Behavioral rules define a profile of legitimate activity. Activity that does not match the profile triggers an event. For example, you can set a rule stating that only a web server process should access web files. If another process attempts to access a web file, this behavioral rule triggers an event.
Host Intrusion Prevention combines the use of signature rules and hard-wired behavioral rules. This hybrid method of identifying attacks detects most known attacks as well as previously unknown or zero-day attacks.