Cybersecurity Forum


jamescabe_FTNT

Behavioral vs Adaptive vs Signature

Can anyone give me a definition or difference between security appliances that handle Behavioral, Adaptive measures, or Signature-based measures?

This is a leading question for a number of reasons. The first is that we haven't made a big deal of that here at Fortinet. Mostly because we don't tell much of a story from our engineering side. However, when you see Fortinet produce an application specific firewall like a FortiDB, FortiWeb, or FortiDDoS you will see that it contains Adaptive and Behavioral security measures to complement the signature and adaptive (CPRL) measures found within the firewall. The two devices dovetail for a defense-in-depth set of counter measures.

So, what does each mean?

Def: Signature - n. A distinctive mark, characteristic, or feature indicating identity

This type of measure operates by searching for a known identity - or signature - for each specific intrusion event or file (in the case of antivirus). While signature-based IDS and antivirus are very efficient at sniffing out known attacks, they depend on receiving regular signature updates to keep in touch with variations in hacker technique. In other words, signature-based measures are only as good as their database of stored signatures.

Def: Adaptive (root: adapt) - v. To make suitable to or fit for a specific use or situation.

Essentially this security measure is flexible enough to change behavior with the attempted intrusion. Example: a "hacker" will take a virus file, encrypt a portion of it and set another executable on it to decrypt portions of the virus slowly and download the last bits of payload. This is an adaptive attack. CPRL in the FortiGate mitigates this attack by using pattern recognition which takes into account specific fragments of a file as well as chunking and encryption techniques. The FortiWeb furthers this protection by checking patterns and thresholds found in attacks to a web server or database. It does not track multiple sessions that have different purposes. For example, an infected host will attempt outbound C&C connections before downloading new payloads and attempting to spread through attacks or scans made to other hosts (through other sessions).

Def: Behavioral (root: behavior) - n. The actions or reactions of a person or animal in response to external or internal stimuli.

This picks up where the simple threshold and pattern matching protections leave off. This technology can track behaviors of specific hosts on an internal or external network: C&C behavior, attack behavior, multi-session scanning, and attack differentiation. This is not a speed technology. It is not typically used as an in-line appliance (FortiDB). Typically it runs log analysis and change analysis. It will also track session handling and permissions changes. Typically this employs a machine-learning engine that tracks standard deviation and mean. Where this type of protection leaves off is that it doesn't always take into account side-channel or Out-Of-Band (OOB) behaviors like IRC, Tor, posting boards, encrypted messaging (not HTTPS or SSL), through torrent or UDP.

This brings up a completely different type of measure that some refer to as "threat intelligence". It combines Machine Learning and a technique called Deep Learning. Deep learning is a branch of machine learning based on a set of algorithms that attempt to model high-level abstractions (such as human emotion or intent) in data by using multiple processing layers with complex structures or otherwise composed of multiple non-linear transformations. Basically the attack information comes from multiple OOB sources like attack staging honeypots, posting boards, IP reputation, and encrypted messaging traffic and then attempts to correlate that with real-time traffic measures like signature systems and adaptive appliances.

This essentially is the holy grail and something that FortiGuard has been doing for a long time.
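As an added illustration (not code from the post or from any Fortinet product), here is a minimal contrast between the signature measure and the behavioral measure described above: a verbatim pattern lookup beside a per-host mean/standard-deviation tracker of the kind the behavioral paragraph mentions. The host addresses, connection counts and the "known bad" byte pattern are all constructed for the example.

```python
import statistics

# Constructed sample data (hypothetical, not from the post): ten minutes of
# per-minute outbound connection counts for two internal hosts, then one
# observed minute in which 10.0.0.5 suddenly opens many connections (scan-like).
BASELINE = {
    "10.0.0.5": [3, 4, 3, 5, 4, 3, 4, 5, 3, 4],
    "10.0.0.9": [20, 22, 19, 21, 20, 23, 21, 20, 22, 21],
}
OBSERVED = {"10.0.0.5": 40, "10.0.0.9": 22}

# Constructed "known bad" byte pattern standing in for a real IPS/AV signature.
SIGNATURES = {"demo-trojan-v1": b"DEMO_TROJAN_MARKER"}


def signature_match(payload: bytes, signatures=SIGNATURES) -> list:
    """Signature measure: report every known pattern found verbatim in the payload.
    Anything absent from the database (a new variant, a plain port scan) is invisible."""
    return [name for name, pattern in signatures.items() if pattern in payload]


def behavioral_score(history: list, observed: int) -> float:
    """Behavioral measure: how many standard deviations the observed count sits
    from the host's own mean, using population stdev over the history window."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history) or 1.0  # flat baseline: avoid divide-by-zero
    return (observed - mean) / stdev


def flag_anomalous_hosts(baseline: dict, observed: dict, threshold: float = 3.0) -> dict:
    """Return {host: z-score} for hosts whose current minute exceeds the threshold.
    Each host is judged against its own history, so a busy server is not penalised
    for being busy, only for departing from its usual pattern."""
    flagged = {}
    for host, count in observed.items():
        z = behavioral_score(baseline[host], count)
        if z > threshold:
            flagged[host] = round(z, 2)
    return flagged


if __name__ == "__main__":
    # A request carrying a known marker: caught by signature regardless of volume.
    print(signature_match(b"GET /index.html DEMO_TROJAN_MARKER"))
    # A burst of connections with no known payload: invisible to the signature check...
    print(signature_match(b"SYN SYN SYN"))
    # ...but flagged by the behavioral check because 10.0.0.5 never behaves this way.
    print(flag_anomalous_hosts(BASELINE, OBSERVED))
```

The two checks are complementary in exactly the way the post describes: the signature lookup finds only what is already in its database, while the per-host baseline catches the unusual volume but says nothing about what the payload was.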
