Kaspersky Lab has patented a technology for false-positive testing of heuristic signatures that describe groups of similar malicious files. The patent is the latest addition to the company's arsenal of technologies for combating cyberthreats, which together allow a large proportion of routine virus analysis tasks to be automated reliably.
The detection rules are created automatically by processing a small number of newly discovered malicious files, and describe a group of malicious objects as a combination of characteristics. These characteristics include, for example, sequences of system calls and events that are common to the malicious objects in the group and uncommon in whitelisted files.
The technology, entitled “System and method for evaluating malware detection rules”, allows Kaspersky Lab to test each automatically created rule and determine whether it describes its group of malicious files without also matching legitimate ones, so that the chance of a false positive is greatly reduced. It works by running the candidate rule across the Kaspersky Lab infrastructure and comparing every file the rule matches against the set of known benign (whitelisted) files and against a larger set of known malicious objects. If none of the matched files belongs to the whitelist, the rule is considered accurate and is rolled out to users.
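As an added illustration (not Kaspersky Lab's code, and not the patented implementation, whose internals the page does not describe), the Python sketch below walks through the two stages the paragraphs above outline: a rule is derived from a few new samples as the set of system-call sequences they all share, and is then evaluated against a whitelist corpus and a known-malware corpus before it may be rolled out. The file names, call sequences and the n-gram representation of "characteristics" are all constructed for the example; a rule that hits any whitelisted file, or an empty rule that would match everything, is rejected.

```python
from dataclasses import dataclass

# --- Constructed sample corpus (illustrative, not real telemetry) -----------
# Each "file" is the ordered list of system calls observed in a sandbox run.
NEW_SAMPLES = {  # a handful of freshly discovered files from one family
    "dropper_a": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess",
                  "InternetOpen", "HttpSendRequest"],
    "dropper_b": ["InternetOpen", "HttpSendRequest", "CreateFile", "WriteFile",
                  "RegSetValue", "CreateProcess"],
    "dropper_c": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess",
                  "Sleep", "InternetOpen", "HttpSendRequest"],
}
WHITELIST = {  # known-benign files the rule must never match
    "installer.exe": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess",
                      "CloseHandle"],
    "updater.exe":   ["InternetOpen", "HttpSendRequest", "CreateFile", "WriteFile",
                      "CreateProcess", "RegSetValue"],
    "notepad.exe":   ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"],
}
KNOWN_MALWARE = {  # larger corpus of already-classified malicious files
    "dropper_d": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess",
                  "InternetOpen", "HttpSendRequest"],
    "keylogger": ["SetWindowsHookEx", "GetAsyncKeyState", "CreateFile", "WriteFile"],
}


def ngrams(calls, n):
    """Characteristics of a file: the set of length-n call sequences it contains."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}


def build_rule(samples, n):
    """Heuristic rule = the characteristics shared by every sample in the group."""
    sets = [ngrams(calls, n) for calls in samples.values()]
    if not sets:
        return frozenset()
    return frozenset(set.intersection(*sets))


def matches(rule, calls, n):
    """A file falls under the rule when it exhibits every required characteristic."""
    return rule <= ngrams(calls, n)


@dataclass
class Verdict:
    rule: frozenset
    false_positives: list   # whitelisted files the rule matched
    covered_malware: list   # known-malicious files the rule matched
    accepted: bool


def evaluate_rule(rule, n, whitelist=WHITELIST, known_malware=KNOWN_MALWARE):
    """Reject a rule that matches any whitelisted file, or that is empty and would
    therefore match everything; otherwise report how much known malware it covers."""
    fps = sorted(name for name, c in whitelist.items() if matches(rule, c, n))
    tps = sorted(name for name, c in known_malware.items() if matches(rule, c, n))
    return Verdict(rule, fps, tps, accepted=bool(rule) and not fps)


if __name__ == "__main__":
    # n=1 treats the rule as an unordered bag of calls and is too generic: it also
    # describes the benign updater. n=2 keeps call order and passes the whitelist
    # check while still covering the related known sample.
    for n in (1, 2):
        v = evaluate_rule(build_rule(NEW_SAMPLES, n), n)
        print(f"n={n}: accepted={v.accepted} fp={v.false_positives} "
              f"covers={v.covered_malware}")
```

Running the script shows the bag-of-calls rule (n=1) being rejected because `updater.exe` exhibits every call the droppers share, while the ordered-pair rule (n=2) is accepted and still covers `dropper_d`. In practice the whitelist would be far larger than the malicious sample set, which is why a real evaluation pipeline runs over the vendor's full file corpus rather than a handful of examples.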
“As the number of malicious files we encounter every day exceeds hundreds of thousands and keeps growing, we at Kaspersky Lab have been automating a number of virus analysis tasks, for example finding similarities between different malicious files so that we can create heuristic detection rules that describe groups of objects instead of single files. The patented technology complements the set of machine learning tools our experts are using, so that they have more time to concentrate on the most advanced and sophisticated threats”, said Timur Biyachuev, Director Anti-Malware Research, Kaspersky Lab.
The patented technology (US Patent No. 9171155) is implemented in the following products: Kaspersky Internet Security, Kaspersky Total Security Multi-Device, Kaspersky Endpoint Security for Business.
Kaspersky Lab continues to develop and patent new data protection technologies. By the end of October 2015, the company had 343 patents in Russia, the US, China and Europe, with 324 more patent applications filed.