OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES

US 20120167219A1
Filed: 12/24/2010
Published: 06/28/2012
Est. Priority Date: 12/24/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for optimization of anti-virus (AV) processing, the method comprising:

(a) creating a database of malware detection rules and a database of correction coefficients on an AV server, wherein the detection rules include test rules;

(b) updating a user-side database of malware detection rules and a user-side database of correction coefficients with current data from the database of malware detection rules and the database of correction coefficients on the AV server;

(c) receiving, from users running user processes, at the AV server, data related to the user processes, if the process aggregate rating exceeds a safety threshold but is below a danger threshold;

(d) accumulating received data related to the user process on an AV server data storage;

(e) analyzing false-negative determinations; and

(f) generating a database of correction coefficients for correction of the detection rules on the AV server based on the aggregate false-negative determinations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for optimization of execution of anti-malware (AV) applications. A number of false-positive determinations by an AV system are reduced by correcting malware detection rules using correction coefficients. A number of malware objects detected by the AV system are increased by correction of ratings determined by the rules using correction coefficients. An automated testing of new detection rules used by the AV system is provided. The new rules having zero correction coefficients are added to the rules database and results of application of the new rules are analyzed and the rules are corrected or modified for further testing.

43 Citations

View as Search Results

36 Claims

1. A computer-implemented method for optimization of anti-virus (AV) processing, the method comprising:
- (a) creating a database of malware detection rules and a database of correction coefficients on an AV server, wherein the detection rules include test rules;
  
  (b) updating a user-side database of malware detection rules and a user-side database of correction coefficients with current data from the database of malware detection rules and the database of correction coefficients on the AV server;
  
  (c) receiving, from users running user processes, at the AV server, data related to the user processes, if the process aggregate rating exceeds a safety threshold but is below a danger threshold;
  
  (d) accumulating received data related to the user process on an AV server data storage;
  
  (e) analyzing false-negative determinations; and
  
  (f) generating a database of correction coefficients for correction of the detection rules on the AV server based on the aggregate false-negative determinations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the false-negative determination is made when a checksum of the detected suspicious object in an AV server data storage have a matching checksum of the known malware objects in a blacklist database.
  - 3. The method of claim 1, further comprising receiving, from the AV server, a current rating of a user process.
  - 4. The method of claim 3, wherein the current rating is determined based on data related to the process received from several users.
  - 5. The method of claim 1, wherein the data related to the process comprises at least a checksum of the object corresponding to the user process, an aggregate rating of the process, a number of a triggered rule and rating set by the rule.
  - 6. The method of claim 1, wherein the aggregate process rating is generated based at least on application of the detection rules to the user process, the correction coefficients for the detection rules, the static rating and the current rating.
  - 7. The method of claim 6, wherein the static rating is determined based on parameters of the object corresponding to the user process, the parameters comprising at least object attributes, object location, object type and object size.
  - 8. The method of claim 1, wherein the correction coefficients change a rating set by the rules.
  - 9. The method of claim 1, further comprising receiving the data related to the process by the AV server for further analyses, if at least one of the test rules is triggered by the user process.
  - 10. The method of claim 9, further comprising deleting the test rule from the rules database and saving it into an incorrect rules database for further review, if the test rule was triggered incorrectly.
  - 11. The method of claim 9, further comprising deleting the correction coefficients corresponding to the test rule that was triggered incorrectly.
  - 12. The method of claim 9, further comprising setting non-zero coefficient to the test rule, if the test rule was triggered correctly.
  - 13. The method of claim 1, wherein data collected over at least a day is used to correct the detection rules.

14. A computer-implemented method for minimization of false-positive determinations in anti-virus (AV) processing, the method comprising:
- (a) creating a database of malware detection rules and a database of correction coefficients on an AV server;
  
  (b) updating a user-side database of malware detection rules and a user-side database of correction coefficients with current data from the database of malware detection rules and the database of correction coefficients on the AV server;
  
  (c) receiving, from users running user processes, at the AV server, data related to the user processes, if the process aggregate rating exceeds a danger threshold;
  
  (d) accumulating received data related to the user process on an AV server data storage;
  
  (e) analyzing false-positive determinations; and
  
  (f) generating a database of correction coefficients for correction of the detection rules on the AV server based on the aggregate false-positive determinations.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, further comprising making the false-positive determination when a checksum of the detected object in the AV server data storage does not have a matching checksums of the known malware objects in a blacklist database.
  - 16. The method of claim 14, further comprising receiving, from the AV server, a current rating of a user process.
  - 17. The method of claim 16, wherein the current rating is determined based on data related to the process received from several users.
  - 18. The method of claim 14, wherein the aggregate process rating is generated based at least on application of the detection rules to the user process, the correction coefficients for the detection rules, the static rating and the current rating.
  - 19. The method of claim 18, wherein the static rating is determined based on parameters of the object corresponding to the user process, the parameters comprising at least object attributes, object location, object type and object size.
  - 20. The method of claim 14, wherein the data related to the process comprises at least a checksum of the object corresponding to the user process, an aggregate rating of the process, a number of a triggered rule and rating set by the rule.
  - 21. The method of claim 14, wherein the correction coefficients change a rating set by the rules.
  - 22. The method of claim 14, wherein data collected over at least a day is used to correct the detection rules.

23. A system implemented on a computer having a processor and a memory for optimization of anti-virus (AV) processing, the system comprising:
- a report generation unit for processing user requests, wherein a report generation unit is connected to a data storage;
  
  an analysis module is connected to the data storage, a black list storage, a rules database, an incorrect rules database and a correction coefficients database;
  
  the rules database being accessible by the analysis module for modifying the rules in the rules database;
  
  the correction coefficients database being accessible by the analysis module for modifying the coefficients in correction coefficients database for the rules from the rules database;
  
  an update module connected to the rules database and to the correction coefficients database;
  
  a data storage containing data related to the process, wherein the data storage is accessible by the analysis module and the report generation unit;
  
  a black list storage containing data related to known malware objects,wherein the report generation unit receives data related to the process from users and stores received data into the data storage,wherein the rules database and the coefficient database are updated by an analysis module based on analysis of data in the data storage using the black list storage, andwherein the update module sends new versions of the rules database and the correction coefficients database to the user.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 24. The system of claim 23, wherein the report generation unit receives at least the following:
    - a checksum of the suspicious or malicious object that instantiated a process that triggered a detection rule;
      
      a unique number of the triggered detection rule;
      
      a process rating set by the triggered detection rule; and
      
      an aggregate rating of the process.
  - 25. The system of claim 23, further comprising a rating generation module connected to the report generation unit and the data storage.
  - 26. The system of claim 25, wherein the rating generation module provides a current process rating of the process triggered by the suspicious object based on data related to the process received from several users.
  - 27. The system of claim 23, wherein the static rating is determined based on parameters of the object corresponding to the user process, the parameters comprising at least object attributes, object location, object type and object size.
  - 28. The system of claim 23, wherein the suspect object instantiates a process that has an aggregate rating lower than a danger threshold and higher than a safety threshold.
  - 29. The system of claim 23, wherein the suspect object is treated as malware if a process instantiated by the suspect object has an aggregate rating higher than a danger threshold.
  - 30. The system of claim 23, wherein the rules databases and the coefficients databases are updated independently of each other.
  - 31. The system of claim 23, wherein the rules database comprises test rules having zero correction coefficients in the correction coefficients database.
  - 32. The system of claim 31, wherein the report generation unit receives the data related to the process for further analyses, if at least one of the test rules is triggered by the user process.
  - 33. The system of claim 31, further comprising an incorrect rules database being accessible by the analysis module, wherein, after correcting, rules from the incorrect rules database are added to the rules database;
  - 34. The system of claim 33, wherein the analysis module deletes the test rule from the rules database and saves it into the incorrect rules database for further analyses, if the test rule was triggered incorrectly.
  - 35. The system of claim 33, wherein the analysis module deletes the correction coefficients from the correction coefficients database corresponding to the test rule that was triggered incorrectly.
  - 36. The system of claim 31, wherein the analysis module sets a non-zero coefficient to the test rule, if the test rule was triggered correctly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
ZAITSEV, OLEG V., Mashevsky, Yury, Denishchenko, Nikolay

Granted Patent

US 8,640,245 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links