The United States Patent and Trademark Office has granted patent 8,762,948 to Kaspersky Lab for a technology that establishes a system and method for filtering insignificant events during software analysis.
Emulation is one of the most effective methods of analyzing malicious software, but it produces a huge amount of data that must then be analyzed. It works as follows: the program code is divided into separate instructions, each of which is executed in a virtual machine. This makes it possible to monitor the behavior of the code without compromising the operating system of the host computer. The process generates an event log, which is then analyzed to identify potentially harmful actions.
However, this log usually contains many insignificant events that do nothing to help decide whether a program is malicious, and they make the analysis less effective. First, genuinely malicious events can get lost in the mass of data. Second, processing them places an excessive strain on computing resources. Rather than burdening the analyzer with these events, a pre-filtering step removes them from the log before analysis starts. This filtration module removes insignificant events using a regularly updated database of filtering rules.
The patent describes the method that generates these rules. It is essentially the same emulation, but carried out on a remote system at the antivirus company. First, a set of test programs is created using the most popular development tools. They are run in an isolated virtual machine and the event log is recorded. The log is analyzed and repetitive insignificant events are identified. Since these events do nothing to determine the level of danger a program poses, information about them is added to the database of filtering rules. Thereafter, whenever a matching event appears in a log produced by the emulator, the filtering module automatically removes it before analysis begins.
An example of a log event that this method would deem insignificant is a call to 'GetVersion()', which requests the operating system version. Every application written in Delphi 7 makes this call at start-up, so it is not an indication of malware: benign and malicious Delphi 7 programs produce it alike, and removing it loses nothing that distinguishes them.
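The rule-generation and pre-filtering steps described above, as an added illustration in Python. This is not Kaspersky's code and does not reproduce the patented implementation; it is a minimal version of the idea in which filtering rules are learned from the emulation logs of benign test programs and then applied to a suspect program's log before analysis. The benign logs, the suspect log, the event names and the NEVER_FILTER safety list are all constructed for the example, not real emulator output.

```python
"""Added example (not Kaspersky's code): learn event-filtering rules from
emulation logs of benign test programs, then pre-filter a suspect log.
All logs here are constructed by hand, not real emulator output."""
from collections import Counter

# Constructed benign corpus: programs built with the same toolchain share the
# same start-up calls (here, the Delphi-7-style GetVersion call from the text).
BENIGN_TEST_LOGS = {
    "delphi7_hello":  ["GetVersion", "GetModuleHandleA", "HeapCreate", "MessageBoxA"],
    "delphi7_calc":   ["GetVersion", "GetModuleHandleA", "HeapCreate", "CreateWindowExA"],
    "delphi7_editor": ["GetVersion", "GetModuleHandleA", "HeapCreate", "CreateFileA", "WriteFile"],
}

# Hypothetical safety list (an assumption of this example): events a learned
# rule may never remove, so a skewed benign corpus cannot silence calls that
# the analyzer always needs to see.
NEVER_FILTER = {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess"}

# Constructed suspect log: the same toolchain start-up, followed by a
# process-injection sequence that the analyzer must still see after filtering.
SUSPECT_LOG = ["GetVersion", "GetModuleHandleA", "HeapCreate",
               "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"]


def learn_filter_rules(logs, min_share=1.0):
    """Build the filtering-rule set: events seen in at least `min_share` of
    the benign programs, counted once per program rather than per occurrence,
    so a single chatty program cannot push its own calls into the rules."""
    per_program = Counter()
    for events in logs.values():
        per_program.update(set(events))
    n = len(logs)
    return {ev for ev, c in per_program.items()
            if c / n >= min_share and ev not in NEVER_FILTER}


def filter_log(events, rules):
    """Pre-filter step: drop rule-covered events and keep the rest in order."""
    return [ev for ev in events if ev not in rules]


def reduction(events, rules):
    """Fraction of the log the rules remove (the resource saving the text
    argues for); 0.0 for an empty log."""
    if not events:
        return 0.0
    return 1 - len(filter_log(events, rules)) / len(events)


if __name__ == "__main__":
    rules = learn_filter_rules(BENIGN_TEST_LOGS)
    print("filtering rules:", sorted(rules))
    print("filtered suspect log:", filter_log(SUSPECT_LOG, rules))
    print(f"log reduced by {reduction(SUSPECT_LOG, rules):.0%}")
```

With the constructed corpus the learned rules are exactly the three start-up calls shared by every benign program, and the filtered suspect log keeps only the injection sequence. The `min_share` threshold is the knob a practitioner would tune: lowering it filters more aggressively but risks learning rules from events that merely happen to be common in the test corpus, which is why the example pairs it with a never-filter list.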
“When developing an effective analytical module, it is important to maintain a balance so that effective protection does not restrict computing performance. First and foremost, we cannot overload this module with insignificant information – it already has enough work to do,” commented Oleg Zaitsev, Lead Technical Specialist at Kaspersky Lab and the author of the patented technology.
This technology is already integrated into Kaspersky Endpoint Security 8.0 for Windows, Kaspersky Endpoint Data Protection Edition (Endpoint 10), Kaspersky Internet Security, Kaspersky Internet Security for Virtualization and Kaspersky PURE.
Kaspersky Lab continues to obtain more and more patents for its cutting-edge information security technologies. As of July 2014, Kaspersky Lab’s portfolio includes 219 patents issued in Russia, the US, the EU and China. An additional 276 patent applications are currently under consideration by the patent authorities in these countries.