The average Internet user encounters hundreds if not thousands of files on a daily basis. These can range from Hypertext Markup Language files that display web pages, embedded audio and visual files that play music and movies, image files, and document files, to email attachments containing files of all those types and more. The vast majority of files encountered in web traffic are benign. However, it may take as little as a single malicious file to cause serious damage to a computing system. Malicious files may delete crucial documents, rewrite operating system settings, send spam from a user's account, expose confidential data, or take other malicious actions.
Traditional systems for detecting suspicious, potentially malicious files often rely on heuristics that analyze the file for markers of malicious potential. However, some file types, including executable files, are very difficult to analyze in this fashion because many actions, such as sending or deleting files, are benign in some contexts but malicious in others. Traditional systems may either flag these files as suspicious, generating a large number of false positives, or ignore the files, potentially allowing a malicious file to reach a user. Neither of these consequences is ideal from the user's perspective. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for detecting suspicious files.