Customized network traffic models to detect application anomalies
Abstract
Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
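An added sketch, not code from the patent or its assignee, of one way the three-way correlation in the abstract could be realized: a separate traffic baseline per (application category, device state) pair, so the same volume is normal in one context and anomalous in another. The category and state names, the KB-per-minute feature, the z-score threshold and the response labels are all assumptions; the page does not specify them.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline samples: (app category, device state, KB sent per minute).
# All names and values are illustrative assumptions, not taken from the patent.
BASELINE = [
    ("video_streaming", "screen_on", 880), ("video_streaming", "screen_on", 920),
    ("video_streaming", "screen_on", 900), ("video_streaming", "screen_on", 860),
    ("video_streaming", "screen_off", 5), ("video_streaming", "screen_off", 8),
    ("video_streaming", "screen_off", 6), ("video_streaming", "screen_off", 9),
    ("utility", "screen_on", 4), ("utility", "screen_on", 6),
    ("utility", "screen_on", 5), ("utility", "screen_on", 3),
    ("utility", "screen_off", 1), ("utility", "screen_off", 2),
    ("utility", "screen_off", 1), ("utility", "screen_off", 2),
]

def build_models(samples):
    """One traffic model (mean, std dev) per (category, device state) pair."""
    grouped = defaultdict(list)
    for category, state, kb in samples:
        grouped[(category, state)].append(kb)
    return {key: (mean(vals), pstdev(vals)) for key, vals in grouped.items()}

def assess(models, category, state, kb_per_min, z_limit=3.0, min_std=1.0):
    """Return 'normal', 'anomalous' or 'no_model' for one observation."""
    model = models.get((category, state))
    if model is None:
        return "no_model"  # unseen pairing: do not guess a verdict
    mu, sigma = model
    # Floor the deviation so a very tight baseline cannot divide by zero.
    z = abs(kb_per_min - mu) / max(sigma, min_std)
    return "anomalous" if z > z_limit else "normal"

def respond(verdict):
    """Hypothetical response policy standing in for the claimed 'action'."""
    policy = {"anomalous": "restrict_network", "no_model": "collect_baseline"}
    return policy.get(verdict, "allow")

MODELS = build_models(BASELINE)

if __name__ == "__main__":
    # The same 850 KB/min is judged against a different model in each context.
    for cat, state in [("video_streaming", "screen_on"), ("utility", "screen_off")]:
        verdict = assess(MODELS, cat, state, 850)
        print(cat, state, verdict, respond(verdict))
```
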
24 Claims
1. A method of identifying anomalous application behavior of a computing device, comprising:

- detecting, by a processor of the computing device, network communication activity of an application on the computing device;
- identifying, by the processor, one or more device states of the computing device;
- identifying, by the processor, one or more categories of the application by:
  - analyzing one or more screenshots of a display generated by the application on the computing device; and
  - analyzing inputs received at a user interface of the computing device related to the application; and
  - correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
- determining, by the processor, whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application; and
- taking, by the processor, an action to modify the application behavior if it is determined that the application is behaving anomalously.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method of determining a category of an application on a computing device, comprising:

- obtaining, by a processor of the computing device, one or more screenshots of a display generated by the application on the computing device;
- generating, by the processor, a feature vector characterizing the obtained one or more screenshots of the display generated by the application on the computing device, wherein generating the feature vector comprises:
  - analyzing inputs received at a user interface of the computing device related to the application; and
  - correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
- determining, by the processor, whether the application is behaving anomalously by applying, by the processor, a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector; and
- taking, by the processor, an action to modify the application behavior if it is determined that the application is behaving anomalously.

Dependent claims: 10, 11, 12

13. A computing device, comprising:

- an antenna; and
- a processor coupled to the antenna and configured with processor-executable instructions to:
  - detect network communication activity, communicated via the antenna, of an application on the computing device;
  - identify one or more device states of the computing device;
  - identify one or more categories of the application by:
    - analyzing one or more screenshots of a display generated by the application on the computing device;
    - analyzing inputs received at a user interface of the computing device related to the application; and
    - correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  - determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application; and
  - take an action to modify the application behavior if it is determined that the application is behaving anomalously.

Dependent claims: 14, 15, 16, 17, 18, 19, 20

21. A computing device, comprising:

- a display; and
- a processor coupled to the display and configured with processor-executable instructions to:
  - obtain one or more screenshots of the display generated by an application on the computing device;
  - generate a feature vector characterizing the obtained one or more screenshots of the display generated by the application on the computing device, wherein generating the feature vector by:
    - analyzing inputs received at a user interface of the computing device related to the application; and
    - correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  - determine whether the application is behaving anomalously by applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector; and
  - take an action to modify the application behavior if it is determined that the application is behaving anomalously.

Dependent claims: 22, 23, 24

Specification