The first approach involves a behavior library that encodes negative patterns, shown as red minus signs in the following diagram, and recognizes that observed behavior corresponds to identifying a match in the library. If a new pattern can be matched against negative patterns, then it is considered suspicious:

For example, when you visit a doctor, he/she inspects various health symptoms (body temperature, pain levels, affected areas, and so on) and matches the symptoms to a known disease. In machine learning terms, the doctor collects attributes and performs classifications.

An advantage of this approach is that we immediately know what is wrong; for example, assuming that we know the disease, we can select an appropriate treatment procedure.

A major disadvantage of this approach is that it can only detect suspicious patterns that are known in advance. If a pattern is not inserted into a negative pattern library, then we will not be able to recognize it. This approach is, therefore, appropriate for modeling known knowns.