Remote-Assisted Malware Detection

US 20130019306A1
Filed: 07/12/2011
Published: 01/17/2013
Est. Priority Date: 07/12/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malware on a mobile device, the method comprising:

detecting a page fault caused by a memory page on a guest domain of the mobile device;

recording the page fault in a page table on a host domain of the mobile device;

applying a rule to the page fault, the rule identifying one or more matching pages;

retrieving the one or more matching pages from the guest domain; and

transmitting the one or more matching pages along with the memory page to a remote server for analysis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed.

148 Citations

20 Claims

1. A method for detecting malware on a mobile device, the method comprising:
- detecting a page fault caused by a memory page on a guest domain of the mobile device;
  
  recording the page fault in a page table on a host domain of the mobile device;
  
  applying a rule to the page fault, the rule identifying one or more matching pages;
  
  retrieving the one or more matching pages from the guest domain; and
  
  transmitting the one or more matching pages along with the memory page to a remote server for analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the rule is a feedback rule, the method further comprising:
    - receiving the feedback rule from the remote server; and
      
      storing the feedback rule in a rule database on the host memory.
  - 3. The method of claim 2, further comprising halting the process in response to the feedback rule.
  - 4. The method of claim 1, wherein the rule is a pre-programmed rule.
  - 5. The method of claim 4, further comprising:
    - determining that the one or more matching pages includes a private datum; and
      
      removing the private datum from the one or more matching pages.
  - 6. The method of claim 1, wherein detecting the page fault further comprises detecting one of a modification of the memory page by a process and an execution of a process including the memory page.
  - 7. The method of claim 6, wherein recording the page fault further comprises:
    - tagging the page fault with a tag; and
      
      transmitting the tag along with the memory page to the remote server.
  - 8. The method of claim 7, wherein the tag includes one or more of a process ID, a process state, a category, and a page address.
  - 9. The method of claim 1, wherein the host domain is a hypervisor;
    - and wherein the guest domain is a virtual machine residing on the hypervisor.
  - 10. The method of claim 9, wherein the host domain includes a trusted virtual machine on the hypervisor, the trusted virtual machine including logic for transmitting the matching pages to the server.
  - 11. The method of claim 1, wherein the host domain is a kernel, and wherein the guest domain is a user space process residing on the kernel.
  - 12. The method of claim 1, further comprising determining a trusted remote server from a plurality of remote servers.
  - 13. The method of claim 12, wherein the trusted remote server is one of a personal server, a network-operated server, a third-party server, a cloud server, and a kiosk.
  - 14. The method of claim 1, further comprising:
    - determining that a network connection is unavailable to transmit the memory pages; and
      
      starting a local malware scan.
  - 15. The method of claim 1, further comprising adjusting one or more of a frequency of transmittal of the memory pages and a batch size of the page faults within the page table.

16. A mobile device, comprising:
- a processor;
  
  a memory in communication with the processor;
  
  a guest domain on the memory, the guest domain including at least a process and a memory page associated with the process; and
  
  a host domain on the memory, the host domain having a logic unit including instructions for;
  
  detecting a page fault caused by a memory page on the guest domain;
  
  recording the page fault in a page table on the host domain;
  
  applying a rule to the page fault, the rule identifying one or more matching pages;
  
  retrieving the one or more matching pages from the guest domain; and
  
  transmitting the one or more matching pages along with the memory page to a remote server for analysis.
- View Dependent Claims (17, 18)
- - 17. The mobile device, of claim 16, further comprising a transceiver for transmitting the memory pages to the remote server across a network.
  - 18. The mobile device of claim 17, wherein the host domain is a hypervisor;
    - and wherein the guest domain is a virtual machine residing on the hypervisor, the mobile device further comprising a trusted virtual machine on the hypervisor, the trusted virtual machine being enabled with a driver to operate the transceiver.

19. A system for detecting malware on a mobile device, the system comprising:
- a server in communication with a mobile device, the mobile device having a processor and a memory, the memory including a guest domain and a host domain, the guest domain including a process and a memory page associated with the process, the host domain having a logic unit including instructions for;
  
  detecting a page fault caused by a memory page on the guest domain;
  
  recording the page fault in a page table on the host domain;
  
  applying a rule to the page fault, the rule identifying one or more matching pages;
  
  retrieving the one or more matching pages from the guest domain; and
  
  transmitting the one or more matching pages along with the memory page to the server; and
  
  analysis logic on the remote server for;
  
  determining security properties of the received memory pages, generating a feedback rule, andtransmitting the feedback rule to the host domain on the mobile device.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the feedback rule includes one or more of a request for additional matching pages and an instruction to halt the process associated with the memory page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Lagar-Cavilla, Horacio Andres, Varshavsky, Alexander

Granted Patent

US 8,584,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Remote-Assisted Malware Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

148 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote-Assisted Malware Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links