The need for more advanced computer security has continued to rise as computer attacks have become more varied and sophisticated. Computer networks contain vital data and thus strong security measures are necessary to prevent the compromise of such data. However, conventional computer security does not provide adequate protection because it does not reflect how computer attacks have evolved.
Conventional security software and hardware includes virus/worm detection and intrusion detection and prevention systems. Conventional systems typically take the form of either network-based devices, such as intrusion detection systems (IDS) and firewalls, or end-system-based software, such as virus detection software. Such systems are ill-equipped to deal with many forms of attack. Network devices face the challenge of detecting increasingly sophisticated attacks on increasingly high-speed links: an IDS or firewall must be able to assess the potential threat of every conversation that traverses it. Moreover, such network perimeter-based protection systems cannot protect an enterprise from attacks that originate within the enterprise network, for example, from an infected laptop computer unwittingly attached to the corporate network by an employee.
The application of conventional security methods that rely on the use of signatures or rules, or on the use of so-called anomaly detectors, to detect the many varied types of attacks that can occur results in a high incidence of false positives (alarms that are raised when in fact no attack has taken place) and false negatives (failures to sound an alarm when in fact an attack has taken place). In order to detect security violations, i.e., in order to avoid such false negatives, conventional systems may rely on overly sensitive detection, thereby creating false positives that greatly outnumber the true security threats that are detected, and thereby reducing system efficiency.