Malicious content analysis using simulated user interaction without user involvement
US-9104867-B1 · Aug 11, 2015 · US
US9747446B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9747446-B1 |
| Application number | US-201414228094-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 27, 2014 |
| Priority date | Dec 26, 2013 |
| Publication date | Aug 29, 2017 |
| Grant date | Aug 29, 2017 |
Abstract
One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.
Claims (preview)
What is claimed is:

1. A computerized method for identifying and classifying an object as belonging to a malware family, comprising: receiving one or more anomalous behaviors after processing of the object; and determining if the object is malware by performing a first analysis on the one or more anomalous behaviors and a pre-stored identifier identifying the malware family, the pre-stored identifier is a collection of data associated with anomalous behaviors that identify the malware family, the performing of the first analysis comprises determining a level of correlation between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that are determined by (i) obtaining a plurality of anomalous behaviors, and (ii) removing one or more anomalous behaviors from the plurality of anomalous behaviors when the one or more anomalous behaviors exhibit (a) a first rate of occurrence in the malware family that is less than a first threshold and (b) a second rate of occurrence in one or more malware families other than the malware family that is greater than a second threshold to produce a subset of the plurality of anomalous behaviors that constitute the anomalous behaviors associated with the pre-stored identifier.
2. The computerized method of claim 1, wherein the malware family is an advanced persistent threat (APT) family.
3. The computerized method of claim 2, wherein the performing of the first analysis comprises performing a statistical comparison between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that uniquely identify the APT family.
4. The computerized method of claim 3, wherein the performing of the first analysis further comprises determining that the one or more anomalous behaviors statistically match the anomalous behaviors associated with the pre-stored identifier that uniquely identify the APT family.
5. The computerized method of claim 1, wherein the removing of the one or more anomalous behaviors from the plurality of anomalous behaviors that exhibit the first rate of occurrence in the malware family comprises filtering at least one anomalous behavior having a count value less than a first count threshold from the plurality of anomalous behaviors to produce a first subset of anomalous behaviors, and the removing of the one or more anomalous behaviors from the plurality of anomalous behaviors that exhibit the second rate of occurrence in malware families other than the malware family comprises filtering at least one anomalous behavior having a count value greater than a second count value for a malware family other than the malware family from the first subset of anomalous behaviors to produce the subset of the plurality of anomalous behaviors, the subset of the plurality of anomalous behaviors being the pre-stored identifier.
6. The computerized method of claim 1, wherein the anomalous behaviors associated with the pre-stored identifier being a filtered subset of the plurality of anomalous behaviors associated with malware belonging to the malware family, the plurality of anomalous behaviors including the anomalous behaviors and at least one additional anomalous behavior different from any of the anomalous behaviors.
7. The computerized method of claim 1 further comprising performing a second analysis of the one or more anomalous behaviors subsequent to the first analysis upon failing to detect the level of correlation that includes conducting a statistical match after comparison of the one or more anomalous behaviors to any of a plurality of pre-stored identifiers each representing a different malware family, the plurality of pre-stored identifiers including the first pre-stored identifier.
8. The computerized method of claim 7, wherein the second analysis is conducted to determine if the object is a member of an advanced persistent threat (APT) family.
9. The computerized method of claim 8 further comprising: reporting results of the second analysis to a targeted destination, the results including information identifying one or more of an identifier for the APT family, a name of the APT family, or the one or more anomalous behaviors of the second analysis characteristic of the APT family.
10. The computerized method of claim 1, wherein the object is a flow comprising a plurality of related packets that are either received, transmitted, or exchanged during a communication session.
11. The computerized method of claim 1 further comprising: reporting results of the first analysis to a targeted destination, the results including information identifying one or more of (i) a family name of the malware family, (ii) the object, or (iii) the subset of the plurality of anomalous behaviors.
12. The computerized method of claim 11, wherein each of the subset of the plurality of anomalous behaviors is an indicator of compromise.
13. The computerized method of claim 1, wherein the pre-stored identifier includes a first plurality of indicators of compromise (IOCs) that are filtered from a second plurality of IOCs, where the first plurality of IOCs having a frequency of occurrence within the malware family substantially greater than an occurrence of any of the second plurality of IOCs excluding the first plurality of IOCs within the malware family.
14. The computerized method of claim 13, wherein the first plurality of IOCs are a combination unique to the malware family.
15. The computerized method of claim 1, wherein the first analysis on the one or more anomalous behaviors is conducted during run-time being a time that is contemporaneous with the processing of the object by one or more virtual machines and monitoring of the one or more anomalous behaviors.
16. An electronic device, comprising: a processor; and a memory communicatively coupled to the processor, the memory comprises virtual execution logic including at least one virtual machine configured to process content within an object under analysis and monitor for anomalous behaviors during the processing that are indicative of malware, and run-time classifier logic that, when executed by the processor, performs a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family, the first analysis includes determining a level of correlation between the monitored anomalous behaviors and one or more anomalous behaviors associated with the pre-stored identifier that uniquely identify the classified malware family, the one or more anomalous behaviors being selected by (i) obtaining a first plurality of anomalous behaviors associated with malware belonging to the malware family, (ii) filtering at least one anomalous behavior having a count value less than a first count threshold from the first plurality of anomalous behaviors to produce a first subset of anomalous behaviors, (iii) filtering at least one anomalous behavior having a count value greater than a second count value for a malware family other than the malware family from the first subset of anomalous behaviors to produce a second subset of anomalous behaviors, the second subset of anomalous behaviors being the one or more anomalous behaviors associated with the pre-stored identifier.
17. The electronic device of claim 16, wherein the malware family is an advanced persistent threat (APT) family.
18. The electronic device of claim 17, wherein the first analysis performed by the run-time classi
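Claims 1, 5 and 16 describe how the pre-stored identifier is built (keep behaviors frequent within the family, then discard those also common in other families) and claims 1, 3, 4 and 7 describe the run-time correlation against one identifier and, failing that, against all of them. The following is an added worked example, not code from the patent or its assignee: family names, behavior names, per-sample observations and both count thresholds are constructed for illustration, the two filters are applied sequentially as claim 5 and claim 16 spell out, and "level of correlation" is taken here as the fraction of an identifier's behaviors that the analyzed object exhibited, one simple statistic chosen for the example since the claims do not fix a particular one.

```python
"""Constructed worked example of the claimed identifier-building filter and the
run-time correlation check. Not the patent's code; behaviour names, sample
observations and thresholds are all made up for illustration."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sandbox observations: for each hypothetical family, one set of
# anomalous behaviours per analysed sample.
FAMILY_SAMPLES: Dict[str, List[Set[str]]] = {
    "FamilyA": [
        {"persist_run_key", "inject_remote_thread", "dns_dga_lookup", "delete_self"},
        {"persist_run_key", "inject_remote_thread", "dns_dga_lookup"},
        {"persist_run_key", "inject_remote_thread", "dns_dga_lookup", "disable_uac"},
        {"persist_run_key", "inject_remote_thread", "dns_dga_lookup"},
    ],
    "FamilyB": [
        {"persist_run_key", "encrypt_user_files", "drop_ransom_note"},
        {"persist_run_key", "encrypt_user_files", "drop_ransom_note", "delete_self"},
        {"persist_run_key", "encrypt_user_files", "drop_ransom_note"},
    ],
}


def behavior_counts(samples: List[Set[str]]) -> Counter:
    """Count, per behaviour, how many samples of a family exhibited it."""
    counts: Counter = Counter()
    for observed in samples:
        counts.update(observed)
    return counts


def build_identifier(family: str, samples: Dict[str, List[Set[str]]],
                     first_count_threshold: int, second_count_threshold: int) -> Set[str]:
    """Claims 5 and 16 as two sequential filters over the family's behaviours:
    (i) drop behaviours seen fewer than first_count_threshold times within the
    family (rare, so unreliable), then (ii) drop behaviours seen more than
    second_count_threshold times in any other family (common elsewhere, so
    not distinctive). What survives is the family's pre-stored identifier."""
    own = behavior_counts(samples[family])
    others = {f: behavior_counts(s) for f, s in samples.items() if f != family}
    first_subset = {b for b, n in own.items() if n >= first_count_threshold}
    return {
        b for b in first_subset
        if not any(other[b] > second_count_threshold for other in others.values())
    }


def build_all_identifiers(samples: Dict[str, List[Set[str]]],
                          first_count_threshold: int,
                          second_count_threshold: int) -> Dict[str, Set[str]]:
    """One pre-stored identifier per known family."""
    return {family: build_identifier(family, samples, first_count_threshold,
                                     second_count_threshold) for family in samples}


def correlation(observed: Set[str], identifier: Set[str]) -> float:
    """Level of correlation: fraction of the identifier's behaviours that the
    object under analysis actually exhibited (one simple choice of statistic)."""
    if not identifier:
        return 0.0
    return len(observed & identifier) / len(identifier)


def first_analysis(observed: Set[str], identifier: Set[str],
                   match_threshold: float = 0.75) -> bool:
    """Claim 1: does the object's behaviour match the given family's identifier?"""
    return correlation(observed, identifier) >= match_threshold


def second_analysis(observed: Set[str], identifiers: Dict[str, Set[str]],
                    match_threshold: float = 0.75) -> Tuple[Optional[str], float]:
    """Claim 7: after a failed first analysis, compare against every family's
    identifier and report the best statistical match, or None if no family
    reaches the threshold."""
    best_family: Optional[str] = None
    best_score = 0.0
    for family, identifier in identifiers.items():
        score = correlation(observed, identifier)
        if score > best_score:
            best_family, best_score = family, score
    if best_score >= match_threshold:
        return best_family, best_score
    return None, best_score


if __name__ == "__main__":
    ids = build_all_identifiers(FAMILY_SAMPLES, first_count_threshold=2,
                                second_count_threshold=1)
    for fam, ident in ids.items():
        print(fam, sorted(ident))
    # Constructed run-time observation for a newly analysed object.
    seen = {"persist_run_key", "inject_remote_thread", "dns_dga_lookup", "create_mutex"}
    print("FamilyA match:", first_analysis(seen, ids["FamilyA"]))
    print("best family:", second_analysis({"encrypt_user_files", "drop_ransom_note"}, ids))
```

With the constructed data, `persist_run_key` is frequent in both families and is therefore dropped from both identifiers by the second filter, while the one-off `delete_self` and `disable_uac` never survive the first filter; what remains for each family is exactly the distinctive behaviors a defender would want surfaced as indicators of compromise (claims 12 to 14). Raising `match_threshold` trades missed matches for fewer false family attributions.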
CPC classifications:

- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Computer malware detection or handling, e.g. anti-virus arrangements