1. Field of the Invention
This invention pertains in general to computer security and in particular to the identification of malware.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Computer security systems and software for counteracting malware typically operate by seeking to identify malware using malware signatures and/or heuristics. Malware signatures contain data describing characteristics of known malware and can be used to determine whether an entity such as a computer file or a software application contains malware. Malware heuristics contain data describing behaviors performed by malware entities. Typically, malware signatures and heuristics are generated by a provider of security software and deployed to security software on a client computer. The malware signatures are then used by the security software to scan a set of software applications stored on the client computer for malware. The security software uses the malware heuristics to determine whether the behaviors of an entity on the client computer indicate that the entity is malware.
The use of malware signatures and heuristics to detect malware is complicated by the large variance in behavior and characteristics exhibited by malware. This variance is often based on the computer system on which a piece of malware is executing, herein referred to as “system specific variance”. System specific variance may be due to differences in operating systems, resources, hardware components, files and software applications (such as security software or patches) specific to computer systems. For example, a heuristic describing a behavior of known malware may not detect the malware if the malware is not able to perform the behavior because a particular software application relied upon by the malware is not installed on the system.
The behavior and characteristics exhibited by malware may also vary over time, herein referred to as “temporal variance”. Temporal variance may be due to the different behaviors associated with different stages of malware attacks (i.e. the malware “life cycle”). For instance, a heuristic describing a behavior specific to a virus dropper may detect the virus dropper only when it is active.
Characteristics and behaviors exhibited by malware may also vary due to polymorphisms in the malware. Polymorphisms are small changes to data associated with malware that may alter the characteristics of the malware. Polymorphisms may also cause variance in the behaviors exhibited by malware.
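As an added illustration, not part of the patent text, the following Python sketch models the signature-and-heuristic scanner described above and then shows how each kind of variance (polymorphic, system specific and temporal) can cause a miss, and how they compound. Every sample byte string, signature pattern, behavior name, host component and life-cycle stage below is constructed for this example; none corresponds to real malware or to any security product's detection data.

```python
"""
Toy signature-and-heuristic scanner illustrating the detection model in
the text above, and the three kinds of variance that defeat it.
All samples, signatures, heuristics and behavior traces are constructed
for illustration and correspond to no real malware or product.
"""
from dataclasses import dataclass, field

# A signature is a byte pattern extracted from a known sample (constructed).
SIGNATURES = {
    "Sig.ExampleDropper": b"DROP-STAGE-ONE",
}

# A heuristic is a set of behaviors that together indicate malware
# (hypothetical labels, not any product's taxonomy).
HEURISTICS = {
    "Heur.CredentialTheft": frozenset(
        {"read_browser_store", "open_network_socket", "send_data"}
    ),
}

# Constructed behavior model: each behavior of the sample needs a host
# component to be present and only occurs in one stage of the life cycle.
BEHAVIOR_MODEL = {
    "read_browser_store": {"needs": "browser", "stage": "active"},
    "open_network_socket": {"needs": "network", "stage": "active"},
    "send_data": {"needs": "network", "stage": "active"},
}


@dataclass
class Entity:
    """A file or application on the client, plus the behaviors observed for it."""
    name: str
    content: bytes
    behaviors: set = field(default_factory=set)


def scan_signatures(entity, signatures=SIGNATURES):
    """Names of every signature whose byte pattern occurs in the entity."""
    return sorted(n for n, pat in signatures.items() if pat in entity.content)


def scan_heuristics(entity, heuristics=HEURISTICS):
    """Names of every heuristic whose full behavior set was observed."""
    return sorted(n for n, need in heuristics.items() if need <= entity.behaviors)


def classify(entity):
    """Combine both detection methods into one verdict for the entity."""
    sigs = scan_signatures(entity)
    heurs = scan_heuristics(entity)
    return {"signatures": sigs, "heuristics": heurs, "malware": bool(sigs or heurs)}


def polymorph(content, position, delta=1):
    """Constructed stand-in for a polymorphic change: alter one byte."""
    mutated = bytearray(content)
    mutated[position] = (mutated[position] + delta) % 256
    return bytes(mutated)


def observe_behaviors(stage, installed, model=BEHAVIOR_MODEL):
    """Behaviors the sample actually performs on a host at a given stage."""
    return {b for b, spec in model.items()
            if spec["stage"] == stage and spec["needs"] in installed}


def scenarios():
    """Run the scanner over four constructed situations and return the verdicts."""
    base = b"header DROP-STAGE-ONE payload"
    full_host = {"browser", "network"}
    variant = polymorph(base, base.index(b"STAGE"))  # one byte inside the signature
    return {
        # Known sample, active stage, fully equipped host: both methods fire.
        "known_active": classify(
            Entity("known_active", base, observe_behaviors("active", full_host))),
        # Polymorphic variance: signature misses, heuristic still catches it.
        "polymorphic_variant": classify(
            Entity("variant", variant, observe_behaviors("active", full_host))),
        # System specific variance: no browser on the host, so the behavior
        # set is incomplete and the heuristic misses; the signature still hits.
        "missing_dependency": classify(
            Entity("no_browser", base, observe_behaviors("active", {"network"}))),
        # Temporal variance on top of polymorphism: a dormant variant shows no
        # behaviors and no known pattern, so neither method detects it.
        "polymorphic_dormant": classify(
            Entity("dormant", variant, observe_behaviors("dormant", full_host))),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} {verdict}")
```

The last scenario is the point of the passage: each method covers one of the other's blind spots, but a sample that is both mutated and not yet active evades both, and adding one more signature or heuristic only covers that single combination.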
The use of additional malware signatures and heuristics cannot fully compensate for temporal, system specific and polymorphic variance in malware characteristics and behaviors. Further, due to the large amount of malware to which a computer system can be exposed, increasing the number of new malware signatures and malware heuristics is not a scalable approach to compensate for variation in characteristics and behaviors. Accordingly, there is a need in the art for methods of malware detection which compensate for this variation.