• Behavior based detection is part of Kaspersky Lab’s multi-layered, next generation approach to protection. It’s one of the most efficient ways to protect against advanced threats like fileless malware, ransomware and zero-day malware.

    The following protection capabilities make up Kaspersky Lab's new Threat Behavior Engine:
    • Behavior Detection
    • Automatic Exploit Prevention (AEP)
    • Rollback component
    • Anti-locker

    In real life, threat actors obfuscate malicious code to bypass static detection technologies in and emulation by security products. For example, just-created ransomware code is often packed by custom-made packer with anti-emulation feature. Before execution, any attempt to scan the well-done sample by On Demand Scan or On Access Scan will return no success in detection, so the task of the threat actor is carried out.

    But when it comes to execution stage, the Threat Behavior Engine analyzes the actual process activity in real time and reveals its malicious nature. All that is needed then is to flag the alarm, terminate the process and perform rollback of the changes.

    In the mentioned example with packed ransomware, the sample could try to

    • Find important files on target system
    • Encrypt important files
    • Delete original files
    • Delete shadow copies

    Such information is enough for detection and does not depend on packer or anti-emulation techniques used. Running Threat Behavior Engine, armored by both behavior heuristics and ML-based models, the product becomes non-sensitive to static avoidance techniques and even sample behavior modifications.

    Making behavior based judgments, it is important to produce detection of malicious activity as soon as possible, which in combination with proper rollback mechanism allows to prevent any final user’s data loss. Rollback procedure protects different objects, like files, registry keys, tasks, etc.

    Returning to the sample above, let’s assume that before actual malicious activity, the ransomware added itself to autorun (for example, through registry). After detection, rollback mechanism should analyze the behavioral stream and not just restore user’s data but also delete the created registry key.

    Among other advantages, in some cases behavior based detection technology becomes the only means to detect and protect from a threat such as fileless malware. For example, while surfing the internet, a user is targeted by a drive-by based attack. After exploitation, malicious code is executed in the context of web browser. The main goal of the malicious code is to use registry or WMI subscriptions for persistence, and this ends up with no single object for static scan. Nevertheless, the Behaviour Detection component analyses the web browser’s thread behaviour, flags the detect and blocks the malicious activity.

    Behavioral Engine component benefits from ML-based models on the endpoint to detect previously unknown malicious patterns in addition to behaviour heuristic records. Collected from different sources, system events are delivered to the ML model. After processing, ML model produces a verdict if the analysed pattern is malicious. Even in the case of a non malicious verdict, the result from the ML model is then used by Behaviour heuristics, which in turn could also flag the detect.

    Behavior Detection component implements a Memory Protection mechanism. It guards system critical process like lsass.exe and allows to prevent user credential leakage with the help of mimikatz like malware.

Related Products

US 9588848 B2

System and method of restoring modified data

Read more

US 7472420 B1

Method and system for detection of previously...

Read more

US 8042186 B1

System and method for detection of complex malware

Read more

WhitePaper

Preventing emerging threats with Kaspersky System Watcher

Read more

BlackOasis APT and new targeted attacks leveraging zero-day exploit

Read more

No stone unturned: fighting ransomware on workstations and servers alike

Read more

RSAC 2017

A Deep Look Into the Russian-Speaking Ransomware Ecosystem

Read more

SAS 2017

Ransomware in targeted attacks

Watch video

Independent Benchmark Results

  • AV-Comparatives Whole Product Dynamic Real-World Proteciton Test Feb-Jun 2017

  • SELabs Enterprise Endpoint Protection July-September 2017

  • AV-Test BEST PROTECTION 2016 (KES)

  • AV-Test BEST PROTECTION 2016 (KSOS)

  • MRG Effitas 360 certificaiton program

Related Technologies

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.

Accept and Close