Hard-coded behavioral rules define a profile of legitimate activity. Activity not matching the profile is considered suspicious and triggers a response. For example, a behavioral rule might state that only a web server process should access HTML files. If any other process attempts to access html files, action is taken. These rules provide protection against zero-day and buffer overflow attacks.