Attacks on a network system may vary from attempts to interfere with or terminate the operability of the network system to unauthorized use of or access to network assets or data stored or processed within or by the network system. Regardless of the nature of the attack, the attacker often probes the network system to learn as much as possible about the system and its assets and so determine potential ways of attacking it. Probing a network system to gather information about it is generally referred to as “network reconnaissance.”
Because network reconnaissance is usually a precursor to a network attack, “intrusion detection systems” and other network security devices have been developed to try to detect it. Some conventional detection systems and security devices rely on probe signatures to identify probes associated with network reconnaissance. However, a capable attacker can defeat most conventional detection systems and security devices in a number of ways, including disguising the probes so that they no longer match a probe signature, or using “low and slow” techniques that take advantage of the limited temporal view of most conventional detection systems.
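The limited temporal view described above can be seen from the defender's side in the following added example, which is not part of the original text. It assumes a simple detector that counts distinct targets per source inside a sliding window; the threshold, window lengths, addresses and events are all constructed for illustration.

```python
from collections import defaultdict

def flag_scanners(events, window_s, threshold):
    """Return sources that touched >= threshold distinct (host, port)
    targets inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, (dst, port)))
    flagged = set()
    for src, hits in by_src.items():
        counts = defaultdict(int)   # target -> occurrences inside the window
        start = 0
        for ts, target in hits:
            counts[target] += 1
            # Drop events that have aged out of the detector's temporal view.
            while hits[start][0] <= ts - window_s:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                flagged.add(src)
                break
    return flagged

def sample_events():
    """Constructed data: (unix_seconds, src, dst, dst_port)."""
    events = []
    # Fast probe: 20 ports in 20 seconds.
    events += [(1000 + i, "198.51.100.7", "10.0.0.5", 1 + i) for i in range(20)]
    # Low-and-slow probe: same 20 ports, one every 30 minutes.
    events += [(1000 + i * 1800, "203.0.113.9", "10.0.0.5", 1 + i) for i in range(20)]
    # Benign client: repeated traffic to two services.
    events += [(1000 + i * 60, "10.0.0.23", "10.0.0.5", (80, 443)[i % 2]) for i in range(200)]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("60 s view :", sorted(flag_scanners(ev, 60, 10)))
    print("24 h view :", sorted(flag_scanners(ev, 86400, 10)))
```

Widening the window catches the slow source here, but it also grows the per-source state the detector has to hold.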