Computer malware, such as viruses, worms and Trojan horses, presents one of the most significant security threats to computer systems. It is estimated that the yearly financial losses of U.S. businesses caused by malware are in the tens of billions of dollars. To combat the increasing spread of computer malware, a number of antivirus detection techniques have been developed. Most detection techniques operate by scanning the program code and comparing portions thereof with a collection of known malicious code contained in a “library” (signature-based detection). If a substantial similarity is found between the scanned code and a library entry, the code is flagged as malicious.
Another popular approach for detecting computer malware is heuristic analysis of the program code. Heuristic analysis is a behavior-based technique in which a computer program is emulated in a secure computer environment, e.g. a virtual computer, thereby simulating what would happen if the program were executed while keeping the suspicious code isolated from the real machine. The behavior of the emulated program is analyzed for common malicious actions such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If such malicious actions are detected, the program is flagged as malicious.
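The two techniques described above, signature matching against a library and behavior-based scoring of an emulated run, are illustrated by the following added example. It is not code from the patent or from any antivirus product. The signature library, the chunk size, the heuristic weights, the thresholds, and the emulator traces (the list of actions each sample was observed to perform) are all constructed for illustration; a real scanner would obtain the trace from an actual emulator rather than from a hand-written list.

```python
"""Toy signature scanner plus behavior heuristics (added example).

Everything here is constructed for illustration: the "library" holds
made-up byte patterns, not real malware, and the "traces" stand in for
the actions an emulator would record while running a sample.
"""
from dataclasses import dataclass

# Constructed library of byte patterns representing known malicious code.
SIGNATURE_LIBRARY = {
    "dropper-A": b"MZ\x90\x00copy_self_to_startup_folder;set_hidden_attr",
    "worm-B": b"scan_subnet;copy_self;mail_self;sleep;repeat",
}

# Constructed weights for the behaviors the text names as malicious.
HEURISTIC_WEIGHTS = {"replication": 4, "overwrite": 3, "hide": 2}


def signature_score(code: bytes, signature: bytes, chunk: int = 8) -> float:
    """Fraction of the signature's fixed-size chunks that occur in `code`.

    Comparing chunks rather than the whole signature tolerates small edits;
    a threshold on this fraction is the "substantial similarity" test.
    """
    chunks = [signature[i:i + chunk] for i in range(0, len(signature), chunk)]
    hits = sum(1 for c in chunks if c in code)
    return hits / len(chunks)


def scan_signatures(code: bytes, library=SIGNATURE_LIBRARY, threshold: float = 0.6):
    """Return (best matching library entry or None, best similarity)."""
    best_name, best = None, 0.0
    for name, sig in library.items():
        s = signature_score(code, sig)
        if s > best:
            best_name, best = name, s
    return (best_name if best >= threshold else None, best)


@dataclass
class Sample:
    name: str
    path: str    # where the sample itself lives inside the emulator
    code: bytes
    trace: list  # (action, target, source) tuples recorded by the emulator


def behaviour_score(sample: Sample, existing_files: set):
    """Replay an emulator trace and score the behaviors the text describes.

    replication: the sample writes a copy of itself somewhere else;
    overwrite:   it writes over a file that existed before it ran;
    hide:        it marks a file hidden.  Each behavior counts once.
    """
    score, reasons, seen = 0, [], set()
    for action, target, source in sample.trace:
        keys = []
        if action == "write":
            if source == "self" and target != sample.path:
                keys.append("replication")
            if target in existing_files:
                keys.append("overwrite")
        elif action == "set_hidden":
            keys.append("hide")
        for key in keys:
            if key not in seen:
                seen.add(key)
                score += HEURISTIC_WEIGHTS[key]
                reasons.append(f"{key}:{target}")
    return score, reasons


def classify(sample: Sample, existing_files: set,
             malicious_at: int = 5, suspicious_at: int = 2) -> dict:
    """Signature hit -> malicious; otherwise fall back to the behavior score.

    Scores between the two thresholds are "inconclusive": the case that the
    text says gets escalated to a human analyst.
    """
    name, sim = scan_signatures(sample.code)
    if name:
        return {"verdict": "malicious", "why": f"signature {name} ({sim:.2f})"}
    score, reasons = behaviour_score(sample, existing_files)
    if score >= malicious_at:
        verdict = "malicious"
    elif score >= suspicious_at:
        verdict = "inconclusive"
    else:
        verdict = "benign"
    return {"verdict": verdict, "why": f"behavior score {score}: {reasons}"}


# Constructed inputs: a pre-existing filesystem and four samples.
EXISTING = {"/etc/hosts", "/home/u/report.doc"}
SAMPLES = [
    Sample("known_worm", "/tmp/w.exe",
           b"junk;scan_subnet;copy_self;mail_self;sleep;repeat;junk", []),
    Sample("unknown_dropper", "/tmp/d.exe", b"nothing in library here",
           [("write", "/home/u/startup/d.exe", "self"),
            ("write", "/etc/hosts", "data"),
            ("set_hidden", "/home/u/startup/d.exe", None)]),
    Sample("grey_installer", "/tmp/setup.exe", b"installer code",
           [("write", "/home/u/report.doc", "data")]),
    Sample("notepad", "/usr/bin/notepad", b"harmless",
           [("write", "/home/u/notes.txt", "data")]),
]


def run_all(samples=SAMPLES, existing_files=EXISTING) -> dict:
    """Map each sample name to its verdict."""
    return {s.name: classify(s, existing_files)["verdict"] for s in samples}


if __name__ == "__main__":
    for s in SAMPLES:
        print(s.name, classify(s, EXISTING))
```

The "grey_installer" sample is the interesting case: it matches nothing in the library and shows only one of the scored behaviors, so it lands between the two thresholds and is reported as inconclusive rather than as clean or malicious. That is exactly the outcome the next paragraph describes, where neither technique gives a definite answer and the code is handed to a human analyst.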
However, these techniques may fail to detect malware, or may fail to provide conclusive results, when presented with code not contained in the library or code whose behavior is suspicious but not clearly malicious. In such cases, the suspicious code may be sent to a human analyst, who reviews the code and decides whether it is malicious. Human review generally provides accurate results; however, it is time consuming and inefficient. Accordingly, there is a need for a more efficient technique of malware detection.