Adaptive Observation of Behavioral Features on a Mobile Device
Abstract
Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.
120 Claims
1. A method for observing mobile device behaviors over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns, the method comprising:
- dynamically selecting for observation one or more mobile device behaviors from the group mobile device operations, mobile device events, data network activity, system resource usage, mobile device state, inter-process communications, driver statistics, hardware component status, hardware counters, actions or operations of software applications; software downloads, changes to device or component settings, conditions and events at an application level, conditions and events at the radio level, and conditions and events at a sensor level; and
- adaptively observing the mobile device behaviors to identify a suspicious mobile device behavior from a limited set of observations.

Dependent claims: 2-28
29. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- dynamically selecting for observation one or more mobile device behaviors from the group mobile device operations, mobile device events, data network activity, system resource usage, mobile device state, inter-process communications, driver statistics, hardware component status, hardware counters, actions or operations of software applications; software downloads, changes to device or component settings, conditions and events at an application level, conditions and events at the radio level, and conditions and events at a sensor level; and
- adaptively observing the mobile device behaviors to identify a suspicious mobile device behavior from a limited set of observations.

Dependent claims: 30-56
57. A computing device, comprising:
- means for dynamically selecting for observation one or more mobile device behaviors from the group mobile device operations, mobile device events, data network activity, system resource usage, mobile device state, inter-process communications, driver statistics, hardware component status, hardware counters, actions or operations of software applications; software downloads, changes to device or component settings, conditions and events at an application level, conditions and events at the radio level, and conditions and events at a sensor level; and
- means for adaptively observing the mobile device behaviors to identify a suspicious mobile device behavior from a limited set of observations.

Dependent claims: 58-84
85. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor to perform operations comprising:
- dynamically selecting for observation one or more mobile device behaviors from the group mobile device operations, mobile device events, data network activity, system resource usage, mobile device state, inter-process communications, driver statistics, hardware component status, hardware counters, actions or operations of software applications; software downloads, changes to device or component settings, conditions and events at an application level, conditions and events at the radio level, and conditions and events at a sensor level; and
- adaptively observing the mobile device behaviors to identify a suspicious mobile device behavior from a limited set of observations.

Dependent claims: 86-112
113. A method of improving performance on a mobile device, comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
- identifying suspicious behavior from the coarse observations;
- dynamically determining the mobile device behaviors that require further observation in greater detail;
- dynamically determining a level of detail required for the further observation;
- performing finer observations based on the determined level of detail required for the further observation; and
- identifying suspicious behavior from the finer observations.

Dependent claims: 114
115. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
- identifying suspicious behavior from the coarse observations;
- dynamically determining the mobile device behaviors that require further observation in greater detail;
- dynamically determining a level of detail required for the further observation;
- performing finer observations based on the determined level of detail required for the further observation; and
- identifying suspicious behavior from the finer observations.

Dependent claims: 116
117. A computing device, comprising:
- means for performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
- means for identifying suspicious behavior from the coarse observations;
- means for dynamically determining the mobile device behaviors that require further observation in greater detail;
- means for dynamically determining a level of detail required for the further observation;
- means for performing finer observations based on the determined level of detail required for the further observation; and
- means for identifying suspicious behavior from the finer observations.

Dependent claims: 118
119. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions to cause a processor to perform operations comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
- identifying suspicious behavior from the coarse observations;
- dynamically determining the mobile device behaviors that require further observation in greater detail;
- dynamically determining a level of detail required for the further observation;
- performing finer observations based on the determined level of detail required for the further observation; and
- identifying suspicious behavior from the finer observations.

Dependent claims: 120
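
The coarse-to-fine loop recited in claims 113 to 120, sketched in Python as an added example; it is not code from the patent or its assignee. The event tuples, baseline counts, ratio threshold and the two detail levels are assumptions made for illustration.

```python
from collections import Counter

# Constructed baseline: expected events per window for each observed behavior.
# Behavior names follow the group listed in the claims; the numbers are assumed.
BASELINE = {"data_network_activity": 20, "inter_process_communications": 50,
            "system_resource_usage": 30}

# Constructed sample window of (behavior, process, detail) events.
EVENTS = (
    [("data_network_activity", "com.example.mail", "imap.example.org")] * 15
    + [("data_network_activity", "com.example.flashlight", "203.0.113.7")] * 90
    + [("inter_process_communications", "system_server", "binder")] * 45
    + [("system_resource_usage", "com.example.mail", "cpu")] * 28
)

def coarse_observe(events):
    """Cheap pass: one counter per behavior, no per-process attribution."""
    return Counter(behavior for behavior, _, _ in events)

def select_for_finer(coarse, baseline, ratio=2.0):
    """Choose behaviors needing finer observation and a detail level for each."""
    plan = {}
    for behavior, count in coarse.items():
        expected = baseline.get(behavior, 0)
        deviation = count / expected if expected else float("inf")
        if deviation >= ratio:
            # Assumed rule: level 1 = per process, level 2 = per process and detail.
            plan[behavior] = 2 if deviation >= 2 * ratio else 1
    return plan

def fine_observe(events, plan):
    """Costly pass, run only for the selected behaviors at the chosen level."""
    fine = {behavior: Counter() for behavior in plan}
    for behavior, process, detail in events:
        if behavior in plan:
            key = (process, detail) if plan[behavior] == 2 else (process,)
            fine[behavior][key] += 1
    return fine

def identify_suspicious(fine, baseline):
    """Flag fine-grained keys that alone exceed the behavior's whole baseline."""
    return sorted((behavior, key, n) for behavior, counts in fine.items()
                  for key, n in counts.items() if n > baseline.get(behavior, 0))

def analyze(events, baseline=BASELINE):
    """Coarse pass, selection, finer pass, then the final decision."""
    plan = select_for_finer(coarse_observe(events), baseline)
    return plan, identify_suspicious(fine_observe(events, plan), baseline)
```

Only the behavior that deviates in the coarse pass pays the cost of per-process attribution, which is how the claimed method keeps the set of observations limited.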
Specification