailed information about how they were detected and what action was taken. They eliminate the need to create restrictive policies but instead detect them based on evolving usage patterns.

How Behavior-Based Detection Works

A behavior-based system holistically identifies attacks based on how an application or user account behaves in context to their normal or baseline expected behavior rather than merely identifying sequences and patterns matching a particular attack signature. The approach combines behavioral analysis with statistics and artificial intelligence to identify suspicious activity and determine whether something is wrong with the application.

Building a Baseline for Behavior-Based Detection

Behavior-based solutions are used to identify malware or malicious behavior patterns that may indicate an attempted breach or attack. These types of solutions can be implemented via software agents that monitor application or user activities and interactions. A baseline profile is built by collecting day-to-day information about the applications used, quantity and type of data accessed, as well as times at which specific activities occur. Using this contextual data, they can then continuously monitor activities and access. If they find any anomalies, alerts can be launched or automated actions taken to stop potentially inappropriate data activity proactively.

Continuous Learning and Monitoring

Instead of searching for strings associated with known malware or exploits, behavioral analysis can also identify unknown threats based on observed behavior. Behavior-based detection systems increase the likelihood of detecting and stopping an attack before it reaches the intended target. While these techniques do not prevent attacks from occurring, they provide greater protection against advanced attacks.

Behavior-based anomaly detection uses access utilization analysis to analyze user data access utilization behavior intelligently. This includes analyzing behavior patterns for all identities with access to the cloud resource. It looks for variations in access patterns, such as changes in time, type, and volume of data accessed. All new activity for each identity is compared to the baseline to detect anomalous behavior and deviations from the historical norm.

Intelligent Analysis Reduces Risk

By intelligently analyzing data using machine learning, behavior-based detection solutions offer the best line of defense against infection. They provide holistic views of today’s complex cloud environments, detecting malicious and anomalous behavior across the entire cloud attack surface.

Behavior-based anomaly detection solutions are critical for cloud systems as they experience a large amount of traffic. This is vital for controlling the cloud resources with significant volumes of data or individuals accessing it at any given time.


The Right Detection for Ransomware Protection

When selecting the proper anti-malware solution, there are many built for on-premises but virtually none for the cloud. Sotero is purpose-built in the cloud for the cloud. It creates a barrier, defending your cloud resources, including those mapped back to internal resources from malware. This eliminates the threat of malware propagating back to the organization through these channels.

Sotero offers a comprehensive ransomware solution that uses behavior-based anomaly detection rather than a legacy signature-based approach. Our advanced machine learning creates usage and access baselines across your cloud infrastructure, monitors activity, and flags suspicious activity. Sotero ransomware protection detects malware at the earliest stages of an attack, cutting off access, logging access, and generating alerts before the malware can take hold.

An early prevention path is essential for eliminating the threat to sensitive data, especially data that is controlled by regulatory or legal compliance mandates. Sotero ensures this data is not altered or exfiltrated, helping organizations avoid costly compliance failures.


data protection,

data regulations,

data security

Subscribe to our Blog

Take a look at a truly encrypted future, with no data left unsecure.

Request a Live Demo.

Schedule a live one-on-one
demo of Sotero.

Book Demo