Particle.news

Kaspersky Deploys ML Model in SIEM to Detect DLL Hijacking on Windows

It analyzes library‑load behavior, cross‑checking verdicts in KSN to reduce false positives.

Overview

  • The model is live in the latest Kaspersky Unified Monitoring and Analysis Platform (KUMA, Kaspersky's SIEM), so detection happens inside the SIEM event pipeline rather than on the endpoint.
  • It can run in a correlation mode for faster alerting or process broader event collections for retrospective threat hunting.
  • Detection relies on metadata around the load rather than on the library's code: non‑standard paths, file renames, size or structure changes, digital signature integrity, and which process performed the load.
  • Training used internal analysis data and anonymized Kaspersky Security Network telemetry with labels from Kaspersky’s file‑reputation databases.
  • Kaspersky says early inaccuracies were addressed through iterative refinement, reports high accuracy today, and expects further gains as telemetry and KSN signals grow, with no independent validation cited.
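The overview lists the kinds of metadata the model weighs but not how they are turned into a verdict. The block below is an added illustration, not Kaspersky's code or model: it is a hand-written, rule-based scorer over Sysmon Event ID 7 (Image loaded) records that extracts the same five signals (non-standard path, rename, signature integrity, size deviation, calling process) and flags loads that accumulate enough of them. The sample events, the `KNOWN_SYSTEM_DLLS` baseline with its directories and sizes, the `FileSize` field (Sysmon does not emit one; assume an enrichment step adds it), and the weights and threshold are all constructed for the example.

```python
"""Rule-based DLL-hijacking features over Sysmon Event ID 7 records.

Added example, not Kaspersky's model: the ML verdict shipped in KUMA is not public,
so this scores the metadata the article lists with hand-picked weights instead.
Every baseline value, weight and sample event below is constructed.
"""
import ntpath  # Windows path semantics even when run on a non-Windows host

# Constructed baseline: where some commonly hijacked system DLLs normally live and
# how large they are on a reference image. Sizes are placeholders, not real values.
KNOWN_SYSTEM_DLLS = {
    "version.dll":   {"dir": "C:\\Windows\\System32", "size": 40960},
    "dbghelp.dll":   {"dir": "C:\\Windows\\System32", "size": 1998848},
    "cryptbase.dll": {"dir": "C:\\Windows\\System32", "size": 45056},
    "wtsapi32.dll":  {"dir": "C:\\Windows\\System32", "size": 65536},
}

# Locations an unprivileged user can write to; a loader living here is a weak signal.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed weights and threshold; a real deployment would learn these.
WEIGHTS = {
    "nonstandard_path": 3.0,
    "renamed": 2.0,
    "bad_signature": 2.0,
    "loaded_from_process_dir": 2.0,
    "loader_user_writable": 1.0,
    "size_outlier": 1.5,
}
THRESHOLD = 4.0


def extract_features(ev):
    """Map one Event ID 7 record (dict of Sysmon fields) to boolean features."""
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    baseline = KNOWN_SYSTEM_DLLS.get(dll)
    f = {}
    # Non-standard path: a DLL carrying a well-known system name loaded from elsewhere.
    f["nonstandard_path"] = baseline is not None and dll_dir != baseline["dir"].lower()
    # Rename: the PE header's OriginalFileName no longer matches the on-disk name.
    orig = ev.get("OriginalFileName", "").lower()
    f["renamed"] = orig not in ("", "-", "?") and orig != dll
    # Signature integrity: unsigned, or a signature Sysmon could not verify.
    f["bad_signature"] = (ev.get("Signed", "false").lower() != "true"
                          or ev.get("SignatureStatus", "") != "Valid")
    # Calling process: a system-named DLL sitting in the loader's own directory is the
    # classic search-order / side-loading layout.
    f["loaded_from_process_dir"] = baseline is not None and dll_dir == proc_dir
    f["loader_user_writable"] = proc_dir.startswith(USER_WRITABLE_PREFIXES)
    # Size deviation, using the assumed FileSize enrichment field when present.
    f["size_outlier"] = (baseline is not None and "FileSize" in ev
                         and abs(ev["FileSize"] - baseline["size"]) > 0.1 * baseline["size"])
    return f


def score(ev):
    """Return (weighted score, feature dict) for one record."""
    f = extract_features(ev)
    return float(sum(WEIGHTS[k] for k, v in f.items() if v)), f


def hunt(events, threshold=THRESHOLD):
    """Retrospective pass over a batch of records; returns the loads worth an analyst's time."""
    hits = []
    for ev in events:
        s, f = score(ev)
        if s >= threshold:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                         "score": s, "reasons": sorted(k for k, v in f.items() if v)})
    return hits


# Constructed sample records (subset of Sysmon Event ID 7 fields plus assumed FileSize).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "OriginalFileName": "version.dll", "Signed": "true", "SignatureStatus": "Valid",
     "FileSize": 40960},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Updater.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
     "OriginalFileName": "loader.dll", "Signed": "false", "SignatureStatus": "Unavailable",
     "FileSize": 204800},
    {"Image": "C:\\Program Files\\Vendor\\App.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\dbghelp.dll",
     "OriginalFileName": "dbghelp.dll", "Signed": "true", "SignatureStatus": "Valid",
     "FileSize": 1998848},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The third sample is the instructive one: a signed vendor application shipping its own dbghelp.dll next to the executable scores above the threshold on path and calling-process features alone, and such redistributed copies are common. That is exactly the case where the article's KSN reputation cross-check earns its keep, since file reputation, not load metadata, separates a vendor-bundled copy from a planted one.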