Commodity malware is everywhere, which is why signatures catch it — someone, somewhere, saw it first. Targeted malware inverts that: it is crafted for one organization, used once, and never circulated, so there is no prior sample to match. This is the threat that made detection-by-behavior commercially necessary.

FireEye, Inc.'s US10735458B1, “Detection center to detect targeted malware” (issued August 4, 2020; CPC H04L 63/145 — malicious-traffic protection, and G06F 21/554 — detecting malicious behavior), describes a centralized detection center that analyzes content and context to flag malware aimed at a specific target. Read it at US10735458B1.

The mechanism's center of gravity is centralization. Instead of each endpoint deciding alone, the detection center aggregates signals from across the estate and from broader telemetry, so a one-off sample can still be judged anomalous in context even when no signature matches it anywhere.
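To make the centralization point concrete, here is an added sketch (not code from the patent or from FireEye) of a central aggregator that scores a sample by how widely it has been seen. The prevalence thresholds, field names, verdict labels and telemetry rows are all assumptions constructed for illustration; the patent's actual claimed method is not reproduced here.

```python
from collections import defaultdict

# Constructed telemetry rows: (org, host, sample_id, signature_hit).
# Sample ids are placeholders, not real hashes.
EVENTS = [
    ("org-a", "a-ws01", "hash-commodity", True),
    ("org-b", "b-ws07", "hash-commodity", True),
    ("org-c", "c-srv2", "hash-commodity", True),
    ("org-a", "a-ws02", "hash-tool", False),    # unknown to signatures, but widespread
    ("org-b", "b-ws01", "hash-tool", False),
    ("org-c", "c-ws09", "hash-tool", False),
    ("org-b", "b-exec1", "hash-oneoff", False),  # one org, one host, no signature
]


class DetectionCenter:
    """Hypothetical central aggregator: judges a sample by cross-estate context."""

    def __init__(self, max_orgs=1, max_hosts=2):  # assumed rarity thresholds
        self.max_orgs = max_orgs
        self.max_hosts = max_hosts
        self.orgs = defaultdict(set)    # sample -> organizations that reported it
        self.hosts = defaultdict(set)   # sample -> (org, host) pairs that reported it
        self.sig_hit = defaultdict(bool)

    def ingest(self, org, host, sample, signature_hit):
        self.orgs[sample].add(org)
        self.hosts[sample].add((org, host))
        self.sig_hit[sample] |= signature_hit

    def verdict(self, sample):
        if self.sig_hit[sample]:
            return "known-malware"
        # No signature anywhere: fall back to "is this anomalous in context?"
        rare = (len(self.orgs[sample]) <= self.max_orgs
                and len(self.hosts[sample]) <= self.max_hosts)
        # "suspect-targeted" means "queue for deeper analysis", not a conviction.
        return "suspect-targeted" if rare else "common-unknown"


def classify(events):
    """Feed events to a fresh detection center and return a verdict per sample."""
    center = DetectionCenter()
    for event in events:
        center.ingest(*event)
    return {sample: center.verdict(sample) for sample in center.orgs}


if __name__ == "__main__":
    print("central view:", classify(EVENTS))
    # A single organization's view cannot tell the admin tool from the one-off.
    print("org-b only:  ", classify([e for e in EVENTS if e[0] == "org-b"]))
```

Run with only org-b's events, the widespread tool and the one-off sample get the same verdict; only the aggregated view separates them.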

Why this is a business story: FireEye built its reputation — and its premium pricing — on detecting advanced, targeted attacks that legacy antivirus missed, and the centralized detection-center model is the architecture behind that pitch. When FireEye later split, with Mandiant going one way and the products to Trellix, this class of IP was part of what made the assets valuable. Targeted-detection capability is the differentiator that justifies an enterprise-grade price tag.

The grounded read: targeted-malware detection gives up on “have I seen this before?” and asks “is this anomalous in context?”, judged centrally. FireEye's 2020 grant names the detection-center architecture that makes that judgment possible against one-off, victim-specific samples.