When a network device receives a packet, the network device typically examines one or more portions of the packet (e.g., header, payload, etc.) to ensure that the packet does not pose a security threat. In examining the portions, the network device matches the portions against known patterns (e.g., a virus pattern, a software vulnerability pattern, etc.) based on a user configured policy. If the portions contain one of the patterns, the device extracts a flow signature (e.g., a tuple including a source address, a destination address, a source port number, a destination port number, a protocol name, etc.) from the packet. Henceforth, the device may drop packets that bear the same flow signature and/or sample the packets for further analysis.