1. Field of the Invention
This invention pertains in general to computer security and in particular to assessing risks presented by computer files and/or other entities that can potentially compromise a computer.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing web sites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
While classical malware was usually mass-distributed to many computers, modern malware is often targeted and delivered to only a relative handful of computers. A Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Likewise, a false email can include a phishing attack that is directed to only customers of a certain bank or other electronic commerce site.
Mass-distributed malware can often be detected and disabled by conventional security software. The security software uses techniques such as signature scanning and behavior monitoring heuristics to detect the malware. However, these techniques are less effective for detecting targeted threats since there are fewer instances of the same malware, and the security software might not be configured to recognize it.
Moreover, even mass-distributed malware is becoming harder to detect. A malicious web site might automatically generate new malicious code for every few visitors. As a result, the malware is widely-distributed but only a small number of users have the exact same code, and it becomes impractical to generate signatures (and use signature scanning-based techniques) to detect it. Sometimes, the different versions of the malware perform different functions, which also makes the malware difficult to detect through heuristics and other techniques. Therefore, there is a need in the art for new ways to detect malware.