Customized network traffic models to detect application anomalies

US 10,021,123 B2
Filed: 06/29/2015
Issued: 07/10/2018
Est. Priority Date: 06/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of identifying anomalous application behavior of a computing device, comprising:

detecting, by a processor of the computing device, network communication activity of an application on the computing device;

identifying, by the processor, one or more device states of the computing device;

identifying, by the processor, one or more categories of the application by;

analyzing one or more screenshots of a display generated by the application on the computing device; and

analyzing inputs received at a user interface of the computing device related to the application; and

correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;

determining, by the processor, whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application; and

taking, by the processor, an action to modify the application behavior if it is determined that the application is behaving anomalously.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

22 Citations

View as Search Results

24 Claims

1. A method of identifying anomalous application behavior of a computing device, comprising:
- detecting, by a processor of the computing device, network communication activity of an application on the computing device;
  
  identifying, by the processor, one or more device states of the computing device;
  
  identifying, by the processor, one or more categories of the application by;
  
  analyzing one or more screenshots of a display generated by the application on the computing device; and
  
  analyzing inputs received at a user interface of the computing device related to the application; and
  
  correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  
  determining, by the processor, whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application; and
  
  taking, by the processor, an action to modify the application behavior if it is determined that the application is behaving anomalously.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, and a port traffic mapping related to the network communication activity of the application.
  - 3. The method of claim 1, wherein the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.
  - 4. The method of claim 1, wherein determining whether the application is behaving anomalously based on the correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application comprises:
    - generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;
      
      applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and
      
      determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.
  - 5. The method of claim 1, further comprising taking an action to limit an application behavior in response to determining that the application is behaving anomalously.
  - 6. The method of claim 1, wherein analyzing one or more screenshots of the display generated by the application on the computing device comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.
  - 7. The method of claim 6, wherein analyzing one or more screenshots of the display generated by the application on the computing device comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 8. The method of claim 1, wherein identifying one or more categories of the application comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

9. A method of determining a category of an application on a computing device, comprising:
- obtaining, by a processor of the computing device, one or more screenshots of a display generated by the application on the computing device;
  
  generating, by the processor, a feature vector characterizing the obtained one or more screenshots of the display generated by the application on the computing device, wherein generating the feature vector comprises;
  
  analyzing inputs received at a user interface of the computing device related to the application; and
  
  correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  
  determining, by the processor, whether the application is behaving anomalously by applying, by the processor, a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector; and
  
  taking, by the processor, an action to modify the application behavior if it is determined that the application is behaving anomalously.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein applying the classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.
  - 11. The method of claim 10, wherein applying the classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 12. The method of claim 9, wherein generating a feature vector comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

13. A computing device, comprising:
- an antenna; and
  
  a processor coupled to the antenna and configured with processor-executable instructions to;
  
  detect network communication activity, communicated via the antenna, of an application on the computing device;
  
  identify one or more device states of the computing device;
  
  identify one or more categories of the application by;
  
  analyzing one or more screenshots of a display generated by the application on the computing device;
  
  analyzing inputs received at a user interface of the computing device related to the application; and
  
  correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  
  determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one ormore device states of the computing device, and the identified one or more categories of the application; and
  
  take an action to modify the application behavior if it is determined that the application is behaving anomalously.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computing device of claim 13, wherein the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, or a port traffic mapping related to the network communication activity of the application.
  - 15. The computing device of claim 13, wherein the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.
  - 16. The computing device of claim 13, wherein the processor is further configured with processor-executable instructions to determine whether the application is behaving anomalously based on the correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application by:
    - generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;
      
      applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and
      
      determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.
  - 17. The computing device of claim 13, wherein the processor is further configured with processor-executable instructions to take an action to limit an application behavior in response to determining that the application is behaving anomalously.
  - 18. The computing device of claim 13, wherein the processor is further configured with processor-executable instructions to analyze one or more screenshots of the display generated by the application on the computing device by determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.
  - 19. The computing device of claim 13, wherein the processor is further configured with processor-executable instructions to analyze one or more screenshots of the display generated by the application on the computing device by determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 20. The computing device of claim 13, wherein the processor is configured with processor-executable instructions to identify one or more categories of the application by:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

21. A computing device, comprising:
- a display; and
  
  a processor coupled to the display and configured with processor-executable instructions to;
  
  obtain one or more screenshots of the display generated by an application on the computing device;
  
  generate a feature vector characterizing the obtained one or more screenshots of the display generated by the application on the computing device, wherein generating the feature vector by;
  
  analyzing inputs received at a user interface of the computing device related to the application; and
  
  correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device;
  
  determine whether the application is behaving anomalously by applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector; and
  
  take an action to modify the application behavior if it is determined that the application is behaving anomalously.
- View Dependent Claims (22, 23, 24)
- - 22. The computing device of claim 21, wherein the processor is further configured with processor-executable instructions to apply the classifier model to the feature vector by determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.
  - 23. The computing device of claim 22, wherein the processor is further configured with processor-executable instructions to apply the classifier model to the feature vector by determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 24. The computing device of claim 21, wherein the processor is further configured with processor-executable instructions to generate a feature vector by:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Das, Saumitra Mohan, Mahmoudi, Mona, Sridhara, Vinay, Gupta, Rajarshi, Chen, Yin
Primary Examiner(s)
Poltorak, Peter

Application Number

US14/753,666
Publication Number

US 20160381057A1
Time in Patent Office

1,107 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/0631   using root cause analysis; ...

H04L 43/0817   by checking functioning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Customized network traffic models to detect application anomalies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Customized network traffic models to detect application anomalies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links