The rapid development of computer technologies in the last decade, as well as the widespread use of various computing devices (personal computers, notebooks, tablets, smartphones, etc.), have become a great incentive for the use of these devices in various areas of activity and to solve a huge number of problems (from Internet surfing to bank transfers and electronic document circulation). In parallel with the growth in the number of computing devices and software running on these devices, the number of malicious programs has also grown at a rapid pace.
At present, a huge number of kinds of malicious programs exist. Some steal personal and confidential user data from users' devices (logins and passwords, banking information, electronic documents). Others enlist users' devices into so-called botnets, which are then used for distributed denial-of-service (DDoS) attacks or for brute-forcing passwords on other computers or computer networks. Still others push paid content on users through intrusive advertising, paid subscriptions, SMS messages to premium-rate numbers, and so on.
Specialized programs, or antivirus applications, are used to deal with malicious programs (that is, to detect them, prevent infection, and restore infected computer systems). Antivirus programs employ diverse technologies to detect the whole array of malicious programs, such as:
signature analysis: searching for matches between a particular code section of the program being analyzed and known code (a signature) from a database of signatures of malicious programs;
heuristic analysis: emulating the execution of the program being analyzed, creating emulation logs (containing data on the API function calls, the parameters passed, the code sections of the program being analyzed, and so on), and searching for matches between the data in those logs and a database of emulation records of malicious programs;
white and black lists: searching for the computed checksum of the program being analyzed (or of portions of it) in a database of checksums of malicious programs (black list) or a database of checksums of legitimate programs (white list); and
proactive protection: intercepting the application programming interface (API) function calls of the program being analyzed while it runs in the system, creating logs of its execution (containing the same kinds of data as emulation logs), and searching for matches between the data in those logs and a database of call patterns of malicious programs.
In response to these antivirus applications, malicious programs increasingly use methods to counteract detection of their presence on infected computer systems, such as:
code obfuscation, to defeat signature analysis: converting the source text (for example, JavaScript scripts) or executable code of a program to a form that retains its functionality yet impedes analysis, understanding of its algorithms, and modification after decompilation;
complication of behavior, to defeat heuristic analysis: inserting a large number of API function calls or operations that do not affect the program's input/output results yet interfere with its emulation by antivirus programs; and
tracking the behavior of foreign programs, to defeat proactive protection: constantly monitoring the behavior of other programs in the operating system, searching for antivirus programs and counteracting them (for example, hiding, or substituting different code for the code that is submitted for analysis).
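The following Python sketch is an added illustration and is not part of the original text. It implements toy versions of three of the antivirus techniques listed above (signature analysis, checksum white/black lists, and matching of an API-call log against a database of known malicious call patterns) and then shows the second evasion described above in action: padding a program's call trace with calls that do not affect its results defeats an exact-sequence log match, while an order-preserving subsequence match still catches it. Every sample file, checksum, signature, API name and log entry below is constructed for the example (the function and database names are assumptions of this example, not names from the text), and a real product would use far richer signatures and behaviour models.

```python
# Added example, not part of the original text: toy versions of three of the
# antivirus techniques listed above (signature analysis, checksum allow/deny
# lists, behaviour-log matching), plus a demonstration of how padding an API
# call trace with irrelevant calls defeats an exact-sequence match but not an
# order-preserving subsequence match. Every sample, hash, signature and log
# line here is constructed for illustration; none refers to a real program.
import hashlib
import re

# Signature database (constructed): name -> byte pattern. The pattern is a
# regex over raw bytes so that bytes varying between samples can be wildcards.
SIGNATURES = {
    "Trojan.Example.A": re.compile(rb"\x55\x8b\xec.{2,8}EVIL_MARKER", re.DOTALL),
}

# Constructed sample files. A "variant" of the known-bad file with one extra
# NOP byte changes its checksum but leaves the signature intact.
KNOWN_BAD_SAMPLE = b"\x55\x8b\xec\x90\x90\x90EVIL_MARKER\x00"
KNOWN_GOOD_SAMPLE = b"MZ\x90\x00hello, benign world\x00"
VARIANT_SAMPLE = KNOWN_BAD_SAMPLE.replace(b"\x90\x90\x90", b"\x90\x90\x90\x90")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Black list (checksums of known malicious files) and white list (checksums of
# known legitimate files), both constructed from the samples above.
BLACK_LIST = {sha256_hex(KNOWN_BAD_SAMPLE)}
WHITE_LIST = {sha256_hex(KNOWN_GOOD_SAMPLE)}

# Behaviour database (constructed): an ordered API-call pattern typical of a
# credential stealer. Each entry is (api_name, regex the parameter must match).
MALICIOUS_BEHAVIOUR = [
    ("CreateFileW", r".*\\Login Data"),
    ("ReadFile", r".*"),
    ("InternetOpenUrlW", r"http://.*"),
]

# Constructed API-call log of a program that exhibits the behaviour directly.
CLEAN_LOG = [
    ("CreateFileW", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ReadFile", "4096"),
    ("InternetOpenUrlW", "http://203.0.113.10/upload"),
]

def pad_with_noise(log, noise=(("GetTickCount", ""), ("Sleep", "10"))):
    """Interleave calls that do not affect the program's I/O results: the
    'complication of behavior' evasion described in the text."""
    padded = []
    for entry in log:
        padded.append(entry)
        padded.extend(noise)
    return padded

PADDED_LOG = pad_with_noise(CLEAN_LOG)

def check_lists(data):
    """Checksum lookup: 'bad', 'good' or 'unknown'."""
    digest = sha256_hex(data)
    if digest in BLACK_LIST:
        return "bad"
    if digest in WHITE_LIST:
        return "good"
    return "unknown"

def signature_scan(data):
    """Names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]

def _entry_matches(entry, template):
    api, arg = entry
    t_api, t_arg = template
    return api == t_api and re.fullmatch(t_arg, arg) is not None

def match_exact(log, behaviour):
    """True if behaviour appears as a contiguous run of calls in the log."""
    n = len(behaviour)
    return any(
        all(_entry_matches(e, t) for e, t in zip(log[i:i + n], behaviour))
        for i in range(len(log) - n + 1)
    )

def match_subsequence(log, behaviour):
    """True if behaviour appears in order in the log with any number of
    unrelated calls in between; this is why call padding alone is not enough."""
    idx = 0
    for entry in log:
        if _entry_matches(entry, behaviour[idx]):
            idx += 1
            if idx == len(behaviour):
                return True
    return False

def scan(data, log):
    """Combine the techniques, cheapest first; returns 'bad', 'good' or 'unknown'."""
    verdict = check_lists(data)
    if verdict != "unknown":
        return verdict
    if signature_scan(data) or match_subsequence(log, MALICIOUS_BEHAVIOUR):
        return "bad"
    return "unknown"

if __name__ == "__main__":
    print("lists:", check_lists(KNOWN_BAD_SAMPLE), check_lists(VARIANT_SAMPLE))
    print("signatures on variant:", signature_scan(VARIANT_SAMPLE))
    print("exact match, padded log:", match_exact(PADDED_LOG, MALICIOUS_BEHAVIOUR))
    print("subsequence match, padded log:", match_subsequence(PADDED_LOG, MALICIOUS_BEHAVIOUR))
```

The ordering in scan mirrors the cost of the techniques: a checksum lookup is cheapest, a signature scan is next, and behaviour matching requires having emulated or hooked the program. The variant sample shows why a checksum alone is brittle (one changed byte produces an unknown hash) while a wildcarded signature still fires, and the padded log shows why a behaviour matcher should tolerate interleaved calls rather than demanding an exact sequence.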
By using resources such as code generators (construction kits able to automatically create malicious programs with functionality specified by the hacker), obfuscators (programs that alter the executable code of a program, complicating its analysis without altering its functionality), packers (program modules embedded into a program that encrypt its executable code and decrypt it when the program is launched), and so on, hackers are able to quickly and easily create and disseminate a large number of new versions of their malicious programs that are not detected by antiviruses.
Thus, even with antiviruses installed, users' computers may become infected, since an antivirus tracking the behavior or structure of all applications installed on the computer may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computer and leaves traces. Based on the traces left behind, and on uncharacteristic behavior of individual applications and of the computer system as a whole, one may identify malicious applications.
In carrying out targeted cyber attacks (advanced persistent threats, APTs), which are directed at selected computer systems (internal networks of major enterprises, corporate databases, centrally stored personal data of a tremendous number of users, such as banking or passport data, and so on), hackers must possess a high level of expertise and substantial resources, allowing them to pursue their goals through various attack vectors (informational, physical, and deception). These goals usually include establishing and expanding their presence inside the target organization's information technology infrastructure in order to extract information, to disrupt or interfere with critical aspects of a task, program, or service, or to take up a position from which these intentions can be carried out in future. A targeted cyber attack such as an advanced persistent threat accomplishes its goals repeatedly over a prolonged period of time, adapts to the defenders' efforts to resist it, and aims to preserve the level of penetration into the target infrastructure that it needs to accomplish its intentions.
For example, in order to sabotage the working of an enterprise, decrease the effectiveness of its information systems, or shut them down entirely, hackers must know how those computer systems work, what hardware they use, which applications run on that hardware, which defensive means are in place, and what strong and weak points they possess. With such preparation, hackers may be able to create malicious programs that are invisible to the antivirus applications running on the attacked computer system and to introduce them by methods that leave no traces of the introduction.
The basic principle of detecting such targeted cyber attacks may include the detection of malicious activity being carried out on the protected computer system.
Known techniques can handle the tasks of detecting known malicious applications (both by structure and by behavior), as well as new malicious applications with already known behavior. They do not adequately handle the task of detecting applications that conceal themselves, manifest themselves in no direct way, and are designed to defeat the known means of defense.
Accordingly, there is a need to solve the problem of detecting malicious computer systems, i.e., systems on which malicious activity is taking place, even in cases when the sources of the malicious activity remain concealed, and the malicious applications themselves present active countermeasures to the known means of defense.