THREAT LEVEL ASSESSMENT OF APPLICATIONS
Abstract
An application safety system is described herein that provides a scoring system of how dangerous an application is based on behavioral inspection of the application. Upon detecting installation of an application or first execution of the application, the application safety system performs static analysis before the new application is executed by the operating system. The system allows the user to approve running the application after displaying information about what the application does. Next, the system performs dynamic analysis as the application runs and alerts the user to any potentially harmful behavior. Over time, the system determines when the application may be acting in a manner that is out of character and informs the user. The system also allows users to restrict behavior that a particular application can perform.
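The flow the abstract describes (a threat level from static analysis, then per-run monitoring against a baseline, with alerts on out-of-character behavior and on level changes), shown as an added Python example that is not part of the patent text. The behavior names, weights, level thresholds and the AppProfile class are assumptions; the page defines no scoring scheme.

```python
from dataclasses import dataclass, field

# Assumed behavior names and weights; the page defines no scoring scheme.
WEIGHTS = {"file_read": 1, "file_write": 2, "network_connect": 3,
           "autostart_modify": 4, "process_inject": 6}
LEVELS = ((8, "high"), (4, "medium"), (0, "low"))  # assumed score floors


def threat_level(behaviors):
    """Map a set of behaviors to a coarse level via summed weights."""
    score = sum(WEIGHTS.get(b, 2) for b in behaviors)  # unknown behavior: 2
    return next(name for floor, name in LEVELS if score >= floor)


@dataclass
class AppProfile:
    static_findings: set                         # from pre-execution static analysis
    baseline: set = field(default_factory=set)   # behaviors seen in earlier runs
    blocked: set = field(default_factory=set)    # behaviors the user restricted
    level: str = ""

    def __post_init__(self):
        self.level = threat_level(self.static_findings)

    def observe_run(self, events):
        """Process one run's dynamic events and return the user alerts."""
        seen = set(events)
        alerts = [f"blocked: {b}" for b in sorted(seen & self.blocked)]
        allowed = seen - self.blocked
        # Out of character: not predicted statically and never seen before.
        novel = allowed - self.baseline - self.static_findings
        alerts += [f"out of character: {b}" for b in sorted(novel)]
        new_level = threat_level(self.static_findings | self.baseline | allowed)
        if new_level != self.level:
            alerts.append(f"threat level changed: {self.level} -> {new_level}")
            self.level = new_level
        self.baseline |= allowed
        return alerts


if __name__ == "__main__":
    # Constructed sample runs, not data from the page.
    app = AppProfile(static_findings={"file_read", "network_connect"})
    print(app.level)
    print(app.observe_run(["file_read", "network_connect"]))
    print(app.observe_run(["file_read", "autostart_modify"]))
    app.blocked.add("process_inject")
    print(app.observe_run(["process_inject", "file_read"]))
```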
20 Claims
1. A computer-implemented method to handle installation and assess a threat level of a new application, the method comprising:
identifying an application being installed on a computing device;
performing static analysis on the identified application;
determining a threat level to assign to the application based on the static analysis and detected behavior of the application;
displaying the determined threat level to a user through a user interface; and
upon determining that installation of the application is safe, installing the application on the computing device,
wherein the preceding steps are performed by at least one processor.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A computer system for threat level assessment of applications, the system comprising:
a processor and memory configured to execute software instructions embodied within the following components;
an application identification component that identifies an application to analyze and for which to generate a threat assessment;
a static analysis component that statically analyzes an application binary or other application code to determine how the application interacts with external resources;
a dynamic analysis component that dynamically analyzes a running application to gather additional information related to the application's behavior that is difficult to determine with static analysis;
a threat assessment component that determines a threat assessment level to associate with the application based on static and/or dynamic analysis performed on the application;
a baseline behavior component that determines a baseline behavior of the application that indicates a summary of actions that the application has taken in the past;
an application behavior data store that stores information describing normal application behavior;
an application-monitoring component that monitors the application each time the application is run to identify behavior that differs from the determined baseline behavior; and
a user interface component that provides an interface for displaying the threat level to the user and receiving input from the user.
Dependent claims: 15, 16, 17, 18

19. A computer-readable storage medium comprising instructions for controlling a computer system to monitor a running application and identify any harmful behavior, wherein the instructions, upon execution, cause a processor to perform actions comprising:
identifying an application being executed on a computing device;
performing dynamic analysis on the identified application, wherein dynamic analysis accesses one or more application binary modules loaded in memory and determines what actions are performed by the binary code stored in the module;
determining a threat level to assign to the application based on the dynamic analysis and detected behavior of the application;
determining whether the threat level has changed from a previously determined threat level;
upon determining that the threat level has changed, displaying the determined threat level to the user through a user interface; and
receiving an indication from the user of whether to continue running the application.
Dependent claims: 20