1. Field of the Invention
This invention pertains in general to computer security and in particular to the identification of malicious software (malware).
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Security software commonly functions to identify malware threats based on signatures that define information that is unique to known malware threats. Typically, a security software provider transmits a set of signatures to a client running the provider's software. The signatures are then used by the provider's security software to scan the client system for files with information matching the signatures.
Signature-based methods of malware threat identification are complicated by the large number of new malware threats or variations of existing malware threats (i.e. polymorphic malware) that are continuously being disseminated into computing environments. The continuous development and introduction of new malware threats into computing environments makes the generation of a comprehensive set of malware signatures corresponding to malware threats difficult. Also, the corresponding set of malware signatures that must be created in association with the large number of malware threats can range from thousands to millions of signatures, creating further difficulties associated with the efficiency and scalability of transmitting the set of malware signatures to the clients and using the set of malware signatures to scan the clients.
Due to the problems associated with signature-based approaches for malware identification, alternate approaches such as behavior-based identification of malware threats have been developed. Behavior-based identification of malware seeks to identify malware threats by monitoring behaviors or actions performed by software applications as they execute on a client system. In behavior-based identification of malware threats, software applications that perform one or more behaviors or actions that are associated with a high likelihood of being performed by a malware threat may be identified as malware threats.
Although behavior-based identification of malware provides a beneficial alternative to signature-based identification of malware, it is difficult to assess whether an application is a malware threat based only on behaviors or actions that have a high likelihood of being performed by malware threats. Specifically, it is difficult to assess whether behaviors that have a high likelihood of being performed by malware may sometimes be performed by applications that are not malware threats. Consequently, there is a high likelihood of generating false positive identifications of malware using behavior-based methods of malware identification. Accordingly, there is a need in the art for improved methods of identifying malware threats.