Existing techniques for detecting malicious network activity generally rely on rules-based systems and processes in which network administrators implement rules to detect known threats. For example, currently available tools such as Bro (now known as Zeek) compare observed network activity against administrator-written rules and signatures derived from previously known incidents.
These techniques are inherently reactive: they mitigate or otherwise address only threats that have already been discovered and encoded as rules. By the time such a rule is written and deployed, the malicious activity may have already caused considerable harm to the affected network.
A need exists, therefore, for methods and systems that are more proactive in identifying malicious network activity.