• Behaviour-based detection is part of Kaspersky Lab’s multi-layered, next-generation approach to protection. It’s one of the most efficient ways to protect against advanced threats like fileless malware, ransomware and zero-day malware.

    The following protection capabilities make up Kaspersky Lab's new Threat Behaviour Engine:
    • Behaviour Detection
    • Exploit Prevention (EP)
    • Remediation Engine
    • Anti-locker

    In real life, threat actors obfuscate malicious code to bypass static detection technologies and emulation by security products. For example, newly created ransomware code is often packed with a custom-made packer that has an anti-emulation feature. Before execution, any attempt to scan a well-made sample with On Demand Scan or On Access Scan will fail to detect it, so the threat actor's task is accomplished.

    But when it comes to the execution stage, the Threat Behaviour Engine analyzes the actual process activity in real time and reveals its malicious nature. All that is needed then is to raise the alarm, terminate the process and roll back the changes.

    In the packed ransomware example above, the sample could try to:

    • Find important files on the target system
    • Encrypt important files
    • Delete original files
    • Delete shadow copies

    Such information is enough for detection and does not depend on the packer or anti-emulation techniques used. With the Threat Behaviour Engine running, armed with both behaviour heuristics and ML-based models, the product becomes insensitive to static evasion techniques and even to modifications of the sample's behaviour.

    When making behaviour-based judgments, it is important to detect malicious activity as soon as possible, which in combination with a proper Remediation Engine makes it possible to prevent any loss of the end user’s data. The Remediation Engine protects different objects, like files, registry keys, tasks, etc.

    Returning to the sample above, let’s assume that before the actual malicious activity, the ransomware added itself to autorun (for example, through the registry). After detection, the Remediation Engine should analyze the behavioural stream and not just restore the user’s data but also delete the created registry key.
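
The ransomware scenario above, as an added example that is not Kaspersky Lab's code: a toy behaviour heuristic scores each process's event stream and, on detection, derives a rollback plan that also removes the autorun key. The event schema, weights and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed event stream (hypothetical schema): (pid, action, target)
EVENTS = [
    (4242, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (4242, "file_enum", r"C:\Users\alice\Documents"),
    (4242, "file_write", r"C:\Users\alice\Documents\report.docx.locked"),
    (4242, "file_delete", r"C:\Users\alice\Documents\report.docx"),
    (4242, "file_write", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    (4242, "file_delete", r"C:\Users\alice\Documents\budget.xlsx"),
    (4242, "shadow_delete", "all"),
    # An ordinary editor saving a file and cleaning up its temp copy.
    (1010, "file_write", r"C:\Users\alice\Documents\notes.txt"),
    (1010, "file_delete", r"C:\Users\alice\AppData\Local\Temp\~notes.tmp"),
]

# Stages from the ransomware example; weights and threshold are assumptions.
WEIGHTS = {"file_enum": 1, "file_write": 1, "file_delete": 2, "shadow_delete": 4}
THRESHOLD = 7

def rollback_plan(stream):
    """Walk the stream newest-first and emit the inverse of each recorded change.

    Simplification: every file_write here creates a new file, so its inverse
    is removal; an overwrite would need a restore from a saved copy instead.
    """
    inverse = {"reg_set": "delete_key", "file_write": "remove_file",
               "file_delete": "restore_file"}
    return [(inverse[a], t) for a, t in reversed(stream) if a in inverse]

def analyse(events):
    """Return {pid: rollback plan} for processes whose behaviour crosses THRESHOLD."""
    history = defaultdict(list)  # per-process behavioural stream
    seen = defaultdict(set)      # distinct stages observed per process
    verdicts = {}
    for pid, action, target in events:
        history[pid].append((action, target))
        if action in WEIGHTS:
            seen[pid].add(action)
        score = sum(WEIGHTS[a] for a in seen[pid])
        if score >= THRESHOLD and pid not in verdicts:
            verdicts[pid] = rollback_plan(history[pid])
    return verdicts

if __name__ == "__main__":
    for pid, plan in analyse(EVENTS).items():
        print(pid, *plan, sep="\n  ")
```

The verdict depends only on what the process did, so the same events would be flagged regardless of how the sample was packed.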

    Among other advantages, in some cases behaviour-based detection technology becomes the only means to detect and protect against a threat such as fileless malware. For example, while surfing the internet, a user is targeted by a drive-by attack. After exploitation, malicious code is executed in the context of the web browser. The main goal of the malicious code is to use registry or WMI subscriptions for persistence, which leaves no single object for a static scan. Nevertheless, the Behaviour Detection component analyses the web browser’s thread behaviour, flags the detection and blocks the malicious activity.

    The Behavioural Engine component benefits from ML-based models on the endpoint to detect previously unknown malicious patterns in addition to behaviour heuristic records. System events, collected from different sources, are delivered to the ML model. After processing, the ML model produces a verdict on whether the analysed pattern is malicious. Even in the case of a non-malicious verdict, the result from the ML model is then used by behaviour heuristics, which in turn could also flag the detection.

    The Behaviour Detection component implements a Memory Protection mechanism. It guards system-critical processes like lsass.exe and makes it possible to prevent user credential leakage by mimikatz-like malware.

Independent Benchmark Results

  • AV-Comparatives Whole Product Dynamic Real-World Protection Test Feb-Jun 2017

  • SELabs Enterprise Endpoint Protection July-September 2017

  • MRG Effitas 360 certification program
