Kaspersky Lab today announces that its experts have developed and patented an advanced database architecture which significantly accelerates the emulation of an operating system’s file system and registry. Patent No. 8407196, issued by the United States Patent and Trademark Office, describes a hierarchical object-oriented database designed to work with emulators. This kind of database enables faster proactive detection of dangerous applications.
If a security product’s antivirus databases do not include a signature for a specific application, this does not necessarily mean that the application is safe. Emulators built into many antivirus solutions are able to ‘experimentally’ determine whether an application on the computer is malicious or not. An emulator creates a virtual environment (a virtualised copy of the operating system), launches a potentially malicious application in that environment and tracks its behaviour. If an application’s behaviour is determined to be malicious, it is blocked, thereby preventing infection.
Although emulating the operating system is recognised as an effective method of combating malware, its implementations vary significantly. In particular, an emulator’s performance largely depends on the type of database it uses to create a virtual copy of the system.
In the process of creating a virtual copy of the system, an emulator uses what can be described as a ‘map’ of the system’s components – a database containing information about these components and their locations. An emulator’s performance is therefore directly dependent on how quickly it can locate a given component in that map.
Many existing emulators use relational databases, where information is organised in tables and each lookup has to be matched against the table rows. Search speeds in these databases can be very low as a result. At the same time, contemporary malware samples can touch hundreds or even thousands of different operating system files in the course of their operation. As a result, creating a virtual environment in which to scan potentially malicious software with an emulator that stores its virtualised file system objects in a relational database may take a long time, affecting the performance of the antivirus solution.
Speeding up the protection
The database architecture patented by Kaspersky Lab experts has a tree structure, which organises heterogeneous data more efficiently. Instead of searching extensive tables in a relational database, the emulator can quickly find an object in the hierarchical structure, determining the path to it from the object’s type and fields, as well as from additional cross-references between objects in the database.
According to measurements performed internally by Kaspersky Lab, a complete search of a database containing about 500,000 objects takes less than a second. To put that in context, emulating the Windows 7 operating system in its default state, without any additional applications, involves about 50,000 files.
In practice, the advantage of the newly-patented technology is that it enables Kaspersky Lab security products to analyse the behaviour of unknown programs in a virtualised environment faster than emulators that use databases based on conventional data organisation methods.
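To make the difference between the two data organisations concrete, here is an added example (written for this page; it is not Kaspersky Lab code and does not follow the patent’s actual schema) of a tree-structured map of a virtualised Windows file system and registry beside a flat, row-per-object table. Objects are first keyed by type (`fs` or `reg`, an assumed vocabulary) and then by path component, so a lookup costs one dictionary hop per component regardless of how many objects the map holds, while the flat table has to be scanned row by row. A cross-reference from a registry Run value to the file it launches shows how one object can point at another. All sample objects and the 2,000 filler entries are constructed for the example.

```python
"""Tree-structured map of a virtualised Windows system (added example, not
Kaspersky Lab code). Objects are keyed by type ('fs' or 'reg') and then by
path component, so a lookup walks one dict per component instead of
scanning rows. A FlatTable baseline shows the row-scan cost for comparison."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Node:
    name: str                       # component name in original case
    kind: str                       # 'dir', 'file', 'key' or 'value' (assumed vocabulary)
    fields: dict = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)   # keyed lowercase
    ref: Optional[str] = None       # cross-reference: 'fs:<path>' or 'reg:<path>'


def _split(path: str):
    """Split a Windows-style path into components, tolerating forward slashes."""
    return [p for p in path.replace("/", "\\").split("\\") if p]


class VirtualSystemMap:
    """Hierarchical map: one tree for the file system, one for the registry."""

    def __init__(self):
        self.roots = {"fs": Node("", "dir"), "reg": Node("", "key")}
        self.steps = 0      # dict hops performed by the last lookup

    def add(self, typ, path, kind, ref=None, **fields):
        node = self.roots[typ]
        parts = _split(path)
        inner = "dir" if typ == "fs" else "key"
        for part in parts[:-1]:                     # create intermediate dirs/keys
            node = node.children.setdefault(part.lower(), Node(part, inner))
        leaf = node.children.setdefault(parts[-1].lower(), Node(parts[-1], kind))
        leaf.kind, leaf.ref = kind, ref
        leaf.fields.update(fields)
        return leaf

    def lookup(self, typ, path):
        """Case-insensitive path walk; cost is the number of components."""
        self.steps = 0
        node = self.roots[typ]
        for part in _split(path):
            self.steps += 1
            node = node.children.get(part.lower())
            if node is None:
                return None
        return node

    def resolve(self, node):
        """Follow a node's cross-reference (e.g. registry value -> file)."""
        if node is None or node.ref is None:
            return None
        typ, _, path = node.ref.partition(":")
        return self.lookup(typ, path)


class FlatTable:
    """Row-per-object baseline: every lookup scans the rows in order."""

    def __init__(self):
        self.rows = []
        self.steps = 0

    def add(self, typ, path, kind, **fields):
        self.rows.append((typ, path.replace("/", "\\").lower(), kind, fields))

    def lookup(self, typ, path):
        self.steps = 0
        key = (typ, path.replace("/", "\\").lower())
        for row in self.rows:
            self.steps += 1
            if (row[0], row[1]) == key:
                return row
        return None


def build_sample():
    """Constructed sample: 2,000 filler files plus a few objects an emulated
    program would plausibly touch. Filler goes first so the flat scan pays."""
    tree, flat = VirtualSystemMap(), FlatTable()
    exe = r"C:\Users\Public\sample.exe"
    objects = [("fs", rf"C:\Windows\WinSxS\pkg{i}\lib.dll", "file", {"size": i})
               for i in range(2000)]
    objects += [
        ("fs", r"C:\Windows\System32\kernel32.dll", "file", {"size": 1_000_000}),
        ("fs", r"C:\Windows\System32\ntdll.dll", "file", {"size": 2_000_000}),
        ("fs", exe, "file", {"size": 40_000}),
        # Run value whose data names the file above; 'ref' is the cross-reference
        ("reg", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater",
         "value", {"data": exe, "ref": "fs:" + exe}),
    ]
    for typ, path, kind, fields in objects:
        tree.add(typ, path, kind, **fields)
        flat.add(typ, path, kind, **fields)
    return tree, flat


if __name__ == "__main__":
    tree, flat = build_sample()
    k32 = r"C:\Windows\System32\kernel32.dll"
    tree.lookup("fs", k32); flat.lookup("fs", k32)
    print("tree hops:", tree.steps, "flat rows scanned:", flat.steps)
    run = tree.lookup("reg", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater")
    print("Run value launches:", tree.resolve(run).fields)
```

The `steps` counters are the point of the comparison: the tree lookup for `kernel32.dll` costs four hops (one per path component) no matter how many objects the map contains, whereas the flat table scans past every filler row first. A real relational store would normally carry an index on the path column, so this baseline illustrates the row-scan cost the press release describes rather than the best a relational engine can do.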
Although the patent was only issued in late March, the technology is already operational in the following Kaspersky Lab products: Kaspersky Internet Security, Kaspersky PURE, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Data Protection Edition, Kaspersky Security for Virtualisation, Kaspersky Anti-Virus for Mac, Kaspersky Endpoint Security for Mac, Kaspersky Anti-Virus for Lotus Notes, Kaspersky Anti-Virus for Microsoft ISA Server/Forefront TMG, and Kaspersky Security for Linux Mail Server.
Kaspersky Lab continues to expand its intellectual property. At the beginning of March 2013, the company’s portfolio included over 130 patents issued in the US, Russia, the EU and China. In addition, 200 patent applications are currently being considered by the patent authorities of these countries.