Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. In some situations, malware is a program or file that is embedded within downloadable content and designed to adversely influence or attack normal operations of a computer. Examples of different types of malware may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device (e.g., computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing capability) without permission by the user or an administrator.
For instance, content may be embedded within objects associated with a web page hosted by a malicious web site. By downloading this content, malware causing another web page to be requested from a malicious web site may be unknowingly installed on the computer. Similarly, malware may also be installed on a computer upon receipt or opening of an electronic mail (email) message. For example, an email message may contain an attachment, such as a Portable Document Format (PDF) document, with embedded executable malware. Also, malware may exist in files infected through any of a variety of attack vectors, which are uploaded from the infected computer onto a networked storage device such as a file share.
Over the past few years, various types of security appliances have been deployed at different segments of a network. These security appliances use virtual machines to uncover the presence of malware embedded within ingress content propagating over these different segments. In particular, virtual machines (VMs) are equipped to monitor operations performed by ingress content during processing. The security appliances analyze the observed operations in an attempt to identify unexpected or anomalous operations that may indicate exploits. However, this operation monitoring is executed conventionally without knowledge of the context in which these operations are performed. This lack of context may occasionally lead to incorrect classification of ingress content as either benign or malicious, that is, as false negatives or false positives respectively in relation to malware detection. False negatives may result in malware going undetected and, therefore, failures to issue appropriate security alerts to network administrators or security professionals. False positives may result in security alerts issuing too often, raising the possibility that false positives will overshadow and dilute responses to ‘true positives’ and render associated remediation misplaced. In extreme situations, false negatives and false positives may impact system performance.