A conventional malware detection system detects a malicious process by identifying traces of the system calls generated by the process and then comparing those traces against the traces of known benign or malicious processes. Such a malware detection system typically runs on the same computing device that executes the process. However, such a system will not work in a network environment where thousands of processes generate millions of system calls each second. Further, filtering out some of the system call traces is not a solution, because the malware detection system may misclassify a malicious process when it sees only the filtered system call traces.
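As an added illustration of the conventional approach described above (example code, not from the patent): a toy host-based classifier scores a process's system-call trace against known benign and malicious profiles by Jaccard similarity over call n-grams, and shows how dropping high-volume calls to reduce trace volume can push a malicious trace below the detection threshold. The profiles, traces, n-gram length and threshold are constructed sample values, not real signatures.

```python
"""Toy system-call trace matcher (added example; constructed data only)."""


def ngrams(trace, n=3):
    """Set of n-grams of consecutive system-call names in a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two n-gram sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Constructed reference profiles standing in for "known" processes.
BENIGN = ["open", "read", "read", "write", "close", "open", "read", "close"]
MALICIOUS = ["open", "read", "socket", "connect", "sendto", "ptrace",
             "write", "close"]


def classify(trace, n=3, threshold=0.5):
    """Return (label, scores): label is the best-matching profile if its
    similarity reaches the threshold, otherwise 'unknown' (not flagged)."""
    g = ngrams(trace, n)
    scores = {"benign": jaccard(g, ngrams(BENIGN, n)),
              "malicious": jaccard(g, ngrams(MALICIOUS, n))}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else "unknown"), scores


def filter_trace(trace, drop):
    """Naive volume reduction: drop the listed high-frequency calls.
    The profiles were built from full traces, so the filtered trace
    loses the n-grams that made it recognisable."""
    return [call for call in trace if call not in drop]


if __name__ == "__main__":
    full_label, _ = classify(MALICIOUS)
    reduced = filter_trace(MALICIOUS, {"open", "read", "write", "close"})
    reduced_label, reduced_scores = classify(reduced)
    print("full trace      ->", full_label)        # malicious
    print("filtered trace  ->", reduced_label, reduced_scores)  # unknown
```

With file I/O calls dropped, the malicious trace's similarity to its own profile falls to 1/3 and the process is no longer flagged, which is the misclassification risk the background paragraph describes.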
Embodiments of the disclosure and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures, wherein showings therein are for purposes of illustrating embodiments of the disclosure and not for purposes of limiting the same.