Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto endpoint devices present on the network. These vulnerabilities may be exploited by allowing a third-party, e.g., through computer software, to gain access to one or more areas within the network not typically accessible. For example, a third-party may exploit a software vulnerability to gain unauthorized access to email accounts and/or data files.
While some software vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for attack through software vulnerabilities and/or by exploits, namely malicious computer code that attempts to acquire sensitive information, adversely influence, or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.
In particular, malware is often placed in objects embedded in network traffic. For example, a portable document file (PDF) document (document object) may be received as part of network traffic and include a second PDF document embedded therein. Current malware detection systems have difficulty detecting the embedded object, especially if the embedded object is not present on the default view (e.g., the first page of a PDF document) of the document object during the malware detection process. For example, current malware detection systems may have difficulty detecting an embedded object that is located on page 50 of an 80 page PDF document, due to, in part, time constraints in analyzing the object.
Additionally, even if current malware detection systems are able to detect an embedded object within a document object, the presence of the embedded object is merely used as one characteristic of the document object. Current malware detection systems typically do not process the embedded object to determine whether the embedded object is itself malicious.
Therefore, current malware detection systems may provide false negatives and/or false positives because a full understanding of the maliciousness of the embedded object is not obtained. Numerous false negatives are reported when the document object is non-malicious, one of the embedded objects is malicious but the mere presence of the embedded object is not sufficient to cause the malware detection system to determine the document object is malicious. Since current malware detection systems do not process the embedded object, the maliciousness goes undetected. Similarly, numerous false positives are reported when the document object and the embedded object are both non-malicious but the mere presence of the embedded object causes the malware detection system to determine the document object is malicious.