While providing easy access to information, network systems, such as the Internet or intranets, can be vulnerable to attacks seeking to disrupt network operations or gain unauthorized access to sites on the network. Current attack detection techniques can rely on detecting malicious actions on the target network or system, or on detecting network traffic associated with potential attacks (e.g., port scans), using various types of intrusion detection systems. Detecting malicious actions can require detecting possible attack behaviors and distinguishing them from “normal” behaviors on the host computer. Accurately categorizing the large number of both malicious and normal behaviors that can occur can be a daunting task. Thus, such detection techniques can have a high false alarm rate, i.e., detecting normal behavior as malicious, and/or a high false negative rate, i.e., missing malicious behavior or misidentifying it as normal.
Network-based intrusion detectors can detect rapid port scans that can be associated with an attack on a network. Such attacks can attempt to quickly scan a directory or naming service to obtain lists of network addresses (referred to hereinafter merely as “addresses” or “an address”) to be targeted for attacks. The intrusion detection systems can recognize the rapid scanning for addresses as a prelude to future attacks and can seek to prevent the attacks by refusing access to the addresses and/or identifying the source of the address queries for further disciplinary actions, such as shutting down or quarantining the source. However, because such intrusion detection systems typically key on the rate of queries, they can tend to miss slow scans accomplished over a period of days or weeks.
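As an added illustration that is not part of the original text, the following Python detector counts the distinct addresses a source queries within a time window; the constructed lookup events, the source names and the thresholds are assumptions. It shows why a short rate window catches the rapid scan but misses the slow one, while a long horizon catches both.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of address-lookup events: (timestamp, source, queried address).
# "fast-src" queries 20 addresses within seconds, "slow-src" queries the same
# 20 addresses one per day, and "normal-src" repeatedly queries a single address.
BASE = datetime(2024, 1, 1)
EVENTS = (
    [(BASE + timedelta(seconds=i), "fast-src", f"host{i}") for i in range(20)]
    + [(BASE + timedelta(days=i), "slow-src", f"host{i}") for i in range(20)]
    + [(BASE + timedelta(hours=6 * i), "normal-src", "host1") for i in range(20)]
)

# Assumed detector settings: a one-minute window models the rapid-scan
# detector described above; a 30-day horizon models a slow-scan detector.
RAPID_WINDOW = timedelta(minutes=1)
SLOW_HORIZON = timedelta(days=30)
DISTINCT_THRESHOLD = 10


def scanning_sources(events, window, threshold):
    """Return the set of sources that query more than `threshold` distinct
    addresses inside any sliding window of length `window`."""
    per_source = defaultdict(list)
    for ts, src, addr in sorted(events):
        per_source[src].append((ts, addr))
    flagged = set()
    for src, items in per_source.items():
        for i, (start, _) in enumerate(items):
            # Distinct addresses queried from this event until the window closes.
            distinct = {a for t, a in items[i:] if t - start <= window}
            if len(distinct) > threshold:
                flagged.add(src)
                break
    return flagged


def rapid_scan_alerts(events=EVENTS):
    """Rate-based detector: catches the fast scan, misses the slow one."""
    return scanning_sources(events, RAPID_WINDOW, DISTINCT_THRESHOLD)


def slow_scan_alerts(events=EVENTS):
    """Long-horizon detector: catches both scans, ignores the repeat lookups."""
    return scanning_sources(events, SLOW_HORIZON, DISTINCT_THRESHOLD)


if __name__ == "__main__":
    print("rapid window flags:", sorted(rapid_scan_alerts()))
    print("slow horizon flags:", sorted(slow_scan_alerts()))
```

The long horizon costs memory proportional to the distinct addresses seen per source, which is the trade-off a slow-scan detector has to make.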