1. Field
The embodiments generally relate to security in a computing environment.
2. Background Art
Wide area computer networks, such as the Internet, are replete with deceptive executable content that adversely impacts both user experience and company revenues. This deceptive executable content may include deceptive binary executable programs, such as malware, spyware and adware, which can be found on websites that host free downloads. Instead of attempting to exploit vulnerabilities on a user's computer system, deceptive binary executable programs may use social engineering to entice the user to download and run the malicious content.
Malware is essentially a hostile or intrusive executable program designed to disrupt or deny operation, steal information leading to loss of privacy, gain unauthorized access to system resources or perform other abusive behavior.
Executable programs such as spyware record users' keystrokes and web surfing habits and send the information to interested parties without the users' knowledge. As a result, private information such as login names, passwords and credit card numbers is susceptible to theft, imposing a security risk on both individual users and organizations as a whole.
Adware is another type of executable program that displays advertising banners in web browsers, which creates undesirable effects on a system, such as overlaying spam advertisements and causing degradation in system performance. Indeed, adware is often installed in tandem with spyware. Accordingly, both programs feed off each other's functionality: spyware programs profile users' internet behavior, while adware programs display targeted ads corresponding to the gathered user profile to monetize control over the infected systems.
Different efforts have been made to identify and remove malware. One approach has focused on using “signatures” or “heuristics” to detect and identify specific malware. These signatures or heuristics may be characteristics such as a bit pattern unique to a type of malware. In this approach, anti-malware software performs a scan by examining the user's computer system for files that match known malware signatures. When matches indicative of the presence of malware are found, the anti-malware software may quarantine or remove the infected files. This conventional approach is limited, however, as it only detects malware after a system is already infected by deceptive executable content, and only when the content matches a previously catalogued signature. In addition, the scanning process is computationally expensive and lacks behavioral analysis of the infected system. As a result, the implications of the presence of deceptive executable content, either at the user level or at the enterprise level, remain unknown.
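The following is an added illustration of the signature-scanning approach described above; it is not part of the original specification and does not represent any particular anti-malware product. The signature names, the hex patterns and the sample file contents are all constructed for the illustration. It shows the two limitations the paragraph notes: the scan can only run over content that is already on the system, and a single changed byte in the deceptive content defeats a bit-pattern signature.

```python
import re

# Constructed signature database: each entry is a hex byte pattern in which
# "??" stands for one arbitrary byte. The names are hypothetical.
SIGNATURES = {
    "Sample.Dropper.A": "4d 5a 90 00 ?? ?? 45 56 49 4c",  # "MZ\x90\x00" .. "EVIL"
    "Sample.Stub.B": "de ad be ef",
}


def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    parts = pattern.split()
    regex = b"".join(
        b"." if part == "??" else re.escape(bytes([int(part, 16)]))
        for part in parts
    )
    # DOTALL so the wildcard also matches newline bytes in binary content.
    return re.compile(regex, re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures whose bit pattern occurs in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def scan_store(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan an already-present set of files (path -> content), as an on-disk
    scanner would, and report only those with at least one signature hit.
    Detection therefore happens after the content has reached the system."""
    return {path: hits for path, content in files.items() if (hits := scan(content))}


# Constructed sample files. The "mutated" dropper differs from the detected
# one by one byte ("EViL" instead of "EVIL"), which is enough to evade
# Sample.Dropper.A even though its behaviour would be identical.
SAMPLE_FILES = {
    "downloads/free_tool.exe": b"MZ\x90\x00\x03\x00EVIL" + b"\x00" * 16,
    "downloads/free_tool_v2.exe": b"MZ\x90\x00\x03\x00EViL" + b"\x00" * 16,
    "downloads/readme.txt": b"MZ\x90\x00\x03\x00HELLO",
    "tmp/stub.bin": b"\x00\x01\xde\xad\xbe\xef\x02",
}


if __name__ == "__main__":
    for path, hits in scan_store(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

The scanner reports `downloads/free_tool.exe` and `tmp/stub.bin`, while the one-byte variant `downloads/free_tool_v2.exe` passes clean. This is the gap the background describes: the signature says nothing about what the program does, so a system on which the variant runs remains reported as uninfected.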