In-app behavior-based attack detection
First Claim
1. A method comprising:
- capturing events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
- generating, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
- analyzing, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
- generating, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
- initiating, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
Abstract
Architectures and techniques for in-app behavior detection. A behavior detection agent within an application running on a hardware computing device captures events within the application. The events are inputs received from one or more sources external to the application. The behavior detection agent generates an event stream from the captured events. The behavior detection agent analyzes the event stream for significant feature frequencies and associations corresponding to one or more attack profiles. The behavior detection agent initiates an attack response in response to finding one or more significant feature frequencies and associations. The attack response comprises at least changing an operational configuration of the application.
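An added sketch of the pipeline the abstract describes, not code from the patent or its assignee: events become binary feature vectors, a window of them is scored for feature frequencies and pairwise associations, and a profile match changes the application's configuration. The feature names, thresholds, profile and configuration keys are all assumptions made for illustration, and the claimed rule-ranking step is not modeled.

```python
from collections import Counter
from itertools import combinations

# Hypothetical binary features; the page does not name any.
FEATURES = ("external_input", "admin_route", "auth_failure")

# Hypothetical attack profile: minimum per-feature frequency and minimum
# co-occurrence rate for a feature pair, both as fractions of the window.
PROFILE = {
    "name": "credential-probing (constructed)",
    "min_freq": {"auth_failure": 0.5},
    "min_assoc": {("admin_route", "auth_failure"): 0.4},
}

def to_vector(event):
    """Map a captured event (dict of flags) to a binary feature vector."""
    return tuple(1 if event.get(f) else 0 for f in FEATURES)

def analyze(vectors):
    """Return per-feature frequencies and pairwise co-occurrence rates."""
    n = len(vectors) or 1
    freq, assoc = Counter(), Counter()
    for v in vectors:
        active = sorted(f for f, bit in zip(FEATURES, v) if bit)
        freq.update(active)
        assoc.update(combinations(active, 2))  # pairs in sorted-name order
    return ({f: c / n for f, c in freq.items()},
            {p: c / n for p, c in assoc.items()})

def matches(profile, freq, assoc):
    """True when every frequency and association threshold is met."""
    return (all(freq.get(f, 0) >= t for f, t in profile["min_freq"].items())
            and all(assoc.get(p, 0) >= t for p, t in profile["min_assoc"].items()))

def respond(config, vectors, profile=PROFILE):
    """Attack response: return a changed operational configuration."""
    freq, assoc = analyze(vectors)
    if not matches(profile, freq, assoc):
        return config
    return {**config, "admin_routes_enabled": False, "require_reauth": True}

# Constructed event window: inputs arriving from outside the application.
WINDOW = [
    {"external_input": 1, "admin_route": 1, "auth_failure": 1},
    {"external_input": 1, "admin_route": 1, "auth_failure": 1},
    {"external_input": 1, "auth_failure": 1},
    {"external_input": 1},
]
BASE_CONFIG = {"admin_routes_enabled": True, "require_reauth": False}

if __name__ == "__main__":
    print(respond(BASE_CONFIG, [to_vector(e) for e in WINDOW]))
```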
24 Claims
1. A method comprising:
- capturing events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
- generating, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
- analyzing, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
- generating, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
- initiating, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, are configurable to cause the one or more processors to:
- capture events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
- generate, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
- analyze, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
- generate, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
- initiate, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system comprising one or more processors interconnected with one or more memory devices, wherein the one or more processors are configurable to:
- capture events within an application running on a hardware computing device, wherein one or more of the events have corresponding inputs received from one or more sources external to the application;
- generate, with a behavior detection agent, an event stream from the captured events where each captured event has a corresponding feature vector, wherein the feature vectors are based on binary feature vectors of training data;
- analyze, with the behavior detection agent, the feature vectors of the event stream for feature frequencies and associations corresponding to one or more previously generated attack profiles;
- generate, from the analysis of the feature vectors of the event stream, at least one sub-optimal function having feature detection rules ranked according to satisfiability rates; and
- initiate, with the behavior detection agent, an attack response in response to finding one or more significant feature frequencies and associations based on the at least one sub-optimal function, wherein the attack response comprises at least changing an operational configuration of the application.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
Specification