1. Field of the Invention
The present invention relates to computer network security. More specifically, it relates to software and computer systems for creating policies for malware detection and behavior analysis systems.
2. Description of the Related Art
A conventional malware detection and prevention system operates using malware policies developed for detecting potentially malicious behavior in a computer system. The accuracy and efficiency of such a system depend in large part on the specificity of the policies it uses. Presently, policies are developed from single events: the process for analyzing malicious system behavior examines one event that results from the malware operating on the system and derives a policy from that event alone. This is too narrow and limits the functionality of the malware detection and prevention system. Policies derived from a single event are not very precise and may result in a high frequency of false positives. That is, when a "white list" is checked in the malware prevention system, the event being checked may be in the white list even though it should not be, because it may be part of a malicious process stream. Generally, it is difficult to characterize malicious behavior by examining one event; however, it is presently also difficult to obtain policies derived from examining multiple events in a malicious process stream.

For example, conventionally, malware executes on a PC and, when its behavior on the PC is analyzed, a single event believed to be caused by the malware is used to derive a policy, which is then used by the malware detection and prevention system. The system uses a white list to determine which events are acceptable, and the white list in turn is determined by the policy. If the policy is not precise, there is a high occurrence of false positives when the white list is used. Thus, it would be desirable to have a more precise process and system for making malware detection and prevention policies.
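The following Python is an added illustration of the imprecision described above; it is not part of this specification and does not describe the claimed method. It assumes a hypothetical event schema (process id, action, target), a constructed sample process stream, and a hypothetical three-step "drop, persist, execute" sequence. A single-event white list must accept a Run-key write so that a benign installer is not flagged, and so also accepts the same write when a dropper performs it; a policy that matches the ordered sequence of events per process flags only the dropper.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One observed system event (hypothetical schema, not the specification's format)."""
    pid: int       # process that produced the event
    action: str    # "create_process", "file_write" or "registry_set"
    target: str    # path or registry key the action touched


# Constructed sample process stream. pid 100 is a dropper-style chain (script host
# writes a file under AppData, sets a Run key, launches the written file);
# pid 200 is a benign installer that also sets a Run key.
SAMPLE_STREAM: List[Event] = [
    Event(100, "create_process", r"C:\Windows\System32\wscript.exe"),
    Event(100, "file_write",     r"C:\Users\u\AppData\Roaming\update.exe"),
    Event(100, "registry_set",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event(100, "create_process", r"C:\Users\u\AppData\Roaming\update.exe"),
    Event(200, "file_write",     r"C:\Program Files\Vendor\app.exe"),
    Event(200, "registry_set",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Single-event policy: a white list of (action, target prefix) pairs judged
# acceptable in isolation (hypothetical entries). The Run-key entry keeps the
# installer from being flagged, but it equally accepts the dropper's persistence step.
SINGLE_EVENT_WHITELIST: Set[Tuple[str, str]] = {
    ("create_process", r"C:\Windows\System32"),
    ("file_write",     r"C:\Program Files"),
    ("file_write",     r"C:\Users\u\AppData\Roaming"),
    ("registry_set",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
}


def single_event_policy(stream: Sequence[Event],
                        whitelist: Set[Tuple[str, str]]) -> List[Tuple[Event, bool]]:
    """Judge every event on its own: returns (event, allowed) in stream order."""
    verdicts = []
    for ev in stream:
        allowed = any(ev.action == action and ev.target.startswith(prefix)
                      for action, prefix in whitelist)
        verdicts.append((ev, allowed))
    return verdicts


# Multi-event policy: an ordered sequence of steps evaluated per process.
# A step may record context (here the dropped file name) that later steps use.
Step = Callable[[Event, Dict[str, str]], bool]


def wrote_to_appdata(ev: Event, ctx: Dict[str, str]) -> bool:
    if ev.action == "file_write" and r"\AppData\Roaming" in ev.target:
        ctx["dropped"] = ev.target
        return True
    return False


def set_run_key(ev: Event, ctx: Dict[str, str]) -> bool:
    return ev.action == "registry_set" and ev.target.endswith(r"\CurrentVersion\Run")


def launched_dropped_file(ev: Event, ctx: Dict[str, str]) -> bool:
    return ev.action == "create_process" and ev.target == ctx.get("dropped")


DROP_PERSIST_EXECUTE: Sequence[Step] = (wrote_to_appdata, set_run_key, launched_dropped_file)


def multi_event_policy(stream: Sequence[Event], steps: Sequence[Step]) -> Set[int]:
    """Return pids whose stream contains every step in order (unrelated events may interleave)."""
    progress: Dict[int, Tuple[int, Dict[str, str]]] = {}
    matched: Set[int] = set()
    for ev in stream:
        idx, ctx = progress.get(ev.pid, (0, {}))
        if idx < len(steps) and steps[idx](ev, ctx):
            idx += 1
        progress[ev.pid] = (idx, ctx)
        if idx == len(steps):
            matched.add(ev.pid)
    return matched


def whitelisted_but_in_malicious_stream(stream: Sequence[Event],
                                        whitelist: Set[Tuple[str, str]],
                                        steps: Sequence[Step]) -> List[Event]:
    """Events the single-event white list accepts although they belong to a
    process the multi-event policy flags: the imprecision the text describes."""
    flagged = multi_event_policy(stream, steps)
    return [ev for ev, allowed in single_event_policy(stream, whitelist)
            if allowed and ev.pid in flagged]


if __name__ == "__main__":
    for ev, allowed in single_event_policy(SAMPLE_STREAM, SINGLE_EVENT_WHITELIST):
        print(f"single-event: pid={ev.pid} {ev.action:<15} {'allow' if allowed else 'FLAG'}")
    print("multi-event flagged pids:",
          sorted(multi_event_policy(SAMPLE_STREAM, DROP_PERSIST_EXECUTE)))
    print("white-listed events inside a flagged chain:",
          len(whitelisted_but_in_malicious_stream(SAMPLE_STREAM, SINGLE_EVENT_WHITELIST,
                                                  DROP_PERSIST_EXECUTE)))
```

On the constructed stream the single-event white list accepts the dropper's file write and Run-key write (three of its four events) and flags only the final launch, while the ordered policy flags process 100 and leaves the installer alone. Order matters to the multi-event policy: the same three events with the Run-key write occurring before the file drop do not match, which is the kind of distinction a policy derived from one event cannot express.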