1. Field of the Invention
The present invention(s) generally relate to malware detection. More particularly, the invention(s) relate to systems and methods for virtualization and emulation assisted malware detection.
2. Description of Related Art
Malware and advanced persistent attacks are growing in number as well as damage. In 2010, the rise of targeted attacks included armored variations of Conficker.D and Stuxnet (which was referred to as the most advanced piece of malware ever created). Targeted attacks on Google, Intel, Adobe, Boeing, and an estimated 60 others have been extensively covered in the press. The state of the art security defenses have proved ineffective.
Cyber-criminals conduct methodical reconnaissance of potential victims to identify traffic patterns and existing defenses. Very sophisticated attacks involve multiple “agents” that individually appear to be legitimate traffic, then remain persistent in the target's network. The arrival of other agents may also be undetected, but when all are in the target network, these agents can work together to compromise security and steal targeted information. Legacy security solutions use a structured process (e.g., signature and heuristics matching) or analyze agent behavior in an isolated context, without the ability to detect future coordinated activity. As a result, legacy security solutions are not able to detect sophisticated malware that is armored, component based, and/or includes different forms of delayed execution.