1. Field of the Invention
This invention pertains in general to computer security and in particular to the development of signatures to accurately identify malware.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Computer security systems and software for counteracting malware typically operate by seeking to identify malware signatures. Malware signatures contain data describing characteristics of known malware and can be used to determine whether an entity such as a computer file or a software application contains malware. Typically, a set of malware signatures is generated by a provider of security software and is deployed to security software on a user's computer. This set of malware signatures is then used by the security software to scan the user's computer for malware.
During malware signature generation, malware signatures are validated against entities that are known not to contain malware (i.e., innocuous entities) in order to ensure that the malware signatures do not provide false positive detections. In other words, the malware signatures are checked to make sure they do not falsely determine that innocuous entities contain malware. However, it is impossible to validate against all possible innocuous entities that can be encountered by user computers. Thus, even cross-validated signatures can produce false positive results on user computers.
Accordingly, there is a need in the art for decreasing false positive malware detections.
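The validation step described above and its blind spot, as an added illustration that is not part of the original disclosure. It assumes signatures are plain byte patterns; every signature name, file name and byte string below is constructed for the example.

```python
# Constructed candidate signatures: name -> byte pattern (assumed signature form).
CANDIDATES = {
    "sig_generic_header": b"MZ\x90\x00",
    "sig_specific_marker": b"\xde\xad\xbe\xefEVIL_MARKER",
    "sig_common_string": b"CreateRemoteThread",
}
# Constructed known-malicious sample that each candidate was derived from.
MALWARE = {
    "sample1.bin": b"MZ\x90\x00..CreateRemoteThread..\xde\xad\xbe\xefEVIL_MARKER",
}
# Innocuous entities the signature provider can validate against.
VALIDATION_CORPUS = {
    "editor.exe": b"MZ\x90\x00 plain text editor code",
    "readme.txt": b"installation notes",
}
# Innocuous entities that exist only on user computers (unseen by the provider).
FIELD_CORPUS = {
    "debugger.exe": b"legit debugger: CreateRemoteThread used to attach",
    "notes.txt": b"meeting notes",
}

def matches(pattern: bytes, data: bytes) -> bool:
    """A signature 'detects' an entity when its pattern occurs in the bytes."""
    return pattern in data

def validate(candidates, malware, clean_corpus):
    """Keep candidates that hit the malware and hit nothing in the clean corpus."""
    accepted = {}
    for name, pattern in candidates.items():
        detects = any(matches(pattern, d) for d in malware.values())
        clean_hits = [f for f, d in clean_corpus.items() if matches(pattern, d)]
        if detects and not clean_hits:
            accepted[name] = pattern
    return accepted

def false_positives(signatures, innocuous):
    """List (signature, file) pairs where a signature fires on an innocuous entity."""
    return sorted((n, f) for n, p in signatures.items()
                  for f, d in innocuous.items() if matches(p, d))

DEPLOYED = validate(CANDIDATES, MALWARE, VALIDATION_CORPUS)
FIELD_FPS = false_positives(DEPLOYED, FIELD_CORPUS)

if __name__ == "__main__":
    print("deployed after validation:", sorted(DEPLOYED))
    print("false positives on validation corpus:",
          false_positives(DEPLOYED, VALIDATION_CORPUS))
    print("false positives on user computers:", FIELD_FPS)
```

The overly generic header pattern is rejected during validation, but the common-string signature passes because no file in the provider's corpus contains it, and it then fires on an innocuous file seen only in the field.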