Mobile application risk analysis

US 10,715,542 B1
Filed: 06/30/2016
Issued: 07/14/2020
Est. Priority Date: 08/14/2015
Status: Active Grant

First Claim

Patent Images

1. An electronic device comprising:

one or more processors;

a non-transitory computer-readable storage medium communicatively coupled to the one or more processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more processors, performs operations comprising;

receiving, via a first electrical signal, application data from an agent installed on a network device, wherein the application data includes usage information of one or more applications installed on the network device and configuration information of the network device.querying, via a second electrical signal, for a risk level of each of the one or more applications of the network device listed in the application data,responsive to a risk level of a first application of the one or more applications being unknown, (i) determining whether the first application includes a first embedded web browser, (ii) instructing virtual processing to be performed on an executable of the first application in a virtual machine that includes emulation of functionality of the first embedded web browser included in the first application, and (iii) determining the risk level of the first application based at least in part on the virtual processing, anddetermining a threat level for the network device based on one or more of;

(i) the risk level of at least the first application, (ii) usage information of the at least the first application, or (iii) configuration information of the network device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic device comprising one or more processors; a storage medium communicatively coupled to the one or more processors, the storage medium having stored thereon logic that, upon execution by the one or more processors, performs operations comprising: (1) receiving, via a first electrical signal, application data from a mobile agent installed on a mobile device, (2) querying, via a second electrical signal, a database for a risk level of each of one or more applications of the mobile device listed in the application data, and (3) determining a threat level for the mobile device based on one or more of: (i) the risk level of at least one of the one or more applications, (ii) usage information of the at least one of the one or more applications, or (iii) configuration information of the mobile device is shown.

743 Citations

51 Claims

1. An electronic device comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium communicatively coupled to the one or more processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more processors, performs operations comprising;
  
  receiving, via a first electrical signal, application data from an agent installed on a network device, wherein the application data includes usage information of one or more applications installed on the network device and configuration information of the network device.querying, via a second electrical signal, for a risk level of each of the one or more applications of the network device listed in the application data,responsive to a risk level of a first application of the one or more applications being unknown, (i) determining whether the first application includes a first embedded web browser, (ii) instructing virtual processing to be performed on an executable of the first application in a virtual machine that includes emulation of functionality of the first embedded web browser included in the first application, and (iii) determining the risk level of the first application based at least in part on the virtual processing, anddetermining a threat level for the network device based on one or more of;
  
  (i) the risk level of at least the first application, (ii) usage information of the at least the first application, or (iii) configuration information of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The electronic device of claim 1, wherein the virtual processing is performed on a first server associated with cloud computing.
  - 3. The electronic device of claim 1, wherein the application data further includes one or more of:
    - (a) a derivative representation for each of the one or more applications, (b) usage information of at least one of the one or more applications, or (c) configuration information of the network device.
  - 4. The electronic device of claim 1, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - instructing a second server to (i) analyze network traffic of the network device by performing virtual processing of the first application in a virtual machine of the second server , the virtual processing including emulation of a second embedded web browser, and (ii) determine a risk level of the network traffic based on results of the virtual processing; and
      
      receiving the risk level of the network traffic from the second server.
  - 5. The electronic device of claim 4, wherein the determination of the threat level for the network device is based on one or more of:
    - (i) a risk level of at least one of the one or more applications, (ii) usage information of at least one of the one or more applications, (iii) configuration information of the network device, or (iv) the risk level of the network traffic.
  - 6. The electronic device of claim 4, wherein the second embedded web browser is different from the first web browser.
  - 7. The electronic device of claim 1, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - generating a first graphical user interface (GUI) that illustrates an overview of the risk level of at least the first application.
  - 8. The electronic device of claim 7, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - generating a second GUI that illustrates an overview of one or more behaviors of one or applications, wherein the one or more behaviors contribute in determining the risk level of at least one of the one or more applications.
  - 9. The electronic device of claim 1, wherein a database including risk levels for each of the one or more applications of the network device listed in the application data, wherein the database is stored on a first server associated with cloud computing.
  - 10. The electronic device of claim 1, wherein the network device is an electronic device having capabilities of:
    - (i) connecting to a network, (ii) downloading at least the first application, and (iii) installing at least the first application.
  - 11. The electronic device of claim 10, wherein the electronic device is housed within a vehicular device that is configured to provide mobile capabilities.
  - 12. The electronic device of claim 1, wherein an unknown risk level indicates a risk level is unspecified in a database.
  - 13. The electronic device of claim 1, wherein the threat level is based on the risk level of the first application.
  - 14. The electronic device of claim 1, wherein the first electrical signal is either a text message or an electrical mail (email) message.

15. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a server, performs operations comprising:
- receiving application data from an agent installed on a network device, wherein the application data includes usage information of a first application and configuration information of the network device;
  
  querying for a risk level of the first application;
  
  responsive to a risk level of the first application being unknown, (i) determining whether the first application includes a first embedded web browser, (ii) instructing virtual processing to be performed on an executable of the first application in a virtual machine that includes emulation of functionality of the first embedded web browser included in the first application, and (iii) determining the risk level of the first application based on least in part on the virtual processing;
  
  and determining a threat level for the network device based on one or more of;
  
  (i) the risk level of at least the first application, (ii) usage information of at least the first application, or (iii) configuration information of the network device.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The storage medium of claim 15, wherein the virtual processing is performed on a second server associated with cloud computing.
  - 17. The storage medium of claim 15, wherein the first application data further includes, one or more of:
    - (a) a derivative representation for each of the one or more applications, (b) usage information of at least one of the one or more applications, or (c) configuration information of the network device.
  - 18. The storage medium of claim 15, wherein the logic, when executed by the one or more processors, performs operations further comprising:
    - instructing a third server to (i) analyze network traffic of the network device by performing virtual processing in a virtual machine of the third server of the first application, the virtual processing including emulation of an embedded web browser, and (ii) determine a risk level of the network traffic based on results of the virtual processing; and
      
      receiving the risk level of the network traffic from the third server.
  - 19. The storage medium of claim 18, wherein the determination of the threat level for the network device is based on one or more of:
    - (i) a risk level of at least one of the one or more applications, (ii) usage information of at least one of the one or more applications, (iii) configuration information of the network device, or (iv) the risk level of the network traffic.
  - 20. The storage medium of claim 18, wherein the second embedded web browser is different from the first web browser.
  - 21. The storage medium of claim 15, wherein the logic, when executed by the one or more processors, performs operations further comprising:
    - generating a first graphical user interface (GUI) that illustrates an overview of the risk level of at least the first application.
  - 22. The storage medium of claim 21, wherein the logic, when executed by the one or more processors, performs operations further comprising:
    - generating a second GUI that illustrates an overview of one or more behaviors of one or more applications, wherein the one or more behaviors contribute in determining the risk level of at least one of the one or more applications.
  - 23. The storage medium of claim 15, wherein the network device is an electronic device having a capability of connecting to a network, downloading and installing the one or more mobile applications.
  - 24. The storage medium of claim 23, wherein the electronic device is housed within a vehicular device that is configured to provide mobile capabilities.
  - 25. The storage medium of claim 15, wherein an unknown risk level indicates a risk level is unspecified in a database.
  - 26. The storage medium of claim 15, wherein the threat level is based on the risk level of the first application.

27. A system for determining a threat level of a network device having a software agent installed thereon configured to track and record usage data of one or more applications installed on the network device, the system comprising:
- a first server communicatively coupled to the software agent, the first server to (i) receive application data from the agent, (ii) query for a risk level of at least the first application, and (iii) determine a threat level for the network device based on one or more of;
  
  (a) a risk level of at least the first application, (b) usage information of at least the first application, or (c) configuration information of the network device;
  
  a second server communicatively coupled to the first server and associated with cloud computing, the second server to receive an instruction from the first server to, responsive to the first server determining the risk level of the first application is unknown, (i) determine whether the first application includes a first embedded web browser, (ii) perform virtual processing of the first application in a virtual machine of the second server to determine the risk level of the first application, wherein the virtual processing includes emulation of functionality of the first embedded web browser included with the first application, and (iii) transmit the risk level of the first application to the first server; and
  
  a third server communicatively coupled to the first server, the third server to receive an instruction from the first server to analyze network traffic of the network device by performing a virtual processing in a virtual machine of the third server of the one or more applications, the virtual processing including emulation of a second embedded web browser, (ii) determine a risk level of the network traffic based on results of the virtual processing, and (iii) transmit the risk level of the network traffic to the first server.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 28. The system of claim 27, wherein the virtual processing performed by the third server includes (i) launching at least the first application in the virtual machine of the third server, (ii) launching an emulator of the second embedded web browser in the virtual machine of the third server, and (iii) analyzing the network traffic passing through the emulator of the second embedded web browser for malicious or anomalous activity.
  - 29. The system of claim 27, wherein the second server also performs a static analysis on the first application and determines the risk level of the first application based on results of the static analysis and results of the virtual processing.
  - 30. The system of claim 27, wherein the determination of the threat level for the network device is based on one or more of:
    - (i) a risk level of at least one of the one or more applications, (ii) usage information of at least the first application, (iii) configuration information of the network device, or (iv) the risk level of the network traffic.
  - 31. The system of claim 27, wherein the first generates a first graphical user interface (GUI) that illustrates an overview of the risk level of at least the first application.
  - 32. The system of claim 27, wherein the network device is an electronic device having a capability of connecting to a network, downloading and installing the one or more mobile applications.
  - 33. The system of claim 27, wherein the electronic device is housed within a vehicular device that is configured to provide mobile capabilities.
  - 34. The system of claim 27, wherein the first server is a cloud-based server and the second server is deployed within a network.
  - 35. The system of claim 27, wherein an unknown risk level indicates a risk level is unspecified in a database.
  - 36. The system of claim 27, wherein the threat level is based on the risk level of the first application.
  - 37. The system of claim 27, wherein the second embedded web browser is different from the first web browser.

38. A computerized method comprising:
- receiving, via a first electrical signal, application data from an agent installed on a network device, wherein the application data includes usage information of one or more applications installed on the network device and configuration information of the network device,querying, via a second electrical signal, for a risk level of each of the one or more applications of the network device listed in the application data,responsive to a risk level of a first application of the one or more applications being unknown, (i) determining whether the first application includes a first embedded web browser, (ii) instructing virtual processing to be performed on an executable of the first application in a virtual machine that includes emulation of functionality of the first embedded web browser included in the first application, and (iii) determining the risk level of the first application based at least in part on the virtual processing, anddetermining a threat level for the network device based on one or more of;
  
  (i) the risk level of at least the first application, (ii) usage information of the at least the first application, or (iii) configuration information of the network device.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 39. The computerized method of claim 38, wherein the virtual processing is performed on a first server associated with cloud computing.
  - 40. The computerized method of claim 38, wherein the application data further includes one or more of:
    - (a) a derivative representation for each of the one or more applications, (b) usage information of at least one of the one or more applications, or (c) configuration information of the network device.
  - 41. The computerized method of claim 38, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - instructing a second server to (i) analyze network traffic of the network device by performing virtual processing of the first application in a virtual machine of the second server, the virtual processing including emulation of a second embedded web browser, and (ii) determine a risk level of the network traffic based on results of the virtual processing; and
      
      receiving the risk level of the network traffic from the second server.
  - 42. The computerized method of claim 41, wherein the determination of the threat level for the network device is based on one or more of:
    - (i) a risk level of at least one of the one or more applications, (ii) usage information of at least one of the one or more applications, (iii) configuration information of the network device, or (iv) the risk level of the network traffic.
  - 43. The computerized method of claim 41, wherein the second embedded web browser is different from the first embedded web browser.
  - 44. The computerized method of claim 38, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - generating a first graphical user interface (GUI) that illustrates an overview of the risk level of at least the first application.
  - 45. The computerized method of claim 44, wherein the execution of the logic by the one or more processors performs operations further comprising:
    - generating a second GUI that illustrates an overview of one or more behaviors of one or applications, wherein the one or more behaviors contribute in determining the risk level of at least one of the one or more applications.
  - 46. The computerized method of claim 38, wherein a database including risk levels for each of the one or more applications of the network device listed in the application data, wherein the database is stored on a first server associated with cloud computing.
  - 47. The computerized method of claim 38, wherein the network device is an electronic device having capabilities of:
    - (i) connecting to a network, (ii) downloading at least the first application, and (iii) installing at least the first application.
  - 48. The computerized method of claim 47, wherein the electronic device is housed within a vehicular device that is configured to provide mobile capabilities.
  - 49. The computerized method of claim 38, wherein an unknown risk level indicates a risk level is unspecified in a database.
  - 50. The computerized method of claim 38, wherein the threat level is based on the risk level of the first application.
  - 51. The computerized method of claim 38, wherein the first electrical signal is either a text message or an electrical mail (email) message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Wei, Wen, Zhang, Yulong
Primary Examiner(s)
Callahan, Paul E

Application Number

US15/199,900
Time in Patent Office

1,475 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 16/958   Organisation or management ...

G06F 3/0482   Interaction with lists of s...

G06F 3/0483   Interaction with page-struc...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04W 12/121   Wireless intrusion detectio...

Mobile application risk analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

743 Citations

51 Claims

Specification

Use Cases

Quick Links

Others

Mobile application risk analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

743 Citations

51 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others