Data Flow Based Behavioral Analysis on Mobile Devices
Abstract
Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.
32 Claims
1. A method of analyzing mobile device behaviors to identify a malicious software application, comprising:
- identifying in a processor a critical data resource that requires close monitoring;
- identifying an intermediate resource associated with the critical data resource;
- monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
- identifying mobile device resources that are consumed or produced by the API calls;
- identifying a pattern of API calls as being indicative of malicious activity by the software application;
- generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is malicious or benign based on the behavior analysis operations.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A mobile computing device, comprising:
- means for identifying a critical data resource that requires close monitoring;
- means for identifying an intermediate resource associated with the critical data resource;
- means for monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
- means for identifying mobile device resources that are consumed or produced by the API calls;
- means for identifying a pattern of API calls as being indicative of malicious activity by the software application;
- means for generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
- means for using the light-weight behavior signature to perform behavior analysis operations; and
- means for determining whether the software application is malicious or benign based on the behavior analysis operations.

Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A mobile computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- identifying a critical data resource that requires close monitoring;
- identifying an intermediate resource associated with the critical data resource;
- monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
- identifying mobile device resources that are consumed or produced by the API calls;
- identifying a pattern of API calls as being indicative of malicious activity by the software application;
- generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is malicious or benign based on the behavior analysis operations.

Dependent claims: 18, 19, 20, 21, 22, 23, 24
25. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations for analyzing mobile device behaviors to identify a malicious software application, the operations comprising:
- identifying a critical data resource that requires close monitoring;
- identifying an intermediate resource associated with the critical data resource;
- monitoring API calls made by a software application when accessing the critical data resource and the intermediate resource;
- identifying mobile device resources that are consumed or produced by the API calls;
- identifying a pattern of API calls as being indicative of malicious activity by the software application;
- generating a light-weight behavior signature based on the identified pattern of API calls and the identified mobile device resources;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is malicious or benign based on the behavior analysis operations.

Dependent claims: 26, 27, 28, 29, 30, 31, 32
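The steps recited in the independent claims above, worked through on a small API-call trace as an added example (not code from the patent or its assignee). The resource labels, API names, app names and the source-to-sink pattern used here are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed labels (not from the patent): one critical resource and two exit points.
CRITICAL = {"contacts_db"}          # critical data resource under close monitoring
SINKS = {"net_socket", "sms_out"}   # resources through which data leaves the device

@dataclass(frozen=True)
class ApiCall:
    app: str
    api: str
    consumes: tuple   # resources the call reads
    produces: tuple   # resources the call writes

def analyze(trace, app):
    """Follow data from CRITICAL through intermediate resources to SINKS for one app."""
    tainted = set(CRITICAL)   # critical resource plus intermediates derived from it
    chain = []                # calls that consumed tainted data, in order
    for call in trace:
        if call.app != app:
            continue
        hit = tainted.intersection(call.consumes)
        if not hit:
            continue          # call never touched monitored data: not recorded
        chain.append((call.api, tuple(sorted(hit)), call.produces))
        if SINKS.intersection(call.produces):
            # Light-weight signature: API names and resource labels only, no payloads.
            sig = " > ".join(f"{a}[{','.join(c)}->{','.join(p)}]" for a, c, p in chain)
            return {"verdict": "malicious", "signature": sig}
        tainted.update(call.produces)   # outputs become intermediate resources
    return {"verdict": "benign", "signature": None}

# Constructed sample trace: two apps, only one moves contact data to the network.
TRACE = [
    ApiCall("app.flashlight", "query_contacts", ("contacts_db",), ("mem_buf",)),
    ApiCall("app.flashlight", "write_file", ("mem_buf",), ("tmp_file",)),
    ApiCall("app.notes", "read_file", ("notes_file",), ("mem_buf2",)),
    ApiCall("app.notes", "http_post", ("mem_buf2",), ("net_socket",)),
    ApiCall("app.flashlight", "read_file", ("tmp_file",), ("mem_buf3",)),
    ApiCall("app.flashlight", "http_post", ("mem_buf3",), ("net_socket",)),
]
```

The verdict here rests on a single assumed pattern (critical resource reaching a network sink); a legitimate sync or backup app produces the same flow, so a real analyzer would weigh the signature against further context before classifying.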
Specification