Most computer networks are connected to the Internet. This is particularly the case with networks operated by companies to allow communication between the computers of their employees (sometimes referred to as “enterprise networks”). Even where “firewalls” are used correctly, the flow of network traffic between an enterprise network and the Internet can be used by hackers to attack the enterprise network. Current intrusion detection systems (IDS) and intrusion protection systems (IPS) are based on inspecting the packets in data traffic and comparing them with patterns, sometimes referred to as “packet signatures”, recorded in a database and indicative of previous attacks. An alert is issued when an inspected packet matches one of the previously recorded signatures. However, because this approach checks only against a record of previous attacks, it can fail to detect or protect against new attacks that differ from previous ones. This is one drawback of existing approaches.
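As an added illustration (not part of the original text), the following Python sketch models the signature-based IDS described above with a constructed signature store and constructed packets; the signature names, byte patterns and traffic are all invented for this example. It shows the drawback the text names: packets that reuse a recorded pattern are flagged, while packets carrying the same intent with different bytes produce no alert.

```python
import re

# Constructed signature database standing in for the IDS/IPS pattern store.
# Each pattern is a byte sequence assumed to have been seen in an earlier
# (hypothetical) attack; the strings are invented for this example.
SIGNATURES = {
    "beacon-v1": re.compile(rb"X-Agent: beacon/1\.0"),
    "cmd-upload": re.compile(rb"cmd=upload&dest=/tmp/"),
}

def match_signatures(payload: bytes) -> list[str]:
    """Names of every recorded signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]

def evaluate(packets: list[tuple[bytes, bool]]) -> dict:
    """Run labelled packets through the matcher and tally the outcome.

    Each packet carries a ground-truth flag saying whether it is malicious,
    so the caller can see which malicious packets the signature store misses.
    """
    detected, missed, false_alerts = [], [], []
    for payload, is_malicious in packets:
        alerts = match_signatures(payload)
        if is_malicious and alerts:
            detected.append(payload)
        elif is_malicious:
            missed.append(payload)          # novel variant: no recorded signature
        elif alerts:
            false_alerts.append(payload)    # benign traffic matching a pattern
    return {"detected": detected, "missed": missed, "false_alerts": false_alerts}

# Constructed traffic sample: two packets that reuse recorded patterns, two
# that carry the same intent with slightly different bytes (a "new attack"
# in the text's sense), and one benign request.
PACKETS = [
    (b"POST /c2 HTTP/1.1\r\nX-Agent: beacon/1.0\r\n", True),
    (b"POST /api HTTP/1.1\r\n\r\ncmd=upload&dest=/tmp/x", True),
    (b"POST /c2 HTTP/1.1\r\nX-Agent: beacon/1.1\r\n", True),          # version bumped
    (b"POST /api HTTP/1.1\r\n\r\ncmd=upload&dest=/var/tmp/x", True),  # different path
    (b"GET /index.html HTTP/1.1\r\nX-Agent: browser/9\r\n", False),
]

if __name__ == "__main__":
    result = evaluate(PACKETS)
    print(f"detected {len(result['detected'])}, missed {len(result['missed'])}, "
          f"false alerts {len(result['false_alerts'])}")
```

Run as written, the store catches the two packets it has seen before and misses both variants, which is the gap the text attributes to signature matching.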
Furthermore, this shortcoming is difficult to address by basing an IDS or IPS on identifying anomalous behaviour in network activity that might indicate an attack, because a regular pattern of activity is hard to identify on most networks, and detecting anomalies against such a pattern is therefore at least as problematic.
As compromised network security can have catastrophic consequences for a company, and indeed for governmental organisations, there exists an urgent need to address these problems and to provide a solution for detecting malicious activity directed at networks.