-
Publication No.: US20240422190A1
Publication date: 2024-12-19
Application No.: US18619396
Filing date: 2024-03-28
Applicant: AO Kaspersky Lab
Inventor: Denis I. Parinov , Victoria V. Vlasova , Alexey M. Romanenko , Alexey E. Antonov
IPC: H04L9/40
Abstract: Disclosed herein are systems and methods for classifying objects to prevent the spread of malicious activity. In one aspect, an exemplary method comprises: searching for objects in a network that have generic information with other objects and collecting information about the objects, generating a graph of associations containing classified and unclassified objects in a form of vertices, whereby an association between objects indicates a presence of generic information between the objects, wherein the classified objects comprise malicious objects, extracting from the generated graph of associations at least one subgraph comprising homogeneous objects and containing at least one unclassified object based on at least one of the following: an analysis of the group association between objects; and an analysis of sequential association between objects, classifying each unclassified object in each subgraph based on the analysis using classification rules, and restricting access to an object that is classified as malicious.
-
Publication No.: US10904283B2
Publication date: 2021-01-26
Application No.: US16012014
Filing date: 2018-06-19
Applicant: AO Kaspersky Lab
Inventor: Vladislav V. Martynenko , Alexey M. Romanenko
Abstract: Systems and methods for countering a cyber attack on computing devices used by users gather data about services with which users are interacting, as well as data about devices used by users for such interactions. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from at least one service. Actions are selected for countering the cyber-attack and are sent to the devices of all users of the corresponding cluster in the event that a match is found in the characteristics of the attack vector for at least one device of another user whose devices belong to the corresponding cluster.
-
Publication No.: US20200210577A1
Publication date: 2020-07-02
Application No.: US16414907
Filing date: 2019-05-17
Applicant: AO Kaspersky Lab
Inventor: Alexander S. Chistyakov , Alexey M. Romanenko , Alexander S. Shevelev
Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: forming a feature vector based on behavioral data of execution of a file, calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be malicious, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law, deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.
-
Publication No.: US10558801B2
Publication date: 2020-02-11
Application No.: US16015654
Filing date: 2018-06-22
Applicant: AO Kaspersky Lab
Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
-
Publication No.: US10372907B2
Publication date: 2019-08-06
Application No.: US15215116
Filing date: 2016-07-20
Applicant: AO Kaspersky Lab
Inventor: Alexey E. Antonov , Alexey M. Romanenko
Abstract: Disclosed are systems and methods for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on the determined time dependency; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.
-
Publication No.: US10095865B2
Publication date: 2018-10-09
Application No.: US15784710
Filing date: 2017-10-16
Applicant: AO Kaspersky Lab
Inventor: Maxim Y. Golovkin , Alexey M. Romanenko , Alexey V. Monastyrsky
Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.
-
Publication No.: US11880455B2
Publication date: 2024-01-23
Application No.: US17499413
Filing date: 2021-10-12
Applicant: AO Kaspersky Lab
Inventor: Alexander S. Chistyakov , Alexey M. Romanenko , Alexander S. Shevelev
CPC classification number: G06F21/554 , G06F21/52 , G06F21/566 , G06N20/00 , G06F2221/033 , G06F2221/034 , G06N3/08
Abstract: Disclosed herein are methods and systems for selecting a detection model for detection of a malicious file. An exemplary method includes: monitoring a file during execution of the file within a computer system by intercepting commands of the file being executed and determining one or more parameters of the intercepted commands. A behavior log of the file being executed containing behavioral data is formed based on the intercepted commands and based on the one or more parameters of the intercepted commands. The behavior log is analyzed to form a feature vector. The feature vector characterizes the behavioral data. One or more detection models are selected from a database of detection models based on the feature vector. Each of the one or more detection models includes a decision-making rule for determining a degree of maliciousness of the file being executed.
-
Publication No.: US20220171880A1
Publication date: 2022-06-02
Application No.: US17672316
Filing date: 2022-02-15
Applicant: AO Kaspersky Lab
Inventor: Sergey V. Prokudin , Alexander S. Chistyakov , Alexey M. Romanenko
Abstract: A method for detecting a false positive outcome in classification of files includes: analyzing a file to determine whether or not the file is to be recognized as being malicious; in response to recognizing the file as being malicious, analyzing the file to determine whether a digital signature certificate is present for the file; in response to determining that the digital signature certificate is present for the file, comparing the digital certificate of the file with one or more digital certificates stored in a database of trusted files; detecting a false positive outcome if the digital certificate of the file is found in the database of trusted files; and, when the false positive outcome is detected, excluding the file from further determination of whether the file is malicious and calculating a flexible hash value of the file.
-
Publication No.: US11288401B2
Publication date: 2022-03-29
Application No.: US16567391
Filing date: 2019-09-11
Applicant: AO Kaspersky Lab
Inventor: Sergey V. Prokudin , Alexander S. Chistyakov , Alexey M. Romanenko
Abstract: Disclosed herein are systems and methods for reducing a number of false positives in classification of files. In one aspect, an exemplary method comprises: analyzing a file to determine whether or not the file is to be recognized as being malicious; when the file is recognized as being malicious, analyzing the file to detect a false positive outcome; and, when the false positive outcome is detected, excluding the file from being scanned, calculating a flexible hash of the file, and storing the calculated flexible hash in a database of exceptions.
-
Publication No.: US11176250B2
Publication date: 2021-11-16
Application No.: US16414907
Filing date: 2019-05-17
Applicant: AO Kaspersky Lab
Inventor: Alexander S. Chistyakov , Alexey M. Romanenko , Alexander S. Shevelev
IPC: G08B23/00 , G06F12/16 , G06F12/14 , G06F11/00 , G06F21/55 , G06N20/00 , G06F21/56 , G06F21/52 , G06N3/08
Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: forming a feature vector based on behavioral data of execution of a file, calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be malicious, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law, deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.