Harmful computer programs such as viruses, spyware, malware and others have been prevalent in the computing industry since at least the early 1970s. With each iteration in the development cycle of computer hardware and software, these harmful programs developed as well. The early harmful programs were somewhat more controllable, as system administrators could guard the limited entry points into their computers and computer networks. However, with the advent of the Internet and the greater movement towards hyper-connectivity, the task of guarding against the various harmful programs became a priority for both enterprise and consumer users.
Several companies, including Kaspersky, Symantec, McAfee, Panda, and Eset, created programs aimed at providing solutions to the problem of harmful programs. Several other programs were tailored to be attachments or plugins to specific network hardware devices or software packages. For example, Upload Processor from MSmac Software was an application for uploading attachments to bulletin boards that would perform a virus scan of any identified upload before performing the transaction.
Although programs were developed to thwart and protect against known types of threats, the next wave of harmful programs was more advanced and was able to work around some of the detection and protection mechanisms put in place. These initial adaptations signaled the beginning of an “arms race” in computer protection. Security firms are now locked in a race to protect against the rapidly maturing and developing world of harmful software. Each year this race becomes more relevant as the world becomes increasingly reliant on computer systems and infrastructure. It is estimated that harmful computer programs cause billions of dollars in damages each year. Further, cyberattacks and other forms of cyberwarfare utilizing harmful computer programs are major considerations in the defense and protection of various countries around the world.
One of the principal challenges in the development of protection and detection software is how to reduce false positives, which occur when a program or process is labeled as harmful when it actually isn't, and false negatives, which occur when a program or process is deemed safe when it is actually harmful. False positives and false negatives directly impact the overall success rate of the product and directly impact computer systems and functionality. False positives effectively prevent a user from utilizing legitimate software on their systems. Thus, too many false positives can greatly impact the normal workflow operations of businesses and individuals alike and result in a switch to a different program for protection and detection, or even an abandonment of the protection and detection software altogether by users. The abandonment of the protection and detection software is of particular concern in the present day, as it opens the door for many types of attacks, including those that turn the user's computer into a “bot” or “drone” of harmful activity that spreads worms or attacks other machines on its network or on the Internet.
False negatives are equally problematic in that the user will not be warned of a harmful program and/or will not have the option to prevent the program from executing. The result may be devastating, as the computer user believes they are protected from harmful programs which are, in fact, potentially executing on their machines. These “protected” computers may then also become bots or drones, proliferating harmful activity.
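The two error types described above are what a detection team measures when evaluating a product against a labelled corpus. The following is an added example, not part of the original text, that tallies a detector's verdicts into a confusion matrix and derives the false-positive rate, false-negative rate, precision and recall; the verdict records and file names are constructed for illustration, and the `Verdict` type and function names are assumptions of this example. The zero-denominator guard matters in practice: a corpus with no benign samples makes the false-positive rate undefined rather than zero.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Verdict:
    """One evaluated sample: the analyst's ground truth and the detector's call."""
    sample: str
    is_malicious: bool   # ground truth from the labelled corpus
    flagged: bool        # True when the detector labelled the sample harmful


# Constructed evaluation data (hypothetical file names, not real malware or tools).
VERDICTS: List[Verdict] = [
    Verdict("dropper_a.exe", is_malicious=True,  flagged=True),
    Verdict("dropper_b.exe", is_malicious=True,  flagged=True),
    Verdict("keylog_c.dll",  is_malicious=True,  flagged=True),
    Verdict("worm_d.scr",    is_malicious=True,  flagged=True),
    Verdict("packed_e.exe",  is_malicious=True,  flagged=False),  # false negative
    Verdict("installer.msi", is_malicious=False, flagged=True),   # false positive
    Verdict("notepad.exe",   is_malicious=False, flagged=False),
    Verdict("report.pdf",    is_malicious=False, flagged=False),
    Verdict("backup.zip",    is_malicious=False, flagged=False),
    Verdict("driver.sys",    is_malicious=False, flagged=False),
]


def confusion_counts(verdicts: List[Verdict]) -> Dict[str, int]:
    """Tally true/false positives and negatives from labelled verdicts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for v in verdicts:
        if v.is_malicious and v.flagged:
            counts["tp"] += 1
        elif not v.is_malicious and v.flagged:
            counts["fp"] += 1
        elif v.is_malicious and not v.flagged:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def _safe_div(numerator: int, denominator: int) -> float:
    # A rate whose denominator is empty is undefined; report NaN rather than a
    # misleading 0.0 so a corpus lacking one class cannot masquerade as perfect.
    return numerator / denominator if denominator else float("nan")


def error_rates(counts: Dict[str, int]) -> Dict[str, float]:
    """Derive the standard detection metrics from confusion counts."""
    tp, fp, fn, tn = counts["tp"], counts["fp"], counts["fn"], counts["tn"]
    return {
        # share of benign samples wrongly blocked (the productivity cost)
        "false_positive_rate": _safe_div(fp, fp + tn),
        # share of harmful samples allowed to run (the exposure cost)
        "false_negative_rate": _safe_div(fn, fn + tp),
        "precision": _safe_div(tp, tp + fp),
        "recall": _safe_div(tp, tp + fn),
        "accuracy": _safe_div(tp + tn, tp + fp + fn + tn),
    }


def false_positives(verdicts: List[Verdict]) -> List[str]:
    """Names of benign samples the detector flagged, for triage/whitelisting."""
    return [v.sample for v in verdicts if v.flagged and not v.is_malicious]


def false_negatives(verdicts: List[Verdict]) -> List[str]:
    """Names of harmful samples the detector missed, for signature/heuristic review."""
    return [v.sample for v in verdicts if v.is_malicious and not v.flagged]


if __name__ == "__main__":
    counts = confusion_counts(VERDICTS)
    print("confusion:", counts)
    for name, value in error_rates(counts).items():
        print(f"{name:>20}: {value:.3f}")
    print("missed:", false_negatives(VERDICTS))
    print("wrongly flagged:", false_positives(VERDICTS))
```

In a real evaluation the verdict list would be produced by running the detector over a corpus with known labels; the point of separating the two rates is that a vendor can drive one to zero trivially (flag everything, or flag nothing) while the other explodes, so both must be reported together.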
In both the false positive and false negative situations, there remains the possibility of additional costs from lost productivity, lost information and information exploitation as a result of the actions of the harmful programs. These additional costs have both immediate ramifications and the potential to require businesses and individuals to make significant changes in their daily operations. Thus, many software suppliers offer appliances and applications that aim to reduce the false designations. However, these offerings have proven inefficient in providing protection due to long processing times resulting from overly complex algorithms, inaccurate detection methodologies, and short lifespans due to a lack of flexibility in addressing new threats.
Thus, a need exists for a fast, efficient and accurate method to detect harmful software that is able to adapt to the continually changing face of computer protection.