In today's society, users and organizations increasingly rely on network and other service providers to gain access to the Internet, request and access various types of content, access software applications and software services, access large volumes of data, and perform a variety of other tasks and functions. As more users and organizations become reliant on technology and service providers for an ever-increasing variety of services and needs, the number of network-based attacks perpetrated by individuals both inside and outside of service provider networks will continue to increase. Attacks, such as advanced persistent threat attacks that are perpetrated by malicious insiders, have become serious problems that directly affect service providers and their subscribers on a large scale. As an example, the recent wave of ransomweb attacks that have affected websites typically involves an attacker encrypting critical parameters, such as passwords, with a secret key that the attacker controls. The changes to the systems perpetrated by such attacks are often subtle and are not noticed until the attacker removes the secret key and demands some form of ransom. Once the attacker removes the secret key, systems affected by the attack are rendered inaccessible to users. Such an attack has characteristics of both an advanced persistent threat attack and destructive malware.
In the previously described ransomweb attack, the dynamic behavior of the system often changes during the course of the attack. For example, each time a user is authenticated, the system may have to access a secret key that is located remotely on the Internet. This change to the system behavior may go undetected. Since many users may be accessing the service provided by the service provider at the same time, the system may need to access the Internet anyway, and that access may mask the extraneous key access. To counteract such attacks, current remedies include performing integrity checking on files. While file integrity checking is typically good practice, a malicious insider can easily circumvent such integrity checks due to the dynamic nature of files. For example, a malicious administrator who maintains the service may insert an encrypting script into a website associated with the service at the next scheduled code change for the website.
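The per-authentication key access described above can be told apart from unrelated Internet traffic by measuring how tightly each outbound destination tracks login events. The following Python code is an added example, not part of the original text; the event format, hostnames, time window, and thresholds are constructed assumptions.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict

# Constructed sample events: (seconds, kind, value). Hostnames are placeholders.
EVENTS = [
    (10.0, "auth", "alice"), (10.2, "conn", "keys.example.net"),
    (12.0, "conn", "cdn.example.org"),
    (25.0, "auth", "bob"), (25.3, "conn", "keys.example.net"),
    (25.4, "conn", "cdn.example.org"),
    (40.0, "conn", "api.example.com"),
    (58.0, "auth", "carol"), (58.1, "conn", "keys.example.net"),
    (70.0, "conn", "cdn.example.org"),
    (90.0, "auth", "dave"), (90.4, "conn", "keys.example.net"),
    (95.0, "conn", "api.example.com"),
]


def auth_coupled_destinations(events, window=1.0, min_auths=3, threshold=0.9):
    """Return {destination: (coverage, exclusivity)} for outbound destinations
    whose connections track authentication events.

    coverage    = share of authentications followed by a connection to the
                  destination within `window` seconds
    exclusivity = share of the destination's connections that occur within
                  `window` seconds after some authentication
    """
    auths = sorted(t for t, kind, _ in events if kind == "auth")
    conns = defaultdict(list)
    for t, kind, dest in events:
        if kind == "conn":
            conns[dest].append(t)
    flagged = {}
    if len(auths) < min_auths:  # too few logins to judge coupling
        return flagged
    for dest, times in conns.items():
        times.sort()
        # Authentications with at least one connection in [a, a + window].
        covered = sum(1 for a in auths
                      if bisect_right(times, a + window) > bisect_left(times, a))
        # Connections with at least one authentication in [c - window, c].
        tied = sum(1 for c in times
                   if bisect_right(auths, c) > bisect_left(auths, c - window))
        coverage, exclusivity = covered / len(auths), tied / len(times)
        if coverage >= threshold and exclusivity >= threshold:
            flagged[dest] = (coverage, exclusivity)
    return flagged


if __name__ == "__main__":
    print(auth_coupled_destinations(EVENTS))
```

A legitimate per-login dependency, such as an external identity provider, scores the same way, so the output is a list to compare against the service's known dependencies.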