Many malicious files are seen only once and only on one machine. Such files are known as singletons. While many singletons are malicious, singletons cannot reliably be classified as malicious by automated means alone, because several benign processes also produce singletons. One such process is just-in-time compilation: development environments for high-level programming languages emit bytecode, which is later compiled to native code on the machine that runs it, producing executable files that are frequently unique to that individual machine. Another benign source of singletons is innocuous files that embed, directly in the file, license strings or other material unique to each instance of the file, so that every installed copy has different bytes.
Many traditional systems for determining whether a file is malicious rely on reputation databases that store fingerprints (for example, cryptographic hashes) of files known to be malicious or benign. Such systems are ineffective at classifying singletons by reputation, because a singleton has not been observed on any other machine and has therefore never been assigned a reputation. While some methods of exonerating benign singletons exist, traditional methods are often not thorough enough to exonerate a large enough proportion of benign singletons for the remaining, unexonerated singletons to be safely convicted. Unfortunately, just-in-time compilation appears to be one of the leading causes of benign singletons, and a blanket exoneration of all such singletons would allow attackers to distribute malware more effectively as bytecode. The instant disclosure, therefore, identifies and addresses a need for systems and methods for evaluating unfamiliar executables.
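The following is an added illustration, not code from the disclosure, of why whole-file reputation lookups fail on benign singletons and why neither convicting nor exonerating every unknown file is safe. It constructs two installed copies of a stand-in "benign program" that differ only in an embedded per-instance license string, plus a stand-in "malicious program" carrying the same string. The placeholder byte content, the `BEGIN-LICENSE:...:END-LICENSE` marker format and the masking-based `normalized_fingerprint` are assumptions made for this example; the masking step stands in for the kind of partial exoneration method the text says exists, and is not the method of the disclosure.

```python
import hashlib
import re

# Constructed sample data (not real executables): a stand-in for the code
# section of a benign program, and a different program that plays the
# malicious singleton. Both are placeholders for this illustration.
BENIGN_CODE = b"\x7fELF" + bytes(range(256)) * 4
MALICIOUS_CODE = b"\x7fELF" + bytes(reversed(range(256))) * 4

# Assumed marker format for the per-instance licence region.
LICENSE_RE = re.compile(rb"BEGIN-LICENSE:[^:]*:END-LICENSE")


def build_instance(code: bytes, licensee: str) -> bytes:
    """Return one installed copy: shared code plus a per-instance licence
    string. The licence string is what makes each copy's bytes unique."""
    return b"BEGIN-LICENSE:" + licensee.encode() + b":END-LICENSE" + code


def fingerprint(blob: bytes) -> str:
    """Whole-file fingerprint of the kind a reputation database is keyed on."""
    return hashlib.sha256(blob).hexdigest()


def normalized_fingerprint(blob: bytes) -> str:
    """Fingerprint with the per-instance licence region masked to a constant.
    Illustrative exoneration aid only; not the disclosure's method."""
    masked = LICENSE_RE.sub(b"BEGIN-LICENSE:*:END-LICENSE", blob)
    return hashlib.sha256(masked).hexdigest()


def lookup(db: dict, fp: str) -> str:
    """Reputation lookup: 'benign', 'malicious', or 'unknown' (a singleton)."""
    return db.get(fp, "unknown")


def convict_unknown(verdict: str) -> str:
    """Unsafe rule 1: treat every unknown file as malicious."""
    return "malicious" if verdict == "unknown" else verdict


def exonerate_unknown(verdict: str) -> str:
    """Unsafe rule 2: treat every unknown file as benign."""
    return "benign" if verdict == "unknown" else verdict


def demo() -> dict:
    # The reputation database has seen exactly one installed copy of the
    # benign tool (constructed licensee name).
    seen = build_instance(BENIGN_CODE, "alice@example.org")
    whole_db = {fingerprint(seen): "benign"}
    norm_db = {normalized_fingerprint(seen): "benign"}

    bob = build_instance(BENIGN_CODE, "bob@example.org")      # benign singleton
    mal = build_instance(MALICIOUS_CODE, "bob@example.org")   # malicious singleton

    whole_bob = lookup(whole_db, fingerprint(bob))
    whole_mal = lookup(whole_db, fingerprint(mal))
    return {
        # Whole-file reputation cannot tell the two singletons apart: both unknown.
        "whole_bob": whole_bob,
        "whole_mal": whole_mal,
        # Convicting every unknown file is a false positive on the benign copy.
        "convict_bob": convict_unknown(whole_bob),
        # Exonerating every unknown file is a false negative on the malicious one.
        "exonerate_mal": exonerate_unknown(whole_mal),
        # Masking the per-instance region exonerates the benign copy by matching
        # known-benign content; the malicious file remains unknown, so it is
        # not exonerated merely for being a singleton.
        "norm_bob": lookup(norm_db, normalized_fingerprint(bob)),
        "norm_mal": lookup(norm_db, normalized_fingerprint(mal)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the two unsafe rules is the trade-off the text describes: a reputation system that has never seen a file has no basis to convict or exonerate it, and any exoneration method has to match the unfamiliar file to known-benign content rather than waive all singletons of a given origin (such as every JIT-compiled file).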