One of the largest issues facing modern computing systems and communications systems is the prevalence of malware. Herein, malware includes, but is not limited to, any software and/or code designed to infiltrate a computing system without the owner's informed and/or explicit consent. Some of the better known forms of malware include computer viruses and spyware.
One common mechanism used to transfer malware onto a target computing system involves one or more files being transferred and/or downloaded onto a memory, or other sub-system, of the target computing system via file transfer from another computing system, and/or database, and/or the Internet and/or other network, and/or from a computer program product. Typically, once transferred, the malware is then activated on the target computing system, often by an innocent action taken by the user of the target computing system such as opening an e-mail attachment or inadvertently opening a file and/or executable.
One conventional method for preventing the transfer of malware is to employ a security system, typically in the form of a software application, and/or hardware, installed either on a given “protected” computing system or on a server system associated with the given computing system.
Many conventional security systems attempt to identify malware and block the transfer of the malware onto protected computing systems. One way conventional security systems attempt to identify malware is to analyze and classify incoming files as either potential malware or potential “legitimate” files/applications. Conventionally this is accomplished by analyzing incoming files and comparing various characteristics of the incoming files with characteristics of known malware and/or known legitimate files. It follows that in order for conventional security systems to identify malware based on the type of comparison analysis described above, the security systems must have one or more sources of knowledge/data regarding characteristics of identified malware, or legitimate files, to make the comparison. However, in many cases, these sources of knowledge/data regarding characteristics of identified malware, or legitimate files, are limited in the type of information they can provide.
For instance, in cases of new types of files that are not similar enough to identified malware, or legitimate files, there is often no reliable source of knowledge/data regarding characteristics of identified malware, or legitimate files, that is of significant use for making a comparative analysis, at least when the new types of files first appear. Consequently, a significant amount of time may pass before enough reliable data can be collected, and/or analysis can be performed, to make a reasonable classification of the new types of malware and/or new types of legitimate files. This is equally true in cases of rarely occurring malware and/or legitimate files. In addition, virtually every conventional security system that employs a file classification scheme has areas, i.e., types of files, that the security system cannot reliably classify as either malicious or legitimate for any one of various other reasons.
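As an added illustration that is not part of the original text, the following minimal characteristic-comparison classifier shows the gap described above: a file whose characteristics resemble neither known malware nor known legitimate files cannot be reliably classified. The characteristic names, the knowledge base, the incoming files and the similarity threshold are all constructed for this example.

```python
# Simplified characteristic-comparison classifier (constructed example).
# Each file is described by a set of observed characteristics; an incoming
# file is compared with every known malware and known legitimate file.

MIN_SIMILARITY = 0.5  # assumed threshold below which a best match is unreliable

# Constructed knowledge base: characteristics of previously identified files.
KNOWN_MALWARE = {
    "dropper-A": {"packed", "writes-autorun", "contacts-ip-literal", "no-signature"},
    "spyware-B": {"hooks-keyboard", "contacts-ip-literal", "no-signature"},
}
KNOWN_LEGITIMATE = {
    "installer-C": {"signed", "writes-program-files", "creates-uninstaller"},
    "editor-D": {"signed", "reads-user-documents", "has-gui"},
}

def jaccard(a, b):
    """Overlap of two characteristic sets, from 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def best_match(features, knowledge):
    """Return (name, similarity) of the known file most similar to `features`."""
    return max(((name, jaccard(features, known)) for name, known in knowledge.items()),
               key=lambda pair: pair[1])

def classify(features):
    """Compare an incoming file with known malware and known legitimate files.
    Returns (verdict, closest_known_file, similarity)."""
    m_name, m_sim = best_match(features, KNOWN_MALWARE)
    l_name, l_sim = best_match(features, KNOWN_LEGITIMATE)
    if max(m_sim, l_sim) < MIN_SIMILARITY:
        # No known file is close enough to support a comparison: this is the
        # unreliable region for new or rarely occurring file types.
        return ("unknown", None, max(m_sim, l_sim))
    if m_sim >= l_sim:
        return ("potential malware", m_name, m_sim)
    return ("potential legitimate", l_name, l_sim)

if __name__ == "__main__":
    # Constructed incoming files: a near-variant of known malware, and a new file type.
    variant = {"packed", "writes-autorun", "contacts-ip-literal", "no-signature", "has-gui"}
    novel = {"uses-gpu", "signed", "contacts-dns-name", "has-gui"}
    print(classify(variant))  # close to dropper-A, classified as potential malware
    print(classify(novel))    # resembles nothing known well enough: unknown
```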
As a result of the situation described above, many new files, both malware and legitimate files, are currently incorrectly classified by conventional security systems. Consequently, using conventional security systems, legitimate applications are often incorrectly classified as potential malware and are therefore blocked, often to the annoyance of the end user, or malware applications are potentially not identified, and therefore are not blocked, thus leaving numerous computing systems susceptible to infiltration and/or damage.