As more users are connected to the Internet and conduct their daily activities electronically, computer users have become the target of an underground economy that infects hosts with malicious software, also known as malware, for financial gain. Unfortunately, even a single visit to an infected web site enables the attacker to detect vulnerabilities in the user's applications and force the download of a multitude of malware binaries. Frequently, this malware allows the adversary to gain full control of the compromised systems, leading to the exfiltration of sensitive information or the installation of utilities that facilitate remote control of the host.
Internet services are increasingly becoming an essential part of our everyday life. We rely more and more on the convenience and flexibility of Internet-connected devices to shop, communicate and, in general, to perform tasks that would otherwise require our physical presence.
Although very beneficial, Internet transactions can expose sensitive user information. Banking and medical records, authorization passwords and personal communication records can easily become known to an adversary who successfully compromises any of the devices involved in online transactions.
In most cases, a successful exploit results in the automatic installation of a malware binary, also called a drive-by download. The installed malware often enables an adversary to gain remote control over the compromised computer system and can be used to steal sensitive information such as banking passwords, to send out spam or to install more malicious executables over time. For instance, FIG. 2 shows a webpage 20 with an original HTML form (i.e., from a machine that is not infected with malware) and FIG. 3 shows a modified HTML form 30 (i.e., the original HTML form with extra malicious parameters, 31 and 32) injected by malware into the login page in order to steal additional user information.
To address this problem and to protect users from being exploited while browsing the web, malware detection tools are required.
It is an object of the present invention to provide a system which is capable of remotely detecting behavior associated with malware.
Other objects and advantages of the invention will become apparent as the description proceeds.