recognizes known attacks
often built into endpoint protection software
looks for behavioral characteristics to block access on the system