Virtualization Technology News and Information
Kaspersky Receives Patent for Sandbox that Automates Malware Detection
Today, Kaspersky is pleased to announce it has received a patent (US10339301) from the United States Patent and Trademark Office for a technology designed to simplify the detection of malicious functionality in a virtual machine. The patent, entitled "System and Method of Analysis of Files for Maliciousness in a Virtual Machine," describes a technology that automatically creates the conditions each malicious file needs and triggers its execution.

By creating the exact conditions that trigger malware execution, the patented technology allows researchers to analyze a suspicious file in a single attempt. When implemented, the technology is expected to increase the detection rate of sandboxing, a method in which a suspicious file is run in an isolated virtual machine so its behavior can be observed, and to automate work that analysts would otherwise perform manually.

While sandboxing simplifies malware analysis, it still requires some manual work to create the environment in which the malware will reveal itself. Cybercriminals often implement sandbox evasion techniques to bypass antivirus detection. To avoid exposure, a malicious file may first check whether it is running in a virtual machine, or stay inactive for a period of time until the sandbox is no longer observing it. In such cases, the patented technology speeds up the flow of time inside the virtual machine so the malicious code is forced to execute sooner.

Additionally, malware may not show its malicious behavior if it targets a specific application that is missing from the sandbox. Resolving this has traditionally required researchers to review the logs, work out what is missing, add it to the virtual machine environment and run the analysis again. With the patented system, an attempt by the malware to access an application is intercepted: rather than waiting until file execution is finished, the system pauses the process, creates the required application together with its content, and then lets execution continue.

Detection rules that describe how to react to a specific event are not preinstalled or hard-coded inside the engine; they can be added and updated easily. New findings therefore do not require changing the engine itself, but simply extend the set of malicious behavior scenarios it recognizes.
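To make the sleep-acceleration, on-demand provisioning and pluggable-rule ideas above concrete, here is an added toy model written for this article; it is not Kaspersky's code, and the class, rule and sample names (Sandbox, run_sample, constructed_sample, "target_app.exe") are all constructed for illustration.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Sandbox:
    """Constructed model of the sandbox behaviour described in the article."""
    clock: float = 0.0                              # virtual seconds, not wall time
    wall_seconds: float = 0.0                       # real time the run actually took
    resources: dict = field(default_factory=dict)   # items provisioned on demand
    events: list = field(default_factory=list)      # (kind, info) behaviour log
    rules: dict = field(default_factory=dict)       # event kind -> predicate

    def add_rule(self, kind, predicate):
        # Rules are plugged in from outside; the engine itself is unchanged.
        self.rules[kind] = predicate

    def _emit(self, kind, **info):
        self.events.append((kind, info))
        rule = self.rules.get(kind)
        if rule and rule(info):
            self.events.append(("verdict", {"reason": kind, **info}))

    def sleep(self, seconds):
        # Intercepted sleep: fast-forward the virtual clock instead of waiting,
        # so a delay-based sample reaches its next stage immediately.
        self.clock += seconds
        self._emit("sleep", seconds=seconds)

    def open_resource(self, name):
        # Intercepted access: instead of failing (and letting the sample go
        # dormant), provision a stand-in for the missing item and continue.
        if name not in self.resources:
            self.resources[name] = f"stub:{name}"
            self._emit("provisioned", name=name)
        return self.resources[name]


def run_sample(sample, sandbox):
    """Run a sample callable against the sandbox; return the verdict reasons raised."""
    start = time.monotonic()
    sample(sandbox)
    sandbox.wall_seconds = time.monotonic() - start
    return [info["reason"] for kind, info in sandbox.events if kind == "verdict"]


def constructed_sample(sb):
    # Constructed stand-in for a delayed-execution sample: it waits ten minutes,
    # then looks for an application before doing anything further.
    sb.sleep(600)
    sb.open_resource("target_app.exe")   # placeholder name, not a real dependency


if __name__ == "__main__":
    sb = Sandbox()
    sb.add_rule("sleep", lambda info: info["seconds"] >= 300)   # flag long delays
    print(run_sample(constructed_sample, sb), sb.clock, sb.resources)
```

The whole run completes in milliseconds of wall time even though the sample "slept" for 600 virtual seconds, and the missing application was stubbed in without restarting the analysis.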

"As cybercriminals constantly come up with new evasion techniques, we have to make our technologies more sophisticated to detect malicious behavior," said Vladislav Pintiysky, emulation technologies group manager at Kaspersky, and one of the technology inventors. "For example, sleep timers are becoming more widespread now. According to Kaspersky's malware analysts, almost half of samples overlooked by automatic tools use delays in execution. This patented technology intelligently manages the file flow in the sandbox, allowing it to receive everything it needs."

"As a result, the verdict can be carried out after the first request," adds Denis Kobychev, testing group manager at Kaspersky, and co-inventor of the technology. "Given the high-performance requirement of sandboxes, it will save company resources while increasing the accuracy of malware detection."

This technology will be used internally to analyze malware and be implemented in solutions with sandboxes.

Kaspersky has made an ongoing commitment to develop and patent new protection technologies. By early August 2019, the company had earned 814 patents in Russia, the U.S., China and Europe, with 407 additional patent applications filed.

Published Wednesday, August 14, 2019 8:26 AM by David Marshall