Currently, it is common for malicious software (malware) such as computer viruses, worms and spyware to affect a computer such that it no longer behaves as expected. Malicious software can delete files, slow computer performance, clog e-mail accounts, steal confidential information, cause computer crashes, allow unauthorized access and generally perform other actions that are undesirable or not expected by the user of the computer.
Current technology allows computer users to create backups of their computer systems and of their files and to restore their computer systems and files in the event of a catastrophic failure such as a loss of power, a hard drive crash or a system operation failure. Unfortunately, these prior art techniques are not effective when dealing with infection of a computer by malicious software: they address recovery rather than detection, a backup gives no indication that an infection has occurred, and a backup taken after the infection preserves the malware along with the files. It is therefore important to be able to detect such malware when it first becomes present in a computer system.
One prior art technique for detecting a virus is known as signature matching. A predefined pattern database holds a known pattern (the virus signature) for each known item of malware, and a suspected file is compared against the stored patterns in order to perform detection. This technique, however, cannot handle new, unknown malware. Although a new pattern is developed for a new computer virus (for example) as soon as the virus is discovered and analyzed, there is always an interval between when the virus first begins its destruction and when a signature is available to detect and prevent it, and because a virus spreads so rapidly, much of the damage is done within that interval. Other disadvantages of this technique are that a large pattern database must be maintained and distributed, and that a polymorphic virus, which changes its byte pattern from one copy to the next, is difficult to defend against with a fixed signature.
Other prior art techniques use predefined rules or heuristics to detect unknown malware (heuristic scan techniques). These rules encode characteristics that malware commonly exhibits, but they must be written manually and are hard to maintain. Further, it is time-consuming and difficult to record all of the rules necessary to detect many different kinds of malware. Because the number of rules is necessarily limited, this technique often has both a high false-positive rate (legitimate programs that happen to exhibit the rule characteristics are flagged) and a high false-negative rate (malware that avoids those characteristics is missed). Also, because a heuristic scan algorithm is fixed, a malicious hacker who knows the rules can write a new virus specifically in order to bypass the heuristic algorithm.
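The two prior art limitations described above (a signature database that cannot match a variant it has never seen, and a fixed rule set that yields both false positives and false negatives) can be shown with a minimal scanner of each kind. The following is an added illustration and is not code from the original text or from any product it describes; the sample file contents, the signature database, the XOR-based "polymorphic" transformation, the heuristic rules and their weights, and the flagging threshold are all constructed for this example.

```python
"""
Added example: a byte-signature scanner and a rule-based heuristic scanner
run over three constructed samples, showing why each prior art approach
fails. Nothing here is taken from a real anti-virus product.
"""
from __future__ import annotations

import hashlib
import re

# --- constructed samples (hypothetical file contents) --------------------------
# A "known" malicious body that the signature database has already been built from.
KNOWN_PAYLOAD = b"MZ" + b"\x90" * 16 + b"DROP_FILES_AND_SPREAD" + b"\x00" * 8


def xor_encode(data: bytes, key: int) -> bytes:
    """Trivial polymorphic transformation: same behaviour, different bytes."""
    return bytes(b ^ key for b in data)


# A "new variant": the same logic, re-encoded with a key behind a small decoder
# stub. None of the original byte patterns appear in the stored file any more.
VARIANT_PAYLOAD = b"MZ" + b"DECODE_STUB:" + xor_encode(KNOWN_PAYLOAD[2:], 0x5A)

# A benign packed installer that legitimately writes files and uses the network.
BENIGN_PACKED = b"MZ" + b"UPX!" + b"\x00" * 4 + b"INSTALLER_WRITE_FILES_NETWORK"

# --- signature matching ----------------------------------------------------------
# Two common signature forms: a whole-file hash and a distinctive byte sequence.
SIGNATURE_DB = {
    "hash": {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()},
    "bytes": [b"DROP_FILES_AND_SPREAD"],
}


def signature_scan(sample: bytes) -> bool:
    """Return True only if the sample matches a known hash or byte signature."""
    if hashlib.sha256(sample).hexdigest() in SIGNATURE_DB["hash"]:
        return True
    return any(sig in sample for sig in SIGNATURE_DB["bytes"])


# --- heuristic scan --------------------------------------------------------------
# Hand-written rules with fixed weights; a sample scoring >= THRESHOLD is flagged.
# The rules and weights are invented for the example.
HEURISTIC_RULES = [
    (re.compile(rb"WRITE_FILES|DROP_FILES"), 2, "writes to other files"),
    (re.compile(rb"SPREAD|NETWORK"), 2, "network or propagation activity"),
    (re.compile(rb"UPX!|DECODE_STUB"), 1, "packed or self-decoding"),
]
THRESHOLD = 3


def heuristic_scan(sample: bytes) -> tuple[bool, list[str]]:
    """Score the sample against the fixed rule set; return (flagged, reasons)."""
    score = 0
    hits: list[str] = []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern.search(sample):
            score += weight
            hits.append(reason)
    return score >= THRESHOLD, hits


def evaluate() -> dict[str, dict[str, bool]]:
    """Run both scanners over every sample and return the verdicts."""
    samples = {
        "known": KNOWN_PAYLOAD,          # caught by both
        "variant": VARIANT_PAYLOAD,      # missed by both: false negative
        "benign_packed": BENIGN_PACKED,  # flagged by heuristics: false positive
    }
    return {
        name: {"signature": signature_scan(s), "heuristic": heuristic_scan(s)[0]}
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:14s} {verdicts}")
```

The known sample is caught by both scanners, while the re-encoded variant slips past the signature database (neither its hash nor its byte sequence is present) and past the heuristic rules (the strings the rules look for are no longer visible in the stored bytes), and the benign packed installer is flagged by the heuristics because it legitimately exhibits the same characteristics the rules were written to catch.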
Prior art mechanisms for deploying the above anti-virus techniques also could benefit from improvement. For example, firewall anti-virus software is typically installed on a router, switch or host in order to capture and analyze network data packets. This technology, however, inspects only the network data that passes through that point and is aimed at attacks arriving over the network, so it may be unable to protect against malware that propagates and attacks locally, for example from removable media or between programs on the same host. An intrusion detection system or intrusion prevention system (IDS/IPS) likewise focuses on detecting and preventing an attack over a network. Such a system must inspect traffic at the speed at which it arrives, which limits the depth of analysis it can perform, and it is typically based on pattern recognition and thus inherits the limitations of the signature matching technique described above.
Due to the limitations of the above prior art and the need to detect unknown malicious software while limiting false positives and false negatives, an improved detection technique is desired.