System and method for managing malware protection on mobile devices

US 20070240220A1
Filed: 04/06/2007
Published: 10/11/2007
Est. Priority Date: 04/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of developing a feature data store that describes one or more applications and is adapted for use in the detection of malware in a target application on a limited access platform, said method comprising:

creating one or more feature sets, each feature set comprising a plurality of feature elements for a select application of the one or more applications, each said feature element defining a non-executable portion of said select application;

characterizing each feature set for a respective select application as either malware-infected or malware-free; and

defining a rule for said one or more feature sets, said rule adapted to determine a match to one or more of said feature sets, such that when said rule is applied to a feature set of the target application, said match indicates whether said feature set of the target application matches at least one of said feature sets and said match further indicates whether said target application is malware-infected or malware-free.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malware on a limited access mobile platform in a mobile network. The system and method uses one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compares a application on the limited access mobile platform to the features sets. A match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.

Citations

30 Claims

1. A method of developing a feature data store that describes one or more applications and is adapted for use in the detection of malware in a target application on a limited access platform, said method comprising:
- creating one or more feature sets, each feature set comprising a plurality of feature elements for a select application of the one or more applications, each said feature element defining a non-executable portion of said select application;
  
  characterizing each feature set for a respective select application as either malware-infected or malware-free; and
  
  defining a rule for said one or more feature sets, said rule adapted to determine a match to one or more of said feature sets, such that when said rule is applied to a feature set of the target application, said match indicates whether said feature set of the target application matches at least one of said feature sets and said match further indicates whether said target application is malware-infected or malware-free.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said defining defines a rule for each feature set of said one or more feature sets, each said rule adapted to determine a match to one of said each feature set.
  - 3. The method of claim 1, wherein each of said feature elements is selected from a group consisting of:
    - an application name, an application size, an application vendor, an application version, an application description, a uniform resource locator of a source of an application, a secure one-way hash of a binary representation of the application, and a cyclic redundancy check of a binary representation of an application.
  - 4. The method of claim 3, wherein said secure one-way hash is an SHA-1 hash.
  - 5. The method of claim 1, wherein said rule contains a wildcard.
  - 6. The method of claim 1, wherein said rule comprises one or more weights, each said weight assigned to a feature element of said features sets.
  - 7. The method of claim 1, further comprising providing said feature data store to the limited access platform using a device independent secure management protocol.
  - 8. The method of claim 1, wherein said the limited access platform is a mobile device having an operating system restricting functionality of said target application.
  - 9. The method of claim 1, wherein said rule is selected from the group consisting of:
    - a rule for a feature set having said plurality of feature elements, and a rule for a feature set having a subset of said plurality of feature elements.
  - 10. The method of claim 1, further comprising:
    - extracting a feature set from a non-executable portion of a target application on a limited access platform; and
      
      applying said rule to said feature set of the target application to determine whether said target application is malware-infected or malware-free.

11. A method of detecting malware in a target application on a limited access platform, said method comprising:
- selecting a feature data store that describes one or more applications, said feature data store having;
  
  one or more feature sets, each feature set having a plurality of feature elements for a select application of said one or more applications, each said feature element defining a non-executable portion of said select application, and each feature set characterizing said select application as either malware-infected or malware-free, anda rule for said one or more feature sets, said rule adapted to determine a match to at least one of said feature sets;
  
  extracting a feature set from a non-executable portion of the target application; and
  
  applying said rule to said feature set of the target application to determine whether said target application is malware-infected or malware-free.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein said feature data store has a rule for each feature set of said one or more feature sets, each said rule adapted to determine a match to one of said each feature set.
  - 13. The method of claim 11, further comprising prompting a user to perform an action relating to said target application.
  - 14. The method of claim 11, further comprising reporting said target application to an operational support system if said target application is malware-infected.
  - 15. The method of claim 11, further comprising receiving said feature data store using a device independent secure management protocol.
  - 16. The method of claim 11, wherein said the limited access platform is a mobile device having an operating system restricting functionality of said target application.
  - 17. The method of claim 11, wherein said rule is selected from the group consisting of:
    - a rule for a feature set having said plurality of feature elements, and a rule for a feature set having a subset of said plurality of feature elements.

18. A limited access platform for detecting malware, said limited access platform comprising:
- a feature data store for describing one or more applications, said feature data store comprising;
  
  one or more feature sets, each feature set comprising a plurality of feature elements for a select application of said one or more applications, each said feature element defining a non-executable portion of said select application, andeach feature set characterizing said select application as either malware-infected or malware-free, anda rule for said one or more feature sets, said rule adapted to determine a match to at least one of said feature sets;
  
  a means for applying said rule to a feature set of a target application on the limited access platform to determine a match comparison of said target application against said feature data store; and
  
  a means for determining whether said target application is malware-infected or malware-free by the application of said rule.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The limited access platform of claim 18, wherein said feature data store has a rule for each feature set of said one or more feature sets, each said rule adapted to determine a match to one of said each feature set, such that when said rule is applied to a feature set of the target application, said match indicates whether said feature set of the target application matches one of said each feature set and said match further indicates whether said target application contains malware.
  - 20. The method of claim 18, wherein the limited access platform receives said feature data store using a device independent secure management protocol.
  - 21. The limited access platform of claim 18, wherein the limited access platform is a mobile device having an operating system restricting functionality of said target application.
  - 22. The limited access platform of claim 18, wherein each of said feature elements is selected of from a group consisting of:
    - an application name, an application size, an application vendor, an application version, an application description, a uniform resource locator of a source of an application, a secure one-way hash of a binary representation of the application, and a cyclic redundancy check of a binary representation of an application.
  - 23. The limited access platform of claim 22, wherein said secure one-way hash is an SHA-1 hash.
  - 24. The limited access platform of claim 18, wherein said rule contains a wildcard.
  - 25. The limited access platform of claim 18, wherein said rule comprises one or more weights, each said weight assigned to a feature element of said feature sets.
  - 26. The limited access platform of claim 18, further comprising a means for receiving said feature data store on the limited access platform from an operational support system.
  - 27. The limited access platform of claim 18, further comprising a means for reporting said target application to an operational support system if said target application is malware-infected.
  - 28. The limited access platform of claim 18, further comprising a means for preventing said target application from executing on the limited access platform if said means for determining determines said target application is malware-infected.
  - 29. The limited access platform of claim 28, wherein said means for preventing is a prompt to a user to perform an action regarding to said target application.
  - 30. The limited access platform of claim 18, wherein said match comparison is equal to or greater than 90%.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tuvell, George, Lee, Charles

Granted Patent

US 9,064,115 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 16/245   Query processing

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

System and method for managing malware protection on mobile devices

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing malware protection on mobile devices

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links