Individuals and organizations constantly seek to protect their computing systems from malware and security threats. For example, attackers may drop applications onto a computing system to enable exploits of the system. In many cases, these applications constitute malware. Moreover, a security vendor may have previously identified the application (e.g., by hash) as malware.
In other situations, however, attackers may use multiple applications, tools, scripts, files, etc., together in coordinated attacks. In these attacks, not all of the applications may be known to constitute malware. In fact, some of the applications may be whitelisted or known to be safe, at least in certain contexts. Nevertheless, applications that are safe in one context may present a security threat in another context. For example, a database program may be safe on a database server that stores corporate records. The same database program may constitute a security threat on a tablet if the corporation only intends the tablet to function as a voice-over-IP phone. The database program may constitute a security threat on the tablet regardless of whether an attacker placed the program on the tablet by design or an administrator placed it there by accident. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for detecting misplaced applications using functional categories.
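The context-dependent idea above (a database program that is expected on a database server but misplaced on a VoIP tablet) can be expressed as a role-profile check. The following is an added illustration, not code from the disclosure; the role profiles, application categories and hash list are constructed sample data.

```python
"""Flag applications that are misplaced for a device's functional role.

Role profiles, app categories and the malware hash list below are
constructed sample data (hypothetical), not real indicators.
"""
import hashlib

# Hypothetical role profiles: functional categories each device role may run.
ROLE_PROFILES = {
    "database_server": {"database", "backup", "monitoring"},
    "voip_tablet": {"telephony", "monitoring"},
}

# Constructed "known malware" hash set (SHA-256 of a sample string, not real).
KNOWN_MALWARE = {hashlib.sha256(b"sample-dropper").hexdigest()}

# Hypothetical category lookup, e.g. from a vendor's application catalogue.
APP_CATEGORIES = {
    "sqlserver.exe": "database",
    "softphone.exe": "telephony",
    "agent.exe": "monitoring",
}


def classify_app(role: str, app_name: str, app_hash: str) -> str:
    """Return one verdict for a single installed application."""
    if app_hash in KNOWN_MALWARE:
        return "known_malware"      # signature match wins regardless of context
    allowed = ROLE_PROFILES.get(role)
    if allowed is None:
        return "unknown_role"       # no profile for this device: cannot judge
    category = APP_CATEGORIES.get(app_name)
    if category is None:
        return "unknown_category"   # uncategorised app: needs analyst review
    if category not in allowed:
        return "misplaced"          # safe elsewhere, a threat in this context
    return "ok"


def audit_device(role: str, inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each (name, sha256) pair in the device inventory to its verdict."""
    return {name: classify_app(role, name, digest) for name, digest in inventory}
```

Running `audit_device("voip_tablet", [...])` over a tablet inventory separates signature hits from applications that are merely in the wrong place, so each class can be routed to a different response.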