Leveraging behavior-based rules for malware family classification

What is claimed is: 1. An electronic device comprising: one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, (i) analyzing a plurality of behaviors by at least monitoring the plurality of behaviors of a sample during execution within one or more virtual machines and determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample, (ii) generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and (iii) attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family. 2. The electronic device of claim 1 , wherein the software stored in the memory, when executed by the one or more hardware processors, attempts to classify the sample by at least comparing a chronological order of the rule aggregation sequence to a chronological order of rules associated with each of a plurality of known malware families, including the rules associated with the known malware family. 3. The electronic device of claim 1 , wherein the software stored in the memory, when executed by the one or more hardware processors, further conducts the analyzing of the plurality of behaviors and conducts the determining whether the sequence of rules corresponds to the potential malicious behaviors by at least (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether the monitored plurality of behaviors are non-compliant with a series of rules, and if so, (iii) including the series of rules as part of the sequence of rules. 4. The electronic device of claim 1 , wherein the software stored in the memory, when executed by the one or more hardware processors, generating the rule aggregation sequence by at least (i) assigning a weight value to each rule of the sequence of rules and (ii) removing a rule from the sequence of rules when the weight value assigned to the rule is determined to fall below a predetermined threshold, the weight value being based on a probability of the behavior associated with malware. 5. The electronic device of claim 1 , wherein the memory comprises software that, when executed by the one or more hardware processors, generates electrical alert signals to identify the sample and an identified malware family to which the sample pertains. 6. The electronic device of claim 1 , wherein the software stored in the memory, when executed by the one or more hardware processors, conducts the analyzing of the plurality of behaviors to determine the sequence of rules comprises (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether a series of the monitored plurality of behaviors are compliant with the series of rules, and if so, (iii) including the series of rules as part of the sequence of rules. 7. The electronic device of claim 1 , wherein the software stored in the memory, when executed by the one or more hardware processors, generates an alert signal in response to classifying the sample as malicious and part of the known malware family. 8. The electronic device of claim 7 , wherein the alert signal being a type of message including a text message or an electronic mail (email) message. 9. An electronic device comprising: one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises dynamic analysis logic that includes components that, when executed by the one or more hardware processors, generate one or more virtual machines that are configured to process a sample and monitor a plurality of behaviors of the sample during processing within the one or more virtual machines, correlation logic that, when executed by the one or more hardware processors, (i) analyzes the plurality of behaviors of the behaviors by determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample within the one or more virtual machines, and (ii) assigns weight values to each of the sequence of rules and generates a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and classification logic that, when executed by the one or more hardware processors and in response to determining that the sequence of rules corresponds to potential malicious behaviors, attempts to classify the sample to a known malware family based on a degree of relatedness between at least a portion of the sequence of rules and rules associated with the known malware family. 10. The electronic device of claim 9 , wherein the classification logic stored in the memory, when executed by the one or more hardware processors, attempts to classify the sample by comparing a chronological order of the portion of the sequence of rules to a chronological order of unique rules associated with each of a plurality of known malware families, including the rules associated with the known malware family. 11. The electronic device of claim 9 , wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, analyzes the plurality of behaviors by determining whether the sequence of rules corresponds to the potential malicious behaviors by performing operations that comprises (i) monitoring the plurality of behaviors of the sample during execution within the one or more virtual machines, (ii) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (iii) determining whether a series of the chronologically ordered, monitored plurality of behaviors are non-compliant with a series of rules included as part of the plurality of rules, and if so, (iv) including the series of rules as part of the sequence of rules. 12. The electronic device of claim 11 , wherein the series of rules depend on a type of the sample where a first series of rules associated with an executable operating as the sample is different from a second series of rules associated with a Portable Document Format (PDF) document. 13. The electronic device of claim 11 , wherein the series of rules depend on a type of the electronic device where a first series of rules associated with a first type of security appliance is different from a second series of rules associated with a second type of security appliance. 14. The electronic device of claim 11 , wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, assigns the weight value to each rule of the sequence of rules and removes a rule from the sequence of rules when generating the rule aggregation sequence when the weight value assigned to the rule is below a predetermined threshold.