Malware (such as viruses, spyware, adware, Trojans, worms, etc.) is software designed to infiltrate and/or damage computer systems without their owners' consent. Malware attacks computer systems both large and small, such as workstations, desktop computers, notebook computers, tablet computers, personal digital assistants (PDAs), smart mobile telephones ("smartphones"), etc., and often causes great damage. Needless to say, it is very important to protect computer systems against the various forms of malware.
Many software applications have been developed to protect computer systems against various types of malware. Examples of anti-malware software products include Symantec's™ Norton AntiVirus, McAfee's® VirusScan® Plus, BitDefender's Total Security, etc. Typically, once such a software application has been installed on a computer system, it scans the entire computer system, i.e., the files on the computer system, or a selected portion of the computer system from time to time to detect and remove known types of malware.
Recently, it has become more commonplace for anti-malware software products to forgo complete directory scanning and instead watch for suspicious behavior in the computer system as a clue to which files to scan. As hard drives become increasingly large, and thus increasingly time-consuming to scan as a whole, this trend towards behavior-based background virus scanning is expected to continue.
In such systems, it is necessary to monitor system behavior and then apply a rule to the monitored behavior in order to determine whether an activity is suspicious or not. The drawback of this approach is that many types of malware cannot be reliably detected by looking for a single activity using a single rule. Such malware often causes multiple activities to be performed, none of which is very suspicious on its own.
Given the disadvantages of looking for a single suspicious activity, a behavior monitoring system is desired that can identify sequences of activities that are suspicious while not falsely identifying innocent individual activities as suspicious.
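To make the distinction concrete, here is an added example (not code from the original text) contrasting single-activity rules with a per-process sequence rule over a constructed event stream; the specific activities, the four-step pattern and the time window are assumptions chosen for illustration.

```python
# Constructed sample event stream, not taken from the original text:
# (timestamp_seconds, process_id, activity). Each activity is commonplace
# on its own; only the ordered combination is treated as suspicious.
EVENTS = [
    (100, 41, "write_file:/tmp/updater.exe"),
    (101, 41, "set_autorun_key"),
    (103, 41, "spawn_process:/tmp/updater.exe"),
    (105, 41, "connect_out:203.0.113.7:4444"),
    (110, 52, "write_file:/home/user/report.docx"),
    (111, 52, "connect_out:198.51.100.10:443"),
    (120, 63, "set_autorun_key"),  # e.g. a legitimate installer
]

# Single-activity rules of the kind the text calls unreliable: each also
# fires on ordinary installers, editors and browsers.
SINGLE_RULES = {
    "write_file:/tmp/": "writes to a temp directory",
    "set_autorun_key": "registers an autorun entry",
    "connect_out:": "opens an outbound connection",
}

# Assumed sequence rule (illustrative, not defined by the source): these
# steps must occur in order, by one process, within WINDOW seconds.
SEQUENCE_RULE = ["write_file:/tmp/", "set_autorun_key",
                 "spawn_process:/tmp/", "connect_out:"]
WINDOW = 60

def single_rule_hits(events):
    """Apply each single rule to every event on its own -> [(pid, why)].
    Noisy: benign processes 52 and 63 are reported alongside 41."""
    return [(pid, why) for _, pid, act in events
            for prefix, why in SINGLE_RULES.items() if act.startswith(prefix)]

def sequence_rule_hits(events, pattern=SEQUENCE_RULE, window=WINDOW):
    """Walk a cursor per process through `pattern` as matching activities arrive
    in order; flag the pid only if all steps complete within `window` seconds."""
    state = {}  # pid -> (index of next expected step, time of first step)
    flagged = set()
    for ts, pid, act in sorted(events):
        idx, start = state.get(pid, (0, None))
        if start is not None and ts - start > window:
            idx, start = 0, None  # partial match expired: start over
        if act.startswith(pattern[idx]):
            start = ts if idx == 0 else start
            idx += 1
            if idx == len(pattern):
                flagged.add(pid)
                idx, start = 0, None
        state[pid] = (idx, start)
    return flagged
```

On this stream the single rules report all three processes, while the sequence rule flags only process 41; shrinking the window below the span of its four steps drops it as well.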