In computing, executable content generally causes a computing device (e.g., desktop, laptop, tablet, smartphone, etc.) to perform indicated tasks according to encoded instructions (e.g., by a central processing unit (CPU) or the like), as opposed to a data file that typically must be parsed by a program to be meaningful. For instance, an executable program is a program that has been compiled from source code into binary machine code that is directly executable by the CPU of a computing device. Almost every application (e.g., email client, word processor, spreadsheet, etc.) begins with execution of an executable file, which is typically considered safe so long as it is obtained directly from the application's publisher and/or the publisher is otherwise trusted.
Malware (malicious software) is executable content used or programmed by attackers to disrupt computer operation, gather sensitive information, gain access to private computer systems, and/or the like and can appear in the form of code, scripts, active content, and other software. For instance, malware may include computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, rogue security software, and/or the like. In some situations, malware may be disguised as genuine software and may even come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it (e.g., along with additional tracking software that gathers marketing statistics).
Current manners of identifying malware and/or limiting malware attacks are often deployed with respect to individual computing devices (e.g., hosts) of an organization or enterprise (e.g., as part of any appropriate cyber security practices) and include use of programs such as anti-virus software, anti-malware software, firewalls, and the like. However, these current practices often rely on point solutions that provide signature-based identification of known malicious content which necessarily limits identification of malicious content that is not yet known as being “malicious.” For instance, rule-based compliance systems depend on keyword matches or content identification (e.g., using a fingerprinting algorithm or the like). Some systems can identify possibly malicious content based on correlations between an executable file of interest and a known malicious file.
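The three detection styles named above (exact fingerprint, keyword rule, and correlation with a known malicious file) and the limitation of the first one are illustrated by the following added example; it is not part of the original text. All "files" are constructed byte strings, the signature database, keyword rule, n-gram size and similarity threshold are assumptions chosen for the demonstration.

```python
import hashlib
from typing import Dict, Set

# Constructed sample "files" (plain byte strings, not real malware): a sample
# already known as malicious, a trivially modified variant of it, and an
# unrelated benign file.
KNOWN_BAD = b"MZ\x90\x00" + b"stage2_marker_loader_block " * 8 + b"dropper-v1"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")  # a single byte differs
BENIGN = b"MZ\x90\x00" + b"hello world, this is a harmless program " * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Signature database: exact fingerprints of files already identified as
#    malicious (assumed to hold only the one known sample).
SIGNATURES: Set[str] = {sha256(KNOWN_BAD)}


def hash_match(data: bytes) -> bool:
    """Exact-fingerprint check: only a byte-identical known file matches."""
    return sha256(data) in SIGNATURES


# 2. Rule-based check: a keyword match on a byte pattern (assumed rule).
KEYWORDS = [b"stage2_marker"]


def keyword_match(data: bytes) -> bool:
    return any(k in data for k in KEYWORDS)


# 3. Correlation with a known malicious file: Jaccard similarity of byte
#    4-gram sets, which tolerates small edits that defeat the exact hash.
def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if (ga | gb) else 0.0


def correlated_with_known(data: bytes, threshold: float = 0.8) -> bool:
    return similarity(data, KNOWN_BAD) >= threshold


def classify(data: bytes) -> Dict[str, bool]:
    """Result of each detection style for one file."""
    return {"hash": hash_match(data),
            "keyword": keyword_match(data),
            "correlated": correlated_with_known(data)}
```

Run against the three constructed files, the variant evades the exact hash but is still caught by the keyword rule and by its high similarity to the known sample, while the benign file triggers none of the checks.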
For malicious content that has not been previously identified as being malicious, current solutions often alert on the effects of the malicious content. However, the aforementioned effects can be difficult to isolate from the effects of non-malicious content and often require prioritization, time-consuming manual discovery, and forensic review leading to long periods of time before significant breaches can even be detected. Oftentimes, cyberspace decision makers are forced to react with incomplete, misleading, and/or outdated information that can lead to suboptimal outcomes.