Security systems have generally been developed for detecting unwanted activity. Such unwanted activity has often been the result of unwanted code (e.g. rootkits, etc.). In some security systems, unwanted activity has been detected utilizing signature-based techniques, in which code is compared to known unwanted code to determine whether it matches. However, such signature-based techniques have various limitations. For example, signature-based techniques customarily require that the unwanted code already be identified and known before the aforementioned comparison can take place. In addition, signature-based techniques are sometimes capable of being circumvented by maliciously changing computer system memory content so that the content inspected differs from the content that is actually executed.
In other security systems, unwanted activity has been detected utilizing differencing-based techniques, in which different views of a system (e.g. with respect to different operating system contexts, different object enumerations, etc.) are compared for identifying anomalous discrepancies in internal and external operating system objects. Unfortunately, such differencing-based techniques also have various limitations. For example, differencing-based techniques conventionally rely on specialized internal knowledge of the system to be secured. Utilizing such specialized and often privileged implementation details makes it challenging to keep detection software up to date when the underlying software system changes (e.g. when a software platform is revised, etc.), since such changes may alter the internal implementation details that were previously relied upon. Further, differencing-based techniques many times result in false positive identification of unwanted activity due to inaccurate comparisons resulting from race conditions and the like. For example, a false positive detection may be generated if a file is created or deleted between the start of a differencing comparison and the end of such differencing comparison.
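The race condition described above can be made concrete with a small simulation. The following is an added example written for this page, not code from the patent or from any product it describes: a toy system exposes a high-level (API) view, from which a rootkit-style filter hides one name, and a low-level (raw) view that sees everything. A naive one-shot cross-view comparison flags both the genuinely hidden object and a log file that merely happened to be created between the two enumerations; a confirmation pass that re-enumerates both views and reports only discrepancies that persist suppresses the transient one. All file names, the `hidden` set and the mutation events are constructed for the example.

```python
"""Added example (not from the page): cross-view differencing with a
race-aware confirmation pass. All names, views and events are constructed."""
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str, str]  # (tick, "create" | "delete", name)


class SimulatedSystem:
    """Toy system with a high-level (API) view and a low-level (raw) view.

    `hidden` models a rootkit-style filter that removes names from the
    high-level view only. `events` are constructed mutations applied when the
    clock reaches their tick, modelling activity concurrent with a scan.
    Every enumeration advances the clock by one tick.
    """

    def __init__(self, files: Set[str], hidden: Set[str], events: List[Event]):
        self.files = set(files)
        self.hidden = set(hidden)
        self.events = sorted(events)
        self.clock = 0

    def _advance(self) -> None:
        self.clock += 1
        while self.events and self.events[0][0] <= self.clock:
            _, op, name = self.events.pop(0)
            if op == "create":
                self.files.add(name)
            else:
                self.files.discard(name)

    def high_level_view(self) -> Set[str]:
        self._advance()
        return {f for f in self.files if f not in self.hidden}

    def low_level_view(self) -> Set[str]:
        self._advance()
        return set(self.files)


def naive_cross_view_diff(system: SimulatedSystem) -> Dict[str, Set[str]]:
    """One-shot differencing: anything present in one view but absent from the
    other is flagged. 'hidden' = seen raw but not via the API; 'phantom' = the
    reverse. A file created or deleted between the two enumerations lands here."""
    high = system.high_level_view()
    low = system.low_level_view()
    return {"hidden": low - high, "phantom": high - low}


def confirmed_cross_view_diff(system: SimulatedSystem, rounds: int = 2) -> Dict[str, Set[str]]:
    """Race-aware differencing: a candidate is reported only if the same
    discrepancy is observed again in `rounds` further independent enumerations
    of both views. A transient create/delete does not persist; a hidden object does."""
    candidates = naive_cross_view_diff(system)
    for _ in range(rounds):
        low = system.low_level_view()
        high = system.high_level_view()
        candidates = {
            "hidden": {n for n in candidates["hidden"] if n in low and n not in high},
            "phantom": {n for n in candidates["phantom"] if n in high and n not in low},
        }
        if not candidates["hidden"] and not candidates["phantom"]:
            break
    return candidates


def build_scenario() -> SimulatedSystem:
    # Constructed scenario: one genuinely hidden driver, plus a rotated log file
    # that is created at tick 2, i.e. between the first scan's two enumerations.
    return SimulatedSystem(
        files={"/sys/drv/evil.sys", "/etc/hosts", "/var/log/app.log"},
        hidden={"/sys/drv/evil.sys"},
        events=[(2, "create", "/var/log/app.log.1")],
    )


if __name__ == "__main__":
    print("naive:    ", naive_cross_view_diff(build_scenario()))
    print("confirmed:", confirmed_cross_view_diff(build_scenario()))
```

Confirmation only narrows the window; it does not close it, since an object that is repeatedly created and deleted in step with the scanner could still survive the rounds, and the confirmation pass itself depends on both enumeration paths remaining available and trustworthy. That residual dependence on internal enumeration details is the maintenance burden the text describes.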
There is thus a need for addressing these and/or other issues associated with the prior art.