With Internet use forming an ever greater part of day to day life, security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. These exploits are delivered in or through a number of mechanisms, such as spearfish emails, clickable links, documents, executables, or archives. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.
To meet the threats posed by these security exploits, a number of tools capable of retrospective analysis of system performance and state have been developed. For example, the BackTracker tool described in “Backtracking Intrusions” by Samuel T. King and Peter M. Chen (ACM SIGOPS Operating Systems Review—SOSP '03, Volume 37, Issue 5, December 2003, pgs. 223-236) automatically identifies potential sequences of steps that occurred in an intrusion by analyzing a comprehensive log of system activities and data. While such tools can detect security exploits and their manners of operation, they can only operate retrospectively and thus place those attacked at a disadvantage, always one step behind the attacker. Further, these techniques typically operate only on records of a single device, and thus lack the context of activities occurring on other devices, which may be important in determining whether novel or unusual behavior is suspect.