Detection and minimization of false positives in anti-malware processing

US 7,640,589 B1
Filed: 06/19/2009
Issued: 12/29/2009
Est. Priority Date: 06/19/2009
Status: Active Grant

First Claim

Patent Images

1. A method for protecting against malware and correcting a white list, the method being performed on a computer having a processor and a memory, the method comprising:

(a) creating a white list of clean objects and a black list of malicious objects;

(b) collecting metadata related to a suspicious object;

(c) adding a new malware-related record to a black list or adding a new white list record based on the metadata;

(d) comparing the metadata and the malware-related record against the white list or the metadata and a new white list record against the black list;

(e) detecting a collision due to an object being assigned to the wrong list;

(f) analyzing the collision and, if the collision is a false positive event, correcting the black list and correcting the white list if the collision is a false negative event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for detection of false positives occurring during execution of anti-malware applications. The detection and correction of the false positives is implemented in two phases, before creation of new anti-virus databases (i.e., malware black lists) or before creation of new white lists, and after the anti-virus databases or new white lists are created and new false positives are detected. The system calculates a probability of detection of a certain potential malware object. Based on this probability, the system decides to either correct a white list (i.e., a collection of known clean objects) or update a black list (i.e., a collection of known malware objects). A process is separated into a several steps: creation and update (or correction) of white lists; creation and update of black lists; detection of collisions between these lists and correction of black lists or white lists based on the detected collisions.

122 Citations

View as Search Results

11 Claims

1. A method for protecting against malware and correcting a white list, the method being performed on a computer having a processor and a memory, the method comprising:
- (a) creating a white list of clean objects and a black list of malicious objects;
  
  (b) collecting metadata related to a suspicious object;
  
  (c) adding a new malware-related record to a black list or adding a new white list record based on the metadata;
  
  (d) comparing the metadata and the malware-related record against the white list or the metadata and a new white list record against the black list;
  
  (e) detecting a collision due to an object being assigned to the wrong list;
  
  (f) analyzing the collision and, if the collision is a false positive event, correcting the black list and correcting the white list if the collision is a false negative event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the white list is created based on object'"'"'s parameters including any of:
    - a hash value;
      
      a context;
      
      a signature;
      
      a license;
      
      user statistics; and
      
      behavior.
  - 3. The method of claim 2, wherein the object context comprises:
    - a software name;
      
      a vendor information;
      
      a product version;
      
      an operating system used; and
      
      environment variables.
  - 4. The method of claim 1, wherein the object is any of:
    - a file;
      
      a URL;
      
      as instant messenger account;
      
      a host name;
      
      an IP addresses;
      
      a domain name; and
      
      an email message.
  - 5. The method of claim 1, further comprising creating a weight coefficient tree upon the collision detection.
  - 6. The method of claim 5, wherein the weight coefficient tree comprises a plurality of probabilities of the false positive calculated as a different criteria.
  - 7. The method of claim 1, wherein correction of the white list comprises removing an object from the white list based on a black list verdict.
  - 8. The method of claim 1, wherein correction of the black list comprises removing an object from the black list based on a white list verdict.

9. A method for minimizing generation of false positive records during anti-malware processing, the method being performed on a computer having a processor and a memory, the method comprising:
- creating a white list of clean objects and a black list of known malware objects;
  
  based on a suspect object'"'"'s metadata, generating a record pertaining to detection of the suspect object;
  
  retrieving a record corresponding to the suspect object from the black list or from the white list;
  
  providing the records to a false positive correction module;
  
  calculating a probability of a false positive detection by the false positive correction module; and
  
  generating a false positive verdict, wherein;
  
  corrections are made in the white list, if the suspect object deemed to be malicious based on the metadata; and
  
  corrections are made in the black list, if the suspect object deemed to be non-malicious based on the metadata.

10. A system for minimizing generation of false positive records during anti-malware processing on a computer having a processor and a memory, the system comprising the following software modules loaded into the memory:
- a detection system;
  
  a false positive detection module interfacing to the detection system;
  
  a false positive correction module;
  
  a defense module;
  
  a white list database accessible by the false positive detection module and by the false positive correction module;
  
  an antivirus (AV) record database coupled to the defense module and accessible by the false positive detection module and by the false positive correction module,wherein;
  
  the detection system generates a record pertaining to the detection of a suspect object based on the suspect object'"'"'s metadata and the record is provided to the false positive detection module; and
  
  a probability of a false positive detection is calculated by the false positive correction module using the white list or black list data provided by the false positive detection module;
  
  a false positive verdict is generated by the false positive correction module based on the probability, wherein;
  
  corrections are made to the white list database, if the suspect object deemed to be malicious based on the suspect object'"'"'s metadata; and
  
  corrections are made to the AV records database, if the suspect object deemed to be non-malicious based on the suspect object'"'"'s metadata; and
  
  wherein the defense module continues to use the corrected AV records database for protection against the malware.
- View Dependent Claims (11)
- - 11. The system of claim 10, wherein the probability is calculated using a weight coefficient tree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Mashevsky, Yuri V., Efremov, Andrey A., Chekunov, Igor G., Zelensky, Pavel A., Denishchenko, Nikolay V., Namestnikov, Yuri V.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/487,713
Time in Patent Office

193 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Detection and minimization of false positives in anti-malware processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

122 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and minimization of false positives in anti-malware processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links