Data Flow Based Behavioral Analysis on Mobile Devices

US 20150082430A1
Filed: 09/18/2013
Published: 03/19/2015
Est. Priority Date: 09/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing mobile device behaviors to identify a malicious software application, comprising:

identifying in a processor a critical data resource that requires close monitoring;

identifying an intermediate resource associated with the critical data resource;

monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;

identifying mobile device resources that are consumed or produced by the API calls;

identifying a pattern of API calls as being indicative of malicious activity by the software application;

generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;

using the light-weight behavior signature to perform behavior analysis operations; and

determining whether the software application is malicious or benign based on the behavior analysis operations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.

197 Citations

32 Claims

1. A method of analyzing mobile device behaviors to identify a malicious software application, comprising:
- identifying in a processor a critical data resource that requires close monitoring;
  
  identifying an intermediate resource associated with the critical data resource;
  
  monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
  
  identifying mobile device resources that are consumed or produced by the API calls;
  
  identifying a pattern of API calls as being indicative of malicious activity by the software application;
  
  generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
  
  using the light-weight behavior signature to perform behavior analysis operations; and
  
  determining whether the software application is malicious or benign based on the behavior analysis operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein identifying mobile device resources that are consumed or produced by the API calls comprises identifying ghost resources produced by the API calls.
  - 3. The method of claim 1, wherein identifying the intermediate resource associated with the critical data resource comprises identifying a resource that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 4. The method of claim 1, further comprising:
    - observing mobile device behaviors over a period of time to recognize mobile device behaviors that are inconsistent with normal operation patterns,wherein using the light-weight behavior signature to perform behavior analysis operations comprises dynamically determining the mobile device behaviors that are to be observed based on information included in the light-weight behavior signature.
  - 5. The method of claim 1, wherein using the light-weight behavior signature to perform behavior analysis operations comprises:
    - identifying mobile device behaviors that require deeper analysis based on information included in the light-weight behavior signature.
  - 6. The method of claim 5, further comprising:
    - observing the determined mobile device behaviors in greater detail;
      
      generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform deeper analysis of the observed mobile device behaviors.
  - 7. The method of claim 1, further comprising:
    - identifying two or more operations of the software application from the monitored API calls; and
      
      determining whether the identified two or more operations should be analyzed together as a single mobile device behavior.
  - 8. The method of claim 1, wherein using the light-weight behavior signature to perform behavior analysis operations comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

9. A mobile computing device, comprising:
- means for identifying a critical data resource that requires close monitoring;
  
  means for identifying an intermediate resource associated with the critical data resource;
  
  means for monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
  
  means for identifying mobile device resources that are consumed or produced by the API calls;
  
  means for identifying a pattern of API calls as being indicative of malicious activity by the software application;
  
  means for generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
  
  means for using the light-weight behavior signature to perform behavior analysis operations; and
  
  means for determining whether the software application is malicious or benign based on the behavior analysis operations.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The mobile computing device of claim 9, wherein means for identifying mobile device resources that are consumed or produced by the API calls comprises means for identifying ghost resources produced by the API calls.
  - 11. The mobile computing device of claim 9, wherein means for identifying the intermediate resource associated with the critical data resource comprises means for identifying a resource that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 12. The mobile computing device of claim 9, further comprising:
    - means for observing mobile device behaviors over a period of time to recognize mobile device behaviors that are inconsistent with normal operation patterns,wherein means for using the light-weight behavior signature to perform behavior analysis operations comprises means for dynamically determining the mobile device behaviors that are to be observed based on information included in the light-weight behavior signature.
  - 13. The mobile computing device of claim 9, wherein means for using the light-weight behavior signature to perform behavior analysis operations comprises:
    - means for identifying mobile device behaviors that require deeper analysis based on information included in the light-weight behavior signature.
  - 14. The mobile computing device of claim 13, further comprising:
    - means for observing the determined mobile device behaviors in greater detail;
      
      means for generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      means for using the generated behavior signature to perform deeper analysis of the observed mobile device behaviors.
  - 15. The mobile computing device of claim 9, further comprising:
    - means for identifying two or more operations of the software application from the monitored API calls; and
      
      means for determining whether the identified two or more operations should be analyzed together as a single mobile device behavior.
  - 16. The mobile computing device of claim 9, wherein means for using the light-weight behavior signature to perform behavior analysis operations comprises:
    - means for determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

17. A mobile computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  identifying a critical data resource that requires close monitoring;
  
  identifying an intermediate resource associated with the critical data resource;
  
  monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
  
  identifying mobile device resources that are consumed or produced by the API calls;
  
  identifying a pattern of API calls as being indicative of malicious activity by the software application;
  
  generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
  
  using the light-weight behavior signature to perform behavior analysis operations; and
  
  determining whether the software application is malicious or benign based on the behavior analysis operations.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that identifying mobile device resources that are consumed or produced by the API calls comprises identifying ghost resources produced by the API calls.
  - 19. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that identifying the intermediate resource associated with the critical data resource comprises identifying a resource that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 20. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - observing mobile device behaviors over a period of time to recognize mobile device behaviors that are inconsistent with normal operation patterns,wherein using the light-weight behavior signature to perform behavior analysis operations comprises dynamically determining the mobile device behaviors that are to be observed based on information included in the light-weight behavior signature.
  - 21. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that using the light-weight behavior signature to perform behavior analysis operations comprises:
    - identifying mobile device behaviors that require deeper analysis based on information included in the light-weight behavior signature.
  - 22. The mobile computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - observing the determined mobile device behaviors in greater detail;
      
      generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform deeper analysis of the observed mobile device behaviors.
  - 23. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - identifying two or more operations of the software application from the monitored API calls; and
      
      determining whether the identified two or more operations should be analyzed together as a single mobile device behavior.
  - 24. The mobile computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that using the light-weight behavior signature to perform behavior analysis operations comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

25. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations for analyzing mobile device behaviors to identify a malicious software application, the operations comprising:
- identifying a critical data resource that requires close monitoring;
  
  identifying an intermediate resource associated with the critical data resource;
  
  monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
  
  identifying mobile device resources that are consumed or produced by the API calls;
  
  identifying a pattern of API calls as being indicative of malicious activity by the software application;
  
  generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
  
  using the light-weight behavior signature to perform behavior analysis operations; and
  
  determining whether the software application is malicious or benign based on the behavior analysis operations.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that identifying mobile device resources that are consumed or produced by the API calls comprises identifying ghost resources produced by the API calls.
  - 27. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that identifying the intermediate resource associated with the critical data resource comprises identifying a resource that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 28. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations further comprising:
    - observing mobile device behaviors over a period of time to recognize mobile device behaviors that are inconsistent with normal operation patterns,wherein using the light-weight behavior signature to perform behavior analysis operations comprises dynamically determining the mobile device behaviors that are to be observed based on information included in the light-weight behavior signature.
  - 29. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that using the light-weight behavior signature to perform behavior analysis operations comprises:
    - identifying mobile device behaviors that require deeper analysis based on information included in the light-weight behavior signature.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations further comprising:
    - observing the determined mobile device behaviors in greater detail;
      
      generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform deeper analysis of the observed mobile device behaviors.
  - 31. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations further comprising:
    - identifying two or more operations of the software application from the monitored API calls; and
      
      determining whether the identified two or more operations should be analyzed together as a single mobile device behavior.
  - 32. The non-transitory computer readable storage medium of claim 25, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that using the light-weight behavior signature to perform behavior analysis operations comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Gathala, Sudha Anil Kumar, Gupta, Rajarshi

Granted Patent

US 9,607,146 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Data Flow Based Behavioral Analysis on Mobile Devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

197 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Data Flow Based Behavioral Analysis on Mobile Devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links