An enterprise computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the enterprise network to different security vulnerabilities.
Conventional techniques for detecting network attacks use pattern matching. For example, an enterprise may deploy one or more security devices that inspect network traffic for viruses or other security threats. The security device typically applies regular expressions or sub-string matches to the network traffic to detect defined patterns within a protocol stream. Multiple patterns may be used in an attempt to detect different types of attacks and generally improve the accuracy and robustness of the attack detection.