Complex software systems are commonplace in modern organizations and are considered critical to daily operations. These systems are expected to run on a diverse set of platforms while interoperating with a wide variety of other applications and servers. As complex as these systems are, they are still susceptible to software faults. Faults in such heavily depended-upon, complex systems can be costly. Software faults still regularly cause system downtime. Downtime of critical applications can create additional work, cause delays, and lead to financial loss. Faults are difficult to detect before an executing system reaches a point of failure, as the first symptom of a fault is often system failure itself. While it is unrealistic to expect software to be fault-free, actions such as resetting the software, quarantining specific software features, or logging the software's state prior to the failure for later analysis can be taken.
Malicious software (malware) is also a concern to users and/or administrators of complex software systems. Distributed software systems are particularly vulnerable to worms, which are a special type of malware. Worms use a network to propagate and self-replicate, like viruses, but do not need human intervention to initiate the replication process. As a result, worms can spread uncontrollably and rapidly to many computer systems on the same network. For example, a worm can spread by exploiting a security vulnerability, such as a buffer overflow, in a service. Worms can immediately harm a computer system by, for example, erasing contents from the system's hard drive, and may also alter the state of the computer system so that it becomes vulnerable to a future attack. One way to alter the state of a system is via the creation of a back door. Back doors create a secret access channel that is used to interact with (e.g., connect to, control, or spy on) a victim's system. Another way to alter the state of the system is to convert it into a zombie computer known as a bot. The operator of a network of bots (botnet) can send out a worm to infect users with a malicious bot. The bot on the infected computer can log onto a server, such as an Internet Relay Chat (IRC) server, which acts as the malicious command and control center for the botnet. Anti-virus programs (e.g., SYMANTEC and MCAFEE) search for worms by scanning for signatures in the binary code of each program's executable file on a computer system. A signature is a unique sequence of code that is found in a malware's executable file. The anti-virus program maintains a frequently updated database of known virus signatures.
Unfortunately, scanning executable files for malware signatures is an imperfect solution because of polymorphic and metamorphic malware, which encrypt and mutate the code of a worm every time it is replicated, thus making it impossible for signature-based anti-virus programs to identify them.