Security is an important issue in modern computer networks. Some intrusion detection programs can be trained to detect suspicious activities and prevent attacks aimed at host computers. The training typically involves observing the operations of processes running on the system or on the network under protection, and modeling normal process behaviors based on the observations. Behaviors that deviate from the models are generally deemed suspicious and may be prevented.
While it is useful to provide security protection using the behavior modeling methods described above, several problems remain. Since the typical intrusion detection program relies on training, no behavioral information can be derived until a run-time instance of a process becomes available, and the program usually cannot protect the process before then. Furthermore, for processes that are already running, there is often a long learning cycle during which the intrusion detection programs do not provide protection, leaving the system vulnerable to attack. Also, existing programs are typically implemented using large configuration lists to track system behavior and tend to be resource intensive. In addition, these existing programs usually do not offer sufficient insight into the risks to which the system is vulnerable. It would be desirable to have a way to offer intrusion detection and protection without requiring extensive learning periods. It would also be useful if such a technique could be efficiently implemented and would provide better risk information.