Prospective client identification using malware attack detection
US-9027135-B1 · May 5, 2015 · US
US12450351B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12450351-B2 |
| Application number | US-202418679330-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 30, 2024 |
| Priority date | Aug 11, 2014 |
| Publication date | Oct 21, 2025 |
| Grant date | Oct 21, 2025 |
Official abstract text for this publication.
There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
Opening claim text (preview).
We claim:

1. A computer-implemented method of performing a behavior-based analysis of an execution of a program in an operating system, the method comprising: monitoring, by a computer system, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program, wherein the monitoring comprises tracking at least one of user space operations or the kernel space operations; generating, by the computer system, an event data for each of the one or more monitored operations; normalizing the event data into a logical data structure such that attributes of the event data can accessed and analyzed; building, by the computer system, at least one stateful model of the execution of the program based on the normalized event data, the at least one stateful model comprising a hierarchal structure of the one or more monitored operations, wherein the hierarchal structure comprises an event context comprising: one or more objects derived from the one or more monitored operations; one or more fields for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an association to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the one or more monitored operations and a source of the one or more events; analyzing, by the computer system, the event context to identify one or more behaviors of the execution of the program related to the one or more events; and applying a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises: determining a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates a likelihood of a presence of malware based on the one or more identified behaviors; and determining the score by computing a sum of the weighted behavior scores for each of the one or more identified behaviors.

2. The computer-implemented method of claim 1, further comprising updating, in real time, the at least one stateful model in response to one or more new events.

3. The computer-implemented method of claim 1, further comprising outputting, via an output device of the computer system, a representation of the one or more identified behaviors of the execution of the program.

4. The computer-implemented method of claim 1, further comprising storing the one or more identified behaviors of the execution of the program in a behavioral profile database.

5. The computer-implemented method of claim 1, wherein the computer system comprises a cloud-based computer system.

6. The computer-implemented method of claim 1, wherein the computer system comprises one or more functional components distributed over more than one computer.

7. The computer-implemented method of claim 1, wherein the program is executed in a live environment, wherein the live environment comprises one or more programs, including the program, operating concurrently and interactively for their intended uses.

8. The computer-implemented method of claim 1, further comprising aggregating the one or more identified behaviors.

9. The computer-implemented method of claim 1, wherein the one or more behaviors comprise a representation of a behavior pattern of the execution of the program.

10. The computer-implemented method of claim 1, further comprising analyzing the one or more behaviors to determine if the execution of the program comprises malware.

11. A system for performing a behavior-based analysis of an execution of a program in an operating system, the system comprising: one or more computer readable storage devices configured to store a plurality of computer executable instructions; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to: monitor, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program, wherein monitoring comprises tracking at least one of user space operations or the kernel space operations; generate an event data for each of the one or more monitored operations; normalize the event data into a logical data structure such that attributes of the event data can accessed and analyzed; build at least one stateful model of the execution of the program based on the normalized event data, the at least one stateful model comprising a hierarchal structure of the one or more monitored operations, wherein the hierarchal structure comprises an event context comprising: one or more objects derived from the one or more monitored operations; one or more fields for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an association to the respective object; and one or more relationships identified among the one or more objects; and attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the one or more monitored operations and a source of the one or more events; analyze the event context to identify one or more behaviors of the execution of the program related to the one or more events; and apply a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises: determining a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates a likelihood of a presence of malware based on the one or more identified behaviors; and determining the score by computing a sum of the weighted behavior scores for each of the one or more identified behaviors.

12. The system of claim 11, wherein the system is further caused to update, in real time, the at least one stateful model in response to one or more new events.

13. The system of claim 11, wherein the system is further caused to output, via an output device of the system, a representation of the one of more behaviors of the execution of the program.

14. The system of claim 11, wherein the system is further caused to store the one or more behaviors of the execution of the program in a behavioral profile database.

15. The system of claim 11, wherein the system comprises a cloud-based computer system.

16. The system of claim 11, wherein the system comprises one or more functional components distributed over more than one computer.

17. The system of claim 11, wherein the program executes in a live environment, wherein the live environment comprises one or more programs, including the program, operating for concurrently and interactively for their intended uses.

18. The system of claim 11, wherein the system is further caused to aggregate the one or more identified behaviors.

19. The system of claim 11, wherein the one or more behaviors comprise a representation of a behavio
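To make the abstract and claim 1 concrete, the following Python sketch walks the claimed pipeline end to end over a constructed event trace: raw monitored operations are normalized into a logical event structure carrying the two attributes the claim names (operation type and source), folded into a stateful model of objects, fields and relationships that is updated one event at a time (claim 2), queried for behaviors, and scored as a sum of per-behavior weighted scores. This is an illustration added for this page, not code from the patent or its assignee; the event layout, the three behavior rules, the weights, the threshold and the sample traces are all assumptions made for the example.

```python
"""Illustrative stateful-model scorer for the behavior-based analysis in claim 1.
Added example, not the patentee's implementation. Event layout, behavior rules,
weights, threshold and sample traces are assumptions for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Normalized event data: 'op_type' and 'source' are the attributes the claim names."""
    op_type: str    # process_create, file_write, registry_set
    source: str     # 'kernel' (filter-driver callback) or 'user' (user-space hook)
    subject: tuple  # acting object, e.g. ('process', pid)
    target: tuple   # object acted on, e.g. ('file', path)
    params: dict    # remaining parameters characterizing the target object


def normalize(raw: dict) -> Event:
    """Map one raw monitored operation into the logical Event structure."""
    t, src = raw["type"], raw["source"]
    if t == "process_create":
        return Event(t, src, ("process", raw["ppid"]), ("process", raw["pid"]),
                     {"image": raw["image"]})
    if t == "file_write":
        return Event(t, src, ("process", raw["pid"]), ("file", raw["path"]), {})
    if t == "registry_set":
        return Event(t, src, ("process", raw["pid"]), ("registry", raw["key"]),
                     {"data": raw["data"]})
    raise ValueError(f"unknown operation type {t!r}")


class StatefulModel:
    """Hierarchical event context: objects -> fields, plus (subject, verb, object) relationships."""

    VERBS = {"process_create": "spawned", "file_write": "wrote", "registry_set": "set"}

    def __init__(self):
        self.objects = defaultdict(dict)  # object key -> fields
        self.relations = []               # (subject_key, verb, target_key)

    def ingest(self, ev: Event) -> None:
        """Update the model in real time from a single normalized event."""
        self.objects.setdefault(ev.subject, {})
        target = self.objects[ev.target]
        target.update(ev.params)
        target.setdefault("source", ev.source)
        self.relations.append((ev.subject, self.VERBS[ev.op_type], ev.target))

    def related(self, subject: tuple, verb: str) -> list:
        return [t for s, v, t in self.relations if s == subject and v == verb]


# Per-behavior weights are illustrative assumptions, as is the decision threshold.
WEIGHTS = {"drops_and_executes": 30, "run_key_persistence": 25, "mass_document_writes": 40}
MALWARE_THRESHOLD = 50


def identify_behaviors(m: StatefulModel) -> set:
    """Behavior rules evaluated over the relationships in the event context."""
    found = set()
    for proc in [k for k in m.objects if k[0] == "process"]:
        written = {t[1] for t in m.related(proc, "wrote")}
        # Process writes a file, then spawns a child whose image is that file.
        for child in m.related(proc, "spawned"):
            if m.objects[child].get("image") in written:
                found.add("drops_and_executes")
        # Run-key value points at a file the same process dropped.
        for key in m.related(proc, "set"):
            if "\\CurrentVersion\\Run\\" in key[1] and m.objects[key].get("data") in written:
                found.add("run_key_persistence")
        # Burst of writes into the user's documents with an unusual new extension.
        if sum(1 for p in written if "\\Documents\\" in p and p.endswith(".locked")) >= 3:
            found.add("mass_document_writes")
    return found


def score_model(m: StatefulModel) -> tuple:
    """Weighted score per identified behavior, summed into the model's score."""
    per_behavior = {b: WEIGHTS[b] for b in identify_behaviors(m)}
    return sum(per_behavior.values()), per_behavior


def analyze(raw_events: list) -> tuple:
    """Return (score, per-behavior scores, malware verdict) for a trace."""
    m = StatefulModel()
    for raw in raw_events:
        m.ingest(normalize(raw))
    total, per_behavior = score_model(m)
    return total, per_behavior, total >= MALWARE_THRESHOLD


# Constructed traces (not real telemetry). The suspicious one: a downloaded binary
# drops a copy, persists via the Run key, and the copy rewrites documents.
SUSPICIOUS_TRACE = [
    {"type": "process_create", "source": "kernel", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"type": "file_write", "source": "kernel", "pid": 100, "path": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "source": "user", "pid": 100, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "data": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "process_create", "source": "kernel", "pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "file_write", "source": "kernel", "pid": 101, "path": r"C:\Users\u\Documents\report.docx.locked"},
    {"type": "file_write", "source": "kernel", "pid": 101, "path": r"C:\Users\u\Documents\budget.xlsx.locked"},
    {"type": "file_write", "source": "kernel", "pid": 101, "path": r"C:\Users\u\Documents\notes.txt.locked"},
]
BENIGN_TRACE = [
    {"type": "process_create", "source": "kernel", "pid": 200, "ppid": 1, "image": r"C:\Program Files\Editor\editor.exe"},
    {"type": "file_write", "source": "kernel", "pid": 200, "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    print("suspicious:", analyze(SUSPICIOUS_TRACE))
    print("benign:    ", analyze(BENIGN_TRACE))
```

Because the model is updated per event rather than after the trace ends, `score_model` can be re-run after every `ingest` to get the real-time scoring the dependent claims describe; the rules here deliberately key on relationships between objects (a written file that later becomes a spawned process image, a Run-key value that names a dropped file) rather than on any single operation, which is the point of keeping a stateful model instead of matching events in isolation.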
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title