Many computer systems are vulnerable to attacks that cause them to behave in unexpected ways, often with undesirable outcomes. For example, a successful attack may allow an attacker to gain illegitimate access to data, to flood a computer system with bogus requests so that legitimate users are prevented from utilizing system resources, or to gain full control of the computer system. Such attacks can lead to extended service interruptions and/or compromise of critical data, which can result in economic losses for businesses, damage to the information technology infrastructure and/or inconvenience to users.
Vulnerabilities can exist in different parts of a computer system, including software applications, operating systems, firmware and/or hardware. When a vulnerability is discovered, the provider of the vulnerable component often develops a patch (also known as an update) to remove the vulnerability. The patch is then made available to users for download and installation. However, there is often a window between the point in time when the vulnerability is discovered and the point in time when the patch becomes available. During this time window, computer systems containing the vulnerable component remain susceptible to so-called "zero-day" attacks, that is, attacks that target vulnerabilities which are either not yet known to the provider or newly disclosed, and for which no patch has yet been released.
Attack prevention techniques have been employed that seek to detect malicious software, or “malware,” and to prevent it from being executed on a target system. For example, some attacks have been carried out by embedding malicious executable instructions into text, image, audio or video files. The malicious instructions are executed when a user unwittingly allows a vulnerable application to load the data file, which triggers the attack and allows the attacker unintended access to the target system.
One way of protecting the target system against malware attacks is to scan incoming data files for malware before the files are loaded by any application. Conventionally, this type of scanning is performed by an anti-malware program that maintains a list of specific byte patterns, or "signatures," associated with known malware. During a scan, the anti-malware program searches the data file for these patterns and declares the file to be potentially malicious if one or more of the patterns are found. The list of known patterns is updated periodically, for example, by communicating with an anti-malware server that publishes new malware reports. Because a signature can only be written for malware that has already been observed and analyzed, this approach offers no protection against previously unseen malware, or against variants whose byte patterns differ from the recorded signatures.
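The following is an added example, written for this page and not taken from the original text, of the signature-based scanning just described: a small scanner that searches a data file for a list of byte patterns, a routine that merges a newly published signature report into the local list, and three constructed sample files (a clean image, the same image with a payload appended, and a variant of that payload stored XOR-encoded). All signature names, patterns and file contents are hypothetical and constructed for illustration; they correspond to no real malware family.

```python
"""Minimal signature-based file scanner (illustrative example for this page).

Every signature and sample file below is a constructed byte string chosen
for illustration; the names are hypothetical and match no real malware.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # identifier reported when the pattern is found
    pattern: bytes  # raw bytes that must occur somewhere in the scanned file


# Constructed signature database (hypothetical names and patterns).
SIGNATURES = [
    # Start of a DOS/PE executable header, which has no business inside image data.
    Signature("Example.EmbeddedPE", b"MZ\x90\x00\x03\x00\x00\x00"),
    # A NOP sled followed by a common x86 prologue (xor eax,eax; push eax; push imm32).
    Signature("Example.Shellcode.A", b"\x90\x90\x90\x90\x31\xc0\x50\x68"),
]


def scan(data: bytes, signatures: list[Signature] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [sig.name for sig in signatures if data.find(sig.pattern) != -1]


def update_signatures(db: list[Signature], published: list[Signature]) -> list[Signature]:
    """Merge a newly published report into the local list, skipping patterns already known."""
    known = {sig.pattern for sig in db}
    return db + [sig for sig in published if sig.pattern not in known]


def xor_encode(data: bytes, key: int) -> bytes:
    """Byte-wise XOR: the simplest encoding a variant uses to change its byte patterns."""
    return bytes(b ^ key for b in data)


# Constructed sample files: a JPEG-like skeleton, the same file with a payload
# appended after the end-of-image marker, and a variant whose payload is stored
# XOR-encoded (a real variant would decode it at run time).
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
JPEG_END = b"\xff\xd9"
IMAGE_DATA = bytes(range(32))
PAYLOAD = b"\x90\x90\x90\x90\x31\xc0\x50\x68" + b"/sh\x00" + b"MZ\x90\x00\x03\x00\x00\x00"

CLEAN_IMAGE = JPEG_HEADER + IMAGE_DATA + JPEG_END
INFECTED_IMAGE = CLEAN_IMAGE + PAYLOAD
VARIANT_IMAGE = CLEAN_IMAGE + xor_encode(PAYLOAD, 0x5A)


def demo() -> dict:
    """Scan the three files, then rescan the variant after a signature update."""
    before = {
        "clean": scan(CLEAN_IMAGE),
        "infected": scan(INFECTED_IMAGE),
        "variant": scan(VARIANT_IMAGE),  # evades the original list
    }
    # Later, a report publishes a pattern for the encoded variant; merge it in.
    report = [Signature("Example.Shellcode.A.enc", xor_encode(SIGNATURES[1].pattern, 0x5A))]
    updated = update_signatures(SIGNATURES, report)
    after = {"variant": scan(VARIANT_IMAGE, updated)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The variant file shows the limitation noted above: the same payload with every byte XOR-ed against a single key matches none of the original patterns and is only caught once a signature for that exact encoding has been published and merged into the local list.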