The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
Typically, software and Internet-based companies own many servers, databases, and file systems that can hold an enterprise's data and/or software, and a breach of the security of that data and/or software could ruin the enterprise. Cloud-based companies that hold data for a large number of customers are especially sensitive to security. Even a single security breach in which just one customer's data and/or software is stolen could severely damage the reputation of a cloud-based company.
Even though many software applications have been created to monitor servers, databases, and file systems for suspicious activity, intrusion detection has remained a fundamentally difficult problem. Complex computer systems may track a long trail of unusual activity by users, but only a small percentage of such activity may be malicious. Sufficiently large amounts of data are not available to identify which activities were confirmed to be malicious and which activities were not malicious. Consequently, many intrusion detection systems resort to unsupervised methods, which tend to take some form of an “unusualness” detector, but such detections typically have high false positive rates. Furthermore, a persistent and/or sophisticated intruder attempts to circumvent any installed detection system by hiding their activity, making this activity difficult to detect as “unusual.” Additionally, if such an intruder has knowledge of methods used by common intrusion detection systems in general, or the specific intrusion detection system used by a particular company, the intruder can use this knowledge to avoid detection.