Some anti-malware systems may generate notifications (e.g., security events) in response to detecting certain types of suspicious activities on computing devices. Such notifications may be useful in warning users or administrators that a file on a computing device is malicious and/or that an attacker has accessed sensitive information on the computing device. For example, a notification that a program is hiding its system files may indicate a rootkit infection.
However, many of these notifications may simply describe normal computing behaviors of legitimate programs. As such, the majority of notifications may provide little or no value in detecting malware infections. For example, because hiding system files may be a behavior exhibited by many non-malicious programs, a traditional anti-malware system may ignore a notification that a program is hiding its system files in order to avoid a false alarm. In general, notifications associated with benign activities may create “noise” that overwhelms or obscures notifications describing malicious activities. As a result, conventional anti-malware systems that rely on analyzing notifications of suspicious behaviors may incorrectly classify benign activities as malicious and/or fail to accurately identify actual threats. The current disclosure, therefore, identifies and addresses a need for improved systems and methods for detecting malware infections on computing devices.