Malicious files may contain harmful content, such as malware, than can damage a computing system. Traditionally, security software may detect these malicious files using known data about similar files or through identifying unusual files. For example, a security system may maintain a database of information on malware files and compare files on a computing device against the database to detect possible known malware. Security software may also detect unusual files with unknown attributes on the computing device and flag them as potential malware.
However, many files on computing devices may have unique attributes that cannot be compared with known files. For example, singleton files are the only ones of their kind that are detected in a computing system or organization. Sometimes, security software that may collect information on files across multiple computing systems may collect very little information on singleton files due to privacy issues. Furthermore, it may be costly to collect more detailed information on a vast number of singleton files. Thus, in some cases, malicious files with unique attributes or the first occurrence of a malware file may not be easily identified without information to compare the attributes to known malware. Additionally, benign files with unknown attributes may be wrongly flagged as malware. In many cases, a majority of singleton files may not be accurately identified when the file attributes are too unique for traditional security systems to handle. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for identifying potentially malicious singleton files.