The approaches described in this section could be pursued but are not necessarily approaches that have previously been conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Traditional client-server architecture of data networks tends to deliver security services in a non-distributed fashion. Firewalls, intrusion prevention systems, intrusion detection systems, and other security systems are typically located between a trusted network (e.g., an enterprise network), and a public network (e.g., the Internet), where the public network is normally assumed to be insecure. Thus, traditional security systems are positioned in such a way that network traffic needs to pass through the security systems before the trusted network can be reached.
A distributed network may include enterprise infrastructure resources spread over a number of networks, processors, and intermediary devices. Similarly, network traffic associated with a distributed network (e.g., an incoming traffic or data to be processed), can be spread over a plurality of virtual and/or physical machines (e.g., servers and hosts) within the distributed network. Thus, a distributed network lacks a single point of entry where traditional security systems can be positioned.
Currently, service providers and enterprises tend to use data centers established within distributed network environments. Because data centers are often occupied by multiple parties, data center providers cannot guarantee that each party occupying the data centers can be trusted. Thus, if an attacker gains access to one host within a data center, other hosts can become compromised as malware from the effected host can spread across the data center to assets of other parties. A traditional security system cannot prevent such an attack because the attack is occurring inside the data center well past any entry points where traditional security systems are normally located.
Furthermore, a traditional security system merely blocks malicious data traffic upon detection without performing any further analysis with regards to the attacker. This approach leaves the intent of the attacker unknown. Accordingly, no improvements to future security response are made.