Kaspersky Lab has used machine learning to strengthen its security portfolio with the introduction of an algorithm to detect groups of malicious files.
The vendor patented a technology that allows for effective false-positive testing of heuristic signatures describing groups of similar malicious files. This patent is the latest addition to the company’s arsenal and is said to allow for reliable automation of a large proportion of routine virus analysis tasks.
The detection rules, automatically created by processing limited amounts of newly discovered malicious files, describe groups of malicious objects as combinations of various characteristics. These characteristics include sequences of system calls and events that are common for malicious objects and uncommon for whitelisted files.
Kaspersky Lab's director of anti-malware research, Timur Biyachuev, said that because the number of malicious files the company encounters every day exceeds hundreds of thousands and keeps growing, Kaspersky Lab has been automating a number of virus analysis tasks.
“The patented technology complements the set of machine learning tools our experts are using so that they have more time to concentrate on the most advanced and sophisticated threats,” he said.
The company said the technology, entitled “System and method for evaluating malware detection rules”, allows it to reliably test the automatically created detection rules to determine whether they correctly describe the groups of malicious files in such a way that legitimate ones are not affected. Kaspersky said that through this process, the possibility of generating false positives is greatly reduced.
The system works by testing detection rules in the company's infrastructure and comparing all files found to fall under the description with the set of known benign, or whitelisted, files and a larger set of known malicious objects. If no overlap with the whitelisted set is found, the detection rule is considered to be accurate and is rolled out to users.
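As an added illustration of the build-then-test loop described above (example code written for this page, not Kaspersky's patented implementation), the following toy pipeline represents files as system-call traces and a rule as a set of call sequences that must all occur; every file name and trace below is constructed.

```python
# Added example, not Kaspersky's code: a toy version of the workflow the
# article describes. A "file" is a constructed list of system-call names and
# a detection rule is a set of call sequences (3-grams) that must all occur.

def ngrams(calls, n=3):
    """Every contiguous length-n call sequence in a trace."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}

def build_rule(seed_malware, benign_sample, n=3):
    """Rule = sequences shared by all seed samples and absent from the benign
    sample (the article's "common for malicious, uncommon for whitelisted")."""
    common = set.intersection(*(ngrams(t, n) for t in seed_malware))
    benign = set().union(*(ngrams(t, n) for t in benign_sample))
    return common - benign

def matches(rule, calls, n=3):
    """A file falls under the rule when every required sequence appears in it."""
    return bool(rule) and rule <= ngrams(calls, n)

def evaluate_rule(rule, whitelist, malware, n=3):
    """False-positive test: any whitelist hit rejects the rule; malware hits give coverage."""
    false_positives = sorted(name for name, t in whitelist.items() if matches(rule, t, n))
    detected = sorted(name for name, t in malware.items() if matches(rule, t, n))
    return {"approved": bool(rule) and not false_positives,
            "false_positives": false_positives,
            "coverage": len(detected) / len(malware)}

# Constructed traces, not real telemetry; the injection-like sequence is the shared trait.
INJECT = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
SEED_MALWARE = {"sample_a": ["open", "read", *INJECT, "close"],
                "sample_b": [*INJECT, "sleep"]}
MALWARE_CORPUS = {**SEED_MALWARE,
                  "sample_c": ["socket", "connect", *INJECT],
                  "sample_d": ["open", "write", "close"]}
WHITELIST = {"editor.exe": ["open", "read", "write", "close"],
             "debugger.exe": ["OpenProcess", *INJECT, "close"]}  # legitimate tool, same calls

def run_pipeline():
    """Build a rule from a limited seed set, then test it against the full whitelist."""
    rule = build_rule(SEED_MALWARE.values(), [WHITELIST["editor.exe"]])
    return rule, evaluate_rule(rule, WHITELIST, MALWARE_CORPUS)

if __name__ == "__main__":
    rule, verdict = run_pipeline()
    print("rule:", rule)
    print("verdict:", verdict)
```

The rule built from the small seed set is rejected because a whitelisted debugger exhibits the same call sequence; widening the benign sample at build time removes that sequence and leaves nothing to ship, which is the trade-off the testing step is meant to surface.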