A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks or a SAMSAM ransomware variant.
You get just a general understanding, and this in particular might get you puzzled.
AMP is cloud-based reputation. It works in real time on suspicious events.
The signature engine uses strings in regular-expression-based patterns to detect intrusions.
See how Talos designed string patterns for threat analysis.
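
How a regex-based signature engine evaluates traffic, as an added example (not part of the original text and not Talos or Cisco code): each signature is a set of regular-expression rules that must all match a payload. The signature IDs, messages, patterns and payloads are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int          # constructed ID, not a real vendor signature ID
    msg: str
    patterns: tuple   # compiled regexes; ALL must match for the signature to fire

    def matches(self, payload: bytes) -> bool:
        return all(p.search(payload) for p in self.patterns)

def make_sig(sid, msg, *regexes):
    # Case-insensitive so trivial case changes do not bypass the string match.
    return Signature(sid, msg, tuple(re.compile(r, re.I | re.S) for r in regexes))

# Constructed signatures for illustration only.
SIGNATURES = [
    make_sig(9000001, "ransom-note text in an HTTP response",
             rb"^HTTP/1\.[01] 200",
             rb"your files (are|have been) encrypted"),
    make_sig(9000002, "oversized header value in an HTTP request (DoS-style)",
             rb"^(GET|POST) ",
             rb"\r\n[\w-]+: [^\r\n]{1024,}"),
]

def scan(payload: bytes) -> list:
    """Return the IDs of every signature whose rules all match the payload."""
    return [s.sid for s in SIGNATURES if s.matches(payload)]

# Constructed payloads.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RANSOM_NOTE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b"YOUR FILES HAVE BEEN ENCRYPTED")
LONG_HEADER = b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n"
# Same phrase, but in a client request: the first rule of 9000001 fails,
# so a user quoting the note in a forum post does not raise an alert.
QUOTED_PHRASE = (b"POST /forum HTTP/1.1\r\nHost: example.test\r\n\r\n"
                 b"help, it says your files are encrypted")

if __name__ == "__main__":
    for name, data in [("benign", BENIGN), ("ransom note", RANSOM_NOTE),
                       ("long header", LONG_HEADER), ("quoted phrase", QUOTED_PHRASE)]:
        print(f"{name}: {scan(data)}")
```

Requiring every rule in the set to match, rather than a single string, is what keeps the quoted-phrase payload from producing a false positive.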