eli5 pattern matching in cybersecurity


I literally can’t get my brain to understand pattern matching.
Like I have tried with examples my brother have tried explaining multiple times and I just can’t understand it. Please explain to me in the most dumbest way ever. With an example. Please & thank you!

In: 0

Pattern matching in itself is pretty simple. It’s like searching for a word in a text document, just with more options that mainly revolve around having placeholders in your search term (the pattern) that can match multiple different things, instead of matching one and only one thing. So instead of searching the text for “We attack at midnight!”, you might search for “We X at Y!”, where X could be some kind of token you define that can match any of several synonyms for “attack”, and Y is a token that match all text between the word ‘at’ and an exclamation mark.

This kind of pattern matching is useful for a lot of things in IT in general, but in cybersecurity specifically it comes up a lot in relation to Network Intrusion Detection Systems (NIDS). Say you have a computer somewhere that is connected to a network (whether private or the internet at large). It has a network interface that handles all the data going to and from the network through either outgoing connections that you computer establishes to other computers, or incoming connections that your computer accepts from other computers.

Being a security conscious person, you’ve either configured your computer to only connect to, or accept connections from, other computers that you trust, or you’ve set it up so that the software on your computer talking over those connections rejects all incoming data that it doesn’t recognise as relevant to what it is supposed to be doing.

You accept that you might have missed something however, so you also set up security software that looks at all the data coming in at your network interface. This stream of data can be likened to a never-ending text document, and your security software is loaded with a list of patterns that you know would only be present in the data if someone is trying to hack your computer (It could perhaps be an instruction for your computer to do something that other computers are not supposed to be able to make it carry out, but due to faulty programming it will anyway). If a pattern match is found, then the security software can then step in to preserve the safety of your computer, for example by immediately closing the connection the match was found in and refusing all further connections from the computer that it came from until a human being has had a chance to review what happened.