In recent years, malicious individuals and organizations have created a variety of sophisticated targeted attacks aimed at high-profile or high-level entities, such as governments, corporations, political organizations, defense contractors, or the like. In many cases, the goal of such an attack is to gain access to highly sensitive or confidential information, such as financial information, defense-related information, and/or intellectual property (e.g., source code), and/or to simply disrupt an entity's operations. Many targeted attacks use email-attachment-based spear phishing tactics to infiltrate target networks. In these attacks, a malicious document (such as a malicious Portable Document Format (PDF) document or a MICROSOFT OFFICE document), which may be sent as an email attachment to an unsuspecting user, may exploit a zero-day vulnerability in a document-handling application on the user's computer.
Such targeted attacks are growing in popularity and are increasingly successful for a variety of reasons. First, documents are generally less suspicious than executables to normal users. Second, it is often easy to construct different documents to evade typical anti-virus (AV) detection methods. For example, traditional security systems generally rely on signature-based techniques for detecting document-based threats, and such techniques are typically unable to detect threats that exploit zero-day vulnerabilities, for which no signature yet exists. Moreover, while traditional security systems may allow entities to block access to email attachments of particularly dangerous file types (such as executable files), many entities are reluctant to block access to a variety of commonly used, but nonetheless exploitable, document types (such as PDF documents, MICROSOFT OFFICE documents, media files, video files, etc.), since these document types are frequently used as a means for exchanging information electronically. Finally, document-handling applications contain numerous vulnerabilities.
Accordingly, the instant disclosure identifies a need for systems and methods capable of more accurately identifying security threats, especially systems and methods capable of more accurately distinguishing between malicious and benign documents.