Malware infections on computers and other electronic devices are highly intrusive and hard to detect and repair. In fact, malware and exploits often evade detection altogether, forcing constant updates to the prevention and detection software installed on user devices. Anti-malware solutions may operate by matching code or files against signatures of known malicious software, or against a list of software that has been approved (i.e., a “whitelist”), to determine whether the software is harmful to a computing system. However, malware may disguise itself through the use of polymorphic programs or executables, wherein the malware changes its own code to avoid detection by anti-malware solutions. In such cases, anti-malware solutions may fail to detect new or morphed malware in a zero-day attack. Malware may include, but is not limited to, spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service attacks, viruses, loggers, Trojans, adware, or any other digital content that produces unwanted activity.
Existing solutions that attempt to perform malware and anomaly detection using “whitelisting” are a simple and efficient way to protect a system against malware, but they are often ineffective against exploits and are highly restrictive: they most frequently result in ‘binary’ rules that either allow or block an action, which makes them extremely difficult to use in a fluid and customized consumer setup. While detecting and blocking programs that have been “blacklisted” is achievable, addressing programs that are “gray” (i.e., neither approved nor disapproved) is a growing challenge in the field of malware detection.
Thus, what is needed is a system that performs malware (and other anomaly) detection by leveraging both pattern recognition and machine learning to provide “content-less” malware detection, i.e., detecting a process as an ‘anomaly’ not based on its particular content, but purely on a comparison of its behavior to known (and characterized) ‘normal’ application behaviors, i.e., the application's “phenotype.” By analyzing the patterns of normal behavior commonly performed by approved applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e., “application phenotypes”) for particular applications. The processes executed on a user device can later be compared to the stored behavioral models to determine whether the actual measured behavior differs from the stored model to a sufficient degree, and with a sufficient degree of confidence, to indicate a potentially malicious process or behavior.
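The comparison described above, as an added illustration that is not part of the original text: a minimal content-agnostic “phenotype” is built from the event-frequency profile of several normal runs of a hypothetical application, a new process trace is scored by how far its behavior deviates from that profile, and a verdict is returned only when the model is backed by enough observed runs and events to be confident. The event names, traces, thresholds and the deviation metric are all constructed assumptions for this example.

```python
from collections import Counter

# Constructed sample data (not from the page): behaviour event traces from three
# normal runs of a hypothetical "editor.exe". Event names are illustrative.
NORMAL_TRACES = [
    ["file_open", "file_read", "file_write", "file_close", "gui_paint"],
    ["file_open", "file_read", "gui_paint", "gui_paint", "file_close"],
    ["file_open", "file_write", "file_close", "gui_paint", "gui_paint"],
]

def build_phenotype(traces):
    """Content-agnostic model of 'normal': relative frequency of each behaviour
    event across all observed runs, plus how many runs back the model."""
    total = Counter(e for t in traces for e in t)
    n = sum(total.values())
    return {"freq": {e: c / n for e, c in total.items()}, "runs": len(traces)}

def deviation(phenotype, trace):
    """Distance in [0, 1] between a process's behaviour and the phenotype:
    the larger of (a) the share of events the phenotype has never seen and
    (b) half the L1 distance between the two event-frequency distributions."""
    counts = Counter(trace)
    n = len(trace)
    seen = phenotype["freq"]
    unseen_share = sum(c for e, c in counts.items() if e not in seen) / n
    keys = set(counts) | set(seen)
    l1 = sum(abs(counts.get(e, 0) / n - seen.get(e, 0.0)) for e in keys) / 2
    return max(unseen_share, l1)

def classify(phenotype, trace, threshold=0.5, min_runs=3, min_events=4):
    """Return (verdict, deviation, confidence). A process is flagged only when
    the deviation is large enough AND the comparison is backed by enough
    normal runs and enough observed events; otherwise the verdict is
    'unknown' rather than a confident 'anomaly'."""
    if not trace:
        return "unknown", 0.0, 0.0
    dev = deviation(phenotype, trace)
    confidence = min(1.0, phenotype["runs"] / min_runs) * min(1.0, len(trace) / min_events)
    if confidence < 1.0:
        return "unknown", dev, confidence
    return ("anomaly" if dev > threshold else "normal"), dev, confidence

if __name__ == "__main__":
    model = build_phenotype(NORMAL_TRACES)
    benign = ["file_open", "file_read", "gui_paint", "file_close"]
    odd = ["file_open", "file_read", "net_connect", "net_send", "net_send", "reg_write", "file_close"]
    print(classify(model, benign))  # verdict "normal": same kinds of events, similar mix
    print(classify(model, odd))     # verdict "anomaly": network/registry events never seen in the phenotype
```

Because the model only looks at the shape of behavior, the same trace would be flagged regardless of what bytes the process was built from, which is the point of content-less detection; the confidence gate is what keeps a thinly observed phenotype from producing false alarms.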