Systems and methods for using attribute data for system protection and security awareness training

We claim: 1. A method for creating attribute data for a file of an application, the method comprising: (a) registering, by a service executing on a device, a driver into an operating system of the device to monitor processes, the driver configured to receive notifications from the operating system of processes started or terminated on the device; (b) executing, an attribute data writer on the device, the attribute data writer in communication with the driver to receive notifications from the driver of processes started on the device; (c) receiving, by the attribute data writer, a process id from the driver for a process of an application detected by the driver as starting on the device; (d) injecting, by an injector program launched by the attribute data writer, an attribute data writer library into the process of the application corresponding to the process id; (e) classifying, by the attribute data writer library, the application into a class of a plurality of classes; and (f) causing, by the attribute data writer library, the application to create attribute data corresponding to the class responsive to a file being one of created or opened by the application. 2. The method of claim 1 , wherein (b) further comprises executing, by the service, the attribute data writer responsive to a user being logged in. 3. The method of claim 1 , wherein (c) further comprises receiving, by the attribute data writer, a second process id corresponding to a parent process. 4. The method of claim 1 , further comprising determining, by the attribute data writer, if one of the path or name of the file, determined from the process is, is in a list of applications to be monitored by the attribute data writer. 5. The method of claim 4 , further comprising determining, by the attribute data writer responsive to the file being in the list of applications to be monitored, a type of architecture of the application. 6. The method of claim 5 , wherein (d) further comprises launching, by the attribute data writer, a version of the injector program corresponding to the type of architecture. 7. The method of claim 1 , wherein (e) further comprises obtaining, by the attribute data write library, information on the injected application and classifying, based on the information, the application into the class of the plurality of classes comprising an email client, a word processor, a web browser, a portable document format reader or writer. 8. The method of claim 1 , further comprising causing, by the attribute data writer library, the data to be stored to one of a master file table or an alternate data stream. 9. The method of claim 1 , further comprising: identifying an attribute data file of a second file being one of opened or created by the application; identifying from one or more attribute data values in the attribute data file a class of the application; and identifying from one or more attribute data values in the attribute data file a non-system initiator application of the application. 10. The method of claim 9 , further comprising determining that the second file is suspicious based on the one or more attribute data values. 11. The method of claim 10 , further comprising displaying, responsive to the determination, a prompt that the second file is suspicious.