Currently, it is common for malicious software such as computer viruses, worms, spyware, etc., to affect a computer such that it will not behave as expected. Malicious software can delete files, slow computer performance, clog e-mail accounts, steal confidential information, cause computer crashes, allow unauthorized access and generally perform other actions that are undesirable or not expected by the user of the computer.
Current technology allows computer users to create backups of their computer systems and of their files and to restore their computer systems and files in the event of a catastrophic failure such as a loss of power, a hard drive crash or a system operation failure. Assuming that the user had performed a backup prior to the failure, it can be straightforward to restore their computer system and files to a state prior to the computer failure. Unfortunately, these prior art techniques are not effective when dealing with infection of a computer by malicious software. It is important to be able to detect such malware when it first becomes present in a computer system, or better yet, before it can be transferred to a user's computer.
One prior art technique for detecting a virus is known as the signature matching technique. This technique is able to detect known malware using a predefined pattern database that compares a known pattern (the virus signature) with a suspected virus in order to perform detection. This technique, though, is unable to handle new, unknown malware. Further, although this technique works well with traditional types of computer viruses, for example, it does not work well with more recent, popular malicious software such as “Mass Mailer” and self-compressed viruses. Other prior art techniques use predefined rules or heuristics to detect unknown malware. These rules take into account some characteristics of the malware, but these rules need to be written down manually and are hard to maintain. Further, it can be very time-consuming and difficult to attempt to record all of the rules necessary to detect many different kinds of malware. Because the number of rules is often limited, this technique cannot achieve both a high detection rate and a low false-positive rate.
The detection of computer worms can be especially problematic. Prior art techniques rely upon creating a pattern file for a newly detected worms and for updating that file as a new worms are found. But a worm is inherently different from other types of computer viruses in that a worm can generate many variants very quickly. It can be extremely difficult to generate the signature files needed to detect all of the new variants of a computer worm.
Given the difficulties in the prior art with detecting malware in general, and computer worms in particular, a new technique is desired.