10/9/2016

A New Toy in the Avast Research Lab

Ondrej Vlcek
3 December 2012

The Avast Research Lab is where some of Avast’s brightest brains create new ways of detecting malware.

These are both features inside the product (such as FileRep and autosandboxing, including all of its recent development) and components that run on our backend – i.e. things that users don’t necessarily see but that are equally important for the overall quality of the product.

In fact, working on the backend stuff takes up more of their time these days, as more and more intelligence in Avast is moving to the cloud and/or is being delivered in almost real time via the avast! streaming update technology.

The Avast backend classifiers use a number of techniques, but the two hot ones that the team has been working on hard recently are things that we call Malware Similarity Search and Evo-Gen.

Avast Malware Similarity Search

Malware Similarity Search is an important feature that allows us to categorize a large number of incoming samples pretty much instantly. That is, for any file, it is able to say whether the file looks similar to an already seen malware file (or a whole cluster of malware files) as well as whether it’s similar to a known clean file (or a cluster of these). This may sound like an easy problem to solve, but in practice it is actually pretty difficult. Of course, the secret sauce here is how you actually define the metric (to be able to talk about similarity) and what you take into account when representing a file. At Avast we take into account both static properties of the file and the outcome of a dynamic analysis (i.e. basically logs gathered during the execution of the file).

Now, a technology like this is obviously very valuable as it allows us to make fast decisions about files that we have never seen before. For example, if a file is very similar to a cluster of known malware samples, and at the same time it is not similar to any clean files, we categorize it immediately as malware. Believe it or not, we’re seeing thousands of files like this every day.
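
The decision rule described above, as an added example that is not Avast's code: Jaccard similarity over feature sets stands in for Avast's undisclosed metric, and the feature names, the `near`/`far` thresholds and both corpora are constructed for illustration.

```python
# Added illustration: Jaccard over feature sets is an assumed stand-in metric.

def features(static, dynamic):
    """One set per file; tag each feature with its source so the two kinds cannot collide."""
    return {("static", s) for s in static} | {("dynamic", d) for d in dynamic}

def jaccard(a, b):
    """Size of the intersection over size of the union; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def nearest(sample, corpus):
    """Highest similarity between the sample and any known file in one labelled corpus."""
    return max((jaccard(sample, known) for known in corpus), default=0.0)

def verdict(sample, malware, clean, near=0.6, far=0.3):
    """Auto-label only when the sample is close to one corpus AND far from the other."""
    m, c = nearest(sample, malware), nearest(sample, clean)
    if m >= near and c <= far:
        return "malware"
    if c >= near and m <= far:
        return "clean"
    return "unknown"  # novel, or resembles both sides: leave for deeper analysis

# Constructed corpora: static properties plus behaviour logged during execution.
MALWARE = [features({"packer:upx", "imports:WriteProcessMemory", "section:.xyz"},
                    {"writes:run-key", "injects:explorer.exe"})]
CLEAN = [features({"signed", "imports:CreateWindowExW", "section:.rsrc"},
                  {"reads:own-config"})]

def demo():
    variant = features({"packer:upx", "imports:WriteProcessMemory", "section:.abc"},
                       {"writes:run-key", "injects:explorer.exe"})
    update = features({"signed", "imports:CreateWindowExW", "section:.rsrc"},
                      {"reads:own-config", "writes:own-log"})
    # A sample that resembles both corpora must not be auto-labelled.
    mixed = features({"packer:upx", "imports:WriteProcessMemory", "section:.xyz",
                      "signed", "imports:CreateWindowExW"},
                     {"writes:run-key", "injects:explorer.exe", "reads:own-config"})
    return [verdict(s, MALWARE, CLEAN) for s in (variant, update, mixed)]

if __name__ == "__main__":
    print(demo())
```

The third sample scores 0.625 against the malware file but also 0.33 against the clean one, so it falls outside the automatic verdict, which is the "not similar to any clean files" condition in the text.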

https://blog.avast.com/2012/12/03/new-toy-research-lab/

Palo Alto Networks, Inc. - Exhibit 1091
Palo Alto Networks, Inc. v. Finjan, Inc., IPR2016-00159

Avast Evo-Gen

The second technology I mentioned, Evo-Gen, is somewhat similar but a bit subtler in nature. This is about finding descriptions of large sets of malware samples that are as short and generic as possible. Say you take a set of 1,000,000 malware samples (and 1,000,000 clean files) and give the algorithm the following task: find as few, and as brief, descriptions as possible of as many samples in the malware set as possible, without describing any file in the clean set. Evo-Gen is a genetic algorithm that we have developed just for that. It often happens to find some real gems for us – e.g. a description of an apparently random set of tens of thousands of malware files scattered somewhat randomly across our virus sets. And the size of the description? 8 bytes.
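
A toy version of the search task described above, as an added example and not Avast's Evo-Gen: a small genetic algorithm looks for one short byte signature that covers the malware set without matching any clean file. The gene encoding, the 4-to-8-byte length bounds, the fitness ordering and the corpus are all assumptions made for the illustration.

```python
import random

MARKER = bytes.fromhex("9c41e207b35d18f6")  # constructed 8-byte trait shared by the toy family
MIN_LEN, MAX_LEN = 4, 8                      # assumed bounds on signature length, in bytes

def make_corpus(rng, n=24, pad=16):
    """Constructed data: all malware embeds MARKER; odd-numbered clean files embed MARKER[:4]."""
    rand = lambda k: bytes(rng.randrange(256) for _ in range(k))
    malware = [rand(pad) + MARKER + rand(pad) for _ in range(n)]
    clean = [rand(pad) + (MARKER[:4] if i % 2 else rand(4)) + rand(pad) for i in range(n)]
    return malware, clean

def score(sig, malware, clean):
    """Compared as a tuple: no clean hits first, then most malware covered, then shortest."""
    return (-sum(sig in f for f in clean), sum(sig in f for f in malware), -len(sig))

def evolve(malware, clean, rng, pop_size=30, generations=40):
    """Gene = (sample index, offset, length): a byte window cut from a known malware file."""
    def clamp(i, off, n):  # keep the window inside the file and the length inside its bounds
        n = min(max(n, MIN_LEN), MAX_LEN)
        return (i, min(max(off, 0), len(malware[i]) - n), n)
    sig = lambda g: malware[g[0]][g[1]:g[1] + g[2]]
    def rand_gene():
        i = rng.randrange(len(malware))
        return clamp(i, rng.randrange(len(malware[i])), rng.randint(MIN_LEN, MAX_LEN))
    def mutate(g):
        i, off, n = g
        r = rng.random()
        if r < 0.3:
            return rand_gene()                             # jump to a fresh window
        if r < 0.65:
            return clamp(i, off + rng.choice((-1, 1)), n)  # slide by one byte
        return clamp(i, off, n + rng.choice((-1, 1)))      # grow or shrink by one byte
    fitness = lambda g: score(sig(g), malware, clean)
    pop = [rand_gene() for _ in range(pop_size)]
    for _ in range(generations):
        elite = sorted(pop, key=fitness, reverse=True)[:pop_size // 3]  # survivors, unchanged
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.choice(elite), rng.choice(elite)
            children.append(mutate(clamp(a[0], a[1], b[2])))  # crossover: a's position, b's length
        pop = elite + children
    return sig(max(pop, key=fitness))

if __name__ == "__main__":
    rng = random.Random(2012)
    mal, cln = make_corpus(rng)
    print(evolve(mal, cln, rng).hex())
```

Half of the constructed clean files carry the marker's first four bytes, so that prefix covers every malware sample yet is rejected, and the search has to settle on a window that reaches past it.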

Now, if you think about this for a while, you will find out that both of these algorithms have something in common. I mean, for both of them it’s necessary to have super-fast access to our vast sets of clean and malware files. Forget about sequential access (or any kind of processing of the files one by one). Even reading the samples off the disks takes hours.

The Real Breakthrough

For this purpose, the team has developed another great piece of technology that we call MDE. It’s basically an in-memory database that works on top of indexed data and allows heavily parallel access.

Traditionally, we have been running these things on classic server hardware. For the most part, we use standard Dell servers based on Intel Xeon CPUs. However, the performance has never been great and we always thought we should be doing better.

The real breakthrough came when we started experimenting with GPUs. For starters, modern GPUs (both from NVidia and AMD) are not limited to high-end graphics or gaming. The good thing about them is that they can be massively parallelized – while today’s high-end Intel CPUs contain 6, 8 or maybe 10 cores, the high-end gaming GPUs contain thousands of cores. True, each of them is not that powerful, but if you can unleash their potential with some good parallel algorithms, the resulting power is insane.

So, with MDE, we’re now in the process of transitioning to a GPU-based “supercomputing” farm.

It’s not a rackmount server – but a workstation instead. A hell of a workstation, I should say though. With Intel i7 E3820 4C 3.6GHz CPU and 32 GB DDR3 RAM, it’s not a bad start, but what’s really cool about the box is the 4 NVidia GPU-based graphics cards, each with 3 GB of RAM and connected to each other by a hose for external water cooling. The whole beast is powered by a 1,500W power supply but in case it’s not enough, we are ready to add one more.

While we haven’t put these systems in production yet, we will likely do so soon. And I’m truly looking forward to that – as doing so will allow us to serve you, our users, even better. You never know - if this proves to be as useful as we think it will be, we may end up building something like the Titan one day…

(Now, my job in the meantime will be to keep the gamers off the server room :-)).

RejZoR
12/21/2012, 1:48:15 PM

Is any of this already being used for malware processing or is still planned for avast! 8 release and it will be fired up then for all the new goodies that are probably coming with the v8 release?

spywar
12/22/2012, 6:08:52 PM

Hi Vlk,

Atm, if I correctly understand, AV analysts at avast! receive tons of samples every day from Honeypots, and mainly from community IQ, right?

And to classify them really fast, they use these amazing automated analysis systems, so only a few samples need to be manually processed.

But do you plan something in v8 like: any suspicious file that an avast protected pc sees is sent directly to these servers for automated analysis; if it's classified as malware you update DB from cloud, if not manual scan is done. Btw, I'm sure you guys are preparing well new stuff/improvements for v8.

vlk
12/29/2012, 3:14:41 PM

@RejZoR Only in a limited mode. Most of the good stuff will be gradually deployed during Jan/Feb.

@spywar This is, in a way, how it works. But it's not completely real-time (i.e. there's still some delay). That is, if you're the first person in the world who hits a completely new nasty virus (and the heuristics doesn't detect it, as well as the dynamic detection in the autosandbox) you will probably still get infected. But the rest of the 170m+ avast community will benefit from you getting infected.

This is no different from biological viruses, by the way.

More of the good stuff is coming in 2013 - we have a bunch of cool new things that will be rolling out in the first half of the year. Stay tuned!

joe
11/24/2014, 12:26:00 PM

So then why does Avast find Evo-Gen as a 'threat?' ???