Over the next decade, computer security programs may continue to transition from primarily blacklist-based anti-malware solutions to whitelist-based solutions. Whitelist-based solutions may allow whitelisted software applications to run while blocking all other applications. However, whitelist-based solutions may not block all malicious code from executing. For example, a publisher may provide legitimate software for a period of time in order to gain trust and have the software whitelisted. The publisher may then introduce malicious code into the whitelisted software. As another example, a malicious developer in a trusted software company may introduce malware in a whitelisted program.
Traditional behavior-monitoring systems may provide some protection against malware in whitelisted software. Behavior-monitoring systems may monitor a software application and attempt to block malicious actions of the application. However, most traditional behavior-monitoring systems do not effectively evaluate and control the behavior of software applications.
Traditional behavior-monitoring systems may be ineffective because they may lack the information needed to determine whether a software application is acting maliciously. Behavior-monitoring systems may use generalized rules to monitor applications, but they may be unable to determine whether an application should be allowed to access a particular file or network resource.
Behavior-monitoring systems may attempt to analyze an application and determine all of the normal activities performed by the application. The behavior-monitoring systems may then prevent abnormal activity. However, analyzing most applications may result in a broad list of actions that gives the monitoring system too little information for effective behavior monitoring. For example, malicious activities may be treated as normal activities and may not be blocked.
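The two failure modes described above (generalized rules that lack resource-level information, and a baseline that absorbs malicious activity as "normal") can be made concrete with a small baseline-style monitor. The code below is an added illustration, not part of this document or of any product it describes; the application name "reportgen", the file paths, the hostnames and every event are constructed sample data, and the learning and enforcement functions are a hypothetical simplification of how such a monitor might work.

```python
"""Constructed illustration of a baseline-style behavior monitor.

The monitor learns the 'normal' activities of a whitelisted application
from a profiling run and then blocks anything outside that baseline.
All events below are constructed; no real application was profiled.
"""

# Events observed while profiling a hypothetical whitelisted application
# ("reportgen"). Each event is an (action, resource) pair.
PROFILING_RUN = [
    ("file_read", "/home/user/reports/q1.csv"),
    ("file_write", "/home/user/reports/q1.pdf"),
    ("net_connect", "updates.example-vendor.test:443"),
]

# Events from a later run, after the whitelisted program was modified to
# include malicious code (constructed). Two events are clearly malicious.
LATER_RUN = [
    ("file_read", "/home/user/reports/q2.csv"),
    ("file_read", "/home/user/.ssh/id_rsa"),        # credential theft
    ("net_connect", "exfil.attacker.test:443"),      # exfiltration
    ("file_write", "/home/user/reports/q2.pdf"),
]


def learn_generalized_baseline(events):
    """Generalized rules: remember only which kinds of action the app performs.

    This is the 'broad list of actions' problem: the baseline says the app
    reads files, writes files and opens network connections, with no notion
    of which files or which hosts.
    """
    return {action for action, _ in events}


def learn_exact_baseline(events):
    """Exact rules: remember every (action, resource) pair seen while profiling."""
    return set(events)


def enforce(baseline, events, generalized):
    """Return the events that the monitor would block under the given baseline."""
    blocked = []
    for action, resource in events:
        key = action if generalized else (action, resource)
        if key not in baseline:
            blocked.append((action, resource))
    return blocked


def compare_strategies():
    """Run the three scenarios the text describes and report what gets blocked.

    - 'generalized': action-type rules learned from a clean profiling run.
    - 'exact': per-resource rules learned from the same clean run.
    - 'poisoned_exact': per-resource rules learned from a run in which the
      malicious activity was already present, so it is learned as normal.
    """
    generalized = learn_generalized_baseline(PROFILING_RUN)
    exact = learn_exact_baseline(PROFILING_RUN)
    poisoned = learn_exact_baseline(PROFILING_RUN + LATER_RUN)
    return {
        "generalized": enforce(generalized, LATER_RUN, generalized=True),
        "exact": enforce(exact, LATER_RUN, generalized=False),
        "poisoned_exact": enforce(poisoned, LATER_RUN, generalized=False),
    }


if __name__ == "__main__":
    for strategy, blocked in compare_strategies().items():
        print(f"{strategy}: blocked {len(blocked)} event(s)")
        for event in blocked:
            print("   ", event)
```

Running it shows the trade-off in the text: the generalized baseline blocks nothing, because "read a file" and "connect to a host" are already normal, so the credential read and the exfiltration connection pass; the exact baseline blocks the malicious events but also every legitimate action on a new file, because it has no way to tell a new report from a private key; and once the malicious activity is present during profiling, even the exact baseline treats it as normal and blocks nothing.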