Determining Model Protection Level On-Device based on Malware Detection in Similar Devices

US 20160232353A1
Filed: 02/09/2015
Published: 08/11/2016
Est. Priority Date: 02/09/2015
Status: Active Application

First Claim

Patent Images

1. A method of analyzing behaviors in a computing device, comprising:

performing, in a processor of the computing device, a first type of analysis operations to determine whether there is an increased security risk, the first type of analysis operations including monitoring the computing device for an indication of the increased security risk or a previous occurrence of risk; and

performing a second type of analysis operations in response to determining that there is the increased security risk, wherein the second type of analysis operations are more computationally-intensive than the first type of analysis operations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices for identifying, classifying, modeling, and responding to mobile device behaviors may include using lightweight processes to monitor and analyze various conditions and device behaviors to detect an instance of a non-benign behavior, increasing a level of security or scrutiny to identify other instances of non-benign behavior, and notifying select computing devices of the increased security risk so that they may also increase their security/scrutiny levels. For example, a computing device may be configured to perform a first type of analysis operations (e.g., lightweight analysis operations) to determine whether there is an increased security risk, and perform a second type of analysis operations (e.g., robust analysis operations) in response to determining that there is an increased security risk to determine whether there are additional security risks that are different from the security risk detected via the performance of the first type of analysis operations.

153 Citations

30 Claims

1. A method of analyzing behaviors in a computing device, comprising:
- performing, in a processor of the computing device, a first type of analysis operations to determine whether there is an increased security risk, the first type of analysis operations including monitoring the computing device for an indication of the increased security risk or a previous occurrence of risk; and
  
  performing a second type of analysis operations in response to determining that there is the increased security risk, wherein the second type of analysis operations are more computationally-intensive than the first type of analysis operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein:
    - performing the first type of analysis operations comprises performing lightweight analysis operations; and
      
      performing the second type of analysis operations comprises performing robust analysis operations.
  - 3. The method of claim 2, wherein performing robust analysis operations comprises identifying another security risk that is different than the increased security risk detected via lightweight analysis operations.
  - 4. The method of claim 2, wherein performing lightweight analysis operations comprises:
    - monitoring device behaviors to collect behavior information;
      
      generating a behavior vector data structure based on the collected behavior information;
      
      applying the behavior vector data structure to a lean classifier model to obtain a determination of whether a first device behavior is non-benign; and
      
      determining that there is the increased security risk in response to determining that the first device behavior is non-benign.
  - 5. The method of claim 2, wherein performing robust analysis operations comprises performing a full scan of the computing device.
  - 6. The method of claim 2, wherein performing robust analysis operations comprises applying a behavior vector data structure to a full classifier model to obtain a determination of whether another security risk is present in the computing device.
  - 7. The method of claim 2, wherein performing robust analysis operations comprises:
    - monitoring additional device behaviors to collect additional behavior information;
      
      generating a plurality of behavior vector data structures based on the collected additional behavior information; and
      
      applying each of the plurality of behavior vector data structures to a classifier model.
  - 8. The method of claim 2, wherein performing robust analysis operations in response to determining that there is the increased security risk comprises performing robust analysis operations for a dynamically determined time period.
  - 9. The method of claim 8, further comprising dynamically determining the time period based on a distance between the computing device and a second computing device.
  - 10. The method of claim 1, wherein monitoring the computing device for the indication of the increased security risk or the previous occurrence of risk comprises:
    - monitoring the computing device for a notification message from another computing device indicating the increased security risk.
  - 11. The method of claim 1, wherein monitoring the computing device for the indication of the increased security risk or the previous occurrence of risk comprises:
    - monitoring one or more of an internal computation, a file, a functional behavior, and a data access request.
  - 12. The method of claim 1, wherein monitoring the computing device for the indication of the increased security risk or the previous occurrence of risk comprises:
    - monitoring the computing device to identify a data pattern associated with non-benign actions.
  - 13. The method of claim 1, further comprising:
    - generating a notification message that includes risk information in response to determining that there is the increased security risk; and
      
      sending the notification message to one or more computing devices.
  - 14. The method of claim 1, wherein monitoring the computing device for the indication of the increased security risk or the previous occurrence of risk comprises:
    - monitoring the computing device for common consequences of malware infection.
  - 15. The method of claim 14, wherein monitoring the computing device for common consequences of malware infection comprises performing one of:
    - monitoring a number of premium SMS message sent in a period of time;
      
      monitoring increases in traffic to sites associated with malicious behavior;
      
      monitoring a number of address book contacts communicated in the period of time;
      
      monitoring a number of password modifications in the period of time; and
      
      monitoring changes to device configuration.
  - 16. The method of claim 1, further comprising:
    - receiving a notification message from another computing device that includes risk information; and
      
      determining that there is the increased security risk based on the risk information included in the received notification message.
  - 17. The method of claim 16, wherein determining that there is the increased security risk based on the risk information included in the received notification message comprises determining that there is the increased security risk based at least in part on a distance between the another computing device sending the received notification message, wherein the distance comprises one or more of a physical distance, a time difference between a detected security risk and the received notification message, a network separation distance, a number of times the computing device has been rebooted, a number of times a software application has been updated, differences between software versions, and make/model/version/feature/hardware differences between the transmitting and receiving computing devices.

18. A computing device, comprising:
- means for performing a first type of analysis operations to determine whether there is an increased security risk, the first type of analysis operations including monitoring the computing device for an indication of the increased security risk or a previous occurrence of risk; and
  
  means for performing a second type of analysis operations in response to determining that there is the increased security risk, wherein the second type of analysis operations are more computationally-intensive than the first type of analysis operations.
- View Dependent Claims (19, 20)
- - 19. The computing device of claim 18, wherein:
    - means for performing the first type of analysis operations comprises means for performing lightweight analysis operations; and
      
      means for performing the second type of analysis operations comprises means for performing robust analysis operations.
  - 20. The computing device of claim 19, wherein means for performing robust analysis operations comprises means for identifying another security risk that is different than the increased security risk detected via lightweight analysis operations.

21. A computing device, comprising:
- a processor configured with processor-executable software instructions to perform operations comprising;
  
  performing a first type of analysis operations to determine whether there is an increased security risk, the first type of analysis operations including monitoring the computing device for an indication of the increased security risk or a previous occurrence of risk; and
  
  performing a second type of analysis operations in response to determining that there is the increased security risk, wherein the second type of analysis operations are more computationally-intensive than the first type of analysis operations.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The computing device of claim 21, wherein the processor is configured with processor-executable software instructions to perform operations further comprising:
    - receiving a notification message from another computing device that includes risk information; and
      
      determining that there is the increased security risk based on the risk information included in the received notification message and a distance between the computing device and the another computing device sending the received notification message.
  - 23. The computing device of claim 21, wherein the processor is configured with processor-executable software instructions to perform operations such that:
    - performing the first type of analysis operations comprises performing lightweight analysis operations; and
      
      performing the second type of analysis operations comprises performing robust analysis operations.
  - 24. The computing device of claim 23, wherein the processor is configured with processor-executable software instructions to perform operations such that performing robust analysis operations comprises identifying another security risk that is different than the increased security risk detected via lightweight analysis operations.
  - 25. The computing device of claim 23, wherein the processor is configured with processor-executable software instructions to perform operations such that performing lightweight analysis operations comprises:
    - monitoring device behaviors to collect behavior information;
      
      generating a behavior vector data structure based on the collected behavior information;
      
      applying the behavior vector data structure to a lean classifier model to obtain a determination of whether a first device behavior is non-benign; and
      
      determining that there is the increased security risk in response to determining that the first device behavior is non-benign.
  - 26. The computing device of claim 23, wherein the processor is configured with processor-executable software instructions to perform operations such that performing robust analysis operations comprises:
    - monitoring additional device behaviors to collect additional behavior information;
      
      generating a plurality of behavior vector data structures based on the collected additional behavior information; and
      
      applying each of the plurality of behavior vector data structures to a classifier model.

27. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations comprising:
- performing a first type of analysis operations to determine whether there is an increased security risk, the first type of analysis operations including monitoring the computing device for an indication of the increased security risk or a previous occurrence of risk; and
  
  performing a second type of analysis operations in response to determining that there is the increased security risk, wherein the second type of analysis operations are more computationally-intensive than the first type of analysis operations.
- View Dependent Claims (28, 29, 30)
- - 28. The non-transitory computer readable storage medium of claim 27, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising:
    - receiving a notification message from another computing device that includes risk information; and
      
      determining that there is the increased security risk based on the risk information included in the received notification message and a distance to the another computing device sending the received notification message.
  - 29. The non-transitory computer readable storage medium of claim 27, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - performing the first type of analysis operations comprises performing lightweight analysis operations; and
      
      performing the second type of analysis operations comprises performing robust analysis operations.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that performing robust analysis operations comprises identifying another security risk that is different than the increased security risk detected via lightweight analysis operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Jakobsson, Bjorn Marcus, Gupta, Rajarshi, Sridhara, Vinay

Application Number

US14/616,794
Publication Number

US 20160232353A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

Determining Model Protection Level On-Device based on Malware Detection in Similar Devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

153 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Determining Model Protection Level On-Device based on Malware Detection in Similar Devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

153 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links