MONITORING MOBILE APPLICATION ACTIVITIES FOR MALICIOUS TRAFFIC ON A MOBILE DEVICE

US 20130031599A1
Filed: 07/11/2012
Published: 01/31/2013
Est. Priority Date: 07/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring mobile application activities for malicious traffic on a mobile device, the method, comprising:

monitoring application activities of a mobile application on the mobile device;

detecting, from the application activities, suspicious activity;

blocking traffic from which the suspicious activity is detected;

further responsive to detecting that the traffic includes suspicious activity, logging a traffic pattern or sequence of events of the traffic and the mobile application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for monitoring mobile application activities for malicious traffic on a mobile device are disclosed. One embodiment of a method which can be implemented on a system includes, monitoring application activities of a mobile application on the mobile device, detecting, from the application activities, suspicious activity, and/or blocking traffic from which the suspicious activity is detected. One embodiment includes creating a policy based on the information aggregated from the multiple mobile devices and/or broadcasting the policy to other mobile devices of the suspicious activity detected from the multiple mobile devices.

154 Citations

30 Claims

1. A method of monitoring mobile application activities for malicious traffic on a mobile device, the method, comprising:
- monitoring application activities of a mobile application on the mobile device;
  
  detecting, from the application activities, suspicious activity;
  
  blocking traffic from which the suspicious activity is detected;
  
  further responsive to detecting that the traffic includes suspicious activity, logging a traffic pattern or sequence of events of the traffic and the mobile application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, further comprising, requesting verification of whether the traffic that is blocked is valid or not by generating a user dialogue in a user interface to prompt the user.
  - 3. The method of claim 1, further comprising, performing a verification process on the traffic;
    - blacklisting the traffic and the mobile application responsive to determining that the traffic is not valid.
  - 4. The method of claim 3, further comprising, white listing the traffic and the mobile application responsive to determining that the traffic is valid.
  - 5. The method of claim 1, further comprising, performing a verification process on the traffic;
    - responsive to determining that the traffic is not valid, reporting the mobile application or the traffic to a virus protection entity or a security entity.
  - 6. The method of claim 1, further comprising,detecting suspicious activity of mobile applications at multiple mobile devices;
    - aggregating information regarding the suspicious activity detected from multiple mobile device.
  - 7. The method of claim 6, further comprising, creating a policy based on the information aggregated from the multiple mobile devices.
  - 8. The method of claim 7, further comprising, broadcasting the policy to other mobile devices of the suspicious activity detected from the multiple mobile devices.
  - 9. The method of claim 1, wherein, the suspicious activity is detected from request destination of the traffic.
  - 10. The method of claim 1, wherein, the suspicious activity is detected using a security certificate of the traffic.
  - 11. The method of claim 1, wherein, the suspicious activity is detected from traffic which invokes billable activity.
  - 12. The method of claim 1, wherein, the suspicious activity is detected based on a port to or from which the traffic is directed.
  - 13. The method of claim 1, wherein, the suspicious activity is detected upon detection of URL stripping.
  - 14. The method of claim 1, wherein, the suspicious activity is detected when the traffic includes a non-secure request to a known secure site.
  - 15. The method of claim 1, wherein, the monitoring includes:
    - collecting information about a request or information about a response to the request initiated at the mobile device;
      
      using the information collected about the request or the response to identify or to detect malicious traffic.
  - 16. The method of claim 15, wherein, the information collected about the request or response received for the request initiated at the mobile device is further used to determine cacheability of the response;
    - wherein, the information includes request characteristics information associated with the request or response characteristics information associated with the response received for the request.
  - 17. The method of claim 16, wherein, the request characteristics information includes timing characteristics between the request and other requests initiated at the mobile device;
    - wherein, the timing characteristics include one or more of, time of day, frequency of occurrence of the requests, and time interval between the requests.
  - 18. The method of claim 15, wherein, in response to detecting or identifying malicious or potentially malicious traffic, generating a notification;
    - wherein, the notification prompts a user of the mobile device whether the user wishes to allow the malicious or potentially malicious traffic.
  - 19. The method of claim 15, further comprising, in response to detecting or identifying malicious or potentially malicious traffic, generating a notification;
    - wherein, the notification is delivered to an operating system of the mobile device or a network operator servicing the mobile device.
  - 20. The method of claim 15, wherein, the notification is delivered by an operating system of the mobile device;
    - wherein, the operating system is a mobile operating system.
  - 21. The method of claim 18, wherein, the notification is generating by an operating system of the mobile device;
    - wherein, the operating system is a mobile operating system.

22. A system for mobile network malware detection, the system, comprising:
- means for, monitoring application activities of a mobile application on the mobile device;
  
  means for, detecting, from the application activities, suspicious activity;
  
  means for, blocking traffic from which the suspicious activity is detected;
  
  means for, reporting the suspicious activity information to a virus protection entity or a security entity;
  
  means for, logging a traffic pattern or sequence of events of the traffic and the mobile application responsive to determining that the traffic includes the suspicious activity.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The system of claim 22, further comprising, means for, generating policy information for malicious mobile traffic using the suspicious activity information.
  - 24. The system of claim 23, wherein, the policy information includes an identification of the mobile application and firewall rules which prevent the mobile application from executing on the mobile device.
  - 25. The system of claim 23, wherein, the policy information includes an identification of the mobile application and firewall rules which prevent the mobile application from accessing the wireless network.
  - 26. The system of claim 23, wherein, the policy information includes an identification of the mobile application and firewall rules which prevent the mobile application from interacting with a user.
  - 27. The system of claim 23, wherein, the policy information includes an identification of the mobile application and firewall rules which prevent the mobile application from requesting a user for personal information.
  - 28. The system of claim 23, wherein, the policy information includes an identification of the mobile application and rules which automatically uninstalls the application.
  - 29. The system of claim 23, wherein, the policy information includes an identification of the mobile application and rules which automatically blocks future installations of the mobile application.
  - 30. The method of claim 22, further comprising, enabling a third party to define the policy information;
    - wherein, the third party is a mobile operating system, a mobile operator or wireless carrier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seven Networks LLC (SoftBank Group Corp.)
Original Assignee
Seven Networks Inc
Inventors
Luna, Michael, Bott, Ross

Granted Patent

US 8,984,581 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/60   Protecting data

G06F 2221/2135   Metering

G06F 3/0623   in relation to content

G06F 3/0653   Monitoring storage devices ...

G06F 3/0673   Single storage device

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

MONITORING MOBILE APPLICATION ACTIVITIES FOR MALICIOUS TRAFFIC ON A MOBILE DEVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

154 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

MONITORING MOBILE APPLICATION ACTIVITIES FOR MALICIOUS TRAFFIC ON A MOBILE DEVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others