1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting malicious applications.
2. Description of the Background Art
Malicious codes may be detected using traditional antivirus algorithms, such as pattern matching and behavior monitoring. Pattern matching involves using a scanner to match contents of a file or other data against signatures of known malicious codes. Although effective in detecting malicious codes, pattern matching is processor-intensive and requires a relatively large storage space to store the signatures. Like pattern matching, behavior monitoring consumes a relatively large amount of computing resources in order to monitor and make decisions on particular activities of the application programs (“applications”) being monitored. In addition, behavior monitoring may result in a large number of false positives, i.e., declaring an application to be malicious when it is actually not.
The above problems are exacerbated when pattern matching or behavior monitoring is employed in a low-resource computer, such as a mobile computing device. Compared to a regular computer, such as a desktop or laptop computer, a typical mobile computing device has low memory and processing resources. As a result, algorithms for detecting malicious codes in regular computers may not be suitable for use in mobile computing devices.