General purpose computers in the form of a CPU afford engineers and other makers a versatile component with which to achieve design goals. Yet their ever-increasing complexity promotes an incremental design style in which functionality is refined after earlier versions of the device have been observed in use. This design strategy is not a convenience but a consequence of the general purpose nature of the CPU and of the impossibility of predicting its behavior in general except by observing it operate (see the halting problem in Turing 1936). The same design difficulties make devices incorporating CPUs susceptible to exploitation through their unforeseen modes of operation. A cyber security industry has arisen to understand and thwart such exploits.
Current tools used by the cyber security industry tend to systematize the practice of its experts. Through this approach, network practices become the domain of firewalls, and forensic tactics for identifying malicious program files become the domain of security information and event management systems. As the techniques used by experts and programs to protect computers disseminate, malicious program developers create new techniques to circumvent them, leading to an escalation in the complexity of the tactics employed by both camps.
Efficiency considerations in current hardware require that only a subset of the activities of an executing program (often called events or indicators) be monitored in any practical malicious program analysis. Common choices include observing changes to the long-term data storage subsystem, log activity, or network flows. A need therefore arises for a representation of executing code that is richer in information than current indicators yet sufficiently compact that it may be manipulated without placing an undue burden on the device being monitored.
As may be appreciated, a computer, in this case, is any collection of CPUs that can share threads of execution, memory, and data.