Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques

US9088601B2 · US · B2

Patent metadata

Publication number: US-9088601-B2
Application number: US-201113308539-A
Country: US
Kind code: B2
Filing date: Nov 30, 2011
Priority date: Dec 1, 2010
Publication date: Jul 21, 2015
Grant date: Jul 21, 2015

Abstract

Official abstract text for this publication.

Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.

First claim

Opening claim text (preview).

The invention claimed is:

1. A computer implemented method for determining whether a software application is malicious, comprising: extracting a feature vector from said software application; transmitting said feature vector from said software application to a server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector; extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed; transmitting said metadata and contextual information to said server application, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information; computing a generic fingerprint for the software application; transmitting said generic fingerprint to said server application; and receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.

2. A computer implemented method for determining whether a software application is malicious, comprising: receiving at a server application information from a client application concerning: (i) a feature vector from said software application; (ii) metadata about the application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and (iii) a generic fingerprint for the software application; applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client application; examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system; determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client application; and making a determination as to whether the software application should be deemed malicious with regard to the client application; and transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious.

3. The computer implemented method according to claim 2, wherein said metadata is selected from the group consisting of traditional fingerprints and generic signatures.

4. The computer implemented method according to claim 2, wherein said server application and said client application reside on separate and remote computing devices.

5. The computer implemented method according to claim 2, wherein said client application continuously gathers contextual information.

6. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for: extracting a feature vector from said software application; transmitting said feature vector to a server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector; extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed; transmitting said metadata and contextual information to the server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; computing a generic fingerprint for the software application; transmitting said generic fingerprint to said server application; and receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.

7. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for: receiving at a server application information from a client application concerning: (i) a feature vector from said software application; (ii) metadata about the software application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and (iii) a generic fingerprint for the software application; applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client system; examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system; determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client system; making a determination as to whether the software application should be deemed malicious with regard to the client application; and transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious.

8. The non-transitory computer readable storage medium according to claim 7, wherein said metadata is selected from the group consisting of traditional fingerprints and generic signatures.

9. The non-transitory computer readable storage medium according to claim 7, wherein said server application and said client application reside on separate and remote computing devices.

10. The non-transitory computer readable storage medium according to claim 7, wherein said client application continuously gathers contextual information.
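The server-side flow of claim 2, as an added illustration that is not code from the patent or its assignee: each stage (generic-signature lookup, metadata and context examination, machine-learning classification of the feature vector) runs only when the client sent that input, and the results combine into one verdict. The feature weights, the seeded bad fingerprint, the suspicious host and the region code are all constructed placeholders.

```python
import hashlib

# Constructed model and tables (not from the patent); a real service learns the
# weights and fills the signature list from labelled samples.
FEATURE_WEIGHTS = {"packed": 2.0, "writes_autorun": 1.5, "imports_crypto": 0.7,
                   "has_valid_signature": -2.5, "section_count_gt8": 1.0}
BIAS = -1.2                      # benign by default; evidence must accumulate
MALICIOUS_THRESHOLD = 1.0
SUSPICIOUS_HOSTS = {"free-cracks.example"}   # constructed placeholder
HIGH_RISK_REGIONS = {"ZZ"}                   # constructed placeholder code


def generic_fingerprint(metadata):
    # Generic signature: hash of structural attributes a family shares across
    # variants (sorted section names, sorted imported libraries), so one
    # fingerprint matches many byte-different samples.
    canonical = ",".join(sorted(metadata["sections"])) + "#" + ",".join(
        sorted(lib.lower() for lib in metadata["imports"]))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Generic signatures already judged malicious, seeded from one constructed sample.
KNOWN_BAD_FINGERPRINTS = {generic_fingerprint(
    {"sections": ["UPX0", "UPX1", ".rsrc"], "imports": ["kernel32.dll", "advapi32.dll"]})}


def feature_score(feature_vector):
    # Linear model over binary features stands in for the learned classifier.
    return BIAS + sum(FEATURE_WEIGHTS.get(k, 0.0) * v for k, v in feature_vector.items())


def context_score(context):
    # Claim 1's contextual information (websites visited, geographic location)
    # adjusts the score rather than deciding on its own.
    score = 0.0
    if any(h in SUSPICIOUS_HOSTS for h in context.get("websites_visited", [])):
        score += 1.0
    if context.get("geo_location") in HIGH_RISK_REGIONS:
        score += 0.75
    return score


def determine(report):
    # Combined determination returned to the client; missing inputs skip stages.
    fp = report.get("generic_fingerprint")
    if fp in KNOWN_BAD_FINGERPRINTS:
        return {"verdict": "malicious", "score": None, "reasons": ["generic signature match"]}
    score, reasons = 0.0, []
    if "feature_vector" in report:
        score += feature_score(report["feature_vector"]); reasons.append("classifier")
    if "context" in report:
        score += context_score(report["context"]); reasons.append("context")
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else "benign"
    return {"verdict": verdict, "score": round(score, 2), "reasons": reasons}
```

A real deployment would also record which stage produced the verdict, so that a generic signature that starts convicting known-good software can be retired quickly.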

Classifications

  • G06F21/564 (primary): by virus signature recognition (CPC title)
  • Event detection, e.g. attack signature detection (CPC title)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Friedrichs Oliver, Huger Alfred, O'Donnell Adam J, and 1 more
What technology area does this patent fall under?
Primary CPC classification G06F21/564. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 21, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).