Architecture for Client-Cloud Behavior Analyzer

US 20130304677A1
Filed: 02/25/2013
Published: 11/14/2013
Est. Priority Date: 05/14/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method of generating data models in a client-cloud communication system, comprising:

applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;

determining which factors in the first family of classifier models have a high probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign;

generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and

generating a mobile device classifier module based on the second family of classifier models.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign. Based on this analysis, a a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors.

103 Citations

View as Search Results

30 Claims

1. A method of generating data models in a client-cloud communication system, comprising:
- applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
  
  determining which factors in the first family of classifier models have a high probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign;
  
  generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and
  
  generating a mobile device classifier module based on the second family of classifier models.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors comprises:
    - generating the first family of classifier models in a deep classifier in a server of a cloud network.
  - 3. The method of claim 1, wherein generating a second family of classifier models comprises:
    - generating the second family of classifier models in a lean classifier in a network server.
  - 4. The method of claim 1, wherein generating a second family of classifier models comprises:
    - generating the second family of classifier models in a lean classifier in the mobile device.
  - 5. The method of claim 1, wherein generating a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign comprises:
    - generating the second family of classifier models by applying the determined factors to the cloud corpus of behavior vectors.

6. A server in a client-cloud communication system, comprising:
- means for applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
  
  means for determining which factors in the first family of classifier models have a high probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign;
  
  means for generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and
  
  means for generating a mobile device classifier module based on the second family of classifier models.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The server of claim 6, wherein means for applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors comprises:
    - means for generating the first family of classifier models in a deep classifier.
  - 8. The server of claim 6, wherein means for generating a second family of classifier models comprises:
    - means for generating the second family of classifier models in a lean classifier.
  - 9. The server of claim 6, wherein means for generating a second family of classifier models and comprises:
    - means for transmitting the first family of classifier models and the determined factors to the mobile device.
  - 10. The server of claim 6, wherein means for generating a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign comprises:
    - means for generating the second family of classifier models by applying the determined factors to the cloud corpus of behavior vectors.

11. A server in a client-cloud communication system, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
  
  determining which factors in the first family of classifier models have a high probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign;
  
  generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and
  
  generating a mobile device classifier module based on the second family of classifier models.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The server of claim 11, wherein the processor is configured with processor-executable instructions such that applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors comprises:
    - generating the first family of classifier models in a deep classifier.
  - 13. The server of claim 11, wherein the processor is configured with processor-executable instructions such that generating a second family of classifier models comprises:
    - generating the second family of classifier models in a lean classifier.
  - 14. The server of claim 11, wherein the processor is configured with processor-executable instructions such that generating a second family of classifier models comprises:
    - transmitting the first family of classifier models and the determined factors to the mobile device.
  - 15. The server of claim 11, wherein the processor is configured with processor-executable instructions such that generating a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign comprises:
    - generating the second family of classifier models by applying the determined factors to the cloud corpus of behavior vectors.

16. A non-transitory computer readable storage medium having stored thereon server-executable software instructions configured to cause a server processor to perform operations for generating data models in a client-cloud communication system, the operations comprising:
- applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
  
  determining which factors in the first family of classifier models have a high probably of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign;
  
  generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign;
  
  generating a mobile device classifier module based on the second family of classifier models.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the stored server-executable software instructions are configured to cause the server processor to perform operations such that applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors comprises:
    - generating the first family of classifier models in a deep classifier in a server of a cloud network.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the stored server-executable software instructions are configured to cause the server processor to perform operations such that generating a second family of classifier models comprises:
    - generating the second family of classifier models in a lean classifier in a network server.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the stored server-executable software instructions are configured to cause the server processor to perform operations such that generating a second family of classifier models comprises:
    - transmitting the first family of classifier models and the determined factors to the mobile device.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein the stored server-executable software instructions are configured to cause the server processor to perform operations such that generating a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign comprises:
    - generating the second family of classifier models by applying the determined factors to the cloud corpus of behavior vectors.

21. A client-cloud communication system, comprising:
- a mobile device comprising a device processor; and
  
  a server comprising a server processor configured with server-executable instructions to perform operations comprising;
  
  applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors;
  
  determining which factors in the first family of classifier models have a high probably of enabling the mobile device to conclusively determine whether a mobile device behavior is malicious or benign; and
  
  transmitting the first family of classifier models and the determined factors to the mobile device,wherein the device processor is configured with processor-executable instructions to perform operations comprising;
  
  generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and
  
  generating a mobile device classifier module based on the second family of classifier models.

22. A method of evaluating a mobile device behavior in stages, comprising:
- monitoring mobile device behaviors to generate observations;
  
  applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious;
  
  monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and
  
  applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.

23. A mobile device, comprising:
- means for monitoring a mobile device behavior to generate observations;
  
  means for applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious;
  
  means for monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and
  
  means for applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.

24. A mobile device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  monitoring a mobile device behavior to generate observations;
  
  applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious;
  
  monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and
  
  applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.

25. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform operations for evaluating a mobile device behavior in stages, the operations comprising:
- monitoring mobile device behaviors to generate observations;
  
  applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious;
  
  monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and
  
  applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.

26. A method, comprising:
- receiving observation information from a plurality of mobile devices;
  
  updating a global model of behavior classification in a server of a cloud network based on the observation information received from the plurality of mobile devices;
  
  performing machine learning operations to generate a first family of classifiers based on the global model;
  
  determining whether there are enough changes to the generated first family of classifiers to warrant generating new models;
  
  determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers;
  
  generating a second family of classifiers based on the best features;
  
  determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models;
  
  generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and
  
  sending the generated additional classifier models to the mobile device processor.

27. A server, comprising:
- means for receiving observation information from a plurality of mobile devices;
  
  means for updating a global model of behavior classification based on the observation information received from the plurality of mobile devices;
  
  means for performing machine learning operations to generate a first family of classifiers based on the global model;
  
  means for determining whether there are enough changes to the generated first family of classifiers to warrant generating new models;
  
  means for determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers;
  
  means for generating a second family of classifiers based on the best features;
  
  means for determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models;
  
  means for generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and
  
  means for sending generated additional classifier models to the mobile device processor.

28. A server, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  receiving observation information from a plurality of mobile devices;
  
  updating a global model of behavior classification based on the observation information received from the plurality of mobile devices;
  
  performing machine learning operations to generate a first family of classifiers based on the global model;
  
  determining whether there are enough changes to the generated first family of classifiers to warrant generating new models;
  
  determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers;
  
  generating a second family of classifiers based on the best features;
  
  determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models;
  
  generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and
  
  sending the generated additional classifier models to the mobile device processor.

29. A non-transitory computer readable storage medium having stored thereon server-executable software instructions configured to cause a server processor to perform operations comprising:
- receiving observation information from a plurality of mobile devices;
  
  updating a global model of behavior classification in a server of a cloud network based on the observation information received from the plurality of mobile devices;
  
  performing machine learning operations to generate a first family of classifiers based on the global model;
  
  determining whether there are enough changes to the generated first family of classifiers to warrant generating new models;
  
  determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers;
  
  generating a second family of classifiers based on the best features;
  
  determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models;
  
  generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and
  
  sending the generated additional classifier models to the mobile device processor.

30. A client-cloud communication system, comprising:
- a mobile device comprising a mobile device processor; and
  
  a server comprising a server processor,wherein the server processor is configured with server-executable instructions to perform operations comprising;
  
  receiving observation information from a plurality of mobile devices;
  
  updating a global model of behavior classification based on the observation information received from the plurality of mobile devices;
  
  performing machine learning operations to generate a first family of classifiers based on the global model;
  
  determining whether there are enough changes to the generated first family of classifiers to warrant generating new models;
  
  determining which features in the generated first family of classifiers are best features for enabling the mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers;
  
  generating a second family of classifiers based on the best features;
  
  determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models;
  
  generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and
  
  sending the generated additional classifier models to the mobile device processor as an initial reduced feature set model, andwherein the mobile device processor is configured with processor-executable instructions to perform operations comprising;
  
  receiving the initial reduced feature set model from the server;
  
  monitoring mobile device behaviors to generate observations;
  
  applying the observations to the initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious;
  
  monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious;
  
  applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign; and
  
  sending the refined observations and a result of applying the refined observations to the server as observation information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gupta, Rajarshi, Gathala, Anil, Wei, Xuetao, Srishara, Vinay

Application Number

US13/776,414
Publication Number

US 20130304677A1
Time in Patent Office

Days
Field of Search
US Class Current

706/12
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06N 20/00   Machine learning

G06N 5/043   Distributed expert systems;...

H04W 12/128   Anti-malware arrangements, ...

H04W 12/37   Managing security policies ...

Architecture for Client-Cloud Behavior Analyzer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Architecture for Client-Cloud Behavior Analyzer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others