ELIMINATION OF FALSE POSITIVES IN ANTIVIRUS RECORDS

US 20180032726A1
Filed: 02/14/2017
Published: 02/01/2018
Est. Priority Date: 07/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method for managing antivirus records, the method comprising:

providing a data store of antivirus records;

providing an antivirus application to be executed on each of a plurality of user computers, each antivirus application configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status; and

executing instructions by a remote server, the remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, cause the remote server to implement;

a processing tool configured to;

collect at least one antivirus record parameter for a particular antivirus record from the plurality of user computers, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,collect statistical data of the detection events of the antivirus record from the plurality of user computers, anddetermine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter, anda classification tool configured to;

determine, if the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space define false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping define malicious antivirus records, andchange the status of the antivirus record from working status to test status,wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing antivirus records. A method can include providing a data store of antivirus records, providing an antivirus application to be executed on each of a plurality of user computers, and executing instructions by a remote server to implement a processing tool configured to collect an antivirus record parameter for a particular antivirus record and collect statistical data of a detection events associated with the antivirus record, and a processing tool to configured to determine a false activation using the antivirus record parameter and the statistical data.

17 Citations

View as Search Results

20 Claims

1. A method for managing antivirus records, the method comprising:
- providing a data store of antivirus records;
  
  providing an antivirus application to be executed on each of a plurality of user computers, each antivirus application configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status; and
  
  executing instructions by a remote server, the remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, cause the remote server to implement;
  
  a processing tool configured to;
  
  collect at least one antivirus record parameter for a particular antivirus record from the plurality of user computers, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,collect statistical data of the detection events of the antivirus record from the plurality of user computers, anddetermine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter, anda classification tool configured to;
  
  determine, if the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space define false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping define malicious antivirus records, andchange the status of the antivirus record from working status to test status,wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 11, 12, 13)
- - 3. The method for managing antivirus records of claim 1, wherein the classification tool is further configured to build a classification algorithm using a training set for which the first class and the second class are predetermined, wherein processing tool is further configured to send training set to the plurality of user computers, and collect the at least one antivirus record parameter and the statistical data of the detection events of antivirus record for the training set for a predetermined collection period.
  - 4. The method for managing antivirus records of claim 1, wherein the antivirus application comprises a plurality of security modules, and wherein the at least one antivirus record parameter includes a weight based on the particular security module corresponding to the antivirus record activated for the software file.
  - 5. The method for managing antivirus records of claim 4, wherein at least two security modules corresponding to at least for two antivirus records detected the software file, and wherein the at least one classification algorithm considers the false activation to decrease.
  - 6. The method for managing antivirus records of claim 1, wherein the antivirus record parameter includes at least one of:
    - a timestamp of occurrence of detection event of the antivirus record,a name of the software file which was detected by the antivirus record,a path to the software file,a type of antivirus record including at least one of signature, heuristics, or parental control tool,a type of user application, ora location of the user computer.
  - 7. The method for managing antivirus records of claim 1, wherein the at least one classification algorithm includes at least one of a support vector machine, a Bayesian classifier, a neural network, or a logistic regression.
  - 8. The method for managing antivirus records of claim 1, wherein statistical data of the detection events of the antivirus record is analyzed by the classification algorithm according to at least one of a statistical function, a moment, a sampling moment, an autocorrelation of coefficients, a trend, a probability distribution, a seasonality component, or a period of seasonality component.
  - 9. The method for managing antivirus records of claim 1, wherein the statistical data of the detection events of the antivirus record includes a weight based on at least one of an antivirus application type and an antivirus record type.
  - 11. The method for managing antivirus records of claim 1, wherein the hyperplane is the vector wx−
    - b=0, wherein wx is the dot product of vectors w and x, and b is at least one antivirus record parameter, and hyperplanes wx−
      
      b=1 and wx−
      
      b=−
      
      1 are selected that intersect support vectors of the first class and the second class and are parallel to the hyperplane.
  - 12. The method for managing antivirus records of claim 1, wherein the data store is provided on the remote server.
  - 13. The method for managing antivirus records of claim 1, wherein the data store is provided on each of the plurality of user computers.

2. (canceled)

10. (canceled)

14. A system for managing antivirus records, the system comprising:
- a data store of antivirus records; and
  
  a remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, wherein the remote server is configured to implement;
  
  a processing tool configured to;
  
  collect at least one antivirus record parameter for a particular antivirus record from a plurality of user computers, each of the plurality of user computers executing an antivirus application, wherein the antivirus application is configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,collect statistical data of the detection events of the antivirus record from the plurality of user computers, anddetermine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter, anda classification tool configured to;
  
  determine, if the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space define false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping define malicious antivirus records, andchange the status of the antivirus record from working status to test status,wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.
- View Dependent Claims (17)
- - 17. The system for managing antivirus records of claim 14, wherein the hyperplane is the vector wx−
    - b=0, wherein wx is the dot product of vectors w and x, and b is at least one antivirus record parameter, and hyperplanes wx−
      
      b=1 and wx−
      
      b=−
      
      1 are selected that intersect support vectors of the first class and the second class and are parallel to the hyperplane.

15-16. -16. (canceled)

18. A method for managing antivirus records, the method comprising:
- gathering at least one antivirus record parameter for a particular antivirus record utilized on a user device, the antivirus record being utilized to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status;
  
  gathering at least one statistical measure after the occurrence of a malicious software file detection event on the user device for a particular antivirus record, the malicious software file detection event activating the antivirus record;
  
  determining a total number of user devices on which the antivirus record was activated over a predetermined period of time;
  
  determining whether the total number of user devices on which the antivirus record was activated exceeds a predetermined device threshold, wherein the predetermined device threshold is based on the at least one antivirus record parameter;
  
  determining, if the total number of user devices exceeds the device threshold, whether the antivirus record contains a false activation by a classification algorithm comprising a support vector machine operating on antivirus records in attribute space that utilizes the at least one antivirus record parameter and the at least one statistical measure, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space define false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping define malicious antivirus records; and
  
  updating the status of the antivirus record from working status to test status if the classification algorithm determines the antivirus record contains a false activation.
- View Dependent Claims (19)
- - 19. The method for managing antivirus records of claim 18, further comprising communicating the updated status of the antivirus record to the user device.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
PARINOV, DENIS I., SVIRIDOV, KONSTANTIN Y., ULASEN, SERGEY I.

Granted Patent

US 9,990,495 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

ELIMINATION OF FALSE POSITIVES IN ANTIVIRUS RECORDS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ELIMINATION OF FALSE POSITIVES IN ANTIVIRUS RECORDS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links