Which approach to intrusion detection relies on a database of known attack signatures?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which approach to intrusion detection relies on a database of known attack signatures?

Explanation:
Intrusion detection that relies on a database of known attack signatures works by matching incoming data against predefined patterns of malicious activity. Each signature encodes a specific attack scenario, such as a particular sequence of bytes in a packet or a distinct sequence of system calls. When the system detects a match to a signature, it triggers an alert, enabling fast, precise identification of threats that have already been observed and cataloged. This approach is especially effective for known exploits and is easy to keep current by updating the signature database as new attacks are discovered. The trade-off is that it may miss brand-new or heavily obfuscated attacks that don’t have a corresponding signature, which is why defenders often pair this method with ways to detect anomalies or unusual behavior.

