Field of the invention
This application relates to an apparatus and a method for detection of irregularities on a device, such irregularities include but are not limited to malware or fraud.
Brief Description of the Related Art
The term “malware” is short for “a malicious software” and is software that is used or programmed to disrupt operation of an individual computer and/or computer network, to gather sensitive information or to gain access to private computer systems. The malware can appear in the form of code, scripts, active content, and other software. The malware includes, but is not limited to, computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, outware, rock security software. The majority of active malware threats are usually worms or Trojans, rather than viruses.
As attacks by malware become more frequent, programs and methods have been developed specifically to combat the malware. One commonly used approach is to install a scanner onto a user's computer, which hooks deep into the operating system and functions in a manner similar to the way in which the malware itself would attempt to operate. The scanner, on attempted access of a file, checks if the accessed file is a legitimate file, or not. The access operation would be stopped if the file is considered to be malware by the scanner and the file will be dealt with by the scanner in a pre-defined way. A user will generally be notified. This approach may considerably slow down speed of operation the operating system and depends on the effectiveness of the scanner.
Another approach to combatting malware is to attempt to provide real-type protection against the installation of the malware on the user's computer. This approach scans the incoming network data for a malware and blocks any threats identified.
Empty-malware software programs can be used for detection and removal of the malware that has already been installed onto computer. This approach scans the contents of the operating system registry, operating system files and installed computer programs on the user's computer and provides a list of any identified threats, allowing the user to choose which ones of the files to delete or keep, or to compare this list to a list of known malware and removing the related files.
Typically, malware products detect the malware based on heuristics or on signatures. Other malware products maintain a black list and/or a white list of files that are known to be related to the malware.
Methods of detecting malware using a plurality of detection sources to detect potential attacks of malware are known. The use of more than one detection source enables a more reliable decision to be made about whether a computer network is under attack. For example, US patent application publication No. US 2006/0259967 (Thomas et al.) teaches a method for determining whether a network is under attack by sharing data from several event detection systems and passing the suspicious event data to a centralized location for analysis. The suspicious event data is generated in an event valuation computer including an evaluation component. The evaluation component analyses the suspicious events observed in the network and quantifies the likelihood that the network is infected or under attack by malware. The evaluation component can, in one aspect of the disclosure, determine whether the number of suspicious events in a given timeframe is higher than a predetermined threshold. The evaluation component may also analyze metadata generated by the event detection systems and thereby calculate a suspicious score representing the probability that the network is infected or under attack.
US patent application publication No. 2008/0141371 (Bradicich et al.) discloses a method and system for heuristic malware detection. The detection method includes merging a baseline inventory of file attributes for a number of files from each client computing system. The method includes receipt of an updated inventory of file attributes in a current inventory survey from different ones of the clients. Each received inventory survey can be compared to the merged inventory and, in response to the comparison, a deviant pattern or file attribute changes can be detected in at least one inventory survey for a corresponding one of the clients. The deviant pattern can be classified as one of a benign event or a malware attack.
Similarly, a thesis by Blount entitled “Adaptive rule-based malware detection employing learning classifier systems”, Missouri University of Science and Technology, 2011, discloses a rule-based expert system for the detection of malware with an evolutionary learning algorithm. This creates a self-training adaptive malware detection system that dynamically evolves detection rules. The thesis uses a training set to train the algorithm.