Malicious software, commonly referred to as malware, is any software designed to infiltrate a computer system in order to gain control over it and perform unauthorized actions, such as theft of confidential information. A wide variety of malware exists today, including network worms, trojan programs, rootkits, exploits and computer viruses. Consequently, many owners of computer devices (for example, personal computers) use antivirus applications for protection, which make it possible to detect and remove malicious programs. Today's antivirus applications are usually complex, multi-component systems that include a number of protection modules.
One protection technology is signature scanning, which identifies known malicious programs among all the programs installed in a computer system. For this purpose, the technology relies on a database containing information on known malicious programs, for example in the form of hashes of such programs. Such databases are usually updated by receiving information on newly detected malicious programs from the antivirus vendor, distributed over the Internet.
Another protection technology is “whitelisting”, which monitors applications using “white” lists of trusted programs. This technology permits software to run in the computer system without restriction if that software has been classified as trusted.
Another technology used in contemporary antivirus applications is behavioral detection, which analyzes the behavior of applications. This technology can be based, for example, on intercepting the application programming interface (API) functions called by an application and then analyzing them. It should be noted that it is not the API functions themselves that are studied, but the sequence of calls to various API functions and their parameters. The analysis identifies suspicious actions, such as an attempt to access system files by a non-trusted process (for example, a process launched from a file that appeared in the system only recently and has not yet been checked by the antivirus application). Once suspicious actions have been identified, further analysis is performed and a decision is made as to whether the software is malicious.
The above-described technologies, when used jointly to detect malicious programs, have one substantial deficiency. Malicious code can infiltrate the address space of a trusted process (for example, through a vulnerability in the program or in the operating system) and then continue to execute with the rights of that trusted process. An access attempt made by the injected malicious code will then not be considered suspicious and will be allowed to complete, because it appears to be performed by the trusted process itself.
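The following toy model illustrates the behavioral rule from the two paragraphs above and the deficiency just described. It is an added example for this section, not code from the patent or from any antivirus product; the process images, paths, and the `origin` field (the module that contains the return address of an intercepted call) are constructed for the illustration. A rule that judges a system-file access only by whether the *process* is trusted lets a call made from injected, image-less memory inside a trusted process through; a variant that also asks which code inside the process issued the call does not.

```python
"""Toy behavioral-detection model over intercepted API calls.

Added illustration for this section; not code from the patent or from any
antivirus product. Images, paths and the 'origin' field are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical whitelist: images a "white" list has classified as trusted.
TRUSTED_IMAGES = {
    "c:\\windows\\explorer.exe",
    "c:\\windows\\system32\\svchost.exe",
}
# Directories whose files count as "system files" for the example.
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# API functions the hook treats as file-access calls.
FILE_APIS = {"NtCreateFile", "NtOpenFile"}


@dataclass
class ApiCall:
    pid: int
    image: str                  # executable the process was launched from
    api: str                    # intercepted API function
    params: Dict[str, str]      # parameters captured by the hook
    origin: Optional[str]       # module containing the call's return address;
                                # None if that address lies in memory not
                                # backed by any loaded image


def touches_system_file(call: ApiCall) -> bool:
    """True when the call is a file API aimed at a system directory."""
    path = call.params.get("path", "").lower()
    return call.api in FILE_APIS and path.startswith(SYSTEM_DIRS)


def detect_by_process_trust(calls: List[ApiCall]) -> List[int]:
    """Rule as described in the text: a system-file access is suspicious
    only when the *process* performing it is not trusted."""
    return [i for i, c in enumerate(calls)
            if touches_system_file(c) and c.image.lower() not in TRUSTED_IMAGES]


def detect_by_call_origin(calls: List[ApiCall]) -> List[int]:
    """Variant that also asks *which code* inside the process made the call.
    Code running from memory that no loaded image backs is not covered by
    the image's trust, so its system-file access is flagged even when the
    hosting process is trusted."""
    return [i for i, c in enumerate(calls)
            if touches_system_file(c)
            and (c.image.lower() not in TRUSTED_IMAGES or c.origin is None)]


# Constructed event stream (not captured from a real system).
SAMPLE_CALLS = [
    # 0: recently appeared, unscanned binary writing a system file
    ApiCall(4120, "C:\\Users\\u\\Downloads\\update_1234.exe", "NtOpenFile",
            {"path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "access": "WRITE"},
            origin="C:\\Users\\u\\Downloads\\update_1234.exe"),
    # 1: trusted explorer.exe reading a system file from its own code
    ApiCall(1044, "C:\\Windows\\explorer.exe", "NtCreateFile",
            {"path": "C:\\Windows\\System32\\shell32.dll", "access": "READ"},
            origin="C:\\Windows\\explorer.exe"),
    # 2: the same trusted process, but the call returns into memory that no
    #    image backs: code injected into the trusted process's address space
    ApiCall(1044, "C:\\Windows\\explorer.exe", "NtCreateFile",
            {"path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "access": "WRITE"},
            origin=None),
    # 3: unrelated, non-file API call
    ApiCall(1044, "C:\\Windows\\explorer.exe", "NtQuerySystemInformation", {},
            origin="C:\\Windows\\explorer.exe"),
]


if __name__ == "__main__":
    print("process-trust rule flags:", detect_by_process_trust(SAMPLE_CALLS))
    print("call-origin rule flags:  ", detect_by_call_origin(SAMPLE_CALLS))
```

Event 2 is the case the paragraph above describes: the process-trust rule returns only `[0]`, whereas the call-origin variant returns `[0, 2]`. The origin check here is deliberately minimal; code injected as a DLL is backed by a mapped image and would need the trust decision to be made per module rather than per process.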
In known approaches to detecting malicious programs, monitoring, analyzing, and evaluating the behavior of all processes are very resource-intensive tasks, and performing them can cause the so-called “freezing” of the applications run by the user or of the whole operating system. A solution to these and related issues is needed.