1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting abnormal computer files.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences among the types of malicious code, technology for detecting malicious code is generally referred to as “antivirus.” Malicious codes have become so prevalent that experienced computer users have some form of antivirus in their computers. Antivirus for scanning data for malicious codes is commercially available from several computer security vendors, including TREND MICRO, INC.
Malicious codes may be embedded in files, referred to herein as “malicious files.” An antivirus needs a signature or other information for detecting a malicious file. Creating a signature for malicious code takes time and requires an exact sample of the particular malicious code. Unknown malicious codes, i.e., those that are yet to be detected by antivirus researchers and/or have no corresponding signature, are thus not readily detectable by an antivirus. Furthermore, creating a complete set of signatures is becoming more difficult with the increasing variety of malicious files.