1. Field of the Invention
The present invention relates to the field of network security, and more particularly to malware detection in a computing environment.
2. Description of the Related Art
The Internet has transformed society in many ways. From business use to consumer use, the ability to transfer information between computers has enabled new methods of commerce such as on-line banking and on-line purchasing. The Internet has had profound effects on business processes in many industries. As business functionality has matured, so have operational processes to handle the increasingly complex issues of reliability, privacy and security.
Today, computer users and businesses face a new and growing threat to security and privacy on the Internet. This threat is not only in the form of direct attacks by viruses, but also by indirect access in the form of monitoring programs installed on computers referred to as “malware”. Spyware, a malware species, serves to surreptitiously monitor and report computer user activities to third parties. Although the consequences of spyware may be as minor as annoying advertising pop-ups, spyware has the potential to impart significant damage to a machine and also to an entire network. Spyware-type malware has the ability to capture virtually every online activity. From monitoring all keystrokes, to email snooping, to scanning files on a user's hard drive, to changing system or registry settings, spyware is an immense personal and enterprise security threat. Such activities can lead to identity theft, data corruption, and even theft of company trade secrets.
The traditional approach to detecting malware such as spyware and also computer viruses typically require a database of known signatures that describe malicious content. This database periodically must be pushed to or pulled from client computing systems, where the malware scans usually occur. Current anti-spyware tools operate in a way similar to traditional anti-virus tools, where signatures associated with known spyware programs are checked against newly-installed applications.
The time delays introduced by recognizing an attack, extracting a signature, updating virus definition files and databases, distributing them, scheduling malware scans, and reporting results to a centralized malware management authority result in a less-than-optimal effective response to new malware attacks. Also, attempts by users and enterprises to protect machines from such attacks by using anti-virus programs and firewalls have resulted with a mixed record of success at best.
Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations. One of the main problems with these solutions is that they are dependent on a known repository of malware, failing to provide early detection and containment of the spread of malware. In addition, current techniques to combat malware mostly rely on manual configurations and human intervention, and may fail to react in time to defend against an attack.