Inspection Engine
Signature-based detection

Signature-based detection, at a very basic level, can be compared to virus-checking programs. IDS vendors build signatures that the IDS compares against activity on the network or host. When a match is found, the IDS takes action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to configure existing signatures and create new ones, customers depend primarily on the vendors to provide the latest signatures and keep the IDS up to date.

Signature-based detection can also produce false positives, as certain normal network activity can appear to be malicious. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system may interpret as an attempt by an attacker to map out a network segment.
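
The ICMP false positive described above can be reproduced with a small matcher. This is an added example, not code from the original page or from any IDS product; the signature definition, its thresholds, the trusted_sources tuning parameter and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Hypothetical signature: one source sends ICMP echo requests to at least
# `min_targets` distinct destinations within `window` seconds.
SWEEP_SIGNATURE = {"name": "ICMP sweep", "min_targets": 5, "window": 10.0}

def detect_icmp_sweep(events, signature=SWEEP_SIGNATURE, trusted_sources=()):
    """Return one alert dict per source that matches the signature.

    events: iterable of (timestamp, src_ip, dst_ip, icmp_type), time-ordered.
    trusted_sources: sources excluded by local tuning (e.g. monitoring hosts).
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
    alerted = set()
    alerts = []
    for ts, src, dst, icmp_type in events:
        if icmp_type != 8 or src in trusted_sources or src in alerted:
            continue              # only echo requests (type 8) are counted
        q = recent[src]
        q.append((ts, dst))
        # Drop observations that fell out of the sliding window.
        while q and ts - q[0][0] > signature["window"]:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= signature["min_targets"]:
            alerted.add(src)
            alerts.append({"signature": signature["name"], "src": src,
                           "time": ts, "targets": len(targets)})
    return alerts

# Constructed sample traffic (documentation address ranges, not real captures).
def sample_events():
    events = []
    # 192.0.2.66: unknown host probing six addresses in three seconds.
    for i in range(6):
        events.append((100.0 + i * 0.5, "192.0.2.66", f"198.51.100.{i + 1}", 8))
    # 192.0.2.10: availability monitor pinging six servers each poll cycle.
    for i in range(6):
        events.append((101.0 + i * 0.5, "192.0.2.10", f"198.51.100.{i + 20}", 8))
    # 192.0.2.20: workstation pinging one gateway repeatedly (no match).
    for i in range(8):
        events.append((100.0 + i, "192.0.2.20", "198.51.100.254", 8))
    return sorted(events)

if __name__ == "__main__":
    for alert in detect_icmp_sweep(sample_events()):
        print("untuned:", alert)
    for alert in detect_icmp_sweep(sample_events(), trusted_sources={"192.0.2.10"}):
        print("tuned:  ", alert)
```

Untuned, the signature fires on both the probing host and the monitoring host, because their traffic is indistinguishable to the pattern; excluding the known monitor removes the false positive but also means that host is no longer inspected by this signature.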