Behavior-based Protection

The Threat Behavior Engine, with ML-based models, can detect previously unknown malicious patterns at the earliest stages of execution, while memory protection and the Remediation Engine prevent user data compromise and loss.

Behavior-based detection is part of Kaspersky Lab’s multi-layered, next generation approach to protection. It’s one of the most efficient ways to protect against advanced threats like fileless malware, ransomware and zero-day malware.

The following protection capabilities make up Kaspersky Lab's new Threat Behavior Engine:
  • Behavior Detection
  • Exploit Prevention (EP)
  • Remediation Engine
  • Anti-locker

In real life, threat actors obfuscate malicious code to bypass static detection technologies and emulation by security products. For example, freshly created ransomware code is often packed by a custom-made packer with an anti-emulation feature. Before execution, any attempt to scan a well-made sample with On Demand Scan or On Access Scan will fail to detect it, so the threat actor's goal is achieved.

But at the execution stage, the Threat Behavior Engine analyzes the actual process activity in real time and reveals its malicious nature. All that is needed then is to raise the alarm, terminate the process and roll back the changes.

In the example of packed ransomware above, the sample could try to:

  • Find important files on target system
  • Encrypt important files
  • Delete original files
  • Delete shadow copies

Such information is enough for detection and does not depend on the packer or anti-emulation techniques used. Running the Threat Behavior Engine, armed with both behavior heuristics and ML-based models, the product becomes insensitive to static evasion techniques and even to modifications of sample behavior.

When making behavior-based judgments, it is important to detect malicious activity as early as possible, which, in combination with a proper Remediation Engine, prevents any loss of the end user’s data. The Remediation Engine protects different objects, such as files, registry keys, tasks, etc.

Returning to the sample above, let’s assume that before the actual malicious activity, the ransomware added itself to autorun (for example, through the registry). After detection, the Remediation Engine should analyze the behavioral stream and not just restore the user’s data but also delete the created registry key.
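The behavior sequence and the registry rollback described above, as an added example (not Kaspersky's code or event format): a per-process weighted heuristic over a constructed event stream that raises a verdict before the last stage and builds a rollback plan from the journal. The action labels, weights, threshold and event tuples are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed event stream: (pid, action, target). Labels are assumptions.
EVENTS = [
    (412, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (412, "file_enum", r"C:\Users\alice\Documents"),
    (412, "file_encrypt", r"C:\Users\alice\Documents\report.docx.locked"),
    (412, "file_delete", r"C:\Users\alice\Documents\report.docx"),
    (412, "shadow_copy_delete", "all"),
    (977, "file_enum", r"C:\Users\alice\Pictures"),
    (977, "file_delete", r"C:\Users\alice\Pictures\tmp.png"),
]

# Each distinct stage counts once per process, so a benign tool that deletes
# many files never reaches the threshold on deletions alone.
WEIGHTS = {"file_enum": 1, "file_encrypt": 3, "file_delete": 2,
           "shadow_copy_delete": 4}
THRESHOLD = 6  # assumed value: reached before shadow copies are touched

# Changes the journal can undo, mapped to the remediation step.
REVERSIBLE = {"reg_set": "delete registry value",
              "file_encrypt": "delete encrypted copy",
              "file_delete": "restore original file"}

def analyze(events):
    """Return {pid: (index_of_detecting_event, rollback_plan)}."""
    score = defaultdict(int)
    seen = defaultdict(set)
    journal = defaultdict(list)
    verdicts = {}
    for i, (pid, action, target) in enumerate(events):
        if pid in verdicts:
            continue  # process is treated as terminated after detection
        if action in REVERSIBLE:
            journal[pid].append((action, target))
        if action in WEIGHTS and action not in seen[pid]:
            seen[pid].add(action)
            score[pid] += WEIGHTS[action]
        if score[pid] >= THRESHOLD:
            # Undo newest change first; the autorun key set before any
            # file activity is still in the journal and is removed last.
            plan = [(REVERSIBLE[a], t) for a, t in reversed(journal[pid])]
            verdicts[pid] = (i, plan)
    return verdicts

if __name__ == "__main__":
    for pid, (idx, plan) in analyze(EVENTS).items():
        print(f"pid {pid} flagged at event {idx}")
        for step, target in plan:
            print(f"  {step}: {target}")
```
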

Among other advantages, in some cases behavior-based detection technology becomes the only means to detect and protect from a threat such as fileless malware. For example, while surfing the internet, a user is targeted by a drive-by attack. After exploitation, malicious code is executed in the context of the web browser. The main goal of the malicious code is to use registry or WMI subscriptions for persistence, and this ends up with no single object for a static scan. Nevertheless, the Behavior Detection component analyzes the web browser’s thread behavior, flags the detection and blocks the malicious activity.

The Behavior Detection component benefits from ML-based models on the endpoint to detect previously unknown malicious patterns in addition to behavior heuristic records. System events, collected from different sources, are delivered to the ML model. After processing, the ML model produces a verdict on whether the analyzed pattern is malicious. Even in the case of a non-malicious verdict, the result from the ML model is then used by the behavior heuristics, which in turn could also flag the detection.

The Behavior Detection component implements a Memory Protection mechanism. It guards system-critical processes such as lsass.exe and helps prevent leakage of user credentials by mimikatz-like malware.
