THREAT LEVEL ASSESSMENT OF APPLICATIONS

US 20120317645A1
Filed: 06/13/2011
Published: 12/13/2012
Est. Priority Date: 06/13/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to handle installation and assess a threat level of a new application, the method comprising:

identifying an application being installed on a computing device;

performing static analysis on the identified application;

determining a threat level to assign to the application based on the static analysis and detected behavior of the application;

displaying the determined threat level to a user through a user interface; and

upon determining that installation of the application is safe, installing the application on the computing device,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application safety system is described herein that provides a scoring system of how dangerous an application is based on behavioral inspection of the application. Upon detecting installation of an application or first execution of the application, the application safety system performs static analysis before the new application is executed by the operating system. The system allows the user to approve running the application after displaying information about what the application does. Next, the system performs dynamic analysis as the application runs and alerts the user to any potentially harmful behavior. Over time, the system determines when the application may be acting in a manner that is out of character and informs the user. The system also allows users to restrict behavior that a particular application can perform.

73 Citations

View as Search Results

20 Claims

1. A computer-implemented method to handle installation and assess a threat level of a new application, the method comprising:
- identifying an application being installed on a computing device;
  
  performing static analysis on the identified application;
  
  determining a threat level to assign to the application based on the static analysis and detected behavior of the application;
  
  displaying the determined threat level to a user through a user interface; and
  
  upon determining that installation of the application is safe, installing the application on the computing device,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein identifying the application comprises receiving a notification from an operating system running on the computing device that the application is being installed.
  - 3. The method of claim 1 wherein identifying the application comprises determining metadata describing the application including a source of the application.
  - 4. The method of claim 1 wherein performing static analysis comprises accessing one or more application binary modules and determining what actions are performed by the binary code stored in each module.
  - 5. The method of claim 1 wherein performing static analysis comprises identifying actions that are potentially harmful to the computing device or a user.
  - 6. The method of claim 1 wherein determining the threat level comprises determining a numerical or visual score indicating whether the application performs suspicious activity.
  - 7. The method of claim 1 wherein determining the threat level comprises determining one or more categories of behavior performed by the application, as detected during static analysis.
  - 8. The method of claim 1 wherein displaying the determined threat level comprises taking automatic action to allow or deny the application installation and displaying the action taken to the user.
  - 9. The method of claim 1 wherein displaying the determined threat level comprises requesting that the user indicate whether to continue installing the application.
  - 10. The method of claim 1 wherein determining that installation of the application is safe comprises receiving, after displaying the threat level to the user, the user'"'"'s response to an inquiry requesting the user'"'"'s approval to install the application.
  - 11. The method of claim 1 further comprising, upon determining that installation of the application is not safe, denying installation of the application on the computing device.
  - 12. The method of claim 1 wherein installing the application comprises installing the application to a dedicated location for further analysis upon executing the application.
  - 13. The method of claim 1 further comprising storing the results of static analysis for use during subsequent analysis of the application'"'"'s behavior.

14. A computer system for threat level assessment of applications, the system comprising:
- a processor and memory configured to execute software instructions embodied within the following components;
  
  an application identification component that identifies an application to analyze and for which to generate a threat assessment;
  
  a static analysis component that statically analyzes an application binary or other application code to determine how the application interacts with external resources;
  
  a dynamic analysis component that dynamically analyzes a running application to gather additional information related to the application'"'"'s behavior that is difficult to determine with static analysis;
  
  a threat assessment component that determines a threat assessment level to associate with the application based on static and/or dynamic analysis performed on the application;
  
  a baseline behavior component that determines a baseline behavior of the application that indicates a summary of actions that the application has taken in the past;
  
  an application behavior data store that stores information describing normal application behavior;
  
  an application-monitoring component that monitors the application each time the application is run to identify behavior that differs from the determined baseline behavior; and
  
  a user interface component that provides an interface for displaying the threat level to the user and receiving input from the user.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14 wherein the application identification component compares the application with a list of previously analyzed applications to determine what type of analysis to perform on the application.
  - 16. The system of claim 14 wherein the static and dynamic analysis components provide information to the threat assessment component for reporting one or more detected issues to the user.
  - 17. The system of claim 14 wherein the dynamic analysis component enforces one or more restrictions placed on the application by the user.
  - 18. The system of claim 14 wherein the application behavior data store is shared among multiple users and provides aggregated data describing how the application behaves normally from which to detect behavior that would be out of the ordinary for the application.

19. A computer-readable storage medium comprising instructions for controlling a computer system to monitor a running application and identify any harmful behavior, wherein the instructions, upon execution, cause a processor to perform actions comprising:
- identifying an application being executed on a computing device;
  
  performing dynamic analysis on the identified application, wherein dynamic analysis accesses one or more application binary modules loaded in memory and determines what actions are performed by the binary code stored in the module;
  
  determining a threat level to assign to the application based on the dynamic analysis and detected behavior of the application;
  
  determining whether the threat level has changed from a previously determined threat level;
  
  upon determining that the threat level has changed, displaying the determined threat level to the user through a user interface; and
  
  receiving an indication from the user of whether to continue running the application.
- View Dependent Claims (20)
- - 20. The medium of claim 19 further comprising, during dynamic analysis, accessing prior static analysis results and incorporating the results into the dynamic analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fortier, Dominique

Granted Patent

US 9,158,919 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

G06F 21/566 Dynamic detection, i.e. det...

THREAT LEVEL ASSESSMENT OF APPLICATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT LEVEL ASSESSMENT OF APPLICATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links