Malware infection is a major problem for users of Internet-connected network devices, such as computers, cell phones, iPod™ devices and personal digital assistants (PDAs). Malware comes in a number of forms, for example viruses, worms, spyware, adware, Trojans, bots, root-kits and other similar forms. Infection by malware can cause a device to malfunction, reveal personal information, participate in illegal activities, reinfect others and cause embarrassment and liability to the owners of the infected devices.
Various intrusion-detection system (IDS) mechanisms have tried to address this threat. Typically, each of the known IDS mechanisms has implementation drawbacks. For example, host-based detection systems require detection software on the host system. Some users object to having to run invasive, and potentially performance-impacting, software on their computing device. Existing network-based systems typically focus on who and what are being attacked rather than on detecting evidence of infection, and are not designed to inform the end user that an infection has been detected.
Although there are intrusion detection systems that can be used to detect malware based on traffic on a network, these systems are typically intended for deployment on a single computer or small network. Current intrusion detection systems cannot scale to a deployment large enough to effectively determine malware infections of computers attached to a large network, such as an Internet Service Provider's (ISP) network. These networks may commonly have millions or tens of millions of subscribers connected.
It is therefore desirable to have a system that can detect the presence of malware on computers connected to a large network.