In recent years, malicious programmers have created a variety of sophisticated targeted attacks aimed at high-profile or high-level entities, such as governments, corporations, political organizations, defense contractors, or the like. In many cases, the goal of such targeted attacks is to gain access to highly sensitive or confidential information, such as security credentials, financial information, defense-related information, and/or intellectual property (e.g., source code), and/or to simply disrupt an entity's operations.
Many security software companies attempt to combat targeted attacks by creating and deploying malware signatures (e.g., hash functions that uniquely identify known malware) to their customers on a regular basis. However, a significant number of the above-mentioned attacks involve malware that has been carefully crafted to take advantage of an as-yet-undiscovered vulnerability of a particular application (commonly known as a “zero-day” exploit). As such, these attacks are often difficult for traditional security software to detect and/or neutralize since the exploits in question have yet to be publicly discovered.
In addition to or as an alternative to a signature-based approach, some security software companies utilize a variety of behavior-based heuristics to detect targeted attacks. Unfortunately, a significant number of targeted attacks (e.g., advanced persistent threats) may move at a slow pace such that traditional security software may be unable to distinguish individual malicious behaviors of the targeted attacks from legitimate behaviors, particularly since attacks of this type may involve the use of benign software and/or the actions of authorized users, which are generally not detected either by malware signatures or behavior-based heuristics.
Both the high stakes involved and the changing nature of threats create an increasing need to detect malware as early as possible, before data loss, system compromise, or other damage occurs. Accordingly, the instant disclosure identifies and addresses a need for improved systems and methods for detecting malware.