A computer network allows interconnected computing systems to communicate with one another. One example of a computer network may include multiple computing nodes connected via a number of network devices (e.g., switches, routers, etc.). Further, the computer network may include an intrusion detection system (IDS) that monitors network or system activity for malicious activities or policy violations within the network and produces reports to a management console. Generally, an IDS is signature-based, i.e., the IDS may be configured with signatures to detect malicious or unwanted activity. An attack signature is a sequence of computer activities (or alterations to those activities) corresponding to a known attack, e.g., an attack against a vulnerability in an operating system or application.
For example, an IDS may be configured with an attack signature that detects a particular virus in an e-mail message. The signature may contain subject-field text seen in previous e-mails that carried the virus, or the filenames of attachments that carried it. With the signature, the IDS can compare the subject of each e-mail with the subjects contained in the signature, and compare each attachment filename with the known suspicious filenames. However, a signature-based approach raises several concerns. For example, although an IDS may possibly detect alterations to a particular attack, the alterations typically need to be defined in the signature for it to do so. Similarly, because attack signatures are predefined, the IDS is susceptible to new attacks that have not yet been observed, e.g., 0-day attacks.
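The e-mail signature described above, and its two stated weaknesses, can be shown concretely with a small matcher. The following is an added example written for this section; it is not code from the original text, and the signature name, subject lines, attachment filenames and mailbox contents are all constructed values. The matcher compares each message's subject and attachment names against the signature's lists exactly (after whitespace and case normalisation), which is enough to see that a known copy is reported, that a lightly altered copy is missed until its variant is added to the signature, and that a form never seen before is missed in both cases.

```python
"""Toy signature-based e-mail IDS: added example with constructed data."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Email:
    subject: str
    attachments: List[str]


@dataclass
class Signature:
    name: str
    subjects: List[str]    # subject lines seen in earlier copies of the attack
    filenames: List[str]   # attachment filenames seen in earlier copies


def _norm(text: str) -> str:
    """Collapse whitespace and case so trivial spacing differences do not matter."""
    return " ".join(text.split()).lower()


def signature_matches(sig: Signature, msg: Email) -> bool:
    """True when the subject or any attachment filename matches the signature exactly."""
    if _norm(msg.subject) in {_norm(s) for s in sig.subjects}:
        return True
    attachment_names = {_norm(a) for a in msg.attachments}
    return any(_norm(f) in attachment_names for f in sig.filenames)


def scan(signatures: List[Signature], mailbox: List[Email]) -> List[Tuple[int, str]]:
    """Return (message index, signature name) for every hit; this is the IDS 'report'."""
    hits: List[Tuple[int, str]] = []
    for index, msg in enumerate(mailbox):
        for sig in signatures:
            if signature_matches(sig, msg):
                hits.append((index, sig.name))
    return hits


# Constructed signature: what earlier copies of a (fictional) mail-borne virus looked like.
INVOICE_SIG = Signature(
    name="bogus-invoice-worm",
    subjects=["Your invoice is attached"],
    filenames=["invoice.pdf.exe"],
)

# Constructed mailbox used as the IDS input.
MAILBOX = [
    Email("Your invoice is attached", ["invoice.pdf.exe"]),     # 0: known form of the attack
    Email("Quarterly report", ["report.xlsx"]),                  # 1: benign message
    Email("Your invoice is attached!", ["invoice_2.pdf.exe"]),   # 2: altered copy of the attack
    Email("Re: meeting notes", ["notes.docx.scr"]),              # 3: form never seen before ("0-day")
]

# The same signature after the altered copy has been observed and added to it.
UPDATED_SIG = Signature(
    name=INVOICE_SIG.name,
    subjects=INVOICE_SIG.subjects + ["Your invoice is attached!"],
    filenames=INVOICE_SIG.filenames + ["invoice_2.pdf.exe"],
)


def report_original() -> List[Tuple[int, str]]:
    """Report with the original signature: only message 0 is detected."""
    return scan([INVOICE_SIG], MAILBOX)


def report_updated() -> List[Tuple[int, str]]:
    """Report after the variant is defined: messages 0 and 2 are detected, 3 still is not."""
    return scan([UPDATED_SIG], MAILBOX)


if __name__ == "__main__":
    print("original signature:", report_original())
    print("updated signature: ", report_updated())
```

Message 2 is only caught once its altered subject and filename are written into the signature, and message 3 is never caught, which is exactly the pair of limitations the paragraph attributes to a signature-based IDS.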