Looking for known attack sequences as indicated by state or
audit information. Examples include virus scanning and pattern matching in
audit trails against known attack signatures, and virus monitors that check
each program for known viruses at load-time.

Complexity: This class of
detection methods is almost always used to identify a finite subset of an
infinite class of attacks, and as such is only effective against commonly
used copies of known attacks.
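
The pattern matching described above, as an added example that is not part of the original page: a scanner that walks an audit trail and reports each subject whose events complete a known attack sequence. The signature names, event names and audit records are all constructed for illustration. The last three records show the limitation stated under Complexity: activity that no signature lists produces no report.

```python
"""Known-attack scanning over an audit trail (constructed example)."""
from collections import defaultdict

# Hypothetical signatures: each is an ordered sequence of audit events that
# one subject must produce, in order; unrelated events may be interleaved.
SIGNATURES = {
    "password-guess-then-login": ["login_fail", "login_fail", "login_fail", "login_ok"],
    "stage-and-run-from-tmp": ["file_write:/tmp", "chmod_exec:/tmp", "exec:/tmp"],
}

# Constructed audit trail: (subject, event) records in time order.
AUDIT_TRAIL = [
    ("alice", "login_ok"),
    ("mallory", "login_fail"),
    ("bob", "file_write:/tmp"),
    ("mallory", "login_fail"),
    ("bob", "chmod_exec:/tmp"),
    ("mallory", "login_fail"),
    ("bob", "exec:/tmp"),
    ("mallory", "login_ok"),
    # Activity that is not in the signature set: the scanner stays silent.
    ("carol", "file_write:/var/tmp"),
    ("carol", "chmod_exec:/var/tmp"),
    ("carol", "exec:/var/tmp"),
]


def scan(trail, signatures):
    """Return (subject, signature_name, index_of_completing_event) hits."""
    progress = defaultdict(int)  # (subject, signature) -> events matched so far
    hits = []
    for index, (subject, event) in enumerate(trail):
        for name, sequence in signatures.items():
            key = (subject, name)
            # Advance only when the event is the next one the signature expects.
            if event == sequence[progress[key]]:
                progress[key] += 1
            if progress[key] == len(sequence):
                hits.append((subject, name, index))
                progress[key] = 0  # start over for this subject
    return hits


if __name__ == "__main__":
    for subject, name, index in scan(AUDIT_TRAIL, SIGNATURES):
        print(f"record {index}: {subject} matched {name}")
```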
fc@red.a.net