Kaspersky Lab has successfully patented a system and method for the efficient and exact comparison of software elements. Patent №8499167, granted by the United States Patent and Trademark office, describes a file comparison method that determines the degree of similarity between files in a more efficient manner, and which successfully detects malicious objects that have been modified in an attempt to bypass the detection mechanisms in security software.
Kaspersky Lab experts detect about 200,000 new malware samples every day; a year ago that figure was 125,000. Because of the rapid rise in the amount of malware, the ability to detect new threats fast and accurately is of greater importance to antivirus vendors.
One way to check for a malicious presence is to compare an unknown file with an existing collection of malicious objects. If a comparison shows the new file is very similar to one or several files in the collection, in most cases that file turns out to be malicious. Comparing a new file stream with a collection of known samples helps effectively combat the huge number of malicious software appearing every day. However, the comparison mechanism itself is not ideal.
Two files can be compared using the knowledge of their structure – this method is widely used in the antivirus industry. However, cybercriminals often litter their files with random data, which changes the file structure and means they don’t show any similarities to malware samples in existing collections.
At the same time, emulation is often used to determine a file’s functions and to check if there are any similar files in the malware collection. This approach involves a file being run in a virtual environment where information about its behavior is collected. This data is later compared with existing information on malware behavior. If there are similarities, the file is considered malicious. However, emulation is a resource-intensive and comparatively long process. Moreover, some files can recognize when they are being launched in a virtual environment and stop functioning.
The experts at Kaspersky Lab took all these characteristics into account when developing the new file comparison technology.
The Strings Theory
The newly patented technology is based on the idea that a file’s functionality can be determined based on analyzing the strings contained in it, even before the file is executed. Strings in a file provide information on how it will be executed in the operating system (file names, registry keys, web links), i.e., the file’s ‘synopsis’ of sorts. Historically, practical implementation of this idea ran into a problem: which strings in a file should be analyzed? How do you identify those which indicate that a file has malicious functionality? How should the search be performed to produce results in reasonable time and with minimal consumption of resources?
The technology patented by Kaspersky Lab describes an algorithm for comparing files string-by-string to determine how similar their functionality is. When the antivirus lab receives an unknown file, a special program analyzes the strings contained in it, then filters out those which are not relevant based on a set of rules and then compares the remaining strings with a collection of malicious files analyzed in a similar way.
“What sets our technology apart is that it can quickly compare file ‘synopses’ to an enormous malware database and ‘knows’ where in the file to look for the key elements, an analysis of which can provide an insight into the file’s functionality,” commented Alexey Malanov, a Kaspersky Lab malware expert and developer of the newly-patented technology.
Although the technology was not patented until recently, Kaspersky Lab experts have been using it to detect new malware samples for a long time.
Kaspersky Lab works hard to patent as many advanced technologies that protect digital devices against cyberthreats as possible. As of early August 2013, Kaspersky Lab’s portfolio included over 160 patents issued in the US, Russia, EU and China. In addition to that, over 210 patent applications are currently under consideration by these countries’ patent authorities.