Malware detection

US 20100011029A1
Filed: 07/09/2009
Published: 01/14/2010
Est. Priority Date: 07/14/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware in a mobile telecommunications device, the method comprising:

maintaining a database of legitimate applications and their respective expected behaviours;

identifying legitimate applications running on the device;

monitoring the behaviour of the device,comparing this monitored behaviour with that expected according to the database for those legitimate applications identified as running on the device; and

analyzing deviations from the expected behaviour of the device to identify the potential presence of malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to a first aspect of the present invention there is provided a method of detecting malware in a mobile telecommunications device 101. In the method, maintaining a database 109 of legitimate applications and their respective expected behaviours, identifying legitimate applications running on the device 101, monitoring the behaviour of the device 101, comparing this monitored behaviour with that expected according to the database 109 for those legitimate applications identified as running on the device 101, and analyzing deviations from the expected behaviour of the device 101 to identify the potential presence of malware.

Citations

15 Claims

1. A method of detecting malware in a mobile telecommunications device, the method comprising:
- maintaining a database of legitimate applications and their respective expected behaviours;
  
  identifying legitimate applications running on the device;
  
  monitoring the behaviour of the device,comparing this monitored behaviour with that expected according to the database for those legitimate applications identified as running on the device; and
  
  analyzing deviations from the expected behaviour of the device to identify the potential presence of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as claimed in claim 1, wherein the step of maintaining the database of legitimate applications comprises:
    - periodically receiving the identities of new applications and their respective expected behaviours and adding these to the database.
  - 3. A method as claimed in claim 1., wherein the step of maintaining the database of legitimate applications comprises:
    - identifying new applications added to the device;
      
      sending a request for the expected behaviours of the new applications added to the device to a network based service provider;
      
      receiving the expected behaviours requested from the service provider; and
      
      adding the identities of the new applications and their expected behaviours to the database.
  - 4. A method as claimed in claim 1, wherein a monitored behaviour comprises the sending and receiving of data traffic via a network connection.
  - 5. A method as claimed in claim 4, wherein, in the event that said step of analyzing deviations identifies that data traffic is being uploaded to a website when no web browser is running on the device, identifying that behaviour as indicative of the presence of malware.
  - 6. A method as claimed in claim 4, wherein, in the event that said step of analyzing deviations identifies that data traffic is being uploaded to a website when a web browser is running on the device and no data has been downloaded to the device from that website, identifying that behaviour as indicative of the presence of malware.
  - 7. A method as claimed in claim 4, wherein, in the event that said step of analyzing deviations identifies that the contents of the data traffic sent from the device includes details of recent activity of the device, identifying that behaviour as indicative of the presence of malware.
  - 8. A method as claimed in claim 1, wherein a monitored behaviour comprises the sending and receiving of Short Message Service, SMS messages and Multimedia Messaging Service, MMS messages.
  - 9. A method as claimed in claim 8, wherein, in the event that said step of analyzing deviations identifies that SMS or MMS messages are sent immediately after the sending or receipt of SMS or MMS messages, identifying that behaviour as indicative of the presence of malware.
  - 10. A method as claimed in claim 8, wherein, in the event that said step of analyzing deviations identifies that SMS or MMS messages are sent during or immediately after a voice call made to or from the device or during or immediately after the running of an application, identifying that behaviour as indicative of the presence of malware.
  - 11. A method as claimed in claim 8, wherein, in the event that said step of analyzing deviations identifies that the contents of SMS and MMS messages sent from the device matches the contents of SMS and MMS messages previously received by or sent from the device, identifying that behaviour as indicative of the presence of malware.
  - 12. A method as claimed in claim 8, wherein, in the event that said step of analyzing deviations identifies that the contents of SMS and MMS messages sent from the device includes details of recent activity of the device, identifying that behaviour as indicative of the presence of malware.
  - 13. A recording medium storing computer interpretable instructions for causing a programmable computer to perform a method for detecting malware in a mobile telecommunications device, the method being according to claim 1.

14. A mobile telecommunications device comprising:
- a memory for storing a database of legitimate applications and their respective expected behaviours; and
  
  a processor for identifying legitimate applications running on the device, accessing the memory to obtain the expected behaviours of those legitimate applications identified as running on the device, monitoring the behaviour of the device, comparing the expected behaviour with the monitored behaviour, and for analyzing deviations in the monitored behaviour from the expected behaviour to identify the potential presence of malware.

15. A method of maintaining a database of legitimate applications and their respective expected behaviours in a plurality of mobile telecommunications devices, the method comprising:
- identifying at a network based service, new applications for running on the devices;
  
  analyzing these new applications to determine their respective expected behaviours; and
  
  sending the identities of the new applications and their respective expected behaviours to the devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F-Secure Oyj
Original Assignee
F-Secure Oyj
Inventors
Niemelä, Jarno

Granted Patent

US 8,844,038 B2
Time in Patent Office

Days
Field of Search
US Class Current

N/A
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

H04W 24/08   Testing, supervising or mon...

Malware detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links