Salami attacks are difficult to detect because they rely on being small, gradual, and “normal-looking.” Each individual action is usually too minor to trigger alarms, but together they cause significant damage.
The key reasons are:
1. Very Small Changes (Micro-Actions)
Each step in a salami attack:
- Involves tiny amounts (e.g., fractions of money, minimal data access, small permission changes)
- Looks harmless on its own
Security systems are often designed to catch large or sudden anomalies, not tiny ones.
2. Actions Appear Legitimate
- The attacker often uses valid credentials
- Operations look like normal user behavior
- No obvious rule or policy is violated in a single action
This makes it hard to distinguish attacks from everyday activity.
3. Happens Over a Long Time
- Salami attacks are slow and gradual
- Damage accumulates over weeks or months
Long timelines reduce suspicion and make patterns harder to notice.
4. Stays Below Detection Thresholds
Many monitoring systems use thresholds, such as:
- Minimum transaction amount
- Maximum number of allowed actions per hour
Salami attacks deliberately stay just below these limits, avoiding alerts.
5. Distributed and Fragmented Evidence
- Effects are spread across many users, files, or transactions
- No single log entry shows clear malicious intent
Investigators must correlate many small events to see the full picture.
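Added example (not part of the original page): a small Python sketch of the correlation described in points 4 and 5, showing a per-transaction threshold rule missing a slow skim that a per-destination cumulative rule catches. The ledger, account names, thresholds and window size are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

PER_EVENT_THRESHOLD = Decimal("1000.00")  # assumed single-transaction alert limit

def build_sample_ledger():
    """Constructed ledger rows: (day, source_account, destination_account, amount)."""
    ledger = []
    # 90 days of rounding-sized amounts from 200 accounts into one destination.
    for day in range(90):
        for n in range(200):
            ledger.append((day, f"cust-{n:03d}", "acct-9001", Decimal("0.04")))
    # Ordinary activity, including one payment large enough to trip the old rule.
    ledger.append((3, "cust-010", "acct-1200", Decimal("75.00")))
    ledger.append((40, "cust-044", "acct-1200", Decimal("1500.00")))
    return ledger

def per_event_alerts(ledger, threshold=PER_EVENT_THRESHOLD):
    """Classic threshold rule: flag any single transaction at or above the limit."""
    return [row for row in ledger if row[3] >= threshold]

def cumulative_alerts(ledger, window_days=30,
                      total_limit=Decimal("200.00"), min_sources=50):
    """Correlate sub-threshold events per destination in fixed (tumbling) windows.

    Flags a destination when many distinct sources feed it and the combined
    total is large, even though no single row would raise an alert.
    """
    totals = defaultdict(Decimal)
    sources = defaultdict(set)
    for day, src, dst, amount in ledger:
        if amount >= PER_EVENT_THRESHOLD:
            continue  # already handled by the per-event rule
        key = (dst, day // window_days)
        totals[key] += amount
        sources[key].add(src)
    return sorted(
        (dst, window, totals[(dst, window)], len(sources[(dst, window)]))
        for (dst, window) in totals
        if totals[(dst, window)] >= total_limit
        and len(sources[(dst, window)]) >= min_sources
    )

if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("per-event alerts:", per_event_alerts(ledger))
    for dst, window, total, n_sources in cumulative_alerts(ledger):
        print(f"window {window}: {dst} received {total} from {n_sources} sources")
```

Requiring both a minimum total and a minimum number of distinct sources keeps an ordinary account with a handful of small payments from being flagged.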
6. Weak Logging and Auditing
- Minor actions may not be logged in detail
- Logs may be reviewed infrequently
Without fine-grained auditing, the attack blends into background noise.
7. Human Oversight Limitations
- People tend to ignore tiny discrepancies
- Small losses are often rounded off or dismissed
Attackers exploit this psychological tendency.
