OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES
First Claim
1. A computer-implemented method for optimization of anti-virus (AV) processing, the method comprising:
(a) creating a database of malware detection rules and a database of correction coefficients on an AV server, wherein the detection rules include test rules;
(b) updating a user-side database of malware detection rules and a user-side database of correction coefficients with current data from the database of malware detection rules and the database of correction coefficients on the AV server;
(c) receiving, from users running user processes, at the AV server, data related to the user processes, if the process aggregate rating exceeds a safety threshold but is below a danger threshold;
(d) accumulating received data related to the user process on an AV server data storage;
(e) analyzing false-negative determinations; and
(f) generating a database of correction coefficients for correction of the detection rules on the AV server based on the aggregate false-negative determinations.
Abstract
A system, method and computer program product for optimizing the execution of anti-malware (AV) applications. The number of false-positive determinations made by an AV system is reduced by correcting malware detection rules using correction coefficients, and the number of malware objects the AV system detects is increased by correcting the ratings the rules produce using those coefficients. Automated testing of new detection rules is also provided: new rules are added to the rules database with zero correction coefficients, the results of applying them are analyzed, and the rules are corrected or modified for further testing.
43 Citations
36 Claims
1. Claim 1 is set out in full above under First Claim. Dependent claims: 2 to 13.
14. A computer-implemented method for minimization of false-positive determinations in anti-virus (AV) processing, the method comprising:
(a) creating a database of malware detection rules and a database of correction coefficients on an AV server;
(b) updating a user-side database of malware detection rules and a user-side database of correction coefficients with current data from the database of malware detection rules and the database of correction coefficients on the AV server;
(c) receiving, from users running user processes, at the AV server, data related to the user processes, if the process aggregate rating exceeds a danger threshold;
(d) accumulating received data related to the user process on an AV server data storage;
(e) analyzing false-positive determinations; and
(f) generating a database of correction coefficients for correction of the detection rules on the AV server based on the aggregate false-positive determinations.
Dependent claims: 15 to 22.
23. A system implemented on a computer having a processor and a memory for optimization of anti-virus (AV) processing, the system comprising:
a report generation unit for processing user requests, wherein the report generation unit is connected to a data storage;
an analysis module connected to the data storage, a black list storage, a rules database, an incorrect rules database and a correction coefficients database;
the rules database being accessible by the analysis module for modifying the rules in the rules database;
the correction coefficients database being accessible by the analysis module for modifying the coefficients in the correction coefficients database for the rules from the rules database;
an update module connected to the rules database and to the correction coefficients database;
a data storage containing data related to the process, wherein the data storage is accessible by the analysis module and the report generation unit;
a black list storage containing data related to known malware objects,
wherein the report generation unit receives data related to the process from users and stores the received data into the data storage, wherein the rules database and the coefficients database are updated by the analysis module based on analysis of data in the data storage using the black list storage, and wherein the update module sends new versions of the rules database and the correction coefficients database to the user.
Dependent claims: 24 to 36.
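The rating, threshold and coefficient-correction loop described by claims 1, 14 and 23, as an added Python example that is not part of the patent; the rule names, triggering events, weights, threshold values and sample reports are all constructed for illustration.

```python
# Added example (not from the patent): aggregate rating from weighted rules and
# correction coefficients, safety/danger thresholds, and server-side correction
# of coefficients from false-positive / false-negative analysis.
from collections import defaultdict

SAFETY_THRESHOLD = 30   # constructed numbers; the patent names the thresholds only
DANGER_THRESHOLD = 70

# Rule name -> (base weight, set of process events that fires it); all constructed.
RULES = {
    "writes_autorun":   (40, {"reg_write_run_key"}),
    "injects_remote":   (50, {"open_process", "write_process_memory"}),
    "packs_executable": (30, {"high_entropy_section"}),
    "test_dns_burst":   (20, {"many_dns_queries"}),   # new test rule
}
# Coefficient 1.0 = rule counts fully; 0.0 = test rule, observed but not counted.
COEFFS = {"writes_autorun": 1.0, "injects_remote": 1.0,
          "packs_executable": 1.0, "test_dns_burst": 0.0}
BLACKLIST = {"evil.exe"}                                  # constructed known-malware list
REPORTS = [                                               # (object, observed events), constructed
    ("evil.exe", ["reg_write_run_key", "many_dns_queries"]),
    ("setup.exe", ["open_process", "write_process_memory", "high_entropy_section"]),
]

def fired_rules(events):
    return [n for n, (_, trig) in RULES.items() if trig <= set(events)]

def aggregate_rating(events, coeffs):
    return sum(RULES[n][0] * coeffs[n] for n in fired_rules(events))

def verdict(rating):
    """'suspicious' (claim 1) and 'malware' (claim 14) are what users report."""
    if rating >= DANGER_THRESHOLD:
        return "malware"
    return "suspicious" if rating > SAFETY_THRESHOLD else "safe"

def correct_coefficients(reports, coeffs, blacklist, step=0.25):
    """AV-server side: shrink coefficients of rules behind false positives, grow
    those that under-rated blacklisted objects, promote test rules that only hit malware."""
    new = dict(coeffs)
    test_hits = defaultdict(lambda: [0, 0])   # test rule -> [hits on malware, hits on clean]
    for obj, events in reports:
        v, is_malware = verdict(aggregate_rating(events, coeffs)), obj in blacklist
        for n in fired_rules(events):
            if coeffs[n] == 0.0:
                test_hits[n][0 if is_malware else 1] += 1
            elif v == "malware" and not is_malware:      # false positive
                new[n] = max(0.0, new[n] - step)
            elif v != "malware" and is_malware:          # false negative
                new[n] = min(2.0, new[n] + step)
    for n, (mal, clean) in test_hits.items():
        if mal and not clean:                            # test rule never fired on clean objects
            new[n] = 1.0
    return new
```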