Computer security systems utilize signatures of known malicious code or activities to identify specific attacks. Commercial security system vendors maintain large collections of such signatures, which are created over time based on security research and the monitoring of malicious activity across a wide base of organizations and endpoints. The triggering of an individual signature points to an individual security problem, such as JavaScript trying to communicate with a known malicious host, a given fake antivirus advertisement, a reconnaissance of browser plugins, a suspicious port scan, a Flash presence, a network service deficiency, an operating system exploit, etc. When triggered, a signature generates a specific alert concerning the corresponding security issue.
However, contemporary complex attacks consist of multiple malicious activities, which are not detected as a unified attack through individual signature-based alerting. These complex attacks can use multiple steps to probe, infect and maintain a presence on systems. Such complex multipart attacks are not described by single signatures. A single alert provides no information as to what previous malicious events are likely to have occurred, or what attempted attacks are likely to follow.
Complex attacks may also have stealthy features, such as spreading exploit attempts over long time intervals in order to avoid detection. Furthermore, complex attacks do not necessarily follow any predetermined ordering of execution stages. For example, an attacker using an exploit kit can try different individual exploits at different hosts at different times, thus triggering different alerts in different orders on different machines.
It would be desirable to address these issues.
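The correlation gap described above, illustrated with an added example that is not part of this document: per-host alerts from individual signatures are grouped over a long time window and matched against the probe/infect/persist stages regardless of the order in which they fired. The signature identifiers, stage mapping and alert log are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping from signature id to attack stage (ids are constructed, not vendor signatures).
SIGNATURE_STAGE = {
    "SIG-PLUGIN-RECON": "probe",
    "SIG-PORT-SCAN": "probe",
    "SIG-FLASH-EXPLOIT": "infect",
    "SIG-OS-EXPLOIT": "infect",
    "SIG-BEACON-KNOWN-BAD-HOST": "persist",
}
REQUIRED_STAGES = frozenset({"probe", "infect", "persist"})

# Constructed alert log: (timestamp, host, signature id). Each line is one isolated signature alert.
SAMPLE_ALERTS = [
    ("2024-01-01T09:00", "hostA", "SIG-PORT-SCAN"),
    ("2024-01-01T09:05", "hostB", "SIG-FLASH-EXPLOIT"),          # infect fires first on hostB
    ("2024-01-03T14:20", "hostA", "SIG-FLASH-EXPLOIT"),
    ("2024-01-04T08:10", "hostB", "SIG-PLUGIN-RECON"),           # probe fires later on hostB
    ("2024-01-06T22:45", "hostA", "SIG-BEACON-KNOWN-BAD-HOST"),
    ("2024-01-20T11:00", "hostB", "SIG-BEACON-KNOWN-BAD-HOST"),  # persist, 19 days after hostB's first alert
    ("2024-01-02T10:00", "hostC", "SIG-OS-EXPLOIT"),             # a single alert, no multi-step chain
]


def correlate(alerts, window_days=7):
    """Return {host: (start, end, sorted stages)} for every host whose alerts
    cover all REQUIRED_STAGES within some span of window_days, in any order."""
    per_host = defaultdict(list)
    for ts, host, sig in alerts:
        if sig in SIGNATURE_STAGE:  # ignore signatures that map to no stage
            per_host[host].append((datetime.fromisoformat(ts), sig))
    window = timedelta(days=window_days)
    found = {}
    for host, events in per_host.items():
        events.sort()  # chronological, but stage order inside the window is not enforced
        for i, (start, _) in enumerate(events):
            span = [(t, s) for t, s in events[i:] if t - start <= window]
            stages = {SIGNATURE_STAGE[s] for _, s in span}
            if REQUIRED_STAGES <= stages:
                found[host] = (start, span[-1][0], sorted(stages))
                break  # report the earliest complete chain per host
    return found


if __name__ == "__main__":
    for days in (7, 30):
        print(days, "day window:", correlate(SAMPLE_ALERTS, window_days=days))
```

With a 7-day window only hostA is reported; hostB's chain, spread over 19 days with the infect stage before the probe stage, is only recovered when the window is widened to 30 days, which is the stealth and ordering problem the text describes.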