Computer systems, networks and data centers are constantly exposed to an ever-evolving variety of attacks that attempt to identify and exploit vulnerabilities of such systems in order to compromise their security and operation. As an example, various forms of malicious software (including but not limited to viruses, worms, Trojans and the like) arrive within data communications received over a network such as the Internet. Once resident within a computer, a malicious program that executes can disrupt operation of the computer to the point of inoperability and/or might spread itself to other computers within a network or data center by exploiting vulnerabilities of the computer's operating system or resident application programs. Additionally, once resident within a computer, a malicious program can spread itself to other computers within a network or data center through legitimate network communication means.
Other malicious programs might be received by and operate within a computer to secretly extract information from the computer and transmit it to remote computer systems for various purposes. As an example, spyware is a form of software that can execute in the background of a computer system (i.e., unbeknownst to users) and can track, record and transmit user input to remote computer systems. Spyware can silently obtain information such as usernames and passwords required to access protected data, lists and contents of files, remote web sites accessed by the user, and so forth. Using such information, spyware can access confidential information belonging to a business or other entity and transmit it to a recipient for malicious purposes.
Computer system developers, software developers and security experts have created many types of conventional preventive measures that operate within conventional computer systems and networks to prevent malicious programs from stealing information or from compromising proper operation of the computer systems and/or networks. As an example, conventional virus detection software monitors incoming data received by a computer system, such as electronic mail messages containing attachments, to identify viruses that might be present within the data accessed by the computer. Conventional data communications devices such as firewalls can be equipped to automatically obtain up-to-date virus and spyware definitions and are able to scan incoming and outgoing data packets in an attempt to identify data transmissions that contain known viruses or spyware. Upon detection of inbound data containing a virus, spyware or another malicious program, the virus detection software operating in the firewall device can quarantine the inbound data so that computer systems in the network protected by the firewall do not become contaminated.
Other examples of conventional malicious attacks, intrusions, or undesirable processing that can cause problems within computer systems or even entire computer networks include but are not limited to reception of unwanted electronic mail (i.e., spam or junk mail), worm attacks, Trojan horse attacks, denial-of-service attacks, execution of malicious mobile code, and rogue employees who steal corporate data using networks as a transport mechanism. These data security threats constantly evolve, and new threats appear on an almost daily basis. Virus attacks, worm attacks, and Trojan horse attacks are variants of each other that generally involve the execution of a program in a computer, often without the user being aware of its existence, that performs undesired processing operations to compromise the computer's proper operation. A denial-of-service attack directs an intentional simultaneous barrage of packets (e.g., many connection attempts) emanating from many different computer systems at one or more target computer systems, such as a web site, in order to overload the processing capabilities of the target computer and thereby disrupt a service or business function that it provides. Buffer overflow attacks occur when programs, typically obtained by a user over a network such as the Internet, do not appropriately check the size of data stored in their internal data structures, so that the data overwrites surrounding areas of memory. Attacks based on buffer overflows might allow an attacker to execute arbitrary code on the target system to obtain privileged access, destroy data, or perform other undesirable functions.
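The missing size check that the buffer overflow passage describes, shown next to its bounds-checked form, as an added C example that is not part of the original document; the record layout, field sizes and the over-long input are constructed for illustration, and the record is held in one byte array so the clobbered neighbouring field can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: an 8-byte name field followed immediately by a
 * one-byte privilege flag at offset 8 (0 = ordinary user). */
#define NAME_LEN 8
#define FLAG_OFF NAME_LEN
#define REC_LEN  16

/* The defect: the input length is never compared with the size of the
 * name field, so a long name runs past it and overwrites the flag. */
void store_name_unchecked(unsigned char *rec, const char *name)
{
    size_t n = strlen(name);
    if (n > REC_LEN) n = REC_LEN;      /* keeps the demo inside the record */
    memcpy(rec, name, n);
}

/* The fix: reject anything that does not fit, including the terminating
 * NUL, and leave the record untouched on failure. Returns 0 or -1. */
int store_name_checked(unsigned char *rec, const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN)                 /* need room for the NUL byte */
        return -1;
    memcpy(rec, name, n + 1);
    return 0;
}

/* Stores NAME with the chosen routine and returns the privilege flag
 * afterwards, so the effect of the missing check is directly visible. */
int flag_after_store(const char *name, int checked)
{
    unsigned char rec[REC_LEN] = {0};
    if (checked)
        store_name_checked(rec, name);
    else
        store_name_unchecked(rec, name);
    return rec[FLAG_OFF];
}

int main(void)
{
    const char *input = "AAAAAAAA\x01";   /* 9 bytes: one past the name field */
    printf("unchecked: flag=%d\n", flag_after_store(input, 0)); /* 1: clobbered */
    printf("checked:   flag=%d\n", flag_after_store(input, 1)); /* 0: rejected */
    return 0;
}
```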
Many of the conventional malicious programs and mechanisms for attacking computer systems, such as viruses and worms, include the ability to redistribute themselves to other computer systems or devices within a computer network, such that several computers become infected and experience the malicious processing activities discussed above. Some conventional attempts to prevent redistribution of malicious programs include implementing malicious program detection mechanisms, such as virus detection software, within data communications devices such as firewalls or gateways installed in an organization's network between different portions of the networked computer systems (e.g., at the entry point from the Internet into that organization's network) in order to halt propagation of malicious programs into the organization's local area network (LAN) or other sub-networks.
Another security threat to modern computer systems is the insider attack. These are often the most difficult to prevent and involve a malicious user, such as an employee within an organization, who intentionally damages the organization by transmitting its information to a competitor. A user can use a common tool such as electronic mail to transmit vital information out of a company in a way that can adversely affect that company's business.