Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For instance, over the past few years, an increasing number of vulnerabilities are being discovered in software that is loaded onto network devices. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for attack by malware, namely information such as computer code that attempts during execution to take advantage of a vulnerability in computer software by acquiring sensitive information or adversely influencing or attacking normal operations of the network device or the entire enterprise network.
Moreover, with the proliferation of the Internet and the reliance on electronic mail (email) as a means of communication, malware is capable of spreading more quickly and effecting a larger subset of the population than ever before. This is especially true because individual users and businesses can receive hundreds or even thousands of emails every day.
Conventional malware detection systems have been developed in an attempt to identify an email as malicious by (i) scanning content of the header and body of the email and (ii) comparing the scanned content with predetermined data patterns. These predetermined data patterns represent data that has previously been identified as being associated with malicious or suspicious activity. Hence, in response to detection of such data within the scanned content of the email, the conventional malware detection systems may block delivery of the email to the targeted recipient. No further analysis of the particular characteristics of the email message is considered as factors (and/or being used to derive the contextual information) in determining whether the email is associated with a malicious attack.
In fact, while some conventional antivirus programs may be configured to scan emails for malware, the methods currently in use may produce “false negative” results because an email may contain a malicious object that is part of a greater, multi-stage attack, but the object may not itself exhibit maliciousness during the scanning process. Consequently, the malicious object may be allowed to pass through to the end user. Also, updating of the scanning patterns is quite labor intensive, especially as more and more scan patterns are needed based on future detections of new types of malicious emails by the conventional malware detection system and perhaps other systems communicatively coupled to the conventional malware detection system. Using a scanning pattern is a reactive solution since these deterministic patterns are issued after analyzing the attack.
Accordingly, a need exists for an improved malicious message detection system, especially to detect potentially malicious suspicious email messages in a proactive manner.