Architecture for Client-Cloud Behavior Analyzer
Abstract
Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probability of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign. Based on this analysis, a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors.
30 Claims
1. A method of generating data models in a client-cloud communication system, comprising:
applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors; determining which factors in the first family of classifier models have a high probability of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign; generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and generating a mobile device classifier module based on the second family of classifier models.
Dependent claims: 2, 3, 4, 5
6. A server in a client-cloud communication system, comprising:
means for applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors; means for determining which factors in the first family of classifier models have a high probability of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign; means for generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and means for generating a mobile device classifier module based on the second family of classifier models.
Dependent claims: 7, 8, 9, 10
11. A server in a client-cloud communication system, comprising:
a processor configured with processor-executable instructions to perform operations comprising: applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors; determining which factors in the first family of classifier models have a high probability of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign; generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and generating a mobile device classifier module based on the second family of classifier models.
Dependent claims: 12, 13, 14, 15
16. A non-transitory computer readable storage medium having stored thereon server-executable software instructions configured to cause a server processor to perform operations for generating data models in a client-cloud communication system, the operations comprising:
applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors; determining which factors in the first family of classifier models have a high probability of enabling a mobile device to conclusively determine whether a mobile device behavior is malicious or benign; generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; generating a mobile device classifier module based on the second family of classifier models.
Dependent claims: 17, 18, 19, 20
21. A client-cloud communication system, comprising:
a mobile device comprising a device processor; and a server comprising a server processor configured with server-executable instructions to perform operations comprising: applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors; determining which factors in the first family of classifier models have a high probability of enabling the mobile device to conclusively determine whether a mobile device behavior is malicious or benign; and transmitting the first family of classifier models and the determined factors to the mobile device, wherein the device processor is configured with processor-executable instructions to perform operations comprising: generating, based on the determined factors, a second family of classifier models that identify a reduced number of factors and data points as being relevant for enabling the mobile device to conclusively determine whether the mobile device behavior is malicious or benign; and generating a mobile device classifier module based on the second family of classifier models.
22. A method of evaluating a mobile device behavior in stages, comprising:
monitoring mobile device behaviors to generate observations; applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious; monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.
23. A mobile device, comprising:
means for monitoring a mobile device behavior to generate observations; means for applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious; means for monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and means for applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.
24. A mobile device, comprising:
a processor configured with processor-executable instructions to perform operations comprising: monitoring a mobile device behavior to generate observations; applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious; monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.
25. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform operations for evaluating a mobile device behavior in stages, the operations comprising:
monitoring mobile device behaviors to generate observations; applying the observations to an initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious; monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; and applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign.
26. A method, comprising:
receiving observation information from a plurality of mobile devices; updating a global model of behavior classification in a server of a cloud network based on the observation information received from the plurality of mobile devices; performing machine learning operations to generate a first family of classifiers based on the global model; determining whether there are enough changes to the generated first family of classifiers to warrant generating new models; determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers; generating a second family of classifiers based on the best features; determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models; generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and sending the generated additional classifier models to the mobile device processor.
27. A server, comprising:
means for receiving observation information from a plurality of mobile devices; means for updating a global model of behavior classification based on the observation information received from the plurality of mobile devices; means for performing machine learning operations to generate a first family of classifiers based on the global model; means for determining whether there are enough changes to the generated first family of classifiers to warrant generating new models; means for determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers; means for generating a second family of classifiers based on the best features; means for determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models; means for generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and means for sending generated additional classifier models to the mobile device processor.
28. A server, comprising:
a processor configured with processor-executable instructions to perform operations comprising: receiving observation information from a plurality of mobile devices; updating a global model of behavior classification based on the observation information received from the plurality of mobile devices; performing machine learning operations to generate a first family of classifiers based on the global model; determining whether there are enough changes to the generated first family of classifiers to warrant generating new models; determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers; generating a second family of classifiers based on the best features; determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models; generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and sending the generated additional classifier models to the mobile device processor.
29. A non-transitory computer readable storage medium having stored thereon server-executable software instructions configured to cause a server processor to perform operations comprising:
receiving observation information from a plurality of mobile devices; updating a global model of behavior classification in a server of a cloud network based on the observation information received from the plurality of mobile devices; performing machine learning operations to generate a first family of classifiers based on the global model; determining whether there are enough changes to the generated first family of classifiers to warrant generating new models; determining which features in the generated first family of classifiers are best features for enabling a mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers; generating a second family of classifiers based on the best features; determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models; generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and sending the generated additional classifier models to the mobile device processor.
30. A client-cloud communication system, comprising:
a mobile device comprising a mobile device processor; and a server comprising a server processor, wherein the server processor is configured with server-executable instructions to perform operations comprising: receiving observation information from a plurality of mobile devices; updating a global model of behavior classification based on the observation information received from the plurality of mobile devices; performing machine learning operations to generate a first family of classifiers based on the global model; determining whether there are enough changes to the generated first family of classifiers to warrant generating new models; determining which features in the generated first family of classifiers are best features for enabling the mobile device processor to conclusively determine whether a mobile device behavior is malicious or benign when it is determined that there are enough changes to the first family of classifiers; generating a second family of classifiers based on the best features; determining whether there are enough changes to the generated second family of classifiers to warrant generating additional new models; generating additional classifier models when it is determined that there are enough changes to the second family of classifiers; and sending the generated additional classifier models to the mobile device processor as an initial reduced feature set model, and wherein the mobile device processor is configured with processor-executable instructions to perform operations comprising: receiving the initial reduced feature set model from the server; monitoring mobile device behaviors to generate observations; applying the observations to the initial reduced feature set model to determine whether the mobile device behavior is performance-degrading, benign, or suspicious; monitoring additional or different mobile device behaviors to generate refined observations when it is determined that the mobile device behavior is suspicious; applying the refined observations to a subsequent reduced feature set model to determine whether the mobile device behavior is performance-degrading, performance-degrading or benign; and sending the refined observations and a result of applying the refined observations to the server as observation information.
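The server-side reduction and the staged on-device evaluation of claim 30, sketched as an added example that is not taken from the patent. The weak learner (one threshold stump per feature), the feature names, the corpus, the 0.5 margin and the use of "malicious" for the non-benign verdict are all assumptions made for illustration.

```python
import math

FEATURES = ["sms_per_min", "bg_camera", "net_kb_s", "wake_locks", "screen_on"]
# Constructed cloud corpus of behavior vectors (FEATURES order, label); 1 = malicious.
CORPUS = [
    ([9, 1, 300, 4, 0], 1), ([8, 1, 40, 7, 1], 1),
    ([7, 0, 280, 3, 1], 1), ([9, 1, 260, 8, 0], 1),
    ([1, 0, 30, 5, 1], 0), ([0, 0, 50, 6, 0], 0),
    ([2, 0, 20, 2, 1], 0), ([1, 1, 100, 4, 0], 0),
]

def train_stump(corpus, i):
    """One weak classifier on feature i: threshold midway between class means."""
    mal = [v[i] for v, y in corpus if y == 1]
    ben = [v[i] for v, y in corpus if y == 0]
    m, b = sum(mal) / len(mal), sum(ben) / len(ben)
    thr, high_is_mal = (m + b) / 2, m > b
    hits = sum(((v[i] > thr) == high_is_mal) == (y == 1) for v, y in corpus)
    acc = (hits + 1) / (len(corpus) + 2)  # smoothed so the weight stays finite
    return {"i": i, "thr": thr, "high": high_is_mal,
            "w": max(0.0, 0.5 * math.log(acc / (1 - acc)))}

def reduced_model(corpus, k):
    """First family = one stump per feature; the lean model keeps the k heaviest."""
    full = [train_stump(corpus, i) for i in range(len(FEATURES))]
    return sorted(full, key=lambda s: -s["w"])[:k]

def feature_names(model):
    return [FEATURES[s["i"]] for s in model]

def score(model, vec):
    """Weighted vote in [-1, 1]; positive leans malicious."""
    total = sum(s["w"] for s in model)
    return sum(s["w"] * (1 if (vec[s["i"]] > s["thr"]) == s["high"] else -1)
               for s in model) / total

def evaluate_in_stages(vec, initial, subsequent, margin=0.5):
    """Stage 1 uses the initial lean model; only a suspicious result reaches stage 2."""
    s = score(initial, vec)
    if abs(s) >= margin:
        return ("malicious" if s > 0 else "benign"), 1
    # Suspicious: consult the subsequent model, which reads an additional feature.
    return ("malicious" if score(subsequent, vec) > 0 else "benign"), 2

INITIAL = reduced_model(CORPUS, 2)      # sent to the device first
SUBSEQUENT = reduced_model(CORPUS, 3)   # used only for suspicious behavior
```

On a device, each stage would sample only the features its model names, so the cost of the wider model is paid only when the two-feature model cannot decide.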
Specification