Individuals and organizations typically seek to protect their computing resources from malware attacks. Traditional security systems may attempt to provide this protection by generating signatures for various malware programs. The security systems may then generate further signatures for any candidate malware programs that are under evaluation. Accordingly, the security systems may detect the presence of instances of the malware programs by determining that a newly generated signature matches a previously generated signature for a known malware program.
Unfortunately, attackers have responded to these traditional systems for detecting malware by using polymorphic malware, which may randomly or arbitrarily modify numerous copies of the malware program such that each copy is sufficiently unique that it no longer matches the previously generated signature. The random modifications may be trivial or nonfunctional, such that they do not significantly alter the functionality of the malware program, yet the modifications may also be sufficient to produce a different signature for the modified copy, thereby defeating signature-based detection. For example, attackers may modify the package name and the application name for malware directed to ANDROID mobile computing systems. Similarly, attackers may modify malware programs to include different string constants or encrypted strings, or otherwise modify the programs to obfuscate the code. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for identifying malware.
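The following added example (not part of the disclosure, and not the method it goes on to claim) illustrates the problem stated above in runnable form. It uses a constructed, hypothetical text representation of two app samples: an "original" and a variant in which only the package name, application name and string constants differ. An exact-bytes signature distinguishes the two, while a signature computed over the normalized instruction sequence, with names dropped and string constants replaced by a placeholder, still matches, and still rejects an unrelated benign sample. The sample format and all names in it are invented for the example.

```python
import hashlib
import re

# Constructed toy "programs": a tiny text stand-in for an Android-style app with
# a package name, an application name, and a body of pseudo-instructions.
# Nothing here is real malware or real code; the format is hypothetical.
ORIGINAL = """\
package: com.example.flashlight
app_name: Free Flashlight
invoke getDeviceId
const-string "http://c2.example.invalid/report"
invoke sendSms
const-string "premium-number-placeholder"
"""

# A polymorphic variant: package name, app name and string constants changed,
# instruction sequence untouched (the trivial modifications described above).
VARIANT = """\
package: org.zzqk.a7b2
app_name: Torch Pro
invoke getDeviceId
const-string "aGVsbG8="
invoke sendSms
const-string "x"
"""

# An unrelated benign sample with a different instruction sequence; a useful
# signature must not match it even after normalization.
BENIGN = """\
package: com.example.notes
app_name: Notes
invoke openDatabase
const-string "notes.db"
invoke showToast
"""


def exact_signature(program: str) -> str:
    """Traditional signature: a hash over the raw bytes of the sample."""
    return hashlib.sha256(program.encode()).hexdigest()


def normalized_signature(program: str) -> str:
    """Structural signature: drop package/app name lines, replace every
    string constant with a fixed placeholder, then hash what remains.
    Renaming and string changes no longer alter the result."""
    kept = []
    for line in program.splitlines():
        if line.startswith(("package:", "app_name:")):
            continue
        line = re.sub(r'"[^"]*"', '"<STR>"', line)
        kept.append(line.strip())
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


def is_known(signature_db: set, program: str, signature_fn) -> bool:
    """Detection step: does the candidate's signature appear in the database
    of signatures previously generated from known samples?"""
    return signature_fn(program) in signature_db


if __name__ == "__main__":
    exact_db = {exact_signature(ORIGINAL)}
    norm_db = {normalized_signature(ORIGINAL)}
    print("exact signature matches variant:", is_known(exact_db, VARIANT, exact_signature))
    print("normalized signature matches variant:", is_known(norm_db, VARIANT, normalized_signature))
    print("normalized signature matches benign:", is_known(norm_db, BENIGN, normalized_signature))
```

The point of the normalization is narrow: it removes exactly the features the text names as cheap to vary (names and string constants) and keeps the instruction sequence, so a copy that was only renamed or re-stringed still collapses to the same signature. It does nothing against an attacker who reorders or rewrites the instructions themselves; that is the gap the disclosure says remains to be addressed.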