Abstract: Disclosed herein are methods and systems for selecting a detection model for detection of a malicious file. An exemplary method includes: monitoring a file during execution of the file within a computer system by intercepting commands of the file being executed and determining one or more parameters of the intercepted commands. A behavior log of the file being executed containing behavioral data is formed based on the intercepted commands and based on the one or more parameters of the intercepted commands. The behavior log is analyzed to form a feature vector. The feature vector characterizes the behavioral data. One or more detection models are selected from a database of detection models based on the feature vector. Each of the one or more detection models includes a decision-making rule for determining a degree of maliciousness of the file being executed.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: selecting a file from a database of files used to perform training of a model for detecting a malicious file, forming one or more behavior patterns from intercepted one or more commands and parameters during execution of the file, forming a detection model, wherein the detection model selects a method of machine learning and is initialized with one or more hyper-parameters, training the detection model by calculating the one or more hyper-parameters based on the one or more behavior patterns to form a group of rules for calculating a degree of maliciousness of a resource and calculating a degree of maliciousness of another file based on the trained detection model.

Abstract: Disclosed herein are methods and systems for selecting a detection model for detection of a malicious file. An exemplary method includes: monitoring a file during execution of the file within a computer system by intercepting commands of the file being executed and determining one or more parameters of the intercepted commands. A behavior log of the file being executed containing behavioral data is formed based on the intercepted commands and based on the one or more parameters of the intercepted commands. The behavior log is analyzed to form a feature vector. The feature vector characterizes the behavioral data. One or more detection models are selected from a database of detection models based on the feature vector. Each of the one or more detection models includes a decision-making rule for determining a degree of maliciousness of the file being executed.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises emulating execution of a file under analysis, forming a behavior log of the emulated execution of the file under analysis, forming one or more behavior patterns from commands and parameters selected from the behavior log, calculating a convolution of the one or more behavior patterns, selecting two or more models for detecting malicious files from a database, calculating a degree of maliciousness of the file being executed based using the convolution and the two or more models, forming a decision making template based on the degree of maliciousness and determining that the file is malicious when a degree of similarity between the decision making template and a predetermined decision making template exceeds a predetermined threshold value.

Abstract: Methods and systems are described in the present disclosure for classifying malicious objects. In an exemplary aspect, a method includes: collecting data describing a state of an object of the computer system, forming a vector of features, calculating a degree of similarity based on the vector, calculating a limit degree of difference that is a numerical value characterizing the probability that the object being classified will certainly belong to another class, forming a criterion for determination of class of the object based on the degree of similarity and the limit degree of difference, determining that the object belongs to the determined class when the data satisfies the criterion, wherein the data is collected over a period of time defined by a data collection rule and pronouncing the object as malicious when it is determined that the object belongs to the specified class.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: forming a feature vector based on behavioral data of execution of a file, calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be malicious, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law, deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

Abstract: Methods and systems are described in the present disclosure for training a model for detecting malicious objects on a computer system. In an exemplary aspect, a method includes: selecting files from a database used for training a detection model, the selection is performed based on learning rules, performing an analysis on the files by classifying them in a hierarchy of maliciousness, forming behavior patterns based on execution of the files and parameters of the execution, training the detection model according to the analysis of the files and the behavior patterns, verifying the trained detection model using a test selection of files to test determinations of harmfulness of the test selection of files, and when the verification fails, retraining the detection model using a different set of files from the database, otherwise applying the detection model to a new set of files to determine maliciousness.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises emulating execution of a file under analysis, forming a behavior log of the emulated execution of the file under analysis, forming one or more behavior patterns from commands and parameters selected from the behavior log, calculating a convolution of the one or more behavior patterns, selecting two or more models for detecting malicious files from a database, calculating a degree of maliciousness of the file being executed based using the convolution and the two or more models, forming a decision making template based on the degree of maliciousness and determining that the file is malicious when a degree of similarity between the decision making template and a predetermined decision making template exceeds a predetermined threshold value.

Abstract: Methods and systems are described in the present disclosure for classifying malicious objects. In an exemplary aspect, a method includes: collecting data describing a state of an object of the computer system, forming a vector of features, calculating a degree of similarity based on the vector, calculating a limit degree of difference that is a numerical value characterizing the probability that the object being classified will certainly belong to another class, forming a criterion for determination of class of the object based on the degree of similarity and the limit degree of difference, determining that the object belongs to the determined class when the data satisfies the criterion, wherein the data is collected over a period of time defined by a data collection rule and pronouncing the object as malicious when it is determined that the object belongs to the specified class.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: selecting a file from a database of files used to perform training of a model for detecting a malicious file, forming one or more behavior patterns from intercepted one or more commands and parameters during execution of the file, forming a detection model, wherein the detection model selects a method of machine learning and is initialized with one or more hyper-parameters, training the detection model by calculating the one or more hyper-parameters based on the one or more behavior patterns to form a group of rules for calculating a degree of maliciousness of a resource and calculating a degree of maliciousness of another file based on the trained detection model.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: forming a feature vector based on behavioral data of execution of a file, calculating parameters based on the feature vector using a trained model for calculation of parameters, wherein the parameters comprise: i) a degree of maliciousness that is a probability that the file may be malicious, and ii) a limit degree of safety that is a probability that the file will definitely prove to be malicious, wherein an aggregate of consecutively calculated degrees is described by a predetermined time law, deciding that the file is malicious when the degree of maliciousness and the limit degree of safety satisfy a predetermined criterion, wherein that criterion is a rule for the classification of the file according to an established correlation between the degree of maliciousness and the limit degree of safety.

Abstract: Methods and systems are described in the present disclosure for training a model for detecting malicious objects on a computer system. In an exemplary aspect, a method includes: selecting files from a database used for training a detection model, the selection is performed based on learning rules, performing an analysis on the files by classifying them in a hierarchy of maliciousness, forming behavior patterns based on execution of the files and parameters of the execution, training the detection model according to the analysis of the files and the behavior patterns, verifying the trained detection model using a test selection of files to test determinations of harmfulness of the test selection of files, and when the verification fails, retraining the detection model using a different set of files from the database, otherwise applying the detection model to a new set of files to determine maliciousness.