Malware such as viruses, spyware, adware, worms, etc., is software designed to infiltrate and/or damage computer systems without their owners' consent. Malware attacks computer systems both large and small, such as workstations, desktop computers, notebook computers, tablet computers, personal digital assistants (PDAs), smart mobile telephones (smartphones), etc., and often causes great damage. Needless to say, it is very important to protect computer systems against various forms of malware.
Many software applications have been developed to protect computer systems against various types of malware. Examples of anti-malware software products include Symantec's™ Norton AntiVirus, McAfee's® VirusScan® Plus, BitDefender's Total Security, etc. Typically, once such a software application has been installed on a computer system, it may scan the entire computer system, i.e., the files on the computer system, or a selected portion of the computer system from time to time to detect and remove known types of malware. This technique uses a virus scan engine and virus patterns (or “virus signatures”) to scan the files looking for matches to any of the virus patterns.
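The signature-based scan described above, as an added example that is not part of the original text and not the code of any product named in it: a small scan engine that walks a directory tree and reports files containing any of a set of virus patterns. The pattern names and byte sequences are constructed placeholders, not real signatures. Files are read in fixed-size chunks with an overlap so a pattern that straddles a chunk boundary is still matched, which is the detail a naive implementation gets wrong.

```python
import os
import tempfile
from typing import Dict, List

# Constructed "virus patterns" (signatures): name -> byte sequence.
# These are placeholders made up for this example, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": b"\x4d\x5a\x90\x00EXAMPLE_DROPPER_MARKER",
    "Example.Macro.B": b"Sub AutoOpen()\x00EXAMPLE_MACRO_MARKER",
}

CHUNK_SIZE = 64 * 1024  # bytes read per iteration; keeps memory flat on large files


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan one file chunk by chunk.

    The last (longest pattern - 1) bytes of the previous window are carried
    over, so a pattern split across two chunks is still seen in one window.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    found = set()
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            window = carry + chunk
            found.update(scan_bytes(window, signatures))
            carry = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_tree(root: str, signatures: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[str]]:
    """Walk a directory tree; map each matching file (relative path) to its hits."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path, signatures)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo() -> Dict[str, List[str]]:
    """Build a throwaway directory of constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"Nothing to see here.\n")
        infected = os.path.join(root, "bin", "tool.exe")
        os.makedirs(os.path.dirname(infected))
        with open(infected, "wb") as fh:
            # Pad so the marker begins 5 bytes before the first chunk boundary.
            fh.write(b"A" * (CHUNK_SIZE - 5))
            fh.write(SIGNATURES["Example.Dropper.A"])
            fh.write(b"B" * 100)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(rel_path, "->", ", ".join(hits))
```

The `found` set also absorbs the duplicate hit that the overlap can produce when a whole pattern sits inside the carried-over tail; without it a pattern near a boundary would be reported twice.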
Recently, it has become more commonplace for anti-malware software products to forgo complete directory scanning and use of the virus patterns and instead watch for suspicious behavior on the computer system as a clue as to which files to scan. As hard drives become increasingly large, and thus increasingly time consuming to scan as a whole, it is expected that this trend towards monitoring system behavior will continue. Unlike the traditional signature-based defense, behavior monitoring watches all activities of all processes in real time. If any activity is judged malicious, the process is stopped immediately. This technique does not use the pattern or signature of a particular malware in order to protect against that malware.
In such systems, it is necessary to monitor system behavior, and then apply a set of rules to the monitored behavior in order to determine whether an activity is suspicious or not. If an activity is suspicious, it may be blocked and a message is sent to the user asking how to handle the activity. FIG. 1 is a prior art diagram illustrating an example of a user-received pop-up window in response to the detection of suspicious behavior. The offending process 100 is identified, and the user is permitted to quarantine the process 102, terminate the process 104, or allow 106 the process to continue execution.
One of the problems encountered with this approach is false positives. Many legitimate applications perform activities (and cause computer system events) that might be seen by a behavior monitoring engine as suspicious. These false positives unduly interrupt users with pop-up windows, which can become an annoyance or, worse, result in the legitimate application being blocked. Furthermore, when users are presented with an annoying number of pop-up requests to verify the permissibility of an action, there is a tendency for the response by the user to become “automatic,” meaning the user simply allows a process to continue execution without thinking or without reading the alert in detail. This automatic response by the user ends up actually increasing the likelihood of a malicious process being accidentally permitted by the user to continue execution. Altering the rules or thresholds in order to reduce these false positives can have the negative impact of increasing the likelihood that a malicious process would not be flagged at all.
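The rule-based behavior monitoring of the two preceding paragraphs, and the false-positive and threshold trade-off just described, as an added example that is not part of the original text and not the code of any product named in it. A short event trace is constructed inline: one process behaves like a dropper, a second (a constructed vendor installer) performs the same two actions for legitimate reasons, and a third is an editor writing a user file. Rule names, weights, the threshold and the event format are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    """One monitored system event (constructed format for this example)."""
    pid: int
    process: str
    action: str   # "file_write", "registry_set" or "process_inject"
    target: str


# A rule maps one event to a suspicion weight; 0 means the rule did not match.
Rule = Callable[[Event], int]


def writes_system_dir(e: Event) -> int:
    return 3 if e.action == "file_write" and e.target.lower().startswith("c:\\windows\\system32\\") else 0


def sets_autorun(e: Event) -> int:
    return 4 if e.action == "registry_set" and "\\currentversion\\run\\" in e.target.lower() else 0


def injects_into_other_process(e: Event) -> int:
    return 5 if e.action == "process_inject" else 0


RULES: List[Rule] = [writes_system_dir, sets_autorun, injects_into_other_process]
THRESHOLD = 5  # assumed: a process at or above this score is flagged


def score_events(events: Iterable[Event], rules: List[Rule] = RULES) -> Dict[int, int]:
    """Accumulate rule weights per process id over the whole trace."""
    scores: Dict[int, int] = defaultdict(int)
    for e in events:
        for rule in rules:
            scores[e.pid] += rule(e)
    return dict(scores)


def verdicts(events: Iterable[Event], rules: List[Rule] = RULES,
             threshold: int = THRESHOLD) -> Dict[int, str]:
    """Apply the threshold to each process's accumulated score."""
    return {pid: ("suspicious" if s >= threshold else "benign")
            for pid, s in score_events(events, rules).items()}


# Constructed event trace (not captured from any real system).
SAMPLE_EVENTS: List[Event] = [
    # pid 1001: behaves like a dropper
    Event(1001, "update.tmp.exe", "file_write", r"C:\Windows\System32\drivers\dropped.sys"),
    Event(1001, "update.tmp.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"),
    # pid 2002: legitimate installer performing the same two actions
    Event(2002, "setup.exe", "file_write", r"C:\Windows\System32\drivers\vendor.sys"),
    Event(2002, "setup.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"),
    # pid 3003: editor writing a user document
    Event(3003, "notepad.exe", "file_write", r"C:\Users\alice\notes.txt"),
]


if __name__ == "__main__":
    for pid, verdict in verdicts(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

At the default threshold the dropper and the installer receive identical scores and both are flagged, which is the false positive the text describes; raising the threshold to 8 silences the installer but also lets the dropper through, which is the false negative the last sentence warns about. The rules alone cannot separate the two, since the observable actions are the same.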
Considering the drawbacks of previous approaches, a behavior monitoring technique that reduces false positives without increasing the likelihood of false negatives is desirable.