Method of malware detection and system thereof

US11625485B2 · US · B2

Patent metadata

Publication number: US-11625485-B2
Application number: US-202016849808-A
Country: US
Kind code: B2
Filing date: Apr 15, 2020
Priority date: Aug 11, 2014
Publication date: Apr 11, 2023
Grant date: Apr 11, 2023


Abstract

Official abstract text for this publication.

There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.

First claim

Opening claim text (preview).

The invention claimed is:

1. A computer-implemented method of performing a behavior-based analysis of an execution of a program in an operating system, the method comprising: monitoring, by a computer system, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment, wherein the monitoring comprises tracking user space operations and the kernel space operations; selecting at least one operation of interest from the one or more operations; generating, by the computer system, an event data for each of the at least one operation of interest, wherein the event data characterizes one or more events of the at least one operation of interest; filtering event data of interest from the event data for each of the at least one operation of interest, the filtering based on one or more predefined filtering rules; normalizing the event data of interest into a logical data structure such that attributes of the event data of interest can be accessed and analyzed; building, by the computer system, at least one stateful model of the execution of the program based on the normalized event data of interest, the at least one stateful model comprising a hierarchical structure of the at least one operation of interest performed by the execution of the program in the live environment, the at least one operation of interest linked by an event context, wherein the hierarchical structure comprises: the event context comprising: one or more objects derived from the one or more monitored operations; one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the at least one operation of interest and a source of the one or more events, wherein the type comprises an identifier of the at least one operation of interest that characterizes the one or more events, and wherein the source comprises an originating entity that performs the at least one operation of interest, wherein each of the one or more objects represents an entity related to the one or more monitored operations; analyzing, by the computer system, the event context in view of the at least one stateful model to identify one or more behaviors of the execution of the program related to the one or more events; applying a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises: determining a behavior score for each of the one or more identified behaviors; assigning a weight factor to each behavior score associated with the one or more identified behaviors to generate a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates the likelihood of the presence of malware based on the one or more identified behaviors; determining a sum of the weighted behavior scores for each of the one or more identified behaviors; and comparing the one or more identified behaviors and the score to one or more pre-existing behaviors and a pre-existing score of a pre-existing stateful model, wherein the computer system comprises a processor and memory.

2. The method of claim 1, further comprising updating, in real time, the at least one stateful model in response to one or more new events.

3. The method of claim 1, further comprising outputting, via an output device of the computer system, a representation of the one or more identified behaviors of the execution of the program.

4. The method of claim 1, further comprising storing the one or more identified behaviors of the execution of the program in a behavioral profile database.

5. The method of claim 1, wherein the computer system comprises a cloud-based computer system.

6. The method of claim 1, wherein the computer system comprises one or more functional components distributed over more than one computer.

7. The method of claim 1, wherein the live environment comprises one or more programs, including the program, operating concurrently and interactively for their intended uses.

8. The method of claim 1, further comprising aggregating the one or more identified behaviors.

9. The method of claim 1, wherein the one or more behaviors comprise a representation of a behavior pattern of the execution of the program.

10. The method of claim 1, further comprising analyzing the one or more behaviors to determine if the execution of the program comprises malware.

11. A system for performing a behavior-based analysis of an execution of a program in an operating system, the system comprising: one or more computer readable storage devices configured to store a plurality of computer executable instructions; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to: monitor, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment, wherein monitoring comprises tracking user space operations and the kernel space operations; select at least one operation of interest from the one or more operations; generate an event data for each of the at least one operation of interest, wherein the event data characterizes one or more events of the at least one operation of interest; filter event data of interest from the event data for each of the at least one operation of interest, the filtering based on one or more predefined filtering rules; normalize the event data of interest into a logical data structure such that attributes of the event data of interest can be accessed and analyzed; build at least one stateful model of the execution of the program based on the normalized event data of interest, the at least one stateful model comprising a hierarchical structure of the at least one operation of interest performed by the execution of the program in the live environment, the at least one operation of interest linked by an event context, wherein the at least one stateful model comprises: the event context comprising: one or more objects derived from the one or more monitored operations; one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the at least one operation of interest and a source of the one or more events, wherein the type comprises an identifier of the at least one operation of interest that characterizes the one or more events, and wherein the source comprises an originating entity that performs the at least one operation of interest, wherein each of the one or more objects represents an entity rel
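The pipeline in claim 1 (select operations of interest, filter by predefined rules, normalize into a logical structure, build a stateful model of objects, fields and relationships, identify behaviors, weight and sum behavior scores, compare against a pre-existing profile) can be exercised end to end with a small toy implementation. The following is an added example, not code from the patent or from Sentinel Labs; the operation types, filtering rules, the two behavior checks, the scores, weights and the "dropper_like" profile are all assumptions chosen to illustrate the shape of the claim, and the event stream is constructed sample data rather than real telemetry.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    """One monitored operation (the claim's 'event data')."""
    type: str           # identifier of the operation (the claim's 'type')
    source: str         # originating entity that performed it (the claim's 'source')
    target: str         # object the operation acted on
    params: tuple = ()  # optional extra attributes as (key, value) pairs


# Assumed "operations of interest" and "predefined filtering rules".
OPERATIONS_OF_INTEREST = {"process_create", "file_write", "net_connect"}
FILTER_RULES: list[Callable[[Event], bool]] = [
    lambda e: e.type in OPERATIONS_OF_INTEREST,    # keep selected operation types only
    lambda e: not e.source.startswith("system:"),  # drop OS housekeeping noise
]


def filter_events(events: list[Event]) -> list[Event]:
    """Keep only event data that passes every filtering rule."""
    return [e for e in events if all(rule(e) for rule in FILTER_RULES)]


def normalize(event: Event) -> dict:
    """Flatten an event into the logical structure the model is built from."""
    return {"type": event.type, "source": event.source,
            "target": event.target, "attrs": dict(event.params)}


class StatefulModel:
    """Hierarchical model: objects, per-object fields, and relationships between them."""

    def __init__(self) -> None:
        self.objects: dict[str, dict] = {}                # object name -> fields
        self.relationships: list[tuple[str, str, str]] = []  # (source, op type, target)

    def _object(self, name: str, kind: str) -> dict:
        return self.objects.setdefault(name, {"kind": kind, "ops": []})

    def update(self, ev: dict) -> None:
        """Incorporate one normalized event (claim 2: update as new events arrive)."""
        src = self._object(ev["source"], "process")
        tgt_kind = {"process_create": "process", "net_connect": "endpoint"}.get(ev["type"], "file")
        tgt = self._object(ev["target"], tgt_kind)
        src["ops"].append(ev["type"])
        if ev["type"] == "process_create":
            tgt["kind"] = "process"      # a file object that is now executing
            tgt["parent"] = ev["source"]
        self.relationships.append((ev["source"], ev["type"], ev["target"]))

    def pairs(self, rel_type: str) -> set[tuple[str, str]]:
        return {(s, t) for s, r, t in self.relationships if r == rel_type}


# Assumed behavior checks, each evaluated over the event context of the model.
def drop_and_execute(m: StatefulModel) -> bool:
    """A process wrote a file and then started it as a new process."""
    return bool(m.pairs("file_write") & m.pairs("process_create"))


def dropped_process_network(m: StatefulModel) -> bool:
    """A process whose image was written during the session opened a network connection."""
    dropped = {t for _, t in m.pairs("file_write")} & {t for _, t in m.pairs("process_create")}
    return any(s in dropped for s, _ in m.pairs("net_connect"))


# name -> (check, behavior score, weight factor); values are assumptions.
BEHAVIORS = {
    "drop_and_execute": (drop_and_execute, 60, 1.0),
    "dropped_process_network": (dropped_process_network, 40, 0.5),
}

# Pre-existing profiles: behaviors and score of a previously analyzed stateful model.
PROFILES = {"dropper_like": ({"drop_and_execute", "dropped_process_network"}, 80.0)}


def score_model(m: StatefulModel) -> tuple[list[str], float]:
    """Identify behaviors, weight each behavior score, and sum the weighted scores."""
    identified = [n for n, (check, _, _) in BEHAVIORS.items() if check(m)]
    weighted = {n: BEHAVIORS[n][1] * BEHAVIORS[n][2] for n in identified}
    return identified, sum(weighted.values())


def match_profile(behaviors: list[str], score: float) -> Optional[str]:
    """Compare identified behaviors and score against pre-existing profiles."""
    for name, (known, known_score) in PROFILES.items():
        if set(behaviors) == known and score >= known_score:
            return name
    return None


def run(events: list[Event]) -> dict:
    model = StatefulModel()
    for ev in filter_events(events):
        model.update(normalize(ev))
    behaviors, score = score_model(model)
    return {"behaviors": behaviors, "score": score,
            "profile": match_profile(behaviors, score), "objects": len(model.objects)}


# Constructed sample telemetry (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    Event("file_write", "C:/Users/u/Downloads/setup.exe", "C:/Users/u/AppData/Local/Temp/upd.exe"),
    Event("process_create", "C:/Users/u/Downloads/setup.exe", "C:/Users/u/AppData/Local/Temp/upd.exe"),
    Event("net_connect", "C:/Users/u/AppData/Local/Temp/upd.exe", "203.0.113.5:443"),
    Event("file_write", "system:idle", "C:/Windows/Temp/log.txt"),          # filtered: noise source
    Event("registry_read", "C:/Users/u/Downloads/setup.exe", "HKCU/Software"),  # filtered: not of interest
]
BENIGN_EVENTS = [Event("file_write", "C:/Program Files/Editor/editor.exe", "C:/Users/u/notes.txt")]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
    print(run(BENIGN_EVENTS))
```

The sample stream yields both behaviors, a weighted sum of 80.0 and a match against the "dropper_like" profile, while the single benign write produces no behaviors and a score of 0. In a real product the behavior checks would run incrementally as each event updates the model rather than over the finished model, and the scores and weights would come from a tuned behavioral profile database rather than literals.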

Assignees

Sentinel Labs Israel Ltd

Inventors

Classifications

  • G06F21/566 (Primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (CPC title)

  • Computer malware detection or handling, e.g. anti-virus arrangements (CPC title)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11625485B2 cover?
There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more beh…
Who is the assignee on this patent?
Sentinel Labs Israel Ltd
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 11, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).