In recent years, malicious programmers have created a variety of sophisticated targeted attacks and advanced persistent threats aimed at high-profile or high-level entities, such as governments, corporations, political organizations, defense contractors, or the like. In many cases, the goal of such targeted attacks is to gain access to highly sensitive or confidential information, such as financial information, defense-related information, and/or intellectual property (e.g., source code), and/or to simply disrupt an entity's operations.
Many such attacks involve sending emails to a targeted entity that contain an attachment that has been carefully crafted to take advantage of an as-yet-undiscovered vulnerability of a particular application (commonly known as a “zero-day” exploit). Because many security software companies attempt to combat malware by creating and deploying malware signatures (e.g., hash functions) that uniquely identify known malware, this type of targeted attack (commonly known as a “spear phishing” attack) is often difficult for traditional security software to detect and/or neutralize since the exploits in question have yet to be publicly discovered.
Consumers and businesses face a growing tide of malicious software that threatens the stability and performance of their computers and the security of their data. Computer programmers with malicious motivations have created and continue to create viruses, Trojan horses, worms, and other programs (collectively known as “malware”) in an attempt to compromise computer systems. In an attempt to evade detection, malicious programmers may inject malware into or among legitimate programs.
Many security software companies attempt to combat malware by creating and deploying malware signatures (e.g., hash functions that uniquely identify malware) to their customers on a regular basis. However, a significant amount of malware has not yet been identified and therefore cannot be detected using traditional signature-based malware-detection mechanisms, particularly since malware authors may regularly modify their malware in an attempt to circumvent commonly employed signature-based malware-detection mechanisms. Furthermore, signature-based malware detection may fail to provide zero-day protection against new malware.
In addition to or as an alternative to a signature-based approach, security software companies may apply a variety heuristics to classify programs (e.g., as malware or as safe). Unfortunately, heuristic classification methods may result in false negatives, allowing malware to continue to execute. Some heuristic classification methods may use more expansive techniques to reduce false negatives, only to result in false positives, potentially interfering with legitimate software applications.
Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for reducing false positives when using event-correlation graphs to detect attacks on computing systems.