Patent attributes
A method for runtime malware detection is described. In one embodiment, the method may include classifying a first file as clean and a second file as malware, performing a sample execution of the first and second files, identifying system processes called during sample executions of the first and second files, mapping each system process of the host operating system to a position on an image matrix, indicating each system process called during the sample execution of the first file in a first image matrix and each system process called during the sample execution of the second file in a second image matrix, and determining at runtime a probability that an unknown file includes malware based at least in part on an analysis of the unknown file in relation to at least one of the first instance and the second instance of the generated image matrix.
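The mapping and comparison steps described in the abstract, as an added example that is not code from the patent. The 16-entry catalogue, the call names, the sample traces and the overlap-ratio scoring are all constructed assumptions; the abstract does not say how the analysis is performed.

```python
# Constructed catalogue standing in for "each system process of the host
# operating system". The names are illustrative labels, not from the patent.
CATALOGUE = [
    "file_open", "file_read", "file_write", "file_close",
    "registry_read", "registry_write", "process_create", "process_open",
    "memory_alloc", "memory_write_remote", "thread_create_remote", "net_connect",
    "net_send", "net_recv", "module_load", "time_query",
]
SIDE = 4  # 16 catalogue entries -> 4x4 image matrix
POSITION = {name: divmod(i, SIDE) for i, name in enumerate(CATALOGUE)}

def image_matrix(trace):
    """Mark every catalogued call seen in a trace as a set pixel."""
    matrix = [[0] * SIDE for _ in range(SIDE)]
    for name in trace:
        if name in POSITION:  # calls outside the catalogue have no pixel
            row, col = POSITION[name]
            matrix[row][col] = 1
    return matrix

def overlap(a, b):
    """Jaccard overlap of set pixels (assumed stand-in for the 'analysis')."""
    pairs = [(x, y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    union = sum(x | y for x, y in pairs)
    return sum(x & y for x, y in pairs) / union if union else 0.0

def malware_probability(unknown, clean, malware):
    """Share of the unknown file's similarity that goes to the malware matrix."""
    s_clean, s_mal = overlap(unknown, clean), overlap(unknown, malware)
    total = s_clean + s_mal
    return s_mal / total if total else 0.5  # no evidence either way

# Constructed sample traces (not real telemetry).
CLEAN_TRACE = ["file_open", "file_read", "file_close", "registry_read", "file_open"]
MALWARE_TRACE = ["file_open", "file_write", "registry_write", "process_create",
                 "memory_write_remote", "thread_create_remote", "net_connect"]
UNKNOWN_TRACE = ["file_open", "registry_write", "memory_write_remote",
                 "thread_create_remote", "net_connect", "unlisted_call"]

CLEAN = image_matrix(CLEAN_TRACE)      # first image matrix (clean file)
MALWARE = image_matrix(MALWARE_TRACE)  # second image matrix (malware file)

if __name__ == "__main__":
    p = malware_probability(image_matrix(UNKNOWN_TRACE), CLEAN, MALWARE)
    print(f"P(malware) = {p:.3f}")
```

Repeated calls set the same pixel once, so the matrices record which calls occurred, not how often or in what order.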