As the Internet and other networked computer systems become increasingly integrated into public activities (e.g., the management and operation of governmental organizations) and private activities (e.g., personal activities and the management and operation of households and businesses), breaches of computer system security pose an increasingly significant threat to those activities. Security breaches generally involve disruption of the operation of computer systems (e.g., use of computational resources for unauthorized purposes, or damage to computer components, computers, or entire networks) and/or theft of resources from computer systems (e.g., gathering of sensitive data). Computer system users can devote significant resources to detecting security problems (e.g., suspected or actual threats to or breaches of the security of computer systems) and to preventing security problems from disrupting the operation of their computer systems or stealing resources from those systems.
Some security breaches are caused by malicious software (“malware”). Malware can be deployed in many forms, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, keystroke loggers, rootkits, bots, crimeware, phishing scams, etc. Conventional cybersecurity engines generally rely on signature-based techniques for detecting malware. In general, signature-based malware detection involves obtaining a copy of a file that is known to contain malware, analyzing the static features of the file (e.g., the sequence of bytes contained in the file) to extract a static signature that is characteristic of the malware, and adding the malware's static signature to a database (often referred to as a “blacklist”) of known malware. When a user attempts to access (e.g., download, open, or execute) a file, the cybersecurity engine scans the file and extracts the file's static signature. If the file's static signature matches a signature on the blacklist, the cybersecurity engine detects the presence of malware and intervenes to prevent the malware from executing (e.g., by quarantining or deleting the file).
Static malware detection techniques are generally useful for quickly detecting known malware. However, these techniques can generally be circumvented by new malware that is not yet blacklisted (e.g., zero-day malware or next-generation malware) or by malware that modifies itself to avoid matching a static signature on the blacklist (e.g., oligomorphic, polymorphic, or metamorphic malware). Furthermore, security problems can arise from sources other than malware (e.g., from denial of service attacks, packet floods, etc.).
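As an added illustration (not part of the original text), the signature-based flow of the two preceding paragraphs written as a small Python scanner: static signatures are extracted from a known sample, stored in a blacklist, and matched against scanned files, and a lightly modified copy of the sample shows how a whole-file hash signature is circumvented while a byte-sequence signature still holds. The sample byte strings and the "decrypt-payload-loop" pattern are constructed stand-ins for this example, not real malware or real indicators.

```python
import hashlib

# Constructed stand-ins for file contents (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"BENIGN-HEADER-PADDING" + b"decrypt-payload-loop" + b"\x00" * 8
# Same sample with one byte changed in the padding: the whole-file hash no longer matches.
TWEAKED_SAMPLE = KNOWN_SAMPLE.replace(b"PADDING", b"PADDINH")
# Characteristic byte sequence rewritten as well (as a metamorphic variant would do):
# neither static signature matches any more.
REWRITTEN_SAMPLE = KNOWN_SAMPLE.replace(b"decrypt-payload-loop", b"d3crypt_payl0ad_l00p")
CLEAN_SAMPLE = b"MZ\x90\x00" + b"hello world"


def hash_signature(data: bytes) -> str:
    """Static signature of the first kind: SHA-256 digest of the entire file."""
    return hashlib.sha256(data).hexdigest()


def build_blacklist(known_malware: list[bytes], byte_patterns: list[bytes]) -> dict:
    """Build the blacklist from known malware samples.

    Two kinds of static signatures are stored: whole-file hashes extracted from
    each known sample, and characteristic byte sequences supplied by an analyst.
    """
    return {
        "hashes": {hash_signature(m) for m in known_malware},
        "patterns": list(byte_patterns),
    }


def scan(data: bytes, blacklist: dict) -> list[str]:
    """Scan a file against the blacklist; return the signature kinds that matched.

    A real engine would intervene on a non-empty result (e.g., quarantine the file).
    """
    hits = []
    if hash_signature(data) in blacklist["hashes"]:
        hits.append("hash")
    if any(pattern in data for pattern in blacklist["patterns"]):
        hits.append("pattern")
    return hits


BLACKLIST = build_blacklist([KNOWN_SAMPLE], [b"decrypt-payload-loop"])

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("tweaked", TWEAKED_SAMPLE),
                         ("rewritten", REWRITTEN_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{name:>9}: {scan(sample, BLACKLIST) or ['no match']}")
```

The rewritten variant is the case the paragraph above describes: once the characteristic byte sequence is altered, the static blacklist has nothing left to match, which is the gap behavior-based techniques are meant to cover.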
Some cybersecurity engines rely on behavior-based techniques for detecting malware and other security problems. In general, behavior-based security techniques involve monitoring occurrences on a computer system, identifying suspicious occurrences, and, when suspicious occurrences are identified, intervening to assess the problem (e.g., by initiating a forensic investigation of the occurrence) and to protect the computer system.