DETECTING UNAUTHORIZED USE OF COMPUTING DEVICES BASED ON BEHAVIORAL PATTERNS
Abstract
Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.
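The two phases the abstract describes, generating acceptable behavioral pattern data from monitored system calls and then flagging deviation from it, as an added example that is not part of the patent text. The 3-call sliding window, the 20% mismatch threshold, the designated call set and the `pid syscall` log format are all assumptions; the page names no specific pattern extraction technique.

```python
from collections import defaultdict

# Assumptions (not from the patent text): sliding windows of 3 calls as the
# pattern extraction technique, a 20% mismatch rate as the acceptable range.
DESIGNATED = {"open", "read", "write", "close", "socket", "connect", "sendto"}
WINDOW = 3
THRESHOLD = 0.20

def parse(log):
    """Group designated system calls by process id, preserving call order."""
    per_pid = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] in DESIGNATED:
            per_pid[parts[0]].append(parts[1])
    return per_pid

def windows(calls, n=WINDOW):
    """Overlapping n-call windows; empty if the trace is shorter than n."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def build_profile(log):
    """Acceptable profile: every call window observed during monitored use."""
    profile = set()
    for calls in parse(log).values():
        profile.update(windows(calls))
    return profile

def mismatch_rate(profile, calls):
    """Fraction of current call windows absent from the acceptable profile."""
    w = windows(calls)
    # A trace too short to form a window cannot be judged; report no deviation.
    return sum(x not in profile for x in w) / len(w) if w else 0.0

def detect(profile, log):
    """Return {pid: rate} for processes whose call pattern is out of range."""
    rates = {pid: mismatch_rate(profile, c) for pid, c in parse(log).items()}
    return {pid: r for pid, r in rates.items() if r > THRESHOLD}

def make_log(pid, calls):
    """Build constructed sample log lines, one 'pid syscall' event per line."""
    return "\n".join(f"{pid} {c}" for c in calls.split())

# Constructed traces: monitored normal use, then current use to be checked.
TRAINING_LOG = "\n".join([make_log(100, "open read read write close"),
                          make_log(101, "open read write close")])
CURRENT_LOG = "\n".join([make_log(200, "open read write close"),
                         make_log(201, "open read socket connect sendto close")])

if __name__ == "__main__":
    print(detect(build_profile(TRAINING_LOG), CURRENT_LOG))
```

A set of seen windows cannot distinguish rare-but-legitimate behavior from abuse, so the profile's quality depends on how representative the monitored period was.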
507 Citations
29 Claims
1. A computing system which effectively provides a support system that can support one or more application programs on said computing system, wherein said computing system is adapted for and/or capable of:
- obtaining current pattern usage data indicating the current use of one or more system support provider components of said support system effectively provided by said computing system, wherein each of said system support provider components provides one or more services and/or resources that can be effectively requested and used by one or more application programs operating on said computing system;
- obtaining acceptable behavioral pattern data for said one or more system support provider components of said support system, wherein said acceptable behavioral pattern data effectively defines an acceptable pattern of use for using said one or more system support provider components of said support system; and
- determining, based on said acceptable pattern of use of said one or more system support provider components which is effectively defined by said acceptable behavioral pattern data, whether said current use of said one or more system support provider components is unauthorized.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A mobile computing device, wherein said mobile computing device is adapted for and/or capable of:
- detecting that a first system call has been made to one of a plurality of designated system calls of an operating system when said operating system is operating on said mobile computing device, wherein said operating system includes a plurality of system calls that effectively provide one or more resources and/or services to one or more application programs that can call said plurality of system calls in order to request said one or more resources and/or services from said operating system;
- capturing information regarding said first system call as first system call information when said detecting detects that said first system call has been made;
- detecting that a second system call that has been made to one of said plurality of designated system calls;
- capturing information regarding said second system call as second system call information when said detecting detects that said second system call has been made;
- converting said first and second system call information into system call pattern data representation, wherein said system call pattern data representation is in a form that allows extraction of one or more call patterns for calling said system calls based on one or more pattern extraction techniques;
- extracting one or more call patterns from said system call pattern data representation based on said one or more pattern extraction techniques; and
- storing said one or more call patterns as an acceptable system call profile for calling said first and/or second system calls, thereby allowing detection of unauthorized use of said computing device by detecting a deviation from said acceptable system call pattern for calling said first and/or second system calls.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23
24. A method for generating acceptable behavioral pattern data that can be used to detect unauthorized use of a mobile computing device, said method comprising:
- capturing information regarding said first system call as first system call information when said detecting detects that said first system call has been made;
- detecting that a second system call that has been made to one of said plurality of designated system calls;
- capturing information regarding said second system call as second system call information when said detecting detects that said second system call has been made;
- converting said first and second system call information into system call pattern data representation, wherein said system call pattern data representation is in a form that allows extraction of one or more call patterns for calling said system calls based on one or more pattern extraction techniques;
- extracting one or more call patterns from said system call pattern data representation based on said one or more pattern extraction techniques; and
- storing said one or more call patterns as an acceptable system call profile for calling said first and/or second system calls, thereby allowing detection of unauthorized use of said computing device by detecting a deviation from said acceptable system call pattern for calling said first and/or second system calls.
25. A Method for detecting unauthorized use of a mobile computing device which effectively provides an operating system including a plurality of system calls that effectively provide one or more resources and/or services to one or more application programs that can call said of system calls in order to request said one or more resources and/or services, said method comprising
- detecting that a first system call has been made to one of said plurality of designated system calls;
- obtaining an acceptable system call usage profile when said detecting detects that said third system call has been made, wherein said acceptable usage profile effectively defines an acceptable call pattern for calling a corresponding one of said plurality of system calls which has been called by said first system call;
- obtaining a first current system call pattern indicating a current call pattern used to make said first system call to said corresponding one of said plurality of designated system calls;
- comparing said first current system call pattern to said acceptable system call usage profile;
- (a) determining based on said comparing whether said first current system call pattern is within an acceptable range effectively defined by said acceptable system call usage profile;
- (b) determining that said first system call is an unauthorized system call when said determining (a) determines that said first current system call pattern is not within said acceptable range;
- generate an unauthorized use indication indicating that said third system call is unauthorized when said determining (b) determines that said first system call is an unauthorized system call.
26. A method of determining an acceptable pattern of use for a computing system which effectively provides a support system for supporting one or more application programs, wherein said acceptable pattern of use can be used to detect unauthorized use of said computing system, said method comprising:
- monitoring a plurality of system support provider components of a support system operating on said computing system when said computing system is being used, wherein each of said system support provider components support provide one or more services and/or resources and can be effectively requested and used by one or more application programs operating on said computing system; and
- generating, based on said monitoring a plurality of system support provider components, acceptable usage pattern data which effectively defines an acceptable pattern for using said plurality of system support provider components, thereby allowing detection of unauthorized use of said computing system by detecting a deviation from said acceptable pattern of use for using said plurality of system support provider components.
27. A method for detecting unauthorized use of a computing system which effectively provides a support system for supporting one or more application programs, said method comprising:
- obtaining current pattern usage data indicating the current use of one or more of said plurality of system support provider components of said support system, wherein each of said system support provider components provide one or more services and/or resources that can be effectively requested and used by one or more application programs operating on said computing device;
- obtaining acceptable behavioral pattern data for said one or more system support provider components of said system support, wherein said acceptable behavioral pattern data effectively defines an acceptable pattern for using said one or more system support provider components of said support system; and
- determining, based on said acceptable usage pattern effectively defined by acceptable behavioral pattern data, whether said current use of said one or more system support provider components is unauthorized.
28. A computer readable medium including computer program code for detecting unauthorized use of a computing system which effectively provides a support system for supporting one or more application programs, wherein said computer readable includes:
- computer program code for obtaining current pattern usage data indicating the current use of one or more of said plurality of system support provider components of said support system, wherein each of said system support provider components provide one or more services and/or resources that can be effectively requested and used by one or more application programs operating on said computing device;
- computer program code for obtaining acceptable behavioral pattern data for said one or more system support provider components of said support system, wherein said acceptable behavioral pattern data effectively defines an acceptable pattern for using said one or more system support provider components of said support system; and
- computer program code for determining, based on said acceptable usage pattern effectively defined by acceptable behavioral pattern data, whether said current use of said one or more system support provider components is unauthorized.
29. A computer readable medium including computer program code for determining an acceptable pattern of use for a computing system which effectively provides a support system for supporting one or more application programs, wherein said acceptable pattern of use can be used to detect unauthorized use of said computing system, wherein said computer readable medium includes:
- computer program code for monitoring a plurality of system support provider components of a support system operating on said computing system when said computing system is being used, wherein each of said system support provider components support provide one or more services and/or resources and can be effectively requested and used by one or more application programs operating on said computing system; and
- computer program code for generating, based on said monitoring a plurality of system support provider components, acceptable usage pattern data which effectively defines an acceptable pattern for using said plurality of system support provider components, thereby allowing detection of unauthorized use of said computing system by detecting a deviation from said acceptable pattern of use for using said plurality of system support provider components.
Specification