Remote-Assisted Malware Detection
First Claim
1. A method for detecting malware on a mobile device, the method comprising:
detecting a page fault caused by a memory page on a guest domain of the mobile device;
recording the page fault in a page table on a host domain of the mobile device;
applying a rule to the page fault, the rule identifying one or more matching pages;
retrieving the one or more matching pages from the guest domain; and
transmitting the one or more matching pages along with the memory page to a remote server for analysis.
1 Assignment
0 Petitions
Abstract
Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across the network. The remote server analyzes the pages and returns feedback to the mobile device. Based on that feedback, the mobile device either halts a process or retrieves and transmits additional memory pages to the remote server for further analysis. This exchange repeats until a compromised region of memory is identified and/or isolated so that repair can be performed. Offloading analysis to the remote server reduces the processing and storage burden on the mobile device, giving more reliable detection with fewer on-device resources. Embodiments using hypervisors and virtual machines are disclosed.
148 Citations
20 Claims
1. A method for detecting malware on a mobile device, the method comprising:
detecting a page fault caused by a memory page on a guest domain of the mobile device;
recording the page fault in a page table on a host domain of the mobile device;
applying a rule to the page fault, the rule identifying one or more matching pages;
retrieving the one or more matching pages from the guest domain; and
transmitting the one or more matching pages along with the memory page to a remote server for analysis.
Dependent claims: 2-15.

16. A mobile device, comprising:
a processor;
a memory in communication with the processor;
a guest domain on the memory, the guest domain including at least a process and a memory page associated with the process; and
a host domain on the memory, the host domain having a logic unit including instructions for:
detecting a page fault caused by a memory page on the guest domain;
recording the page fault in a page table on the host domain;
applying a rule to the page fault, the rule identifying one or more matching pages;
retrieving the one or more matching pages from the guest domain; and
transmitting the one or more matching pages along with the memory page to a remote server for analysis.
Dependent claims: 17-18.

19. A system for detecting malware on a mobile device, the system comprising:
a server in communication with a mobile device, the mobile device having a processor and a memory, the memory including a guest domain and a host domain, the guest domain including a process and a memory page associated with the process, the host domain having a logic unit including instructions for:
detecting a page fault caused by a memory page on the guest domain;
recording the page fault in a page table on the host domain;
applying a rule to the page fault, the rule identifying one or more matching pages;
retrieving the one or more matching pages from the guest domain; and
transmitting the one or more matching pages along with the memory page to the server; and
analysis logic on the remote server for:
determining security properties of the received memory pages,
generating a feedback rule, and
transmitting the feedback rule to the host domain on the mobile device.
Dependent claim: 20.
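The host/server exchange that the abstract and claim 19 describe (host domain records a guest page fault, applies rules to pick matching pages, ships them to a server, the server returns a feedback rule that halts the process or requests more pages, repeat until a compromised region is found) as an added Python simulation. This is not code from the patent or from any product; the toy page size, the constructed guest memory image, the two selection rules, the server's hash-blocklist and NOP-sled heuristics, and the halt/fetch/clear feedback vocabulary are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 64  # toy page size; constructed sample values throughout

def make_page(fill: bytes) -> bytes:
    return (fill * (PAGE_SIZE // len(fill) + 1))[:PAGE_SIZE]

# One guest process (pid 7): page number -> contents. Page 3 is a constructed
# NOP sled, page 5 a constructed payload whose hash the server blocklists.
GUEST_MEMORY = {7: {
    1: make_page(b"\x55\x48\x89\xe5"),                 # ordinary code
    2: make_page(b"\x00"),                             # zeroed data page
    3: make_page(b"\x90")[:-4] + b"\xcc\xcc\xcc\xcc",  # NOP sled + int3s
    4: make_page(b"\x48\x31\xc0"),                     # ordinary code
    5: make_page(b"EVIL"),                             # known-bad payload
}}
GUEST_PERMS = {7: {1: {"r", "x"}, 2: {"r", "w"}, 3: {"r", "w", "x"},
                   4: {"r", "x"}, 5: {"r", "w", "x"}}}  # pid -> page -> flags
KNOWN_BAD_HASHES = {hashlib.sha256(GUEST_MEMORY[7][5]).hexdigest()}

@dataclass
class PageFault:
    pid: int
    page: int
    access: str  # "r", "w" or "x": the access that faulted

# Rules the host domain applies to a fault to select "matching" pages (assumed).
def rule_adjacent_pages(fault, perms):
    return {fault.page - 1, fault.page + 1} & set(perms)

def rule_wx_pages_on_exec_fault(fault, perms):
    if fault.access != "x":
        return set()
    return {p for p, flags in perms.items() if {"w", "x"} <= flags}

class HostDomain:
    """Hypervisor-side logic unit: records faults, applies rules, ships pages."""
    def __init__(self, guest_memory, guest_perms, rules):
        self.guest_memory, self.guest_perms, self.rules = guest_memory, guest_perms, rules
        self.fault_table = []  # host-side record of guest faults
        self.halted = set()    # pids stopped on server feedback

    def on_page_fault(self, fault):
        self.fault_table.append((len(self.fault_table), fault.pid, fault.page, fault.access))
        matching = set()
        for rule in self.rules:
            matching |= rule(fault, self.guest_perms[fault.pid])
        matching.discard(fault.page)
        return self.retrieve_pages(fault.pid, [fault.page, *sorted(matching)])

    def retrieve_pages(self, pid, pages):
        # The host sees all guest memory, so a compromised guest cannot hide pages.
        mem = self.guest_memory[pid]
        return {"pid": pid, "pages": {p: mem[p] for p in pages if p in mem}}

    def apply_feedback(self, feedback):
        """Act on the feedback rule; return a follow-up message or None."""
        if feedback["action"] == "halt":
            self.halted.add(feedback["pid"])
        elif feedback["action"] == "fetch":
            return self.retrieve_pages(feedback["pid"], feedback["pages"])
        return None

class AnalysisServer:
    def __init__(self, bad_hashes):
        self.bad_hashes = bad_hashes
        self.seen = {}  # pid -> pages already analysed

    def analyze(self, msg):
        """Determine security properties of the pages and generate a feedback rule."""
        pid, pages = msg["pid"], msg["pages"]
        seen = self.seen.setdefault(pid, set())
        seen.update(pages)
        bad = sorted(p for p, d in pages.items()
                     if hashlib.sha256(d).hexdigest() in self.bad_hashes)
        if bad:
            return {"pid": pid, "action": "halt", "compromised": bad}
        suspicious = [p for p, d in pages.items() if b"\x90" * 16 in d]
        # Inconclusive: ask for not-yet-seen pages within two of each suspect.
        want = {p + d for p in suspicious for d in (-2, -1, 1, 2)} - seen
        if want:
            return {"pid": pid, "action": "fetch", "pages": sorted(want)}
        return {"pid": pid, "action": "clear"}

def run_detection(host, server, fault, max_rounds=4):
    """Repeat the exchange until halt, clear, or the round limit."""
    msg, rounds = host.on_page_fault(fault), 0
    while msg is not None and rounds < max_rounds:
        rounds += 1
        feedback = server.analyze(msg)
        msg = host.apply_feedback(feedback)
        if feedback["action"] in ("halt", "clear"):
            return feedback, rounds
    return {"pid": fault.pid, "action": "inconclusive"}, rounds

def detect(fault):
    """Fresh host and server per run; returns (feedback, rounds, halted pids)."""
    host = HostDomain(GUEST_MEMORY, GUEST_PERMS,
                      [rule_adjacent_pages, rule_wx_pages_on_exec_fault])
    feedback, rounds = run_detection(host, AnalysisServer(KNOWN_BAD_HASHES), fault)
    return feedback, rounds, sorted(host.halted)

if __name__ == "__main__":
    for f in (PageFault(7, 3, "w"), PageFault(7, 3, "x"), PageFault(7, 1, "r")):
        print(f, "->", detect(f))
```

A write fault on the NOP-sled page sends pages 2-4 first; the server finds nothing on its blocklist, sees the sled, and asks for the unseen neighbours, and the second round surfaces the blocklisted page 5 and halts the process. An execute fault on the same page reaches page 5 in one round because the writable-and-executable rule pulls it into the first transmission. The simulation passes plain dicts between the two sides; a real deployment must authenticate and encrypt that channel, since the pages carry arbitrary process memory and a forged "halt" is a denial of service while a forged "clear" is a detection bypass.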
Specification