RU2706883C1 - System and method of reducing number of false triggering of classification algorithms - Google Patents

Abstract

FIELD: computer engineering.

SUBSTANCE: invention relates to the computer engineering. Method of reducing the number of false triggering comprises steps of recognizing, by means of a malicious file detection means, a file belonging to a certain category of files; detecting false triggering of malware detection means by means of evaluation means; calculating, by means of false triggering means, a flexible hash file; adding, by means of false triggering means, the calculated flexible hash to the exception database; method is used to detect malicious files for analyzing files in order to recognize files belonging to a certain category of files, wherein the malicious file detection means excludes from the analysis performed for the purpose of recognizing the file relating to a certain file category, if the flexible hash value of the said file is stored in the exception database.

EFFECT: reduced number of false triggering of methods, having generalizing capacity, in relation to files, in respect of which verification has not yet been carried out in order to assign them to a certain category of files.

4 cl, 3 dwg

Description

Technical field

The invention relates to the field of file classification, and in particular to systems and methods for reducing the number of false positives of classification algorithms.

State of the art

Currently, computing devices - smartphones, computers, tablets, etc. - have become a mandatory attribute of almost every person. With these devices, people perform many everyday tasks: from communicating by e-mail to paying for purchases in stores. The wide distribution of such devices motivates cybercriminals to create and use malicious programs - programs, in particular those designed for unauthorized access to user data, as well as to the resources of computing devices in general.

Currently, anti-malware programs are widely used to combat malicious programs - programs designed to detect malicious programs and protect computing devices from these malicious programs. To provide such protection, various approaches and technologies are used: signature analysis, behavioral analysis, heuristic rules, etc. But as anti-virus technologies develop, attackers improve ways to bypass these defense mechanisms. Thus, the development of anti-virus technologies is always an urgent task, the purpose of which is to improve the quality of malware detection - to reduce the errors of the first (false positive) and second kind when malware is detected.

To improve the quality of malware detection, classification algorithms based on machine learning are increasingly being used. Such algorithms distinguish all kinds of signs (information about the compilers used to create applications, information about the sizes of executable files, sets of machine instructions, etc.) from the analyzed applications, in particular executable files (for example, PE files), and based on these signs they refer the analyzed application to one of the application classes; accordingly, the malicious application is detected when the analyzed application is assigned to the class of malicious applications. Well-trained classification algorithms do a good job of detecting malicious applications, however, the number of false positives (or other metrics based on the number of false positives) of the algorithm is also its important characteristic. Therefore, the possibility of timely correction of false positives is a necessity when using such classification algorithms.

US 8719935 B2 describes an approach to reducing the number of false positives by comparing information that identifies a file that is recognized as malicious with similar information from a trusted copy of the file. In one implementation, such information is a hash of a file. In the event of a difference in information, a decision is made to detect and correct a false positive.

However, the prior art does not describe approaches to simultaneously correct a number of false positives. The present invention is intended to quickly and effectively solve this problem.

Disclosure of invention

The present invention is intended to reduce the number of errors of the first kind, carried out when determining the category of files.

The technical result of the present invention is to implement the claimed purpose.

Another technical result of the claimed invention is the reduction in the number of false positives of methods with a generalizing ability, in relation to files in respect of which has not yet been verified in order to classify them in a certain category of files.

A way to reduce the number of false positives, according to which: using a means of detecting malicious files, a file is recognized as belonging to a certain category of files; at the same time, a method with generalizing ability is used to recognize a file as belonging to a certain category of files; detect, with the help of an evaluation tool, a false positive of the malware detection tool when a file is recognized as belonging to a certain category of files by analyzing said file; using a means of correcting false positives, they calculate a flexible hash of a file, the recognition of which as belonging to a certain category of files is a false positive; the values of the flexible hashes of two similar files are the same; add the calculated flexible hash to the exception database using the false positive correction tool; they use a malware detection tool to analyze files in order to recognize files as belonging to a certain category of files, while a malware detection tool excludes a file from the analysis performed to recognize a file as belonging to a certain category of files if the value of the flexible hash of the file is stored in the database data exceptions.

In another embodiment of the method, correcting the false positive of the method used to recognize the file as malicious is a time-consuming operation.

In another embodiment of the method, the method, the correction of a false positive which is a time-consuming operation, is a classification algorithm.

In another embodiment of the method, the classification algorithms are:

- decision tree;

- gradient boosting;

- random forest;

- classification algorithms based on neural networks.

In another variant of the method, correction of a false positive is a laborious operation if one of the conditions is fulfilled:

- correction of false positives of such a method requires significant time costs;

- Correction of the false positive of this method requires a significant amount of data transmitted over the network.

In another embodiment of the method, the category of files to which the malware detection tool can relate a file is one of the following categories:

- category of malicious files;

- category of junk files.

A system for reducing the number of false positives, which contains: a malware detection tool designed to recognize a file belonging to a certain category of files; the malware detection tool excludes the file from the analysis performed to recognize the file as belonging to a certain category of files if the value of the flexible hash of the file is stored in the exception database; at the same time, a method with generalizing ability is used to recognize a file as belonging to a certain category of files; evaluation tool for detecting a false positive of a malicious file detection tool when a file is recognized as belonging to a certain category of files by analyzing said file; a false positive correction tool designed to calculate a flexible hash of a file, recognizing it as belonging to a certain category of files is a false positive, and also to add a calculated flexible hash to the exception database; the values of the flexible hashes of two similar files are the same.

In another version of the system, fixing the false positive of the method used to recognize the file as malicious is a time-consuming operation.

In another version of the system, the method, the correction of the false positive of which is a laborious operation, is a classification algorithm.

In another embodiment of the system, classification algorithms are:

- decision tree;

- gradient boosting;

- random forest;

- classification algorithms based on neural networks.

In another version of the system, correcting a false positive is a laborious operation if one of the conditions is met:

- correction of false positives of such a method requires significant time costs;

- Correction of the false positive of this method requires a significant amount of data transmitted over the network.

In another embodiment of the system, the category of files to which the malware detection tool can relate a file is one of the following categories:

- category of malicious files;

- category of junk files.

Brief Description of the Drawings

Additional objectives, features and advantages of the present invention will be apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

FIG. 1 illustrates an exemplary diagram of the components of a system for reducing the number of false positives of classification algorithms.

FIG. 2 illustrates an exemplary embodiment of a method for reducing the number of false positives of classification algorithms.

FIG. 3 illustrates an embodiment of a general purpose computer system circuit.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are included in the scope of this invention, as defined by the attached formula.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details necessary to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined in the scope of the attached claims.

We introduce a number of definitions and concepts that will be used in the description of embodiments of the invention.

Malicious application - an application that can harm a computing device or user data of a computing device (in other words, a computer system: personal computer, server, mobile phone, etc.), for example: a network worm, a keylogger, a computer virus. The damage may be caused by unauthorized access to computer resources, including data stored on a computer for theft, as well as unlawful use of resources, including for storing data, performing calculations, etc.

A trusted application is an application that does not harm the computer or its user. A trusted application can be considered an application developed by a trusted manufacturer of software (software) downloaded from a trusted source (for example, a site listed in the database of trusted sites) or an application whose identifier (or other data by which you can uniquely identify the application) which (for example , the hash of the application file) is stored in the trusted application database. The manufacturer’s identifier, such as a digital certificate, can also be stored in a trusted application database.

An untrusted application is an application that is not trusted, but is also not considered malicious, for example, using an anti-virus application. In this case, an untrusted application can subsequently be recognized as malicious, for example, by means of an anti-virus scan.

Malicious file - a file that is a component of a malicious application and contains program code (executable or interpreted code).

Untrusted file - a file that is a component of an untrusted application and contains program code (executable or interpreted code).

Trusted file - a file that is a component of a trusted application.

Predefined application categories - at least the category of trusted applications, the category of untrusted applications, the category of malicious applications.

False positive - committing a mistake of the first kind.

Flexible hash (English "similarity preserving hash" ¹ ( ¹ Sparse similarity-preserving hashing, Jonathan Masci et al., Https://arxiv.org/pdf/1312.5479.pdf), in particular "locality sensitive hash ² " ( ² Locality Sensitive Hashing, Ravi Kumar, https://users.soe.ucsc.edu/ ^~ niejiazhong / slides / kumar.pdf)) - the hash of the file, calculated on the basis of the data stored in the file, and the value of which remains unchanged when partially changed such data. In yet another embodiment, for calculating a flexible hash, additionally used data obtained by processing data stored in a file, for example: as data for calculating a flexible hash, records of function calls from a file execution log obtained by one of the known from the level can be used techniques of methods, for example, when executing a file or emulating file execution. In one embodiment, a flexible hash can be represented as a vector of values.

In one embodiment, a flexible hash is a hash that for two similar files will have the same value (the values of flexible hashes calculated based on the characteristics of the files are the same). By a flexible hash of a group of files (a flexible hash corresponding to a group of files) we mean a flexible hash, the value of which is the same for each file from the mentioned group. Files with the matching value of the flexible hash, in particular files from such a group, can be considered similar with some accuracy (accuracy in this context can be understood as the mean or rms value of the degree of similarity, for example, between every two files from such a group), which is determined by the accuracy of the method itself flexible hash calculations.

Two files will be considered similar if the degree of similarity between them exceeds a predetermined threshold (for example, exceeds 85%, in other words, exceeds 0.85). The degree of similarity can be calculated using any of the known approaches, for example, based on the calculation of measures:

- Jacquard;

- Dyce;

- Levenshtein;

- Hamming;

- etc.

System means in the present invention are understood to be real devices, systems, components, groups of components implemented using hardware such as integrated circuits (application-specific integrated circuit, ASIC) or programmable gate arrays (English field-programmable gate array , FPGA), or, for example, in the form of a combination of software and hardware, such as a microprocessor system and a set of software instructions, as well as on neuromorphic chips (English neurosynaptic chips) The functionality of these system tools can be implemented exclusively in hardware, as well as in the form of a combination, where part of the functionality of the system is implemented in software, and part in hardware. In some embodiments, part of the means, or all means, may be executed on a processor of a general-purpose computer (for example, which is shown in Fig. 3). At the same time, system components can be implemented within the framework of a single computing device, or spaced between several connected computing devices.

In FIG. 1 shows an exemplary diagram of the components of a system for reducing the number of false positives of classification algorithms. The system includes the following components: malware detection tool 110, evaluation tool 120, false positive correction tool 130, and exception database 140. In one embodiment of the invention, all system components are located on a user's computing device — a client, in another implementation system components are located on a remote server. In yet another embodiment, the malware detection tool 110 and the exception database 140 are located on the user's computing device, and the evaluator 120 and the false positive correction tool 130 are located on the server. In yet another embodiment, the malware detection tool 110, the exception database 140, and the evaluation tool 120 are located on the client, and the tool 130 is located on the server. In yet another embodiment, the evaluation tool 120 is located on the server, and the remaining components of the system are located on the client. In another embodiment, all of the system’s facilities are located on a remote server, and an agent is located on the client that is capable of transmitting to the remote server all the data necessary for the functioning of the system’s facilities.

Malware Detector 110 is designed to detect malicious files. It is worth noting that malicious files are a special case of a category of files that have common characteristics, namely the fact that files from this category can harm a computing device or its user. All the algorithms, methods and approaches described in the framework of this invention can apply not only to malicious files, but to files from a certain category. One such category is the malware category. In another embodiment of the invention, this category is the category of junk files, for example, related to unwanted software, such as adware (from the English adware), or to software that changes the settings of other applications, in particular the browser start page. In the future, to describe an example implementation of the present invention, an example of the mentioned category will be the category of malicious files, and as files not included in this class, the category of trusted files. Accordingly, by false positives we mean the erroneous recognition of a file as belonging to a certain category (in particular, to the class of malicious files), which do not belong to this category (in particular, trusted files).

Detection of a malicious file is accomplished by recognizing the file being analyzed by means 110 as malicious. To recognize the file as malicious, tool 110 can use any method known from the prior art that has the peculiarity - fixing a false positive of such a method is a time-consuming operation, in particular:

- correction of false positives of such a method requires significant time costs;

- or correcting the false positive of such a method requires a significant amount of data transmitted over the network.

In yet another embodiment of the invention, the method used to detect a malicious file has a generalizing ability: one record (for example, a heuristic rule, a flexible hash, etc.) for detecting a malicious file can be used to detect many unique files. At the same time, a significant amount of time to correct a false positive is a time period that exceeds a set threshold value, for example 1 hour or more, and a significant amount of data transmitted over a network to correct a false positive is considered a data volume that exceeds a set threshold value, for example 1 megabyte or more.

In one embodiment of the invention, the malware detection tool 110 uses a classification algorithm to detect malicious files, which accordingly takes a considerable amount of time to correct a false positive, since correcting such a false positive requires retraining the classification algorithm and also has a generalizing ability. In one embodiment, such classification algorithms are:

- decision tree (English "decision tree");

- gradient boosting (English "gradient boosting");

- random forest (English "random forest");

- classification algorithms based on neural networks.

The learning process (as well as retraining) of any classification algorithm is known from the prior art and will not be described in the framework of the materials of the present invention.

To check the file 105 for the purpose of detecting a malicious file 105 (in other words, recognizing the file 105 as malicious), the malware detection tool 110 uses a classification algorithm. A file 105 is one of a plurality of files 115. A plurality of files 115 is a plurality of files against which the malware detection tool 110 did not perform a check to detect malicious files. In one embodiment of the invention, such files may be files on a user's computing device, in another embodiment, on a remote server. The malware detection tool 110 scans the file 105, as a result of such a scan, the tool 110 either recognizes the file 105 as malicious or not. If the file 105 is recognized as malicious, the malware detection tool 110 transfers the file 105 (or all necessary information about it) to the rating tool 120.

Evaluation tool 120 is for analyzing file 105 (or file information 105). The purpose of the evaluation tool 120 by analyzing the file 105 is to detect a false positive of the malware detection tool 110, in particular when the file 105 is considered malicious. Any method known in the art can be used to detect false positives when a file 105 is recognized as a malicious assessment tool 120, in particular, the assessment tool can compare the file identifier 105, for example, the file checksum (MD5 or SHA-1, etc.) with identifiers trusted files that are stored in the database of trusted files 125, this database 125 can be located both within the same computing device with a means of evaluation 120, and remotely relative to the evaluation tool 120. If the identifier file 105, a recognized means for detecting malicious file 110 is present in a database of trusted files 125, the estimating means 120 detects a false positive detection of malware files means 110 recognizing malicious file 105. Otherwise, the evaluation tool 120 does not detect a false positive of the malware detection tool 110.

In yet another embodiment, the evaluator 120 compares the EDS certificate (if the signature is present in the file 105) with the certificates stored in the trusted file database 125. If the EDS certificate is signed in the database 125, which the file 105 is recognized as malicious, and the EDS is valid, then the evaluator 120 detects a false positive of the malware detection tool 110 upon the recognition of the file 105 as malicious. Otherwise, the evaluation tool 120 does not detect a false positive of the malware detection tool 110.

The data stored in the database 125 can be added and modified by specialists in the field of information security, for example using a remote connection.

After detection by the evaluation tool 120 of the false positives of the malware detection tool 110, the tool 120 transfers the file 105, which was mistakenly detected by the malware detection tool 110 as malicious, to the false-error correction tool 130.

The false positive correction tool 130 is intended to calculate a flexible hash of 135 files. In one embodiment of the invention, such a file is a file 105 that has been mistakenly recognized by the malware detection tool 110 as malicious. The calculated flexible hash 135 of file 105 is passed to exception database 140.

In turn, the flexible hashes 135 stored in the exclusion database 140 can be used by the malware detection tool 110 when checking files: if the flexible hash of the file to be scanned is present in the exclusion database, such a file is excluded from the scan. In another embodiment, if the flexible hash of the file to be checked is presented as a vector of values [x ₁ , x ₂ , x ₃ ...], and the exception has such a flexible hash [y ₁ , y ₂ , y ₃ ...], for which the indices of the elements of the vector I are indicated for which one of the following conditions is satisfied:

- ∀i ∈ I: x _i <y _i ,

- ∃K ⊂ I, ∀i ∈ K: x _i <y _i ,

then such a file is excluded from the scan. In one embodiment of the invention, such a file is recognized as trusted. Moreover, the malware detection tool 110 is able to calculate the flexible hash of the file 105, as well as compare this hash with the hashes stored in the exception database 140 (for example, by comparing the values of the hashes).

Thus, during a double check (which will be performed as part of the application of the malware detection tool 110) by the malware detection tool 110 of the file 105, the specified file 105 will not be recognized as malicious. Moreover, if the malware detection tool 110 needs to check against a plurality of files 115, provided that a false positive was detected for the tool 110, which recognized the file 105 as malicious, then all files 136 will be excluded from the scan by the tool 110, the value of flexible whose hashes are present in the database of exceptions 140, in particular, matching the flexible hash 135 of the file 105. In FIG. 1, a plurality of such files is schematically indicated by the vicinity of the file 105 — the area 136, symbolizing a plurality of files similar to the erroneously recognized malicious file 105 from the plurality of files 115.

Using the above-described approach avoids the situation where each file-like file 105 will be recognized as malicious using the malware detection tool 110, which will subsequently require changes to the algorithm that the tool 110 recognizes files as malicious in order to avoid false positives in the future. The use of flexible hash 135 to exclude files from verification by means 110 allows not only to avoid false alarms of means 110 with respect to file 105 used to calculate flexible hashes 135, but also with similar files 136 (which are recognized by means 110 in one embodiment of the invention trusted), in respect of which the malware detection tool 110 has not yet been checked. Thus, the claimed approach solves the technical problem of reducing the number of false positives. in having generalizing capability, in particular, classifying algorithms, while avoiding the possibility of false alarms concerning the files 136, to which have not audited for malicious (e.g., using the detection means 110 malicious files). At the same time, the claimed approach also solves a technical problem - quick (comparative), as well as correction of false positives that do not require a large amount of data transmitted over the network for malicious file detection methods that require significant time costs or a large amount of data transmitted over the network to fix false positives. The solution to this technical problem is due to the fact that fixing a false positive using a flexible hash does not require, for example, retraining the classification algorithm.

In FIG. 2 shows a diagram of a method for reducing the number of false positives of classification algorithms. At step 201, the malware detection tool 110 analyzes the file 105, the purpose of this analysis is to recognize the file 105 as malicious. If the file 105 is recognized as malicious by the malware detection tool 110, then at step 202, the evaluator 120 re-analyzes the recognized malicious file 105 to detect a false positive of the malware detection tool 110. If the malicious tool 110 does not detect a false positive of the malware detection tool 110 upon recognition file 105 is malicious, then at step 203 the decision to recognize file 105 as malicious does not change. Otherwise, at step 204, a flexible hash 135 of file 105, which was mistakenly malicious, is calculated using the false positive correction tool. After that, at step 205, the flexible hash 135 is added to the exception database 140. In one embodiment, adding the flexible hash 135 to the database 140 using the false positive correction tool 130. After that, at step 206, the detection tool is applied malicious files 110, for example, to analyze other files 115 not yet parsed by tool 110, so that files 115, the value of flexible hashes of which are present in the exception database 140, are excluded from the analysis performed by tool 110 with Strongly recognize malicious files. In the particular case of implementation, files excluded from analysis by means of 110 are recognized as trusted.

FIG. 3 represents an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating ROM systems 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer can be equipped with other peripheral output devices (not displayed), for example, speakers, a printer, etc. .

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 3. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (21)

1. A way to reduce the number of false positives, according to which: a) recognize the file as belonging to a certain category of files using the malware detection tool; at the same time, a method with generalizing ability is used to recognize a file as belonging to a certain category of files; b) detect, with the help of an evaluation tool, a false positive of the malware detection tool when a file is recognized as belonging to a certain category of files by analyzing said file; c) using a means of correcting false positives, a flexible hash of a file is calculated, the recognition of which as belonging to a certain category of files is a false positive; the values of the flexible hashes of two similar files are the same; d) add the calculated flexible hash to the exception database using the false positive correction tool; e) a malware detection tool is used to analyze files in order to recognize files as belonging to a certain category of files, while malware detection means excludes a file from the analysis performed to recognize a file as belonging to a certain category of files if the flexible hash value of the said file is stored in the exception database. 2. The method according to claim 1, in which the correction of the false positive of the method used to recognize the file as malicious is a time-consuming operation if one of the conditions is met:

correcting the false positive of such a method requires significant time costs;

correcting the false positive of this method requires a significant amount of data transmitted over the network. 3. A system for reducing the number of false positives, which contains: a) a malware detection tool for recognizing a file belonging to a certain category of files; the malware detection tool excludes the file from the analysis performed to recognize the file as belonging to a certain category of files if the value of the flexible hash of the file is stored in the exception database; at the same time, a method with generalizing ability is used to recognize a file as belonging to a certain category of files; b) an evaluation tool designed to detect a false positive of the malware detection tool when a file is classified as a file category by analyzing the file; c) a false positive correction tool designed to calculate a flexible hash of a file, recognizing it as belonging to a certain category of files is a false positive, and also to add a calculated flexible hash to the exception database; the values of the flexible hashes of two similar files are the same. 4. The system according to claim 3, in which the correction of the false positive of the method used to recognize the file as malicious is a time-consuming operation if one of the conditions is met:

correcting the false positive of such a method requires significant time costs;

correcting the false positive of this method requires a significant amount of data transmitted over the network.

Images