1. Field of the Invention
This invention pertains in general to computer security and in particular to assessing risks presented by computer files, web sites, and/or other entities that can potentially compromise a computer.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
While classical malware was usually mass-distributed to many computers, modern malware is often targeted and delivered to only a relative handful of computers. A Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Likewise, a false email can include a phishing attack that is directed to only customers of a certain bank or other electronic commerce site.
Mass-distributed malware can often be detected and disabled by conventional security software. The security software uses techniques such as signature scanning and behavior monitoring heuristics to detect the malware. However, these techniques are less effective for detecting targeted threats since there are fewer instances of the same malware, and the security software might not be configured to recognize it.
Moreover, even mass-distributed malware is becoming harder to detect. A malicious website might automatically generate new malicious code for every few visitors. As a result, the malware is widely-distributed but only a small number of users have the exact same code, and it becomes impractical to generate signatures (and use signature scanning-based techniques) to detect it. Sometimes, the different versions of the malware perform different functions, which also makes the malware difficult to detect through heuristics and other techniques. Therefore, there is a need in the art for new ways to detect malware.
Further, security companies that analyze malware in order to develop signatures, heuristics, and other techniques for detecting it receive a large number of malware submissions. The security companies sometimes have no way to effectively measure the threat posed by submitted malware. For example, the security companies might not know whether submitted software is truly malicious or how widely a particular piece of malware is distributed. As a consequence, the security companies have a difficult time ranking or triaging the malware submissions in order to focus on analyzing the submissions that constitute the greatest threats. Accordingly, there is a need in the art for ways to evaluate the threats posed by submitted malware.