1. Field of Disclosure
The disclosure generally relates to the field of computer security, and in particular to detecting malicious software.
2. Description of the Related Art
Modern computer systems are vulnerable to a wide variety of malicious software ("malware"). Many computer security solutions have been developed to enhance computer security by detecting malware and preventing the detected malware from performing undesirable operations. Traditionally, these security solutions examine target software for a set of distinguishing fingerprints ("signatures") known to be associated with malware, and classify the target software as malicious if those signatures are present.
Because signature-based detection cannot detect malware whose signature is not yet known (for example, a new or modified variant), some security solutions instead use behavior-based detection techniques. These techniques observe the actions a target software application performs at runtime and apply heuristics to identify suspicious behaviors. If the application's behaviors match certain suspicious behavior patterns (e.g., attempting to modify or delete operating system registry entries), the security solution identifies the application as malware and blocks the behaviors before they can harm the computer system.
Behavior-based detection techniques can generate false-positive malware detections when a legitimate application performs a behavior deemed suspicious; an installer or uninstaller, for instance, may legitimately modify the same registry entries that malware uses to persist. Security solutions with a high false positive rate frustrate users by blocking legitimate applications from performing desired tasks or by issuing false alerts to which the user must respond. Accordingly, there is a need for techniques that improve the quality of behavior-based malware detection.
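As an added illustration (not code from this disclosure or from any product it describes), the following Python sketch implements a heuristic behavior-based detector of the kind described in the two preceding paragraphs and runs it over a constructed event trace. The event schema, rule names, weights, threshold and the three process traces are all assumptions made for the example; the point it adds is how a legitimate uninstaller that removes its own autostart entry matches the same rule as a dropper, producing the false positive the text warns about.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed runtime behavior of a process (constructed schema)."""
    process: str
    action: str   # registry_modify, registry_delete, file_write, file_delete, net_connect
    target: str


RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Heuristic rules as (name, predicate over an Event, weight).
# Names and weights are hypothetical values chosen for this illustration.
RULES = [
    ("autostart_registry_change",
     lambda e: e.action in ("registry_modify", "registry_delete")
     and e.target.startswith(RUN_KEY),
     3),
    ("executable_dropped_to_temp",
     lambda e: e.action == "file_write"
     and e.target.lower().endswith(".exe")
     and "\\temp\\" in e.target.lower(),
     2),
    ("outbound_connection",
     lambda e: e.action == "net_connect",
     1),
    ("system_file_deleted",
     lambda e: e.action == "file_delete"
     and e.target.lower().startswith(r"c:\windows\system32"),
     3),
]

THRESHOLD = 3  # a process scoring at or above this value is reported as malware


def score_events(events):
    """Return {process: (suspicion score, sorted names of matched rules)}.

    Only processes that matched at least one rule appear in the result.
    """
    scores = defaultdict(int)
    matched = defaultdict(set)
    for e in events:
        for name, predicate, weight in RULES:
            if predicate(e):
                scores[e.process] += weight
                matched[e.process].add(name)
    return {p: (scores[p], sorted(matched[p])) for p in scores}


def classify(events, threshold=THRESHOLD):
    """Map every process seen in the trace to True (flagged) or False (clean)."""
    processes = {e.process for e in events}
    scored = score_events(events)
    return {p: scored.get(p, (0, []))[0] >= threshold for p in processes}


# Constructed trace: a dropper, a legitimate uninstaller, and an editor.
# 203.0.113.7 is from the TEST-NET-3 documentation range.
TRACE = [
    Event("dropper.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Event("dropper.exe", "registry_modify", RUN_KEY + r"\Updater"),
    Event("dropper.exe", "net_connect", "203.0.113.7:443"),
    Event("uninstall.exe", "file_delete", r"C:\Program Files\Acme\acme.exe"),
    Event("uninstall.exe", "registry_delete", RUN_KEY + r"\AcmeTray"),   # removing its own autostart entry
    Event("notepad.exe", "file_write", r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for proc, (score, rules) in score_events(TRACE).items():
        print(f"{proc}: score={score} rules={rules}")
    print(classify(TRACE))   # uninstall.exe is flagged: a false positive
```

With the default threshold the dropper scores 6 and the uninstaller 3, so both are flagged. Raising the threshold to 4 clears the uninstaller but would also miss a dropper whose only observed behavior is setting the autostart key, which is the trade-off that motivates improving the detection logic rather than merely tuning a score.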