1. Field
The present disclosure relates generally to the field of digital security, and more specifically to detecting activities of interest in network traffic, including the detection of malicious network activities.
2. Description of Related Art
The proliferation of computing technologies has presented challenges in the field of digital security. As is well known, a networked computer (i.e., a network node) may spread malicious computer data to other network nodes, thereby inflicting system disruption and possibly economic loss. One of ordinary skill in the art would appreciate that attacks based on malicious computer data include computer viruses, malware, worms, Trojan horses, bots, intrusions (e.g., unauthorized access), exploits (e.g., escalation of privileges, violation of confidentiality), time-based attacks (e.g., Denial of Service), or the like. The term “threat” is used to describe one or more of these types of attacks.
Digital security technologies may be used to detect and/or remove malicious computer data from network traffic. One of ordinary skill in the art would appreciate that digital security technologies can reside at various network nodes, can be packaged in hardware and/or software, and can include “anti-virus software”, “malware detection”, “intrusion prevention”, “anti-attack”, firewall, or the like, though the terms are not identical in meaning. The term “Unified Threat Management” (“UTM”) has been used to describe one or more of these implementations of digital security technologies.
Conventional digital security technologies typically detect threats using signatures that correspond to specific threats. Existing designs under this paradigm are deficient in at least two ways. First, the detection of a threat relies on the a priori knowledge of the specific threat and the availability of a signature for the specific threat. For example, conventional digital security technologies may rely on a known signature to detect the presence of a known computer virus. Thus, conventional digital security technologies may not be able to detect threats for which a signature is not yet available. For example, conventional digital security technologies may not be able to detect an unknown variation of a known computer virus.
Second, due to the ever-increasing number of known threats, conventional digital security technologies maintain a growing number of signatures. As incoming network traffic is obtained, the maintained signatures are scanned against incoming data for possible threats. The scanning process uses substantial computing resources. By one estimate, in the context of enterprise level data centers, up to 85% of a data center's computing power may be spent on digital security operations, leaving only a fraction of its true capability to business operations. In the context of consumer computers, it should not surprise even the casual computer user that the operation of anti-virus software can cause a computer to become sluggish.
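The two deficiencies described above can be made concrete with a toy signature scanner. The following Python block is an added illustration, not the disclosure's own method or any product's code: the signature database, the "known" and "variant" payloads, and the generated filler signatures are all constructed for the example. It shows that an exact-byte signature detects the sample it was written for but misses a one-character variant, and that the number of window comparisons a naive scanner performs per payload grows linearly with the number of signatures it holds.

```python
"""Toy signature-based scanner (added illustration; all data is constructed).

Demonstrates the two limits of signature matching discussed in the text:
  1. a payload whose bytes differ from every stored signature goes undetected,
     even when it is a trivial variant of a known sample;
  2. the scanning work per payload grows with the number of signatures held.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # exact byte sequence the scanner looks for


# Constructed signature database; these markers are not real threat indicators.
SIGNATURES: List[Signature] = [
    Signature("sample-virus-A", b"PAYLOAD_A_v1"),
    Signature("sample-worm-B", b"WORM_B_MARKER"),
]

# Constructed payloads: a sample the database knows, a variant that changes one
# byte of the marker, and a benign byte string containing no marker at all.
KNOWN_SAMPLE = b"header:PAYLOAD_A_v1:trailer"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")
CLEAN_PAYLOAD = bytes(range(32, 127)) * 2  # 190 bytes of ascending ASCII


def naive_scan(payload: bytes, signatures: List[Signature]) -> Tuple[Optional[str], int]:
    """Slide every signature over the payload; return (hit name or None, comparisons).

    The comparison count models the cost point in the text: each signature
    adds roughly len(payload) window checks for every payload scanned.
    """
    checks = 0
    for sig in signatures:
        n = len(sig.pattern)
        for offset in range(len(payload) - n + 1):
            checks += 1
            if payload[offset:offset + n] == sig.pattern:
                return sig.name, checks  # first hit ends the scan
    return None, checks


def generated_signatures(count: int) -> List[Signature]:
    """Build `count` constructed filler signatures to model a growing database."""
    return [Signature(f"gen-{i}", f"GEN_SIG_{i:04d}".encode()) for i in range(count)]


def detection_summary() -> dict:
    """Run the scanner over the constructed payloads and report what it finds."""
    return {
        "known": naive_scan(KNOWN_SAMPLE, SIGNATURES)[0],
        "variant": naive_scan(VARIANT_SAMPLE, SIGNATURES)[0],
        "clean": naive_scan(CLEAN_PAYLOAD, SIGNATURES)[0],
    }


def scan_cost(extra_signatures: int) -> int:
    """Comparisons needed to clear the clean payload against the base database
    plus `extra_signatures` constructed entries."""
    db = SIGNATURES + generated_signatures(extra_signatures)
    return naive_scan(CLEAN_PAYLOAD, db)[1]


if __name__ == "__main__":
    print(detection_summary())
    for extra in (0, 100, 1000):
        print(f"{len(SIGNATURES) + extra:5d} signatures -> {scan_cost(extra):7d} comparisons")
```

The variant is missed not because it is less harmful but because the scanner has no prior knowledge of its exact bytes, which is the first deficiency; the comparison counts show that every signature added to the database is paid for on every scanned payload, which is the second. Real products use far more efficient multi-pattern matchers than this sliding window, but the dependence on prior knowledge and on database size remains.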
Despite improvements in the field, conventional digital security technologies continue to be limited by these deficiencies, which are consequences of their design.