Method of malware detection and system thereof

The invention claimed is: 1. A computer-implemented method of performing a behavior-based analysis of an execution of a program in an operating system, the method comprising: monitoring, by a computer system, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment, wherein the monitoring comprises tracking user space operations and the kernel space operations; generating, by the computer system, an event data for each of the one or more monitored operations; normalizing the event data into a logical data structure such that attributes of the event data can accessed and analyzed; building, by the computer system, at least one stateful model of the execution of the program based on the normalized event data, the at least one stateful model comprising a hierarchal structure of the one or more monitored operations performed by the execution of the program in the live environment, the one or more monitored operations linked by an event context, wherein the hierarchal structure comprises: the event context comprising: one or more objects derived from the one or more monitored operations; one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the one or more monitored operations and a source of the one or more events; analyzing, by the computer system, the event context to identify one or more behaviors of the execution of the program related to the one or more events; and applying a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises: determining a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates a likelihood of the presence of malware based on the one or more identified behaviors; determining the score by computing a sum of the weighted behavior scores for each of the one or more identified behaviors; and comparing the one or more identified behaviors and the score to one or more pre-existing behaviors and a pre-existing score of a pre-existing stateful model. 2. The computer-implemented method of claim 1 , further comprising updating, in real time, the at least one stateful model in response to one or more new events. 3. The computer-implemented method of claim 1 , further comprising outputting, via an output device of the computer system, a representation of the one or more identified behaviors of the execution of the program. 4. The computer-implemented method of claim 1 , further comprising storing the one or more identified behaviors of the execution of the program in a behavioral profile database. 5. The computer-implemented method of claim 1 , wherein the computer system comprises a cloud-based computer system. 6. The computer-implemented method of claim 1 , wherein the computer system comprises one or more functional components distributed over more than one computer. 7. The computer-implemented method of claim 1 , wherein the live environment comprises one or more programs, including the program, operating concurrently and interactively for their intended uses. 8. The computer-implemented method of claim 1 , further comprising aggregating the one or more identified behaviors. 9. The computer-implemented method of claim 1 , wherein the one or more behaviors comprise a representation of a behavior pattern of the execution of the program. 10. The computer-implemented method of claim 1 , further comprising analyzing the one or more behaviors to determine if the execution of the program comprises malware. 11. A system for performing a behavior-based analysis of an execution of a program in an operating system, the system comprising: one or more computer readable storage devices configured to store a plurality of computer executable instructions; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to: monitor, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program running in the operating system in a live environment, wherein monitoring comprises tracking user space operations and the kernel space operations; generate an event data for each of the one or more operations of interest, wherein the event data characterizes one or more events of the one or more monitored operations; normalize the event data into a logical data structure such that attributes of the event data can accessed and analyzed; build at least one stateful model of the execution of the program based on the normalized event data, the at least one stateful model comprising a hierarchal structure of the one or more monitored operations by the execution of the program in the live environment, the one or more monitored operations linked by an event context, wherein the at least one stateful model comprises: the event context comprising: one or more objects derived from the one or more monitored operations; one or more fields generated for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an associate to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the one or more monitored operations and a source of the one or more events; analyze the event context to identify one or more behaviors of the execution of the program related to the one or more events; and apply a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises: determining a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates a likelihood of the presence of malware based on the one or more identified behaviors; and determining the score by computing a sum of the weighted behavior scores for each of the one or more identified behaviors; and compare the one or more identified behaviors and the score to one or more pre-existing behaviors and a pre-existing score of a pre-existing stateful model. 12. The system of claim 11 , wherein the system is further caused to update, in real time, the at least one stateful model in response to one or more new events. 13. The system of claim 11 , wherein the system is further caused to output, via an output device of the system, a representation of the one of more behaviors of the execution of the program. 14. The system of claim 11 , wherein the system is further caused to store the one or more behaviors of the execution of the program in a behavioral profile database. 15. The sy