Over the last decade, malicious software (malware) has become a pervasive problem for Internet users. Often malware exploits vulnerabilities in networked resources. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto network devices, such as vulnerabilities within operating systems for example. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for attack by exploits that use malicious computer code. The malware may attempt to acquire sensitive information or adversely influence or attack normal operations of a network device or the entire enterprise network.
Currently, in malware detection systems, one or more virtual machines may be used to process objects, which may include, for example, content from network traffic and/or files retrieved from a storage location, in order to activate, observe, and thereby detect malicious software. However, this processing may require user interaction, for example, in the form of an input initiated by an input device such as a graphical user interface (GUI), mouse, keyboard, keypad or the like. Based on an inability to provide the necessary user input, current malware detection systems may fail to activate the malicious content within the objects. One reason is that sophisticated malware often has a self-defense mechanism, which attempts to detect whether it is running in a virtual environment of a malware detection system rather than the intended environment of a client device under user control. One type of self-defense mechanism involves the malware monitoring whether user input expected by an application is supplied at the appropriate time. If it is not, the malware may simply hibernate (not activate), and thus not present itself for detection by the malware detection system.
Some conventional malware detection systems apply generic, static patterns of simulated input device controls in a virtual run-time environment in the absence of actual human interaction. However, malware creators have been able to identify these patterns. As a result, they have been able to equip their malware to identify such static simulated device controls, and upon detection, cause the malware to refrain from activating the malicious code in order to remain undetected. As a consequence, some conventional malware detection systems may experience unacceptable levels of false negatives or be forced to deploy a multitude of pattern detection schemes that will increase the rate of false positives.