Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For instance, over the past few years, an increasing number of vulnerabilities are being discovered in software that is loaded onto network devices, such as vulnerabilities within operating systems, for example. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for attack by malware, namely information such as computer code that attempts during execution to take advantage of a vulnerability in computer software by acquiring sensitive information or adversely influencing or attacking normal operations of the network device or the entire enterprise network.
Moreover, with the proliferation of the Internet and the reliance on electronic email (email) as a means of communication, malware is capable of spreading more quickly and affecting a larger subset of the population than ever before.
Although some conventional malware detection systems may be configured to evaluate objects for malware, these conventional systems may produce “false negative” or “false positive” outcomes because the classification of the objects is based on a collection of scores that concentrate on results associated with a single type of analysis. For example, according to conventional malware detection systems, the results from a static analysis of an object (analysis of characteristics of the object) are correlated and subsequently assigned a first score while results from a behavioral analysis of the object (analysis of behaviors associated with the object during processing) are correlated and subsequently assigned a second score. The first and second scores are evaluated to classify the object as malicious or non-malicious.
As a result, in accordance with conventional malware detection systems, an object may contain features that, when analyzed in isolation, may fail to identify the object as malicious when the feature itself does not exhibit maliciousness during the scanning process. This “false negative” tends to occur for objects that are part of a greater, multi-stage attack. Consequently, the malicious object may be allowed to pass through to the end user. It is contemplated that conventional malware detection systems may also experience a “false positive” outcome since there is no correlation of results from different analyses of the object to determine whether the object is malicious.
Accordingly, a need exists for an improved malware detection system, apparatus and method that further mitigates inaccurate outcomes concerning malware detection.