As threats from malware (e.g., computer viruses, Trojan horses, worms) continue to grow, network security remains a challenge for network administrators. Current detection techniques are generally reactive: they are designed to respond to known malware that has already spread. That is, when new malware is discovered, its identifying characteristics are used to identify future instances of that malware. Applied to a network, this detection technique may allow malware to spread under some conditions.
Current network access control architectures are typically limited to static role designations that usually correspond to a particular class of device (e.g., access requestor, Policy Enforcement Point, access server, Policy Decision Point). Furthermore, the network boundary is implicitly defined by the topology of the devices acting as Policy Enforcement Points.