Methods and systems of generating application-specific models for the targeted protection of vital applications
US-9606893-B2 · Mar 28, 2017 · US
US9710648B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9710648-B2 |
| Application number | US-201414456127-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 11, 2014 |
| Priority date | Aug 11, 2014 |
| Publication date | Jul 18, 2017 |
| Grant date | Jul 18, 2017 |
Abstract
There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
Claims (preview)
The invention claimed is:

1. A computer-implemented method of detecting malware in real time in a live environment, the method implemented on a computer that performs each step of the method, the method comprising: monitoring one or more operations of at least one program concurrently running in the live environment, wherein the step of monitoring further comprises: for each monitored operation of the one or more operations, generating an event data characterizing an event representing the monitored operation, wherein said event data includes at least the following attributes of said event: operation type, and source of the event; building at least one stateful model in accordance with the one or more operations, wherein the stateful model is a data structure representing information indicative of a real time updated system state resulting from a sequence of linked operations performed in the live environment, wherein the step of building the at least one stateful model comprises: for each said event data: i) normalizing the event data giving rise to an abstract event, wherein the abstract event comprises formatted and parsed event data; ii) retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes: process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event; iii) identifying one or more relationships among the one or more objects in accordance with said abstract event, the identified relationships including type of the corresponding operation and connections between the objects retrieved from the corresponding operation, and for each object of the one or more objects, generating one or more parameters characterizing said object, the parameters indicative of objects related thereto and identified relationships between the object and the related objects; giving rise to an event context comprising the one or more objects and the relationships therein; and iv) in case of said event being a first event of a stateful model, generating a stateful model including said event context; otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous event that precedes the event, said updating including: in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model; otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model; thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said linked operations and interconnections between the entities which are resulted from the linked operations; analyzing the at least one stateful model to identify one or more behaviors, wherein the step of analyzing the at least one stateful model comprises: analyzing the event context in view of the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of behavioral patterns each representing entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, said analyzing including matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics; determining that at least one behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, and determining the presence of malware based on the identified one or more behaviors.
2. The computer-implemented method of claim 1, wherein the monitoring the one or more operations further includes: selecting at least one operation of interest from the one or more operations, and monitoring the selected at least one operation of interest.
3. The computer-implemented method of claim 2, wherein the at least one operation of interest includes one or more in-process operations and/or one or more kernel related operations.
4. The computer-implemented method of claim 3, wherein the kernel related operations include one or more of the following: file system operations, process and memory operations, registry operations, and network operations.
5. The computer-implemented method of claim 3, wherein the in-process operations are monitored by intercepting one or more library calls representing said in-process operations.
6. The computer-implemented method of claim 3, wherein the kernel related operations are monitored by intercepting one or more system calls representing said kernel related operations.
7. The computer-implemented method of claim 3, wherein the kernel related operations are monitored by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
8. The computer-implemented method of claim 1, wherein each of said at least one stateful model is a program-level stateful model that represents a sequence of linked operations related to a given program of said at least one program.
9. The computer-implemented method of claim 1, wherein said at least one stateful model is a system-level stateful model that represents operations related to all programs that run concurrently in the live environment.
10. The computer-implemented method of claim 9, wherein said system-level stateful model includes one or more program-level stateful models each representing a sequence of linked operations related to a given program of said all programs.
11. The computer-implemented method of claim 1 further comprising: monitoring one or more kernel related operations of said at least one program; building at least one stateful model based on said monitored kernel related operations; analyzing the at least one stateful model to identify one or more behaviors; and determining the presence of malware based on a behavioral score of said stateful model.
12. The computer-implemented method of claim 11 wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
13. The computer-implemented method of claim 11 wherein the kernel related operations include one or more of the following: file system operations, process and memory operations, registry operations, and network operations.
14. The computer-implemented method of claim 11 further comprising monitoring the one or more kernel related operations by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
15. The computer-implemented method of claim 1, further comprising selecting selected event data associated with events of interest from said event data based on one or more predefined filtering rules and applying said normalizing of the event data with respect to said selected event data.
16. The computer-implemented method of claim 15, wherein the one or more predefined filtering rules include filtering out event data associated with the following events: uncompleted events, memory related events in which a targeting process is not a remote process, and events in wh
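The pipeline that claims 1, 11 and 16 describe (monitor, filter, normalize into objects and relationships, update a stateful model, match it against predefined behavior logics, score) can be shown end to end on a small constructed event stream. The following is an added example written for this page; it is not the patent holder's code and the patent discloses no implementation. The raw event field names, the object key scheme, the two behavior logics, their weights and the malware threshold are all assumptions chosen for illustration. The events themselves are constructed; 203.0.113.5 is a documentation-range address.

```python
from dataclasses import dataclass, field

# Constructed raw events, in the shape a hypothetical kernel-callback layer might
# emit (field names are assumptions, not the patent's).
RAW_EVENTS = [
    {"op": "file_write", "src_pid": 100, "path": "C:/Temp/Upd.exe", "completed": True},
    {"op": "mem_write", "src_pid": 100, "target_pid": 100, "completed": True},  # self-targeted
    {"op": "proc_create", "src_pid": 100, "target_pid": 200,
     "target_image": "c:/temp/upd.exe", "completed": True},
    {"op": "net_connect", "src_pid": 200, "addr": "203.0.113.5:443", "completed": False},
    {"op": "net_connect", "src_pid": 200, "addr": "203.0.113.5:443", "completed": True},
]

@dataclass(frozen=True)
class Obj:
    """One entity of the model: process, file, network or registry object."""
    kind: str
    key: str

@dataclass
class EventContext:
    """Normalized event: the objects involved and the relationships between them."""
    objects: list
    relations: list  # (source_key, operation, target_key)

@dataclass
class StatefulModel:
    objects: dict = field(default_factory=dict)    # key -> Obj
    relations: list = field(default_factory=list)  # ordered (src, op, dst) triples

    def update(self, ctx: EventContext) -> None:
        # Claim 1(iv): objects already present only gain relationships; new ones are added.
        for o in ctx.objects:
            self.objects.setdefault(o.key, o)
        self.relations.extend(ctx.relations)

    def targets(self, src: str, op: str) -> list:
        return [d for s, o, d in self.relations if s == src and o == op]

def keep(raw: dict) -> bool:
    """Filtering rules in the spirit of claim 16: drop uncompleted events and
    memory events whose target process is not a remote process."""
    if not raw["completed"]:
        return False
    if raw["op"].startswith("mem_") and raw["target_pid"] == raw["src_pid"]:
        return False
    return True

def normalize(raw: dict) -> EventContext:
    """Claim 1(i)-(iii): parse one raw record into typed objects and relationships."""
    src = Obj("process", f"proc:{raw['src_pid']}")
    op = raw["op"]
    if op == "file_write":
        f = Obj("file", f"file:{raw['path'].lower()}")
        return EventContext([src, f], [(src.key, op, f.key)])
    if op == "proc_create":  # the child's image file is a parameter of the child object
        child = Obj("process", f"proc:{raw['target_pid']}")
        image = Obj("file", f"file:{raw['target_image'].lower()}")
        return EventContext([src, child, image],
                            [(src.key, op, child.key), (child.key, "image", image.key)])
    if op == "net_connect":
        n = Obj("network", f"net:{raw['addr']}")
        return EventContext([src, n], [(src.key, op, n.key)])
    if op.startswith("mem_"):
        tgt = Obj("process", f"proc:{raw['target_pid']}")
        return EventContext([src, tgt], [(src.key, op, tgt.key)])
    raise ValueError(f"unknown operation {op}")

def drop_and_execute(model: StatefulModel) -> list:
    """Behavior logic (assumed): a process writes a file and later launches a
    process whose image is that file. Returns the keys of the launched processes."""
    hits = []
    for i, (s, op, f) in enumerate(model.relations):
        if op != "file_write":
            continue
        for s2, op2, child in model.relations[i + 1:]:
            if op2 == "proc_create" and s2 == s and f in model.targets(child, "image"):
                hits.append(child)
    return hits

def dropped_process_calls_out(model: StatefulModel) -> list:
    """Behavior logic (assumed): a dropped-and-executed process opens a connection."""
    return [c for c in drop_and_execute(model) if model.targets(c, "net_connect")]

# name -> (predicate, weight); weights and threshold are illustrative assumptions
BEHAVIOR_LOGICS = {"drop_and_execute": (drop_and_execute, 40),
                   "dropped_process_calls_out": (dropped_process_calls_out, 60)}
MALWARE_THRESHOLD = 70

def run(raw_events: list) -> dict:
    """Filter -> normalize -> update the model -> score it against the behavior logics."""
    model, dropped = StatefulModel(), 0
    for raw in raw_events:
        if not keep(raw):
            dropped += 1
            continue
        model.update(normalize(raw))
    behaviors = {n: h for n, (fn, _) in BEHAVIOR_LOGICS.items() if (h := fn(model))}
    score = sum(BEHAVIOR_LOGICS[n][1] for n in behaviors)
    return {"model": model, "filtered": dropped, "behaviors": behaviors,
            "score": score, "malware": score >= MALWARE_THRESHOLD}
```

Running `run(RAW_EVENTS)` filters the self-targeted memory event and the uncompleted connection, leaves a model of four objects linked by four relationships, and both behavior logics fire on `proc:200`, so the score (100) crosses the threshold. The point of the ordered relationship list is that the second logic is evaluated over the accumulated model, not over the single event that triggered the update, which is what lets a connection made by the child be tied back to the parent's earlier file write.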
CPC classifications:
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Computer malware detection or handling, e.g. anti-virus arrangements