To protect against malicious content, intrusion prevention systems (and similarly intrusion detection systems) use an engine that includes logic for evaluating incoming (and outgoing) network traffic against signatures to detect patterns of known malicious content. Traditionally, signatures in intrusion prevention systems are described by a set of complex data structures describing how to distinguish legitimate valid data from data corresponding to an attempted attack.
One problem with this approach stems from the signature schema. More particularly, because of the schema, the signature language may be unable to express the state that identifies the vulnerability, or can do so only through very complex coding.
Further, because it must include the logic for various protocols and for signature processing, the engine may be a complex, relatively heavyweight mechanism. The engine needs to be maintained and updated from time to time as new logic to detect new signatures is developed.