Over the years, security solutions have attempted to combat the relentless onslaught of malware in a variety of ways. Early malware-detection solutions relied on signature checking. However, while signature-based solutions may adequately identify known malware samples, malware authors may easily evade signature-based detection by changing a few lines of code or by designing a program that mutates before each new attack. In response, some newer malware-detection solutions rely on pattern-recognition technologies. These solutions may analyze a program file's structure (e.g., by analyzing the file's binary code instruction sequences) and thereby predict, prior to execution, whether the file is malicious. However, malware authors may pack malware, making its structure difficult to inspect, or may obfuscate malware to avoid structural classification engines.
Other newer malware-detection solutions rely on behavioral detection technologies to identify malware based on the behavioral features of a program in execution. Traditional behavioral detection technologies may use n-grams of behavioral events (e.g., a subsequence of n items derived from a given sequence, such as a sequence of API calls) to build statistical models for malware detection. However, malware authors may fool such behavioral detection technologies by making minor re-orderings of system events, which limits the robustness of these technologies. Accordingly, the instant disclosure identifies a need for improved systems and methods for accurately detecting malware.
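The order sensitivity of n-gram features described above can be measured directly. The following is an added example, not part of the original disclosure: it extracts n-grams from a constructed API-call trace and compares them with the n-grams of the same trace after one adjacent pair of events is swapped. The trace and all function names are assumptions made for illustration.

```python
from collections import Counter

def ngrams(events, n):
    """Multiset of contiguous n-grams over an event sequence."""
    return Counter(tuple(events[i:i + n]) for i in range(len(events) - n + 1))

def jaccard(a, b):
    """Multiset Jaccard similarity: sum of min counts over sum of max counts."""
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 1.0

def swap_adjacent(events, i):
    """Copy of the trace with events i and i+1 exchanged."""
    out = list(events)
    out[i], out[i + 1] = out[i + 1], out[i]
    return out

def similarity_by_n(base, variant, max_n=4):
    """Feature overlap between two traces for each n-gram length 1..max_n."""
    return {n: jaccard(ngrams(base, n), ngrams(variant, n))
            for n in range(1, max_n + 1)}

# Constructed trace for illustration only (not taken from any real sample).
BASELINE = [
    "CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
    "RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey", "Sleep",
]
# Same events, same counts; only the order of one adjacent pair differs.
REORDERED = swap_adjacent(BASELINE, 3)

if __name__ == "__main__":
    for n, sim in similarity_by_n(BASELINE, REORDERED).items():
        print(f"n={n}: shared n-gram features = {sim:.2f}")
```

Unigram counts are unchanged by the swap, while the overlap falls to 0.4 for bigrams, 0.2 for trigrams and 0 for 4-grams, so a model keyed on longer n-grams sees an almost entirely different feature set for behaviorally equivalent traces.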