Over the last decade, malicious software has become a pervasive problem for Internet users as most networked resources include software vulnerabilities that are subject to attack. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto network devices, such as vulnerabilities within operating systems for example. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network resources continue to be the targeted by exploits.
In general, an exploit is information that attempts to take advantage of a vulnerability by adversely influencing or attacking normal operations of a targeted computer. As an illustrative example, a Portable Execution Format (PDF) file may be infected with an exploit that is activated upon execution (opening) of the PDF file and takes advantage of a vulnerability associated with particular version or versions of Acrobat® Reader or another PDF reader application. This type of malicious attack may be designed to subsequently control operations of the targeted computer, which may include secretive transmission of stored sensitive information.
Currently, known security appliances are deployed with the capability of conducting a static analysis of a single flow for anomalous behavior that may represent a malicious attack. However, such analysis has been prone to false negatives because conventional security appliances fail to analyze the characteristics associated with multiple related flows.