Because newer, more sophisticated cyberattacks try to overcome existing protection, it is crucial to mount layered defenses, covering both different levels of infrastructure and applying multiple protection layers of varied nature to every protected asset. This allows effective protection against different types of malware while making the system too well-defended for the majority of attackers.
The image above shows how threats are blocked with various layers of the file antivirus.
The first layer constitutes a reliable and ultra-fast technology that detects malware by masks and hashes.
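The following Python sketch is an added illustration of this first layer and is not Kaspersky Lab's code: it checks a file's SHA-256 against a set of known-bad hashes and then searches the bytes for masks (hex byte sequences in which `??` matches any single byte). The verdict names and the "known bad" sample are constructed for the example; the test-file string is not a real malware indicator. It also shows why masks exist alongside hashes: a one-byte change defeats the hash match but not the mask.

```python
import hashlib
import re

# Constructed detection database for this example (hypothetical verdict
# names, not a real database; the sample below is a harmless test string).
SAMPLE_TEST_FILE = b"DEMO-NOT-MALWARE-TEST-FILE-0001"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_TEST_FILE).hexdigest(): "Demo.Hash.TestFile",
}
# Mask syntax: space-separated hex bytes, "??" is a single-byte wildcard.
# Constructed mask: "MZ", two arbitrary bytes, then "PE\0\0".
BYTE_MASKS = {
    "Demo.Mask.FakePE": "4D 5A ?? ?? 50 45 00 00",
}


def compile_mask(mask):
    """Translate a byte mask into a compiled bytes regex."""
    parts = []
    for tok in mask.split():
        if tok == "??":
            parts.append(b".")            # any one byte (DOTALL below)
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_MASKS = {name: compile_mask(m) for name, m in BYTE_MASKS.items()}


def scan_bytes(data):
    """Return a list of (verdict, method) hits; empty means clean here."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append((KNOWN_BAD_SHA256[digest], "hash"))
    for name, pattern in COMPILED_MASKS.items():
        if pattern.search(data):
            hits.append((name, "mask"))
    return hits


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    print(scan_bytes(SAMPLE_TEST_FILE))           # hash hit
    print(scan_bytes(SAMPLE_TEST_FILE + b"!"))    # one byte appended: no hash hit
    print(scan_bytes(b"MZ\x90\x00PE\x00\x00..."))  # mask hit despite wildcard bytes
```

Real engines anchor masks to offsets or sections rather than searching the whole file, and keep the hash set in a far more compact structure; the point here is only the contrast between an exact-match layer and a tolerant one.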
The second layer uses emulation, which runs suspicious code in an isolated environment. Both binaries and scripts are emulated, which is critical for protection against web threats.
The third layer is a classic detection routine. It’s a tool that allows Kaspersky Lab experts to write code and deliver it directly to users through database updates. This technology is truly irreplaceable; it complements the solution with decryptors for ransomware and unpackers for legitimate packers.
The fourth layer assumes the use of machine-learning models on the client’s end. The models’ high generalization ability helps to prevent the loss of quality in detecting unknown threats, even if an update of databases was not available for more than two months.
The fifth layer is cloud detection using big data. It leverages threat analytics from all endpoints in Kaspersky Security Network, which, in turn, enables unprecedented reaction to new threats and minimizes false positives.
The sixth layer is heuristics based on execution logs. There is no more fail-safe way to catch a criminal than catching him in the act. Instant backup of data impacted by a suspicious process and automated roll-back neutralize malware the moment it’s detected.
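To make the backup-and-roll-back idea in this layer concrete, here is an added Python example (my own illustration, not Kaspersky Lab's implementation): a guard copies each file aside the first time a process under observation is about to write it; if that process is later judged malicious, every touched file is restored from its copy, and if it is judged benign, the copies are discarded. The file names, the "suspicious process" simulation and the verdict are all constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path


class RollbackGuard:
    """Hypothetical helper: keep a pre-write copy of every file a watched
    process modifies, so its changes can be undone on a malicious verdict."""

    def __init__(self, backup_root):
        self.backup_root = Path(backup_root)
        self.backup_root.mkdir(parents=True, exist_ok=True)
        self.backups = {}  # original path -> backup copy

    def before_write(self, path):
        """Call before the watched process's first write to `path`."""
        path = Path(path)
        if path in self.backups or not path.exists():
            return  # already saved, or a brand-new file with nothing to keep
        dest = self.backup_root / f"{len(self.backups)}_{path.name}"
        shutil.copy2(path, dest)
        self.backups[path] = dest

    def rollback(self):
        """Verdict: malicious. Restore every touched file; return the list."""
        restored = []
        for path, dest in self.backups.items():
            shutil.copy2(dest, path)
            restored.append(path)
        self.backups.clear()
        return restored

    def commit(self):
        """Verdict: benign. Drop the copies and keep the process's changes."""
        for dest in self.backups.values():
            dest.unlink(missing_ok=True)
        self.backups.clear()


def simulate_suspicious_process(guard, targets):
    """Constructed stand-in for a process that overwrites user files.
    The guard hook runs before each write, as a real driver-level
    interceptor would."""
    for path in targets:
        guard.before_write(path)
        Path(path).write_bytes(b"\x00" * 16)  # data destroyed


def demo():
    """Return (content after tampering, content after rollback)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = Path(tmp) / "report.txt"
        original = b"quarterly figures: all good"  # constructed user data
        doc.write_bytes(original)

        guard = RollbackGuard(Path(tmp) / "backup")
        simulate_suspicious_process(guard, [doc])
        tampered = doc.read_bytes()

        # Execution-log heuristics fire: the process wrote garbage over a
        # user document, so the verdict is malicious and we roll back.
        guard.rollback()
        return tampered, doc.read_bytes()


if __name__ == "__main__":
    after_tamper, after_rollback = demo()
    print(after_tamper)      # 16 NUL bytes
    print(after_rollback)    # original text again
```

The design choice worth noting is that the copy is taken synchronously on the first write rather than after a verdict: by the time behaviour looks bad enough to judge, the data is already gone, so the backup has to precede the damage.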
The seventh layer involves gathering real-time behavioral insights on files to create deep learning models. The model is capable of detecting a file’s malicious nature while analyzing a minimal amount of instructions. This helps to minimize threat persistence, and machine learning provides high detection rates even when a model update is unavailable for a long time.
As you can see, using machine learning on various layers of the file antivirus subsystem is, in its very essence, a proof of Kaspersky Lab’s multi-layered, next generation approach to protection. Internally, this is referred to as "multi-layered machine learning" or ML2 for short.
We use the same approach when making other security solutions as well.