The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
A majority of businesses and other organizations today rely on computer systems and networks for an increasingly wide variety of business operations. As reliance on computing technologies has grown, so too has the importance of securing computer systems and networks against internal and external security threats. However, the range and complexity of security threats targeting such computer systems and networks is broad and ever growing. To monitor and address these security threats, organizations increasingly rely on sophisticated computer security applications and hardware such as firewalls, anti-virus tools, data loss prevention (DLP) software, etc.
Existing security applications determine whether network traffic or activity directed from an external network poses a security threat to an internal network or to the networked resources of that internal network. Existing security applications typically use rules to determine whether to allow or block network traffic from entering the internal network. However, existing security applications may not recognize some network activity as attack activity when it first reaches an externally accessible resource of a network. In these cases, existing security applications may permit this network activity to enter the internal network and pass unchecked to other resources in the internal network. Allowing the attack activity to spread to other resources of the internal network can leave many resources in a compromised state.
A deficiency of existing security analysis methods can be attributed to their focus on “inside” vs. “outside,” or secure vs. insecure. Devices typically seek to create a secure internal network by applying scanning and policies to traffic traversing the device boundary from an external environment. Even where additional environments exist, such as demilitarized zones that straddle the secure and insecure networks, security devices act as border guards rather than as surveillance networks. For this reason, existing security infrastructures are often fooled by new attacks and have difficulty analyzing behavior in real time. Even systems that can detect some new attacks in a sandbox or isolated environment do so at the boundary and cannot extend that capability into the internal network.