The signatures distill network information and compare it against a rule set indicating typical intrusion activity. If a signature detects misuse or unauthorized activity, it generates an event, which, if it indicates a severe violation, causes an alarm to appear.