Methods and Systems of Generating Application-Specific Models for the Targeted Protection of Vital Applications

US 20150161024A1
Filed: 08/05/2014
Published: 06/11/2015
Est. Priority Date: 12/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing a software application operating in a processor of a computing device, the method comprising:

monitoring in the processor activities of the software application by collecting behavior information from a log of actions stored in a memory of the computing device;

generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and

determining whether the generated behavior vector includes a distinguishing behavior identifying the software application as being from a known vendor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, and computing devices implementing the methods, improve the efficiency and performance of a comprehensive behavioral monitoring and analysis system that is configured to predict whether a software application is causing undesirable or performance depredating behavior. The behavioral monitoring and analysis system may be configured to quickly and efficiently classify certain software applications as being benign by generating a behavior vector that characterizes the activities of the software application, determining whether the generated behavior vector includes a distinguishing behavior or behavioral clue identifying the software application as a trusted software application, and classifying the software application as benign in response to determining that the generated behavior vector includes a distinguishing behavior identifying the software application as a trusted software application.

Citations

30 Claims

1. A method of analyzing a software application operating in a processor of a computing device, the method comprising:
- monitoring in the processor activities of the software application by collecting behavior information from a log of actions stored in a memory of the computing device;
  
  generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and
  
  determining whether the generated behavior vector includes a distinguishing behavior identifying the software application as being from a known vendor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.
  - 3. The method of claim 1, wherein determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.
  - 4. The method of claim 1, further comprising:
    - authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.
  - 5. The method of claim 1, further comprising:
    - performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and
      
      applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.
  - 6. The method of claim 5, further comprising:
    - receiving a full classifier model that includes a plurality of test conditions;
      
      identifying device features used by the software application;
      
      identifying test conditions in the plurality of test conditions that evaluate the identified device features; and
      
      generating an application-based classifier model that prioritizes the identified test conditions,wherein applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises applying the generated behavior vector to the generated application-based classifier model.
  - 7. The method of claim 6, wherein:
    - generating the behavior vector based on the collected behavior information comprises using the collected behavior information to generate a feature vector; and
      
      applying the generated behavior vector to the generated application-based classifier model comprises;
      
      applying the generated feature vector to the application-based classifier model so as to evaluate each test condition included in the application-based classifier model;
      
      computing a weighted average of each result of evaluating test conditions in the application-based classifier model; and
      
      determining whether the behavior is non-benign based on the weighted average.
  - 8. The method of claim 6, wherein:
    - receiving the full classifier model that includes the plurality of test conditions comprises receiving a finite state machine that includes information that is suitable for conversion into a plurality of decision nodes that each evaluate one of the plurality of test conditions; and
      
      generating the application-based classifier model that prioritizes the identified test conditions comprises generating the application-based classifier model to include decision nodes that evaluate one of;
      
      a device feature that is relevant to the software application; and
      
      a device feature that is relevant to an application type of the software application.

9. A computing device, comprising:
- a memory; and
  
  a processor coupled to the memory, wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  monitoring activities of a software application by collecting behavior information from a log of actions stored in the memory;
  
  generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and
  
  determining whether the generated behavior vector includes a distinguishing behavior identifying the software application as being from a known vendor.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9, wherein the processor is configured with processor-executable instructions such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.
  - 11. The computing device of claim 9, wherein the processor is configured with processor-executable instructions such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.
  - 12. The computing device of claim 9, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.
  - 13. The computing device of claim 9, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and
      
      applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.
  - 14. The computing device of claim 13, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a full classifier model that includes a plurality of test conditions;
      
      identifying device features used by the software application;
      
      identifying test conditions in the plurality of test conditions that evaluate the identified device features; and
      
      generating an application-based classifier model that prioritizes the identified test conditions,wherein applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises applying the generated behavior vector to the generated application-based classifier model.
  - 15. The computing device of claim 14, wherein the processor is configured with processor-executable instructions such that:
    - generating the behavior vector based on the collected behavior information comprises using the collected behavior information to generate a feature vector; and
      
      applying the generated behavior vector to the generated application-based classifier model comprises;
      
      applying the generated feature vector to the application-based classifier model so as to evaluate each test condition included in the application-based classifier model;
      
      computing a weighted average of each result of evaluating test conditions in the application-based classifier model; and
      
      determining whether the behavior is non-benign based on the weighted average.
  - 16. The computing device of claim 14, wherein the processor is configured with processor-executable instructions such that:
    - receiving the full classifier model that includes the plurality of test conditions comprises receiving a finite state machine that includes information that is suitable for conversion into a plurality of decision nodes that each evaluate one of the plurality of test conditions; and
      
      generating the application-based classifier model that prioritizes the identified test conditions comprises generating the application-based classifier model to include decision nodes that evaluate one of;
      
      a device feature that is relevant to the software application; and
      
      a device feature that is relevant to an application type of the software application.

17. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations for analyzing a software application operating in the processor, the operations comprising:
- monitoring activities of the software application by collecting behavior information from a log of actions stored in a memory of the computing device;
  
  generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and
  
  determining whether the generated behavior vector includes a distinguishing behavior identifying the software application as being from a known vendor.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations comprising:
    - authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.
  - 21. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations comprising:
    - performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and
      
      applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.
  - 22. The non-transitory computer readable storage medium of claim 21, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations comprising:
    - receiving a full classifier model that includes a plurality of test conditions;
      
      identifying device features used by the software application;
      
      identifying test conditions in the plurality of test conditions that evaluate the identified device features; and
      
      generating an application-based classifier model that prioritizes the identified test conditions,wherein applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises applying the generated behavior vector to the generated application-based classifier model.
  - 23. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - generating the behavior vector based on the collected behavior information comprises using the collected behavior information to generate a feature vector; and
      
      applying the generated behavior vector to the generated application-based classifier model comprises;
      
      applying the generated feature vector to the application-based classifier model so as to evaluate each test condition included in the application-based classifier model;
      
      computing a weighted average of each result of evaluating test conditions in the application-based classifier model; and
      
      determining whether the behavior is non-benign based on the weighted average.
  - 24. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - receiving the full classifier model that includes the plurality of test conditions comprises receiving a finite state machine that includes information that is suitable for conversion into a plurality of decision nodes that each evaluate one of the plurality of test conditions; and
      
      generating the application-based classifier model that prioritizes the identified test conditions comprises generating the application-based classifier model to include decision nodes that evaluate one of;
      
      a device feature that is relevant to the software application; and
      
      a device feature that is relevant to an application type of the software application.

25. A computing device, comprising:
- means for monitoring activities of a software application by collecting behavior information from a log of actions stored in a memory of the computing device;
  
  means for generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and
  
  means for determining whether the generated behavior vector includes a distinguishing behavior identifying the software application as being from a known vendor.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computing device of claim 25, wherein means for determining whether the generated behavior vector includes the distinguishing behavior comprises means for determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.
  - 27. The computing device of claim 25, wherein means for determining whether the generated behavior vector includes the distinguishing behavior comprises means for determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.
  - 28. The computing device of claim 25, further comprising:
    - means for authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.
  - 29. The computing device of claim 25, further comprising:
    - means for performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and
      
      means for applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.
  - 30. The computing device of claim 29, further comprising:
    - means for receiving a full classifier model that includes a plurality of test conditions;
      
      means for identifying device features used by the software application;
      
      means for identifying test conditions in the plurality of test conditions that evaluate the identified device features; and
      
      means for generating an application-based classifier model that prioritizes the identified test conditions,wherein means for applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises means for applying the generated behavior vector to the generated application-based classifier model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
GUPTA, Rajarshi, BERGAN, Charles

Granted Patent

US 9,606,893 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/44   Program or device authentic...

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

G06N 5/043   Distributed expert systems;...

G16C 20/70   Machine learning, data mini...

H04L 63/14   for detecting or protecting...

Methods and Systems of Generating Application-Specific Models for the Targeted Protection of Vital Applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Systems of Generating Application-Specific Models for the Targeted Protection of Vital Applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links