1. Field of the Invention
This invention pertains in general to computer security and in particular to the development of signatures to accurately identify malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can stealthily capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
One method used to detect malware is to identify malware signatures. Malware signatures contain data describing characteristics of known malware and are used to determine whether an entity such as a computer file or a software application contains malware. Typically, a set of malware signatures is generated by a provider of security software and is deployed to security software on a user's computer. This set of malware signatures is then used by the security software to scan the user's computer for malware.
During malware signature generation, malware signatures are typically validated against entities that are known to not contain malware, herein referred to as “goodware,” in order to ensure that the malware signatures do not generate false positive identifications of malware. In other words, the malware signatures are validated to ensure they do not falsely identify goodware as malware. Typically, a malware signature is first generated by a security analyst or a computer and then compared to a dataset of goodware in order to determine whether the malware signature generates false positive identifications of malware. Due to the large size of the dataset of all known goodware and the rapidly increasing amount of malware, generating malware signatures and vetting these signatures against a dataset of goodware has become increasingly difficult.
Accordingly, there is a need in the art for ways to generate malware signatures which do not rely on a comparison with a dataset of goodware and are unlikely to cause false positive detections.