It is signature based which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years are associated with unwanted network traffic, be it worms, port scans, or intrusions.
FORBES: DHS Deploying Wrong Weapons In Cyberwar