One conventional approach to preventing malicious activity on a computer network is to scan network traffic for malicious signatures listed on a signature blacklist. For example, network devices such as a firewall can be configured to block network traffic containing a specific domain (i.e., website), a specific IP address, or a specific Uniform Resource Locator (URL). Some network devices may even block network traffic if the network devices find blacklisted signatures within files, javascript and/or Flash objects.
Another conventional approach to preventing malicious activity on a computer network is to intercept network traffic containing potentially malicious code and then run that code in a sandbox (i.e., a computerized platform which is isolated from the network). If the code running in the sandbox turns out to be malicious (e.g., by infecting a sandbox device with a computer virus, by attempting to spread malware, by attempting to extract data and communicate that data to an attacker's device, etc.), the effects are contained and prevented from spreading to devices on the network.
Unfortunately, there are deficiencies to the above-described conventional approaches to preventing malicious activity on a computer network. For example, there are many threats that go undetected by blacklists such as those having newer malicious signatures that have not yet been added to the blacklists Additionally, experimenting with potentially malicious code in a sandbox typically requires close and extensive attention from a human expert.