On-Line Behavioral Analysis Engine in Mobile Device with Multiple Analyzer Model Providers

US 20140053261A1
Filed: 07/09/2013
Published: 02/20/2014
Est. Priority Date: 08/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring mobile device behaviors in a mobile device, comprising:

receiving in a mobile device processor a behavior model from an application download service, the received behavior model identifying factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;

installing the received behavior model in the mobile device in conjunction with an existing behavior analyzer engine installed in the mobile device; and

using the installed behavior model to monitor one or more mobile device behaviors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probability of enabling a mobile device to better determine whether a mobile device behavior is malicious or benign. Based on this analysis, a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to better determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors.

353 Citations

48 Claims

1. A method for monitoring mobile device behaviors in a mobile device, comprising:
- receiving in a mobile device processor a behavior model from an application download service, the received behavior model identifying factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;
  
  installing the received behavior model in the mobile device in conjunction with an existing behavior analyzer engine installed in the mobile device; and
  
  using the installed behavior model to monitor one or more mobile device behaviors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein receiving the behavior model comprises receiving a software application that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 3. The method of claim 1, wherein receiving the behavior model comprises receiving an a file selected from the group comprising XML, JSON, YAML and HTML/XHTML that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 4. The method of claim 1, wherein receiving the behavior model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 5. The method of claim 1, further comprising:
    - replacing an existing behavior model with the received behavior model; and
      
      linking the received behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received behavior model.
  - 6. The method of claim 1, further comprising:
    - updating an existing behavior model with information included in the received behavior model; and
      
      linking the updated behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated behavior model.
  - 7. The method of claim 1, further comprising:
    - receiving a plurality of behavior models from a plurality of public networks; and
      
      updating at least one existing behavior model with information included in one or more of the received plurality of behavior models.
  - 8. The method of claim 1, wherein receiving the behavior model from the application download service comprises receiving the behavior model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 9. The method of claim 1, wherein receiving the behavior model from the application download service comprises:
    - accessing and authenticating an online app store by the mobile device processor;
      
      downloading a menu of behavior models available for download or update from the online app store;
      
      receiving in the mobile device processor a user selection input;
      
      requesting download or update of a user-selected behavior model from the online app store; and
      
      receiving the requested user-selected behavior model in a download buffer of the mobile device.
  - 10. The method of claim 1, wherein installing the received behavior model in the mobile device in conjunction with the existing behavior analyzer engine installed in the mobile device comprises:
    - validating the received behavior model;
      
      installing the validated behavior model in a memory of the mobile device; and
      
      registering the installed behavior model with an observer module of the mobile device.
  - 11. The method of claim 1, wherein using the installed behavior model to monitor one or more mobile device behaviors comprises:
    - observing mobile device behaviors over a period of time;
      
      identifying mobile device behaviors that are inconsistent with normal mobile device operations based on observing mobile device behaviors over the period of time;
      
      generating a behavior vector based on mobile device behaviors that are identified as inconsistent with the normal mobile device operations; and
      
      comparing the generated behavior vector to the installed behavior model to determine whether the identified mobile device behaviors are benign, suspicious, or malicious.
  - 12. The method of claim 11, further comprising:
    - receiving a new behavior model that identifies additional factors and data points as being relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;
      
      updating the installed behavior model with information included in the new behavior model in response to determining that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated behavior model to better determine whether the identified suspicious mobile device behavior is benign or malicious.

13. A mobile computing device comprising:
- a mobile device processor;
  
  means for receiving a behavior model from an application download service, the received behavior model identifying factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;
  
  means for installing the received behavior model in conjunction with an existing behavior analyzer engine; and
  
  means for using the installed behavior model to monitor one or more mobile device behaviors.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The mobile computing device of claim 13, wherein means for receiving the behavior model comprises means for receiving a software application that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 15. The mobile computing device of claim 13, wherein means for receiving the behavior model comprises means for receiving an XML file that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 16. The mobile computing device of claim 13, wherein means for receiving the behavior model comprises means for receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 17. The mobile computing device of claim 13, further comprising:
    - means for replacing an existing behavior model with the received behavior model; and
      
      means for linking the received behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received behavior model.
  - 18. The mobile computing device of claim 13, further comprising:
    - means for updating an existing behavior model with information included in the received behavior model; and
      
      means for linking the updated behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated behavior model.
  - 19. The mobile computing device of claim 13, further comprising:
    - means for receiving a plurality of behavior models from a plurality of public networks; and
      
      means for updating at least one existing behavior model with information included in one or more of the received plurality of behavior models.
  - 20. The mobile computing device of claim 13, wherein means for receiving the behavior model from the application download service comprises means for receiving the behavior model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 21. The mobile computing device of claim 13, wherein means for receiving the behavior model from the application download service comprises:
    - means for accessing and authenticating an online app store by the mobile device processor;
      
      means for downloading a menu of behavior models available for download or update from the online app store;
      
      means for receiving in the mobile device processor a user selection input;
      
      means for requesting download or update of a user-selected behavior model from the online app store; and
      
      means for receiving the requested user-selected behavior model in a download buffer.
  - 22. The mobile computing device of claim 13, wherein means for installing the received behavior model in conjunction with the existing behavior analyzer engine comprises:
    - means for validating the received behavior model;
      
      means for installing the validated behavior model in memory; and
      
      means for registering the installed behavior model with an observer module.
  - 23. The mobile computing device of claim 13, wherein means for using the installed behavior model to monitor one or more mobile device behaviors comprises:
    - means for observing mobile device behaviors over a period of time;
      
      means for identifying mobile device behaviors that are inconsistent with normal mobile device operations based on observing mobile device behaviors over the period of time;
      
      means for generating a behavior vector based on mobile device behaviors that are identified as inconsistent with the normal mobile device operations; and
      
      means for comparing the generated behavior vector to the installed behavior model to determine whether the identified mobile device behaviors are benign, suspicious, or malicious.
  - 24. The mobile computing device of claim 23, further comprising:
    - means for receiving a new behavior model that identifies additional factors and data points as being relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;
      
      means for updating the installed behavior model with information included in the new behavior model in response to determining that an identified mobile device behavior is suspicious; and
      
      means for comparing the generated behavior vector to the updated behavior model to better determine whether the identified suspicious mobile device behavior is benign or malicious.

25. A mobile computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  receiving a behavior model from an application download service, the received behavior model identifying factors and data points most relevant to enabling the processor to better determine whether a mobile device behavior is benign or malicious;
  
  installing the received behavior model in conjunction with an existing behavior analyzer engine; and
  
  using the installed behavior model to monitor one or more mobile device behaviors.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior model comprises receiving a software application that identifies factors and data points most relevant to enabling the processor to better determine whether a mobile device behavior is benign or malicious.
  - 27. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior model comprises receiving an XML file that identifies factors and data points most relevant to enabling the processor to better determine whether a mobile device behavior is benign or malicious.
  - 28. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 29. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - replacing an existing behavior model with the received behavior model; and
      
      linking the received behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received behavior model.
  - 30. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - updating an existing behavior model with information included in the received behavior model; and
      
      linking the updated behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated behavior model.
  - 31. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a plurality of behavior models from a plurality of public networks; and
      
      updating at least one existing behavior model with information included in one or more of the received plurality of behavior models.
  - 32. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior model from the application download service comprises receiving the behavior model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 33. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior model from the application download service comprises:
    - accessing and authenticating an online app store;
      
      downloading a menu of behavior models available for download or update from the online app store;
      
      receiving a user selection input;
      
      requesting download or update of a user-selected behavior model from the online app store; and
      
      receiving the requested user-selected behavior model in a download buffer.
  - 34. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that installing the received behavior model in conjunction with the existing behavior analyzer engine comprises:
    - validating the received behavior model;
      
      installing the validated behavior model in memory; and
      
      registering the installed behavior model with an observer module.
  - 35. The mobile computing device of claim 25, wherein the processor is configured with processor-executable instructions to perform operations such that using the installed behavior model to monitor one or more mobile device behaviors comprises:
    - observing mobile device behaviors over a period of time;
      
      identifying mobile device behaviors that are inconsistent with normal mobile device operations based on observing mobile device behaviors over the period of time;
      
      generating a behavior vector based on identified mobile device behaviors that are identified as inconsistent with the normal mobile device operations; and
      
      comparing the generated behavior vector to the installed behavior model to determine whether the identified mobile device behaviors are benign, suspicious, or malicious.
  - 36. The mobile computing device of claim 35, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a new behavior model that identifies additional factors and data points as being relevant to enabling the processor to better determine whether a behavior is benign or malicious;
      
      updating the installed behavior model with information included in the new behavior model when it is determined that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated behavior model to better determine whether the identified suspicious mobile device behavior is benign or malicious.

37. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations comprising:
- receiving a behavior model from an application download service, the received behavior model identifying factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious;
  
  installing the received behavior model in conjunction with an existing behavior analyzer engine; and
  
  using the installed behavior model to monitor one or more mobile device behaviors.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 38. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the behavior model comprises receiving a software application that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 39. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the behavior model comprises receiving an XML file that identifies factors and data points most relevant to enabling the mobile device processor to better determine whether a mobile device behavior is benign or malicious.
  - 40. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the behavior model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 41. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - replacing an existing behavior model with the received behavior model; and
      
      linking the received behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received behavior model.
  - 42. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - updating an existing behavior model with information included in the received behavior model; and
      
      linking the updated behavior model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated behavior model.
  - 43. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - receiving a plurality of behavior models from a plurality of public networks; and
      
      updating at least one existing behavior model with information included in one or more of the received plurality of behavior models.
  - 44. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the behavior model from the application download service comprises receiving the behavior model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 45. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the behavior model from the application download service comprises:
    - accessing and authenticating an online app store;
      
      downloading a menu of behavior models available for download or update from the online app store;
      
      receiving a user selection input;
      
      requesting download or update of a user-selected behavior model from the online app store; and
      
      receiving the requested user-selected behavior model in a download buffer.
  - 46. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that installing the received behavior model in conjunction with the existing behavior analyzer engine comprises:
    - validating the received behavior model;
      
      installing the validated behavior model in memory; and
      
      registering the installed behavior model with an observer module.
  - 47. The non-transitory computer readable storage medium of claim 37, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that using the installed behavior model to monitor one or more mobile device behaviors comprises:
    - observing mobile device behaviors over a period of time;
      
      identifying mobile device behaviors that are inconsistent with normal mobile device operations based on observing mobile device behaviors over the period of time;
      
      generating a behavior vector based on mobile device behaviors that are identified as inconsistent with the normal mobile device operations; and
      
      comparing the generated behavior vector to the installed behavior model to determine whether the identified mobile device behaviors are benign, suspicious, or malicious.
  - 48. The non-transitory computer readable storage medium of claim 47, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - receiving a new behavior model that identifies additional factors and data points as being relevant to enabling the mobile device processor to better determine whether a behavior is benign or malicious;
      
      updating the installed behavior model with information included in the new behavior model in response to determining that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated behavior model to better determine whether the identified suspicious mobile device behavior is benign or malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
GUPTA, Rajarshi, Bapst, Mark, Reshadi, Mohammad H, Kumar, Samir

Granted Patent

US 9,747,440 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/3013   where the computing system ...

G06F 11/3409   for performance assessment

G06F 11/3447   Performance evaluation by m...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 21/316   by observing the pattern of...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 2201/865   Monitoring of software

G06F 8/61   Installation

G06F 8/65   Updates security arrangemen...

G06N 5/043   Distributed expert systems;...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

On-Line Behavioral Analysis Engine in Mobile Device with Multiple Analyzer Model Providers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

353 Citations

48 Claims

Specification

Use Cases

Quick Links

Others

On-Line Behavioral Analysis Engine in Mobile Device with Multiple Analyzer Model Providers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

353 Citations

48 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others