Detection and minimization of false positives in anti-malware processing
First Claim
1. A method for protecting against malware and correcting a white list, the method being performed on a computer having a processor and a memory, the method comprising:
(a) creating a white list of clean objects and a black list of malicious objects;
(b) collecting metadata related to a suspicious object;
(c) adding a new malware-related record to a black list or adding a new white list record based on the metadata;
(d) comparing the metadata and the malware-related record against the white list or the metadata and a new white list record against the black list;
(e) detecting a collision due to an object being assigned to the wrong list;
(f) analyzing the collision and, if the collision is a false positive event, correcting the black list, or, if the collision is a false negative event, correcting the white list.
1 Assignment
0 Petitions
Abstract
A system, method and computer program product for detection of false positives occurring during execution of anti-malware applications. The detection and correction of the false positives is implemented in two phases: before creation of new anti-virus databases (i.e., malware black lists) or new white lists, and after the anti-virus databases or new white lists are created and new false positives are detected. The system calculates a probability that a detection of a given potential malware object is a false positive. Based on this probability, the system decides to either correct a white list (i.e., a collection of known clean objects) or update a black list (i.e., a collection of known malware objects). The process is separated into several steps: creation and update (or correction) of white lists; creation and update of black lists; detection of collisions between these lists; and correction of black lists or white lists based on the detected collisions.
122 Citations
11 Claims
1. (Claim 1 as set out above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for minimizing generation of false positive records during anti-malware processing, the method being performed on a computer having a processor and a memory, the method comprising:
creating a white list of clean objects and a black list of known malware objects;
based on a suspect object's metadata, generating a record pertaining to detection of the suspect object;
retrieving a record corresponding to the suspect object from the black list or from the white list;
providing the records to a false positive correction module;
calculating a probability of a false positive detection by the false positive correction module; and
generating a false positive verdict, wherein:
corrections are made in the white list if the suspect object is deemed to be malicious based on the metadata; and
corrections are made in the black list if the suspect object is deemed to be non-malicious based on the metadata.
10. A system for minimizing generation of false positive records during anti-malware processing on a computer having a processor and a memory, the system comprising the following software modules loaded into the memory:
a detection system;
a false positive detection module interfacing to the detection system;
a false positive correction module;
a defense module;
a white list database accessible by the false positive detection module and by the false positive correction module;
an antivirus (AV) record database coupled to the defense module and accessible by the false positive detection module and by the false positive correction module,
wherein:
the detection system generates a record pertaining to the detection of a suspect object based on the suspect object's metadata, and the record is provided to the false positive detection module;
a probability of a false positive detection is calculated by the false positive correction module using the white list or black list data provided by the false positive detection module;
a false positive verdict is generated by the false positive correction module based on the probability;
corrections are made to the white list database if the suspect object is deemed to be malicious based on the suspect object's metadata;
corrections are made to the AV records database if the suspect object is deemed to be non-malicious based on the suspect object's metadata; and
the defense module continues to use the corrected AV records database for protection against the malware.
Dependent claim: 11.
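The collision-and-correction loop described in the abstract and in claims 1, 9 and 10, as an added example. This is not code from the patent or from any vendor's product: the record fields, the hash-keyed list layout, the TRUSTED_SIGNERS set, the scoring weights inside false_positive_probability and the 0.5 threshold are all assumptions made for illustration, since the claims only state that a probability of a false positive is derived from the object's metadata. The sample objects in demo() are constructed.

```python
"""Collision detection between a white list and a black list, with
correction of whichever list turns out to be wrong.

Added example; not code from the patent or any vendor product. Record
fields, the trusted-signer set, the scoring weights and the 0.5 threshold
are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed set of publishers whose valid code signature is treated as strong
# evidence that a detection is a false positive.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Example Software Ltd"}


@dataclass(frozen=True)
class Record:
    sha256: str             # list key: hash of the object
    name: str
    signer: Optional[str]   # subject of a valid code-signing certificate, or None
    prevalence: int         # machines reporting the object (constructed telemetry)
    source: str             # "analyst" (manual verdict) or "heuristic" (automatic)


@dataclass
class Lists:
    white: Dict[str, Record] = field(default_factory=dict)
    black: Dict[str, Record] = field(default_factory=dict)


def false_positive_probability(rec: Record) -> float:
    """Estimate P(a detection of rec is a false positive) from its metadata.

    A valid signature from a trusted publisher, high prevalence and an
    automatic (heuristic) origin all raise the estimate. Weights are assumed.
    """
    p = 0.05
    if rec.signer in TRUSTED_SIGNERS:
        p += 0.5
    elif rec.signer is not None:
        p += 0.15
    if rec.prevalence >= 10_000:
        p += 0.3
    elif rec.prevalence >= 100:
        p += 0.1
    if rec.source == "heuristic":
        p += 0.1
    return min(p, 1.0)


def add_record(lists: Lists, rec: Record, target: str, threshold: float = 0.5) -> str:
    """Add rec to the target list ("white" or "black").

    If the same hash already sits on the opposite list, that is a collision:
    the detection (black-list side) is scored and either the black list
    (false positive) or the white list (false negative) is corrected.
    """
    if target not in ("white", "black"):
        raise ValueError("target must be 'white' or 'black'")
    own, other = (lists.white, lists.black) if target == "white" else (lists.black, lists.white)
    clash = other.get(rec.sha256)
    if clash is None:
        own[rec.sha256] = rec
        return "added"

    detection = rec if target == "black" else clash
    if false_positive_probability(detection) >= threshold:
        # Object deemed clean: drop or withhold the detection, keep the white entry.
        lists.black.pop(rec.sha256, None)
        if target == "white":
            lists.white[rec.sha256] = rec
        return "false_positive"
    # Object deemed malicious: the white-list entry was a false negative.
    lists.white.pop(rec.sha256, None)
    if target == "black":
        lists.black[rec.sha256] = rec
    return "false_negative"


def demo() -> Tuple[Lists, List[str]]:
    """Run three constructed cases; return the final lists and the verdicts."""
    lists = Lists()
    verdicts: List[str] = []

    # Case 1: a widely deployed, signed updater is white-listed and a heuristic
    # rule later flags it. Collision -> false positive, black list corrected.
    lists.white["a" * 64] = Record("a" * 64, "updater.exe", "Example Software Ltd", 250_000, "analyst")
    verdicts.append(add_record(lists, Record("a" * 64, "updater.exe", "Example Software Ltd", 250_000, "heuristic"), "black"))

    # Case 2: an unsigned, rare installer was auto-whitelisted and an analyst
    # then confirms it is a dropper. Collision -> false negative, white list corrected.
    lists.white["b" * 64] = Record("b" * 64, "setup.exe", None, 3, "heuristic")
    verdicts.append(add_record(lists, Record("b" * 64, "setup.exe", None, 3, "analyst"), "black"))

    # Case 3: no collision, plain insert into the black list.
    verdicts.append(add_record(lists, Record("c" * 64, "loader.dll", None, 1, "analyst"), "black"))
    return lists, verdicts


if __name__ == "__main__":
    final, out = demo()
    print(out, sorted(final.white), sorted(final.black))
```

Keying both lists on the object hash is what makes a collision cheap to detect at insert time; in practice the defense module should only consume a black-list record after add_record has returned "added" or "false_negative", so that a detection which the scoring rejects never reaches endpoints.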
Specification