Individuals and organizations typically attempt to protect their computing resources with security software products, including antivirus products. To protect the computing resources, the security software products may identify suspicious or unknown files on the protected computing resources and then attempt to identify those files. In the process of identifying the files, the security software products may create a hash of a file and compare the hash to hashes of other known files in a security database. For example, a client-side security product may compare the hash to hashes of files that the client-side security product has previously encountered and identified. Additionally, or alternatively, the client-side security product may compare the hash to hashes of further files that are stored in a server-side security database. Similarly, security software products may analyze the behavior or other attributes of the file in an attempt to estimate whether the file is safe or malicious. Moreover, the vendor of the security software product may also use human experts who manually inspect the file in an attempt to properly classify the file.
The traditional systems for classifying files described above nevertheless suffer from some disadvantages. The large number of suspicious or unknown files may overwhelm the computing and labor resources of the vendor of the security software product. Moreover, attackers may increase the number of suspicious or unknown files by using polymorphism. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for file classification.