Viruses, Trojans, spyware, and other kinds of malware are a constant threat to any computing device that requires network connectivity. Many different types of security systems exist to combat these threats, ranging from browser plug-ins to virus scanners to firewalls and beyond. Countless new instances and permutations of malware are created every day, requiring security systems to be constantly updated. Many security systems therefore look for malware not only on the basis of quickly outdated signatures, but also by tracking each event initiated by an unknown process in order to determine whether those individually small events add up to a malicious overall picture.
Unfortunately, malware creators have adapted yet again by creating malware that splits up its suspicious actions among multiple different processes. A malicious process may not take any malicious actions directly but instead may spawn child processes that each generate only a portion of the events needed to accomplish a malicious task, making detection more difficult. Other malware may even use trusted processes to trigger some portion of the necessary events. By splitting up actions in this way, malicious processes may avoid being correctly categorized by traditional security systems that only examine a process's actions in the context of other actions performed by that same process. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for categorizing processes as malicious.
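The evasion described above, and the detection gap it exploits, can be made concrete with a small behavioural-scoring model. The following Python is an added illustration and is not part of the disclosure or any claimed embodiment; the event log, the per-event weights, the threshold and the process names are all constructed for the example. It scores the same event stream two ways: once per process in isolation, where each child's single step stays under the threshold, and once per process lineage, where every child's events are attributed to the top-most tracked ancestor so the split-up task is scored as a whole.

```python
"""Scoring behavioural events per process versus per process lineage.

Added example, not code from the original disclosure. All weights,
thresholds, pids and process names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights: how suspicious each event type is on its own.
EVENT_WEIGHTS = {
    "spawn_process": 1,
    "write_startup_key": 3,   # persistence
    "disable_defender": 4,    # defence evasion
    "connect_remote": 2,      # outbound connection to an unknown host
}
THRESHOLD = 6  # constructed: a score of 6 or more is flagged as malicious


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    name: str
    action: str


# Constructed event log. Process 100 spawns three children, each of which
# performs only one step of the overall task. Process 102 stands in for a
# trusted, legitimately signed tool that the parent invokes to do its part.
SAMPLE_EVENTS = [
    Event(100, 1, "dropper.exe", "spawn_process"),
    Event(100, 1, "dropper.exe", "spawn_process"),
    Event(100, 1, "dropper.exe", "spawn_process"),
    Event(101, 100, "helper1.exe", "write_startup_key"),
    Event(102, 100, "trusted_tool.exe", "disable_defender"),
    Event(103, 100, "helper3.exe", "connect_remote"),
    Event(200, 1, "explorer.exe", "spawn_process"),  # unrelated benign activity
]


def parent_map(events):
    """Map pid -> ppid using the first event observed for each pid."""
    parents = {}
    for e in events:
        parents.setdefault(e.pid, e.ppid)
    return parents


def lineage_root(pid, parents):
    """Walk ppid links upward and return the top-most pid that we have
    events for. Ancestors with no recorded events (e.g. the init process)
    stop the walk. A visited set guards against pid reuse forming a cycle."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_per_process(events):
    """Traditional view: each process is judged only on its own events."""
    scores = defaultdict(int)
    for e in events:
        scores[e.pid] += EVENT_WEIGHTS.get(e.action, 0)
    return dict(scores)


def score_per_lineage(events):
    """Correlated view: every event is credited to the root of its lineage,
    so steps spread across children (or a trusted helper) are summed."""
    parents = parent_map(events)
    scores = defaultdict(int)
    for e in events:
        scores[lineage_root(e.pid, parents)] += EVENT_WEIGHTS.get(e.action, 0)
    return dict(scores)


def flagged(scores, threshold=THRESHOLD):
    """Return the sorted pids whose score meets the threshold."""
    return sorted(pid for pid, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    per_process = score_per_process(SAMPLE_EVENTS)
    per_lineage = score_per_lineage(SAMPLE_EVENTS)
    print("per-process scores:", per_process)
    print("per-process flagged:", flagged(per_process))   # []
    print("per-lineage scores:", per_lineage)
    print("per-lineage flagged:", flagged(per_lineage))   # [100]
```

With the constructed weights, no single process reaches the threshold (the highest isolated score is 4, for the trusted tool), so a per-process system flags nothing; attributing events to the lineage root gives process 100 a score of 12 and flags it. The lineage walk stops at the first ancestor with no recorded events, which is what keeps the benign process 200 from being merged into anything else.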