Kaspersky Lab, one of the leading developers of secure content and threat management solutions, announces that it has obtained two new patents in Russia. The first patent (No. 2420791) covers the technology for assigning a previously unknown file to a particular reference set of files based on its degree of similarity to them. The second patent (No. 2420793) describes a system for detecting potentially malicious programs by checking the integrity of files using their timestamps.
The technology identifies similarities among malicious files and automatically assigns a new, unknown file to a specific family of files, which significantly simplifies the detection of previously unknown malware. The patent covers a method of comparing files on the basis of their unique lines of program code. What is new is that the technology reports the degree of similarity between a new file and the reference set of files, not just whether the file matches. The patent also covers a special algorithm that substantially speeds up searches for similar files. Besides its obvious application in the anti-virus industry, the technology can also be applied to searching web pages and documents.
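The following is an added example (written for this page, not Kaspersky Lab's patented code, whose algorithm the release does not describe) of how a degree-of-similarity assignment over code lines can work. It assumes three things the page does not state: that "unique lines" means lines not shared across families (prologue/epilogue boilerplate is dropped before comparison), that exact Jaccard similarity is the reported degree, and that MinHash signatures stand in for the unspecified search speed-up as a cheap prefilter. The disassembly-style listings are constructed sample data.

```python
"""Assign an unknown file to a reference family by code-line similarity:
exact Jaccard for the reported degree, MinHash signatures as a cheap prefilter.
Added example; the patented algorithm itself is not described on the page."""
import hashlib
import random

def line_set(text):
    """Distinct, whitespace-normalised, non-empty lines of a code listing."""
    return {" ".join(ln.split()) for ln in text.splitlines() if ln.strip()}

def jaccard(a, b):
    """Exact Jaccard similarity |a & b| / |a | b|, 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

_P = (1 << 61) - 1  # prime modulus for the hash family h(x) = (a*x + b) mod P

def _h(line):
    # 56-bit digest prefix: every value is below _P, so distinct lines hash apart
    return int.from_bytes(hashlib.sha256(line.encode()).digest()[:7], "big")

class MinHash:
    """k hashes; the fraction of equal minima estimates Jaccard similarity."""
    def __init__(self, k=128, seed=7):
        rng = random.Random(seed)
        self.params = [(rng.randrange(1, _P), rng.randrange(_P)) for _ in range(k)]

    def signature(self, lines):
        if not lines:
            return tuple(_P for _ in self.params)
        hs = [_h(ln) for ln in lines]
        return tuple(min((a * h + b) % _P for h in hs) for a, b in self.params)

    @staticmethod
    def estimate(s1, s2):
        return sum(x == y for x, y in zip(s1, s2)) / len(s1)

class FamilyIndex:
    """Reference files grouped by family, reduced to lines unique to one family."""
    def __init__(self, families, minhash):
        # Assumption: lines occurring in more than one family (prologue/epilogue
        # boilerplate) carry no family signal, so they are dropped from every set.
        seen_in = {}
        for name, refs in families.items():
            for ln in set().union(*refs):
                seen_in.setdefault(ln, set()).add(name)
        self.common = {ln for ln, names in seen_in.items() if len(names) > 1}
        self.minhash = minhash
        self.entries = []  # (family, unique lines, MinHash signature)
        for name, refs in families.items():
            for ref in refs:
                uniq = ref - self.common
                self.entries.append((name, uniq, minhash.signature(uniq)))

    def classify(self, lines, threshold=0.5, prefilter=0.2):
        """Return (family or None, degree of similarity to the closest reference)."""
        lines = lines - self.common
        sig = self.minhash.signature(lines)
        best_name, best_sim = None, 0.0
        for name, uniq, ref_sig in self.entries:
            if MinHash.estimate(sig, ref_sig) < prefilter:
                continue  # cheap rejection: the exact set comparison is skipped
            sim = jaccard(lines, uniq)
            if sim > best_sim:
                best_name, best_sim = name, sim
        return (best_name if best_sim >= threshold else None), best_sim

# Constructed listings standing in for disassembly of real samples.
DROPPER_A1 = """push ebp
mov ebp, esp
call GetTempPathA
call CreateFileA
call WriteFile
call WinExec
xor eax, eax
pop ebp
ret"""
DROPPER_A2 = DROPPER_A1.replace("GetTempPathA", "GetTempPathW").replace(
    "CreateFileA", "CreateFileW").replace("WinExec", "ShellExecuteA")
KEYLOGGER_B1 = """push ebp
mov ebp, esp
call SetWindowsHookExA
call GetAsyncKeyState
call send
xor eax, eax
pop ebp
ret"""
UNKNOWN = DROPPER_A1.replace("call WinExec", "call WinExec\ncall ExitProcess")
UNRELATED = "call socket\ncall connect\ncall recv\ncall closesocket"

def build_demo_index():
    families = {"Dropper.A": [line_set(DROPPER_A1), line_set(DROPPER_A2)],
                "Keylogger.B": [line_set(KEYLOGGER_B1)]}
    return FamilyIndex(families, MinHash())

if __name__ == "__main__":
    idx = build_demo_index()
    print(idx.classify(line_set(UNKNOWN)))    # ('Dropper.A', 0.8)
    print(idx.classify(line_set(UNRELATED)))  # (None, 0.0)
```

After boilerplate removal the unknown file shares four of its five remaining lines with the first Dropper.A reference, hence the reported degree of 0.8; the unrelated listing passes no prefilter and is left unassigned. The threshold is a tuning knob: set it too low and shared library code pulls unrelated files into a family, too high and minor variants go unassigned.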
The second patent granted to Kaspersky Lab describes technology for counteracting unsanctioned changes to files. Many malicious programs embed themselves in executable files, so that launching a legitimate program causes the malicious code to run. Checking the integrity of executable files is one of the most important tasks in computer security, but the existing methods, such as hash checking, digital signatures and conventional tracking of file modification times, have inherent limitations. The first two put a heavy load on the system when applied to every file, and the third is generally unreliable, because a lot of malware restores a file's timestamps after modifying it and so hides the fact that the file has changed.
The patented technology is based on a special interceptor that records programs' requests to change file timestamps. This data is passed to a special module (usually part of an anti-virus system), which compares the number of timestamp-change requests recorded for a file with the number of changes actually observed in the file's timestamps. A recorded timestamp-change request that is not matched by a corresponding change in the timestamp itself, as happens when a file is modified and its original timestamp is then written back, signals that the file may be infected. Having received such data, the anti-virus program can then initiate a detailed check of the suspicious file for malicious code.
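The following is an added example (not Kaspersky Lab's implementation) that plays out the request-versus-observed-change comparison described above on real files in a temporary directory. The interceptor is an assumption: a wrapper around os.utime that counts timestamp-change requests stands in for the kernel-level hook the patent would use. The three scenarios are constructed: an ordinary rewrite, a legitimate explicit timestamp change, and a modification followed by restoration of the original timestamp.

```python
"""Timestamp-integrity check: intercepted timestamp-change requests versus the
timestamp changes actually observed on disk (added example, not Kaspersky code)."""
import os
import tempfile
from collections import defaultdict

# Hypothetical interceptor (assumption): the patent hooks the OS timestamp-setting
# API; here a wrapper around os.utime counts requests per file.
_requests = defaultdict(int)

def intercepted_utime(path, *, ns):
    """Record a timestamp-change request for `path`, then perform it."""
    _requests[os.path.realpath(path)] += 1
    os.utime(path, ns=ns)

def snapshot(paths):
    """Modification time in nanoseconds for each file, keyed by real path."""
    return {os.path.realpath(p): os.stat(p).st_mtime_ns for p in paths}

def find_suspicious(before, after, requests):
    """Flag files whose timestamp-change requests outnumber observed changes.

    A legitimate explicit timestamp update leaves a visible change (one request,
    one change).  A write followed by a request that puts the old value back
    leaves one request and no net change, which is the restoration pattern.
    """
    flagged = []
    for path, old in before.items():
        observed = 0 if after[path] == old else 1
        if requests.get(path, 0) > observed:
            flagged.append(path)
    return flagged

def demo():
    """Three constructed scenarios in a temp dir; returns name -> flagged."""
    old_ns = 1_000_000_000 * 10**9  # constructed 'old' mtime (2001-09-09 UTC)
    with tempfile.TemporaryDirectory() as d:
        names = ("clean.exe", "touched.exe", "tampered.exe")
        files = {n: os.path.join(d, n) for n in names}
        for p in files.values():
            with open(p, "wb") as f:
                f.write(b"MZ original body")
            os.utime(p, ns=(old_ns, old_ns))  # setup, before monitoring begins
        _requests.clear()
        before = snapshot(files.values())

        # clean.exe: ordinary rewrite, no timestamp request, mtime advances
        with open(files["clean.exe"], "ab") as f:
            f.write(b" vendor update")
        # touched.exe: explicit timestamp set to a new value (request and change match)
        intercepted_utime(files["touched.exe"], ns=(old_ns + 10**9, old_ns + 10**9))
        # tampered.exe: code appended, then the original timestamp written back
        with open(files["tampered.exe"], "ab") as f:
            f.write(b" injected code")
        intercepted_utime(files["tampered.exe"], ns=(old_ns, old_ns))

        after = snapshot(files.values())
        flagged = set(find_suspicious(before, after, _requests))
        return {n: os.path.realpath(p) in flagged for n, p in files.items()}

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'SUSPICIOUS' if hit else 'ok'}")
```

Only tampered.exe is flagged: its timestamp-change request left the timestamp exactly where it started. Two caveats for anyone building on this: the hook must sit below the program being watched (a filter driver or system-call boundary), since a user-mode wrapper is trivially bypassed; and archive extractors, backup restores, cp -p and installers all legitimately write old timestamps, which is why the release describes the signal as a trigger for a detailed scan rather than a verdict.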
At present, Kaspersky Lab technologies are protected by 40 Russian and 29 US patents. The patent offices of the USA, Russia, China and Europe are currently examining more than 100 Kaspersky Lab patent applications for innovative technologies in the information security field.