1. Field of the Invention
The present invention relates generally to communication networks, and more particularly, but not exclusively, to the detection and classification of new malware variants and/or families.
2. Description of the Background Art
The amount of malware is constantly increasing due to the creation of new types of malware and variants of existing malware. The number of unique malware samples has been growing exponentially in recent years.
Conventional anti-virus scanning is typically reactive: the anti-virus software is updated to protect a computer from a piece of malware only after a signature which identifies that malware is known. If the malware being examined is a new or unknown variant, then conventional anti-virus scanning is unlikely to identify it. Unfortunately, this means there is often a substantial delay between the release of a new malware variant and the point at which protection against it is effectively in place.
Another technique for identifying malware involves analyzing the behavior of programs in a protected environment and identifying suspicious activity (such as disabling the malware scanner). However, this behavioral approach to malware identification may suffer from accuracy problems. For example, some malicious activity is difficult to distinguish from the activity of legitimate programs. As a result, some malware may not be identified as performing malicious activity. Other malware may not be detected because it waits for a triggering event before attempting to perform malicious activity.
Another technique for identifying malware involves identifying substrings and patterns within malware code which are common to malware in general or to particular malware groups. However, this approach often fails to detect new malware variants. It also often fails to detect targeted malware outbreaks which occur on only a limited number of hosts (possibly within a single organizational network).
It is highly desirable to improve protection against malware. In particular, it is highly desirable to improve techniques to detect and classify new malware variants and families.