Kaspersky Lab Patents Automated False-Positive Testing Technology Based on Machine Learning Algorithms
The detection rules, which are generated automatically from a small number of newly discovered malicious files, describe groups of malicious objects as combinations of characteristics. These characteristics include, for example, sequences of system calls and events that are common among malicious objects and rare in whitelisted files.
The technology, entitled “System and method for evaluating malware detection rules”, lets Kaspersky Lab reliably test these automatically generated rules before release, to check that each one describes its group of malicious files without also matching legitimate ones, so that the risk of false positives is greatly reduced. A candidate rule is run inside the Kaspersky Lab infrastructure, and every file it matches is compared against the set of known benign (whitelisted) files and against a larger set of known malicious objects than the rule was derived from. If none of the matched files coincide with whitelisted ones, the rule is considered accurate and is rolled out to users.
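The following Python sketch is an added illustration of the two steps described above and is not Kaspersky Lab's patented implementation: a rule is mined from a handful of malicious samples as the set of system-call trigrams they all share and no known benign file contains, and it is then vetted by running it over a fuller whitelist and a larger malware corpus, being accepted only if it hits no whitelisted file. The n-gram representation, the `min_hits` threshold and every trace below are assumptions constructed for the example.

```python
"""Toy model of automatically generated detection rules and their
false-positive vetting. Constructed illustration, not Kaspersky Lab's
patented implementation: a "file" is reduced to the sequence of system
calls it was observed making, a "rule" is a set of call n-grams shared
by a small cluster of newly discovered malicious samples plus the
minimum number of those n-grams a file must contain to match.
All traces are made up.
"""


def ngrams(calls, n):
    """Set of length-n call sequences occurring in a trace."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}


def mine_rule(seed_samples, known_benign, n=3, min_hits=None):
    """Generalise a few malicious traces into one rule.

    Keeps the n-grams present in every seed sample and absent from every
    benign trace the miner was shown. min_hits defaults to all of them,
    i.e. the strictest form of the rule (assumed threshold semantics).
    """
    common = set.intersection(*(ngrams(s, n) for s in seed_samples))
    benign = set().union(*(ngrams(b, n) for b in known_benign))
    features = frozenset(common - benign)
    if min_hits is None:
        min_hits = len(features)
    return {"n": n, "features": features, "min_hits": min_hits}


def matches(rule, calls):
    """A file matches when it contains at least min_hits of the rule's n-grams."""
    if not rule["features"]:
        return False
    hits = rule["features"] & ngrams(calls, rule["n"])
    return len(hits) >= rule["min_hits"]


def evaluate_rule(rule, whitelist, malware_corpus):
    """Vet a candidate rule against the full whitelist and a larger malicious
    corpus than it was mined from. A single whitelisted hit rejects the rule;
    it must also still detect something to be worth shipping."""
    false_positives = sorted(n for n, t in whitelist.items() if matches(rule, t))
    detected = sorted(n for n, t in malware_corpus.items() if matches(rule, t))
    return {
        "false_positives": false_positives,
        "detected": detected,
        "coverage": len(detected) / len(malware_corpus),
        "accepted": not false_positives and bool(detected),
    }


# Constructed traces: three newly discovered samples of one downloader family.
SEEDS = [
    ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue",
     "InternetOpen", "InternetReadFile", "Sleep"],
    ["LoadLibrary", "CreateFile", "WriteFile", "CreateProcess", "RegSetValue",
     "InternetOpen", "InternetReadFile", "Sleep"],
    ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue",
     "InternetOpen", "InternetReadFile", "ExitProcess"],
]

# The small benign set the miner sees when the rule is generated.
MINING_WHITELIST = {
    "notepad.exe": ["CreateFile", "ReadFile", "CloseHandle", "ExitProcess"],
}

# The full whitelist used for vetting also holds legitimate programs that
# drop files, spawn processes and write the registry (constructed).
FULL_WHITELIST = {
    **MINING_WHITELIST,
    "setup.exe": ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "ExitProcess"],
    "updater.exe": ["CreateFile", "InternetOpen", "InternetReadFile", "WriteFile", "CloseHandle"],
}

# Larger malicious corpus: the seeds, an unseen variant, and an unrelated family.
MALWARE_CORPUS = {
    "downloader.a": SEEDS[0],
    "downloader.b": SEEDS[1],
    "downloader.c": SEEDS[2],
    "downloader.d": ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue",
                     "InternetOpen", "InternetReadFile", "CreateProcess"],
    "keylogger.a": ["SetWindowsHookEx", "GetAsyncKeyState", "WriteFile", "Sleep"],
}


def vet_candidates():
    """Mine a loose and a strict variant of the same rule and vet both.
    The loose one (any two shared trigrams) also matches setup.exe, which the
    miner never saw, so it is rejected; the strict one is accepted."""
    loose = mine_rule(SEEDS, MINING_WHITELIST.values(), n=3, min_hits=2)
    strict = mine_rule(SEEDS, MINING_WHITELIST.values(), n=3)
    return {
        "loose": evaluate_rule(loose, FULL_WHITELIST, MALWARE_CORPUS),
        "strict": evaluate_rule(strict, FULL_WHITELIST, MALWARE_CORPUS),
    }


if __name__ == "__main__":
    for name, result in vet_candidates().items():
        print(name, result)
```

The point the vetting step makes is visible in the loose rule: it is clean against the benign files the miner was shown, yet hits `setup.exe` in the fuller whitelist, which is exactly the case an infrastructure-scale comparison catches before the rule reaches users.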
“As the amount of malicious files which we encounter every day exceeds hundreds of thousands and keeps growing, we at Kaspersky Lab have been automating a number of virus analysis tasks, for example tasks such as finding similarities between different malicious files so that we can create heuristic detection rules that describe groups of objects instead of single files. The patented technology complements the set of machine learning tools our experts are using so that they have more time to concentrate on the most advanced and sophisticated threats”, said Timur Biyachuev, Director of Anti-Malware Research, Kaspersky Lab.