
Minimizing False Positives – Bitdefender TechZone

Abstract

Minimize false positives and enhance cybersecurity with Bitdefender. Discover how our effective tools and techniques optimize threat detection without disrupting your business.

Detection rate is not the only figure that matters; the false positive rate plays an equally important role. False positives are dangerous for organizations because they distract security teams from genuine threats, lead to alert fatigue, delay response, and create compliance risks. There are four primary reasons why effective tooling to minimize false positives is essential.

Firstly, false positives can be resource-intensive, requiring significant time and effort to investigate and remediate. By reducing false positives, cybersecurity teams can optimize their resources and concentrate on investigating legitimate security threats. 

Secondly, a high number of false positives can lead to alert fatigue, where cybersecurity teams become desensitized to alerts and may miss actual security threats. Minimizing false positives reduces the number of alerts received, making it simpler to prioritize and investigate authentic threats. 

Thirdly, minimizing false positives can improve the response time to genuine security threats. With fewer false positives to investigate, cybersecurity teams can promptly identify and respond to genuine threats, reducing the time required to mitigate the impact of a security incident. 

Finally, if false positives prevent users from carrying out their routine tasks or disrupt the operation of servers, they cost money and time, and the affected infrastructure may need to be restored.

How Bitdefender Mitigates False Positives

Minimizing false positives through effective tooling is critical, and at Bitdefender we give it high priority. Our products have both detection and blocking capabilities. Detection means identifying suspicious activity and informing the administrator of the reasons for the detection, without taking any automatic action. Blocking means identifying a threat and acting on it, either by blocking it or by applying remediation, depending on the mechanism that detected it. In the blocking case a false positive directly affects the business, so avoiding errors there is crucial. Because each detection technology fails in its own way, we have implemented different mitigation techniques for each. Let us walk through some of the mechanisms implemented in Bitdefender GravityZone.

Malware Protection

Our malware protection operates at the endpoint level, blocking and deleting suspicious or malicious files. To make sure we do not act against legitimate files, we have implemented several mitigation techniques. We will not describe all of them, but we will highlight the most important ones.

First, our cloud service holds a massive database of billions of verified software files. The software comes from our internal research and from partnerships with business associates, which lets us unpack each application and catalog every file within it. During each scan, the endpoint computes a hash of any detected file and checks it against the cloud service to determine whether we have seen that file before. If the hash is present, we reply that the file is known clean.

A second technique is an anomaly detection mechanism that measures our own response. If a particular application or file is not in our database, we count how many verification requests we receive for it within a defined time interval. An unusual increase in verifications for one file may indicate a false positive, so the file is forwarded to Bitdefender Labs for analysis. Based on the outcome, we update the database and tell the endpoints which action to take: while the analysis is pending, no clean-up action is taken on the file, and if it is confirmed malicious it is blocked automatically. Because the anomaly triggers after just a few hundred detections, we can address a false positive quickly, before it has a significant impact on the customer.

Verifying a file's digital signature is also crucial to remediating false positives. We check whether the file is signed by a trusted CA and whether the certificate has been revoked, rejected, or stolen. However, a signature from a trusted certificate does not by itself mean we trust the file: signing certificates do get stolen, so we run several further verification mechanisms in the background to make sure we still detect suspicious behavior.

Finally, if a false positive is detected, customers can submit the files to Bitdefender Labs for verification. After verification, we can create an additional exclusion for the specific file or application.
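Putting the three mechanisms above together (hash lookup against known-clean files, a spike detector on verification requests for unknown files, and a signature check that earns review rather than trust), here is an added illustrative implementation in Python. It is not Bitdefender's code: the allowlist, the trust store, the 300-lookups-per-hour spike threshold and the `block-no-clean` state (block execution but suspend deletion until an analyst decides) are constructed assumptions for the example.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for the cloud database of verified software: SHA-256
# digests of file contents already known to be clean.
KNOWN_CLEAN = {hashlib.sha256(b"constructed clean installer bytes").hexdigest()}

# Hypothetical trust store for the signature check: issuers accepted as trusted
# CAs, and certificate serial numbers that have been revoked.
TRUSTED_ISSUERS = {"Example Code Signing CA"}
REVOKED_SERIALS = {"1f3a"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def signature_trusted(sig):
    """True only if the (constructed) signature record names a trusted issuer and
    the certificate has not been revoked. A real check would parse Authenticode."""
    return bool(sig) and sig["issuer"] in TRUSTED_ISSUERS and sig["serial"] not in REVOKED_SERIALS


class VerdictService:
    """Cloud-side decision for a file that an endpoint's local engine has flagged."""

    def __init__(self, spike_threshold=300, window_seconds=3600):
        self.spike_threshold = spike_threshold   # lookups in the window that count as a spike
        self.window = window_seconds
        self.lookups = defaultdict(deque)        # digest -> timestamps of recent lookups
        self.lab_queue = []                      # digests waiting for analyst review
        self.lab_verdicts = {}                   # digest -> "clean" | "malicious"

    def _spiking(self, digest, now):
        q = self.lookups[digest]
        q.append(now)
        while q[0] < now - self.window:          # drop lookups outside the window
            q.popleft()
        return len(q) >= self.spike_threshold

    def verdict(self, data, now, sig=None):
        """Returns "allow", "block" or "block-no-clean" (block, but suspend deletion)."""
        digest = sha256_hex(data)
        if digest in KNOWN_CLEAN:
            return "allow"                       # seen and verified before: no action
        if digest in self.lab_verdicts:
            return "allow" if self.lab_verdicts[digest] == "clean" else "block"
        # Unknown file. A burst of detections of one unknown file across endpoints
        # looks like a false positive on widely deployed software; so does a valid
        # signature from a trusted CA (assumption here: it earns review, not trust).
        if self._spiking(digest, now) or signature_trusted(sig):
            if digest not in self.lab_queue:
                self.lab_queue.append(digest)
            return "block-no-clean"
        return "block"

    def lab_decision(self, digest, outcome):
        """Analyst verdict: update the database so endpoints get a final answer."""
        self.lab_verdicts[digest] = outcome
        if digest in self.lab_queue:
            self.lab_queue.remove(digest)


if __name__ == "__main__":
    svc = VerdictService(spike_threshold=300)
    sample = b"constructed unknown binary"
    outcomes = [svc.verdict(sample, now=float(t)) for t in range(300)]
    print(outcomes[0], outcomes[-1])             # block block-no-clean
    svc.lab_decision(sha256_hex(sample), "clean")
    print(svc.verdict(sample, now=301.0))        # allow
```

The 300th lookup within the hour flips the unknown file from plain blocking to the held state, which is what keeps a misfiring signature from deleting a legitimate binary fleet-wide before an analyst has looked at it; a revoked signing certificate, by contrast, buys the file nothing.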

Network Protection

Network Protection has two main components. The first verifies the status of a URL (malicious, spam, or phishing) and of the domain hosting it. If a web service is hosted on a trusted domain, we do not block that domain by default, since doing so would generate false positives. We can still detect a single malicious URL on it, and depending on whether the domain is dedicated to the threat or merely hosting it, we block either the whole domain or only that URL. When a web page has been cleaned after an injection, we automatically recheck and rescan the URL so that we do not keep blocking a legitimate website. The second component detects network activity such as file transfers, port scanning, injection, brute-force attacks, and more. Here, whether an alert is a false positive depends on interpretation: during a penetration test every detection could be called a false positive, but it is not one, because administrators need to be aware of any such activity happening in their network.

Our detection capabilities not only detect but also generate events. These events are correlated at the XDR level to give deeper visibility into suspicious activity. Looking at an XDR incident, we can adjust detection parameters to the specific behavior observed; this is another of the techniques we use to reduce false positives.

Process Monitor

Process-monitoring technologies such as Advanced Threat Control (ATC) and Anti-Exploit are important in threat detection and mitigation. To address false positives, they use remediation steps similar to those of malware protection. Whenever a process is flagged, the first step is to query the cloud database to determine whether the process's image has been seen before. This is crucial for identifying false positives, as it lets the system compare the process against known-good files and determine whether it is safe or malicious. Anomaly detection also plays a crucial role in false positive mitigation, helping the system distinguish normal from abnormal activity and avoid false alarms.

Minimizing business impact is one of our top goals, so we take great care when modeling new heuristic detections for newly encountered threats. Before releasing any engine with new heuristic algorithms, we subject it to rigorous testing in our controlled test environment. This phase is critical to ensuring the engine functions properly and effectively identifies potential threats. After testing, we release the engine to production in a special "beta mode": the engine runs in monitoring-only mode, generating telemetry but taking no action. This lets us observe its performance and identify issues such as false positives. All feedback collected during beta mode is analyzed thoroughly, and any necessary adjustments are made to the engine. Once those adjustments have been made and verified, the heuristic engine is moved from beta mode to blocking. This approach ensures our heuristic algorithms are effective at identifying threats while minimizing false positives.

Additionally, we continuously monitor our telemetry and use it to create exception signatures that fine-tune our heuristics for the specific processes on which they trigger. This can mean lowering the heuristic score, disabling the heuristic altogether, or other adjustments. For instance, through a simple signature update we can disable a specific heuristic for a specific process. This lets us adapt our heuristics to the needs and characteristics of our customers' environments, providing the best possible protection while minimizing the risk of false positives.
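As an added illustration of the beta-mode rollout and the per-process exception signatures described in the two paragraphs above (example code, not GravityZone's own): a small process monitor in which a heuristic in beta mode only records telemetry, and an exception signature scales or disables one heuristic's score for one process image. The heuristic names, their scores, the 100-point block threshold and the process names are constructed for the example.

```python
from dataclasses import dataclass

BLOCK_THRESHOLD = 100   # hypothetical cumulative score at which the monitor acts


@dataclass
class Heuristic:
    name: str
    score: int            # weight added when the heuristic fires
    mode: str = "beta"    # "beta": telemetry only; "blocking": contributes to the verdict


@dataclass
class ExceptionSignature:
    """Constructed shape of a signature update that tunes one heuristic for one process."""
    heuristic: str
    process: str          # process image name the exception applies to
    factor: float         # 0.0 disables the heuristic; 0.5 halves its score; etc.


class ProcessMonitor:
    def __init__(self, heuristics, exceptions=()):
        self.heuristics = {h.name: h for h in heuristics}
        self.exceptions = {(e.heuristic, e.process): e.factor for e in exceptions}
        self.telemetry = []   # (process, heuristic, mode, effective score)

    def evaluate(self, process, fired):
        """`fired` lists the heuristics triggered by the process's observed behaviour."""
        score = 0.0
        for name in fired:
            h = self.heuristics[name]
            effective = h.score * self.exceptions.get((name, process), 1.0)
            self.telemetry.append((process, name, h.mode, effective))
            if h.mode == "blocking":          # beta heuristics only report
                score += effective
        return "block" if score >= BLOCK_THRESHOLD else "allow"

    def beta_firings(self, name):
        """Processes a beta heuristic fired on: what gets reviewed before promotion."""
        return sorted({p for p, n, mode, _ in self.telemetry if n == name and mode == "beta"})

    def promote(self, name):
        self.heuristics[name].mode = "blocking"

    def add_exception(self, sig):
        self.exceptions[(sig.heuristic, sig.process)] = sig.factor


def build_monitor():
    return ProcessMonitor([
        Heuristic("remote_thread_into_lsass", 100, mode="blocking"),
        Heuristic("mass_file_rewrite", 60, mode="blocking"),
        Heuristic("autorun_key_write", 50, mode="beta"),   # new heuristic, under observation
    ])


if __name__ == "__main__":
    mon = build_monitor()
    # A backup tool rewrites many files and registers a startup entry: looks like a dropper.
    print(mon.evaluate("backup_agent.exe", ["mass_file_rewrite", "autorun_key_write"]))  # allow
    print(mon.evaluate("dropper.exe", ["mass_file_rewrite", "autorun_key_write"]))       # allow
    print(mon.beta_firings("autorun_key_write"))   # ['backup_agent.exe', 'dropper.exe']
    # Telemetry shows the beta heuristic also fires on the backup agent: ship an
    # exception for that process, then promote the heuristic to blocking.
    mon.add_exception(ExceptionSignature("autorun_key_write", "backup_agent.exe", 0.0))
    mon.promote("autorun_key_write")
    print(mon.evaluate("backup_agent.exe", ["mass_file_rewrite", "autorun_key_write"]))  # allow
    print(mon.evaluate("dropper.exe", ["mass_file_rewrite", "autorun_key_write"]))       # block
```

Had `autorun_key_write` shipped directly in blocking mode, the backup agent would have been blocked on every host it runs on; the telemetry gathered while it was in beta is what reveals the collision and lets the exception signature be written before enforcement starts.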

Machine Learning

For every type of machine learning algorithm we use, we apply different kinds of false positive verification. First, we designed special algorithms dedicated to false positive reduction; their main task is to control how we train our machine learning models. Some of the concepts we use are documented in the following publications:

  • Optimized Zero False Positives Perceptron Training for Malware Detection - Dragos Gavrilut, Razvan Benchea, Cristina Vatamanu

  • Methods for Training Neural Networks with Zero False Positives for Malware Detection - Dan-Georgian Marculet, Razvan Benchea, Dragos Gavrilut

  • Feature Creation Using Genetic Algorithms for Zero False Positive Malware Classification - Razvan Benchea, Dragos Gavrilut, Henri Luchian

Another approach to detecting malware is hybridization: integrating different algorithms to detect both malware samples and clean files from the same data source. Specialized algorithms first identify malware; clean-file detection algorithms are then applied to the selected samples to identify clean files and patterns. The benefit of the hybrid approach is improved accuracy, because it leverages the strengths of different algorithms. It also provides a safeguard against false positives: the specialized clean-file algorithms can recognize legitimate files that were wrongly classified as malicious and prevent them from being blocked.

Other methods rely on voting. A set of different algorithms is trained, each to identify a specific family of threats, and they collaborate to reach a collective decision. The output of each algorithm counts as a vote, and the collective decision is based on the number of votes received. Before the final decision, a threshold is applied so that false positives are minimized: if the number of votes exceeds the threshold, the system reports a threat; if it falls below, the system treats the detection as a likely false positive. Voting improves overall accuracy because the algorithms complement each other, each identifying distinct features of a threat, and the threshold reduces the number of false alarms that could disrupt normal operations.
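The hybrid and voting approaches described above, as an added example (constructed, not Bitdefender's models): four per-family detectors each cast a vote, a threshold decides when the votes count as a threat, and a clean-file model can override the vote for samples that look like legitimate software. The feature names, the detector rules and the five labelled samples are invented for the example; `evaluate` shows how the threshold and the clean-file override trade true positives against false positives.

```python
# Constructed feature records summarising what static/dynamic analysis might
# report about a sample. The label is used only to score the threshold choice.
SAMPLES = [
    {"name": "vendor_installer.exe", "label": "clean", "entropy": 7.6, "imports": 4,
     "writes_exe": True, "spawns_process": True, "autorun_key": True,
     "opens_remote_process": False, "writes_remote_memory": False,
     "signed_trusted": True, "prevalence": 250000},
    {"name": "admin_script_host.exe", "label": "clean", "entropy": 5.1, "imports": 80,
     "writes_exe": False, "spawns_process": True, "autorun_key": False,
     "opens_remote_process": True, "writes_remote_memory": False,
     "signed_trusted": True, "prevalence": 40000},
    {"name": "inhouse_deploy_tool.exe", "label": "clean", "entropy": 6.0, "imports": 40,
     "writes_exe": True, "spawns_process": True, "autorun_key": False,
     "opens_remote_process": False, "writes_remote_memory": False,
     "signed_trusted": False, "prevalence": 15},
    {"name": "dropper.bin", "label": "malicious", "entropy": 7.8, "imports": 3,
     "writes_exe": True, "spawns_process": True, "autorun_key": True,
     "opens_remote_process": False, "writes_remote_memory": False,
     "signed_trusted": False, "prevalence": 12},
    {"name": "injector.bin", "label": "malicious", "entropy": 6.2, "imports": 30,
     "writes_exe": False, "spawns_process": False, "autorun_key": True,
     "opens_remote_process": True, "writes_remote_memory": True,
     "signed_trusted": False, "prevalence": 3},
]

# One detector per threat family. Each is a hand-written stand-in for a trained
# model and contributes exactly one vote when it fires.
FAMILY_DETECTORS = {
    "packer":      lambda f: f["entropy"] > 7.2 and f["imports"] < 10,
    "dropper":     lambda f: f["writes_exe"] and f["spawns_process"],
    "injector":    lambda f: f["opens_remote_process"] and f["writes_remote_memory"],
    "persistence": lambda f: f["autorun_key"] and (f["writes_exe"] or f["writes_remote_memory"]),
}


def looks_legitimate(f):
    """Clean-file model for the hybrid step: patterns typical of legitimate software."""
    return f["signed_trusted"] and f["prevalence"] >= 10000 and not f["writes_remote_memory"]


def classify(f, threshold=2, hybrid=True):
    """Returns (verdict, votes). Votes below the threshold are treated as a likely
    false positive; above it, the clean-file model may still override."""
    votes = [name for name, detect in FAMILY_DETECTORS.items() if detect(f)]
    if len(votes) < threshold:
        return "clean", votes
    if hybrid and looks_legitimate(f):
        return "clean", votes          # family models agreed, clean-file model overrides
    return "malicious", votes


def evaluate(samples, threshold, hybrid=True):
    """(true positives, false positives) over labelled samples for one configuration."""
    tp = fp = 0
    for f in samples:
        verdict, _ = classify(f, threshold, hybrid)
        if verdict == "malicious":
            if f["label"] == "malicious":
                tp += 1
            else:
                fp += 1
    return tp, fp


if __name__ == "__main__":
    for f in SAMPLES:
        print(f["name"], classify(f))
    for threshold in (1, 2, 3):
        print("threshold", threshold, "hybrid:", evaluate(SAMPLES, threshold),
              "votes only:", evaluate(SAMPLES, threshold, hybrid=False))
```

On this constructed set, threshold 1 catches both malicious samples but also flags the unsigned in-house tool; threshold 2 keeps both detections and drops that false positive; threshold 3 loses the injector. The packed, signed vendor installer collects three family votes at every threshold and is rescued only by the clean-file override, which is the case the hybrid step exists for.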

Conclusion

One of the top priorities for any security solution is to accurately detect and block threats. Equally important is minimizing false positive detections. At Bitdefender we take this seriously and give it high priority. To achieve it, we have implemented a range of techniques and mechanisms, some of which are described in the sections above; they are not the only ones our technologies use.

Our main goal is to provide effective security solutions that strike the right balance between accurate threat detection and false positive minimization. By leveraging the latest technologies and implementing rigorous testing and verification processes, we are committed to delivering the highest level of protection for our customers.

Recommended Content

Even with the best protection in place and a low false positive rate, remember to safeguard the protection solution itself with tamper protection. If attackers bypass or deactivate the protection solution, the entire system is left exposed. By proactively securing the protection solution, organizations ensure their threat detection remains effective and resilient against attack, preventing costly data breaches and other security incidents while preserving the integrity and effectiveness of the protection solution itself.

To learn more about the technology behind the GravityZone platform, we recommend reading the next article Anti-Tampering and Detection Evasion.