Which type of detection is the process of comparing signatures against observed events to identify possible incidents?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

Which type of detection is the process of comparing signatures against observed events to identify possible incidents?

Explanation:
Signature-based detection works by comparing observed events to a library of known signatures representing malicious activity. When a match is found, the system flags or blocks the potential incident. This approach is effective for known threats because signatures come from past incidents and malware fingerprints, providing high confidence when the database is up to date. It tends to have fewer false positives for those known patterns. The limitation is that it cannot reliably detect new, unknown threats that lack a signature, and it relies on frequent signature updates to stay current. In contrast, heuristic, anomaly-based, or behavior-based methods focus on patterns, deviations from normal baselines, or suspicious actions rather than fixed signatures.
