With the widespread use of web-based applications and the Internet in general, concerns have been raised with the availability of server protection against malicious content sent through seemingly innocuous packets requesting access to server-based applications. Such packets may include viruses, data sniffers, or other undesirable and unauthorized requests to the application server. Some of the most serious network security threats come from attacks that target vulnerabilities in enterprise applications. In order to prevent the introduction of undesirable packets, networks implement so-called firewalls that examine incoming packets according to different rules that detect undesirable data in packets.
The application of different rules to examine incoming packets for content that has a undesirable effect is known as negative security. Negative security may be defined as a security approach that detects undesirable content (such as a virus, an attack, exploitation of a vulnerability, etc.) by maintaining a list of indicators such as patterns and signatures of the undesirable content. A rule includes a given representation of the undesirable content provided to a matching agent in order to check whether or not an item such as a packet contains the content that is represented in the list. An advantage of this approach is that if the undesirable content is known and how to find the content is known, then negative security is an easy and simple way to find undesirable content through the application of rules. The disadvantage to such an approach is that network protection is limited to existing rules and does not detect malicious packets that are written to circumvent existing rules. Network administrators therefore constantly update and add rules to detect new known threats. However, the application of multiple rules requires multiple passes over an incoming packet to check the rule, as each pass of the packet must be performed for each different rule. The use of more rules to detect new threats therefore increases computational overhead to the application of such rules for negative security.