ELIMINATION OF FALSE POSITIVES IN ANTIVIRUS RECORDS
Abstract
Systems and methods for managing antivirus records. A method can include providing a data store of antivirus records, providing an antivirus application to be executed on each of a plurality of user computers, and executing instructions by a remote server to implement a processing tool configured to collect an antivirus record parameter for a particular antivirus record and collect statistical data of detection events associated with the antivirus record, and a classification tool configured to determine a false activation using the antivirus record parameter and the statistical data.
20 Claims
1. A method for managing antivirus records, the method comprising:
   providing a data store of antivirus records;
   providing an antivirus application to be executed on each of a plurality of user computers, each antivirus application configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status; and
   executing instructions by a remote server, the remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, to cause the remote server to implement:
   a processing tool configured to:
      collect at least one antivirus record parameter for a particular antivirus record from the plurality of user computers, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,
      collect statistical data of the detection events of the antivirus record from the plurality of user computers, and
      determine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter; and
   a classification tool configured to:
      determine, if the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space defines false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping defines malicious antivirus records, and
      change the status of the antivirus record from working status to test status,
   wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.
   (Dependent claims: 3, 4, 5, 6, 7, 8, 9, 11, 12, 13)

2. (canceled)

10. (canceled)

14. A system for managing antivirus records, the system comprising:
   a data store of antivirus records; and
   a remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, wherein the remote server is configured to implement:
   a processing tool configured to:
      collect at least one antivirus record parameter for a particular antivirus record from a plurality of user computers, each of the plurality of user computers executing an antivirus application, wherein the antivirus application is configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,
      collect statistical data of the detection events of the antivirus record from the plurality of user computers, and
      determine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter; and
   a classification tool configured to:
      determine, if the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space defines false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping defines malicious antivirus records, and
      change the status of the antivirus record from working status to test status,
   wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.
   (Dependent claims: 17)

15-16. (canceled)

18. A method for managing antivirus records, the method comprising:
   gathering at least one antivirus record parameter for a particular antivirus record utilized on a user device, the antivirus record being utilized to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status;
   gathering at least one statistical measure after the occurrence of a malicious software file detection event on the user device for a particular antivirus record, the malicious software file detection event activating the antivirus record;
   determining a total number of user devices on which the antivirus record was activated over a predetermined period of time;
   determining whether the total number of user devices on which the antivirus record was activated exceeds a predetermined device threshold, wherein the predetermined device threshold is based on the at least one antivirus record parameter;
   determining, if the total number of user devices exceeds the device threshold, whether the antivirus record contains a false activation by a classification algorithm comprising a support vector machine operating on antivirus records in attribute space that utilizes the at least one antivirus record parameter and the at least one statistical measure, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space defines false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping defines malicious antivirus records; and
   updating the status of the antivirus record from working status to test status if the classification algorithm determines the antivirus record contains a false activation.
   (Dependent claims: 19)

20. (canceled)
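The following is an added worked example, not code from the patent or its assignee, that models the procedure shared by claims 1, 14 and 18: a processing tool counts the distinct user computers on which a record fired within a predetermined period and compares that count with a threshold derived from a record parameter; only records above the threshold go to a classification tool, which places them in a two-dimensional attribute space and applies a linear support vector machine; a record classified as a false activation is moved from working status (detect and contain) to test status (detect only) and the change is written back to the data store. Everything concrete here is an assumption made for the example: the record parameter is a constructed `record_type` with per-type thresholds, the two attributes are the share of detections on files carrying a trusted signature and a scaled log of the affected host count, the training set and telemetry are constructed, and the SVM is trained with the Pegasos subgradient method, which the patent does not specify.

```python
# Added example (not from the patent): threshold gate plus linear SVM that
# demotes an antivirus record from "working" to "test" on a false activation.
import math
from dataclasses import dataclass

WORKING, TEST = "working", "test"


@dataclass
class AntivirusRecord:
    record_id: str
    record_type: str          # constructed record parameter: "hash" or "heuristic"
    status: str = WORKING


@dataclass
class DetectionEvent:
    record_id: str
    computer_id: str
    timestamp: int            # seconds since epoch (constructed)
    file_trusted: bool        # constructed statistic: detected file has a trusted signature


# Detection threshold derived from the record parameter (constructed values):
# a broad heuristic record is reviewed after fewer affected hosts than a hash record.
BASE_THRESHOLD = {"hash": 100, "heuristic": 50}


def window_events(events, record_id, start, end):
    """Detection events for one record inside the predetermined period [start, end)."""
    return [e for e in events if e.record_id == record_id and start <= e.timestamp < end]


def collect_statistics(events, record_id, start, end):
    """Processing tool: distinct affected computers and share of events on trusted files."""
    evs = window_events(events, record_id, start, end)
    hosts = {e.computer_id for e in evs}
    trusted = sum(1 for e in evs if e.file_trusted) / len(evs) if evs else 0.0
    return len(hosts), trusted


def features(n_computers, trusted_frac):
    """Attribute-space vector: bias term, trusted-file share, scaled log host count."""
    return [1.0, trusted_frac, min(math.log10(max(n_computers, 1)) / 3.0, 1.0)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train_svm(samples, labels, lam=0.01, epochs=1000):
    """Linear SVM trained with Pegasos (assumed here; the patent names no training
    algorithm). Labels: +1 = false activation class, -1 = malicious class."""
    w = [0.0] * len(samples[0])
    t = 0
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            t += 1
            eta = 1.0 / (lam * t)
            scale = 1.0 - eta * lam
            if y * dot(w, x) < 1.0:          # inside the margin: hinge-loss subgradient step
                w = [scale * wi + eta * y * xi for wi, xi in zip(w, x)]
            else:                            # correctly classified with margin: only shrink
                w = [scale * wi for wi in w]
    return w


def is_false_activation(w, x):
    """Side of the separating hyperplane the record falls on."""
    return dot(w, x) >= 0.0


# Constructed training set: (trusted share, scaled log hosts) -> class label.
TRAINING = [
    ((0.90, 0.3), +1), ((0.80, 0.7), +1), ((0.95, 0.5), +1), ((0.70, 0.9), +1),
    ((0.05, 0.3), -1), ((0.10, 0.7), -1), ((0.00, 0.5), -1), ((0.15, 0.9), -1),
]
SVM_WEIGHTS = train_svm([[1.0, a, b] for (a, b), _ in TRAINING], [y for _, y in TRAINING])


def training_accuracy(w):
    hits = sum(1 for (a, b), y in TRAINING if is_false_activation(w, [1.0, a, b]) == (y > 0))
    return hits / len(TRAINING)


def review_record(record, events, start, end, w, data_store):
    """Processing tool gate followed by classification tool; returns the final status."""
    n_hosts, trusted = collect_statistics(events, record.record_id, start, end)
    if n_hosts <= BASE_THRESHOLD[record.record_type]:
        return record.status                               # below threshold: not classified
    if record.status == WORKING and is_false_activation(w, features(n_hosts, trusted)):
        record.status = TEST                               # keep detecting, stop containing
        data_store[record.record_id] = record.status       # distribute the changed status
    return record.status


def make_events(record_id, n_hosts, trusted_share, base_ts=1_000_000):
    """Constructed telemetry: one event per host; the first trusted_share of hosts hit trusted files."""
    n_trusted = round(n_hosts * trusted_share)
    return [DetectionEvent(record_id, f"pc-{i}", base_ts + i, i < n_trusted) for i in range(n_hosts)]


def run_demo():
    """Three constructed records over a one-day period: A fires widely on trusted files,
    B fires widely on untrusted files, C fires on too few hosts to be classified."""
    store = {}
    start, end = 1_000_000, 1_000_000 + 86_400
    records = {"A": AntivirusRecord("A", "heuristic"),
               "B": AntivirusRecord("B", "heuristic"),
               "C": AntivirusRecord("C", "hash")}
    events = make_events("A", 120, 0.9) + make_events("B", 120, 0.05) + make_events("C", 10, 0.9)
    statuses = {rid: review_record(r, events, start, end, SVM_WEIGHTS, store) for rid, r in records.items()}
    return statuses, store


if __name__ == "__main__":
    print(run_demo())
```

Record A ends up in test status and that change is what the data store receives; B stays in working status because the hyperplane places it with the malicious class; C is never classified because its host count does not exceed the threshold for its record type, which is the claimed ordering of the two tools.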