In the vast majority of cases, "signature" seems to be translated as 签名 (signature), yet many articles render "Signature-based detection" as 特征检测 (characteristic-based detection). So in this concept, does "signature" mean 特征 (characteristic)? Can 特征 and 签名 be treated as equivalent? Is there a strict difference between the two renderings?
I came across an English article that, when discussing IDPS detection methods, gave three examples: Signature-based detection, Anomaly-based detection, and Specification-based detection.
The original text's explanation of Signature-based detection is: "is a method of comparing signatures against observed events to identify possible incidents. A signature is a pattern related to a known threat. For example, imagine you receive an email with the subject line "Free pictures!" that has an attachment named "freepics.exe." Let's say the IDPS understands these to be characteristics of known malware. Using signature-based detection, an IDPS will compare the observed signatures (i.e., Free pictures, freepics.exe) to known malware characteristics and detect the email as a possible incident. However, if an attacker modified the malware to use the filename "freepics2.exe," an IDPS looking for a signature of "freepics.exe" wouldn't match it."
It then goes on to explain Anomaly-based detection.
And then it abruptly changes course and starts discussing Stateful Protocol Analysis. Three detection methods were clearly named earlier, but the third one has vanished.
Or is Stateful Protocol Analysis itself a kind of Specification-based detection?
Here is the original description: "Often, malicious activity will be carried out using standard protocols associated with normal network operations. Stateful protocol analysis can look for deviations in how protocols are being used in network traffic. Unexpected sequences of commands can be identified through stateful protocol analysis. This can include issuing the same command over and over or issuing a command without a dependent command. Stateful protocol analysis methods use protocol models to locate any problems within the network. They're typically rooted in standards provided by software vendors and standards bodies. However, many vendors will add proprietary features or violate standards completely by replacing elements from the standards. Stateful protocol analysis is helpful in this regard because it helps identify these violations while taking into account individual variances in each protocol's implementation."
I searched online, and both Signature-based detection and Specification-based detection have been translated as 特征检测. If the two appear together, should one just dutifully render them as "基于签名的检测" (signature-based detection) and "基于规范的检测" (specification-based detection)?
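To make the distinction between the two quoted mechanisms concrete, here is an added example (not from the article or the original post) that implements both side by side: a signature match on the "Free pictures!" / "freepics.exe" email from the quoted text, showing that renaming the attachment to "freepics2.exe" evades it, and a stateful protocol analyser that walks an SMTP-like command sequence through a protocol model and flags the two anomaly classes the second quote names (a command issued without its dependent command, and the same command issued over and over). The SMTP state model is a deliberately reduced subset of RFC 5321, the command sequences are constructed for the example, and the repeat threshold is an assumed tuning value.

```python
"""Added example: signature-based detection beside stateful protocol analysis.

Signature matching compares observed attributes against a fixed list of known
bad patterns, so it holds only while the attributes match exactly. Stateful
protocol analysis tracks where a session is in the protocol and flags command
sequences the protocol model does not allow, regardless of the payload's name.
All sample data below is constructed for this example.
"""

# --- Signature-based detection ------------------------------------------------

# The known-malware signature from the quoted text: subject line plus attachment.
KNOWN_SIGNATURES = [
    {"subject": "Free pictures!", "attachment": "freepics.exe"},
]

# Constructed sample emails: the original and the attacker's renamed variant.
KNOWN_EMAIL = {"subject": "Free pictures!", "attachment": "freepics.exe"}
RENAMED_EMAIL = {"subject": "Free pictures!", "attachment": "freepics2.exe"}


def signature_match(email: dict) -> bool:
    """True when every field of some known signature matches the email exactly."""
    return any(
        all(email.get(field) == value for field, value in sig.items())
        for sig in KNOWN_SIGNATURES
    )


# --- Stateful protocol analysis ------------------------------------------------

# Reduced SMTP session model (subset of RFC 5321): for each state, the commands
# that are legal and the state each one moves the session into. MAIL must
# precede RCPT, and at least one RCPT must precede DATA; EHLO/HELO may be
# reissued and resets the transaction. The "data" state is handled inline.
SMTP_MODEL = {
    "start":   {"HELO": "greeted", "EHLO": "greeted", "QUIT": "closed"},
    "greeted": {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
                "RSET": "greeted", "QUIT": "closed"},
    "mail":    {"RCPT": "rcpt", "RSET": "greeted", "QUIT": "closed"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "QUIT": "closed"},
    "data":    {},
    "closed":  {},
}

# Assumed tuning value: the same command this many times in a row is reported.
REPEAT_LIMIT = 3


def analyse_session(commands: list[str]) -> list[str]:
    """Walk a client command sequence through SMTP_MODEL; return anomaly reports."""
    state = "start"
    previous, run = None, 0
    findings = []
    for i, line in enumerate(commands):
        if state == "data":
            # Inside the message body every line is data; a lone "." ends it.
            state = "greeted" if line.rstrip("\r\n") == "." else "data"
            continue
        words = line.split()
        verb = words[0].upper() if words else ""
        run = run + 1 if verb == previous else 1
        previous = verb
        if run == REPEAT_LIMIT:
            findings.append(f"line {i}: '{verb}' repeated {REPEAT_LIMIT} times in a row")
        allowed = SMTP_MODEL[state]
        if verb not in allowed:
            # Either the command's dependent command has not been issued yet,
            # or the model does not know the command at all.
            findings.append(f"line {i}: '{verb}' not valid in state '{state}'")
            continue  # the server would reject it, so the state does not move
        state = allowed[verb]
    return findings


# Constructed sessions: a well-formed one, one that issues DATA without the
# MAIL/RCPT it depends on, and one that hammers HELO.
LEGIT_SESSION = [
    "EHLO client.example", "MAIL FROM:<a@example.com>",
    "RCPT TO:<b@example.net>", "DATA", "Hello", ".", "QUIT",
]
MISSING_DEPENDENCY_SESSION = ["EHLO client.example", "DATA", "QUIT"]
REPEATED_COMMAND_SESSION = ["HELO a", "HELO a", "HELO a", "QUIT"]

if __name__ == "__main__":
    print("known email matched:", signature_match(KNOWN_EMAIL))
    print("renamed email matched:", signature_match(RENAMED_EMAIL))
    for name, session in [("legit", LEGIT_SESSION),
                          ("missing dependency", MISSING_DEPENDENCY_SESSION),
                          ("repeated command", REPEATED_COMMAND_SESSION)]:
        print(name, "->", analyse_session(session) or "no findings")
```

The point the two quotes make falls out of the code: the signature check is defeated by a one-character rename, while the protocol analyser never looks at attachment names at all and still reports the DATA-before-MAIL sequence. The repeat detector is the crude part and is where vendor and implementation variance bites: legitimate multi-recipient mail repeats RCPT, so in practice the threshold is per command, not global.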