attack signature
Estonian: ründe käekiri, ründemuster
essence
a recognisable pattern of activity in a system that is characteristic of a type of attack;
it often shows up in logs
ISO/IEC 27039:
sequence of computing activities or alterations used to execute an attack:
- makes it possible to discover that an attack has occurred
- is often determined by examining network traffic or logs
=
sequence of computing activities or alterations that are used to execute an attack and which are also used by an IDPS to discover that an attack has occurred and often is determined by the examination of network traffic or host logs
Note. This can also be referred to as an attack pattern.
overviews
https://accedian.com/blog/what-is-the-difference-between-signature-based-and-behavior-based-ids/
https://wtit.com/f5-resources/f5-big-ip-asm-attack-signatures/
https://www.first.org/resources/papers/conference2006/kijewski-piotr-slides.pdf
https://romisatriawahono.net/lecture/rm/survey/network%20security/Kaur%20-%20Automatic%20Attack%20Signature%20Generation%20-%202013.pdf
https://www.broadcom.com/support/security-center/attacksignatures