The invention relates to the field of computer system security.
Computer systems are vulnerable to various kinds of attacks or threats, including so-called “advanced persistent threats” or APTs, which can be very sophisticated and dangerous from a security perspective. The term APT generally refers to an attacker having the capabilities and resources to persistently target a specific entity, along with the techniques the attacker uses, including malware that infects a system under attack. An APT may be capable of locating and taking harmful action with respect to sensitive data in a computer system, such as copying confidential data to an external machine for criminal or other ill-intended activities. The APT performs its tasks in a stealthy manner so as to avoid detection. In some cases, an APT may be active in a system for a very long period of weeks or months and create corresponding levels of damage.
It is desirable to protect computer systems and their data from threats such as APTs. Among the mechanisms that can be utilized are detection mechanisms for detecting the presence of an APT in a computer system. Generally, any malware that has entered a system can only be removed or disabled after it has first been identified in some manner. Identification in turn requires detection, i.e., acquiring knowledge indicating possible or actual presence of an APT or similar threat in a protected system.