A great deal of time, money, and effort is spent in the fight against security risks, such as viruses, malware, exploits, intrusions, and other dangers to enterprise computing. A malware infection may require a compromised system to be erased and re-imaged to remove the malware, which can also result in great expenditures of time and money as well as loss of productivity.
The general purpose capability of modern computing systems is constructed using a layered stack of hardware and software. An example of the layered arrangement of hardware and software that is present in modern computer systems is shown in FIG. 1. At the lowest layer, there is hardware with a small number of basic general purpose programming capabilities. Upon this hardware layer sits the firmware/BIOS which is responsible for, among other things, initializing hardware resources and loading the operating system. The operating system (OS) provides a file system and functionality which may be used by a variety of different applications. On top of the OS layer run the various applications which provide user-visible rich functionality to the computer. The functionality provided by the application layer is typically the primary concern of the computer user.
While terms such as viruses, malware, and exploits may have specific definitions in the art, as used herein the term “malware” shall refer to any type of computer code and/or other data introduced from outside a computer system or network of computers that may be used to damage or otherwise cause aspects of the computer system or network of computers to malfunction or perform in an unintended manner. Thus, as used herein, the term “malware” encompasses viruses, exploits, worms, and any type of programmatic security risk.
Malware may be introduced into a computer network through a wide variety of avenues, such as email or a malformed JPEG or other code on a web page that is downloaded to a computer via a web browser. Malware generally follows a common lifecycle; namely, the malware will exploit a weakness in the computer system or network, the malware will drop and execute a payload, the malware will attempt to escalate its privileges, the malware will take steps to persist on the system and/or network despite efforts to remove it, and finally the malware will propagate to other computers.
Current approaches to battle malware attempt to detect malware prior to the infection phase and/or exploitation phase. If the malware is unable to be detected using current approaches, then countermeasures cannot be enacted and systems may become infected.