System and method for detecting energy consumption anomalies and mobile malware variants

US 8,332,945 B2
Filed: 06/04/2010
Issued: 12/11/2012
Est. Priority Date: 06/05/2009
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malware applications residing on a mobile device powered by a battery, comprising:

a data store that stores a plurality of known power signatures, each of the power signatures signifying a power consumption pattern of an application;

a power monitoring module, implemented as computer executable instructions executed by a computer processor, that measures power drawn from the battery, wherein the power monitoring module includesa current measurement device interposed between the battery and a load of the mobile device and operable to output a current proportional to a current drawn by the mobile device;

a capacitor coupled between the current measurement device and ground and configured to receive the current output by the current measurement device; and

a microcontroller configured to measure voltage stored by the capacitor;

a data analysis module, implemented as computer executable instructions executed by a computer processor, that receives power measures from the power monitor and extracts a power history signature from the power measures, the data analysis module compares the power history signature with a plurality of known power signatures and initiates a protective operation if the power history signature matches one or more of the known power signatures.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is presented for detecting malware applications residing on a mobile device powered by a battery. The system includes a power monitoring module, a data analysis module and a data store that stores a plurality of known power signatures signifying a power consumption anomaly. The power monitoring module measures power drawn from the battery and the data analysis module extracts a power history signature from the power measures. The data analysis module then compares the power history signature with the plurality of known power signatures and initiates a protective operation if the power history signature is closely correlated to one or more of the known power signatures.

Citations

28 Claims

1. A system for detecting malware applications residing on a mobile device powered by a battery, comprising:
- a data store that stores a plurality of known power signatures, each of the power signatures signifying a power consumption pattern of an application;
  
  a power monitoring module, implemented as computer executable instructions executed by a computer processor, that measures power drawn from the battery, wherein the power monitoring module includesa current measurement device interposed between the battery and a load of the mobile device and operable to output a current proportional to a current drawn by the mobile device;
  
  a capacitor coupled between the current measurement device and ground and configured to receive the current output by the current measurement device; and
  
  a microcontroller configured to measure voltage stored by the capacitor;
  
  a data analysis module, implemented as computer executable instructions executed by a computer processor, that receives power measures from the power monitor and extracts a power history signature from the power measures, the data analysis module compares the power history signature with a plurality of known power signatures and initiates a protective operation if the power history signature matches one or more of the known power signatures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1 wherein the power monitoring module measure voltage and current drawn from the battery and calculates power by integrating product of the current and the voltage sampled over a period of time.
  - 3. The system of claim 2 wherein the power monitoring module samples at random time intervals.
  - 4. The system of claim 1 wherein the data analysis module filters power measurements using a moving average filter.
  - 5. The system of claim 1 wherein the data analysis module compresses power measurements using a compression algorithm.
  - 6. The system of claim 1 wherein the data analysis module computes a similarity measure between the power history signature and plurality of known power signatures.
  - 7. The system of claim 6 wherein the data analysis module computes a chi-square distance between the power history signature and each of the plurality of known power signatures.
  - 8. The system of claim 7 wherein the data analysis module initiates a protective operation when the chi-square distance is less than a threshold.
  - 9. The system of claim 6 wherein the data analysis module initiates a protective operation when the similarity measure for given known power signature is less than a threshold and the given known power signature is labeled as malicious, where each of the plurality of known power signatures is labeled as legitimate or malicious.
  - 10. The system of claim 9 wherein the data analysis module updates the data store with the power history signature when the similarity measure for given known power signature is less than a threshold and the given known power signature is labeled as malicious, where each of the plurality of known power signatures is labeled as legitimate or malicious.
  - 11. The system of claim 1 wherein the power monitoring module compiles a history of power consumption by the mobile device over a period of time.
  - 12. The system of claim 11 further comprises a usage monitor associated with the power monitoring module that monitors an amount of power being used by the mobile device and compiles the power consumption history when the amount of power used, in relation to an amount of expected power usage, exceeds a predetermined threshold.
  - 13. The system of claim 12 wherein the usage monitor determines an operating state of the mobile device and compares the amount of power used to an amount of expected power usage associated with the current operating state of the mobile device, where the mobile device operates in a plurality of operating states having different amounts of expected power usage.
  - 14. The system of claim 11 wherein a usage monitor associated with the power monitoring module that monitors an amount of power being used by the mobile device and compiles the power consumption history whenever a context switch occurs in an operating system executing on the mobile device.
  - 15. The system of claim 1 wherein the power monitoring module further includes a transistor coupled in parallel with the capacitor, where the microcontroller controls the transistor to discharge the capacitor between voltage measurements.
  - 16. The system of claim 1 wherein a protective operation includes at least one of removing the malware application, quarantining the malware application, generating an alert to an operating system of the device, or generating an alert to a user of the device.
  - 17. The system of claim 1 wherein the data analysis module resides on a server remote from the mobile device and the power monitoring module resides on the mobile device and transmits the power measures over a communication link to the data analysis module.
  - 18. The system of claim 1 wherein the data store resides on a server.

19. A mobile computing device powered by a battery, comprising:
- a data store for storing a plurality of known power signatures, each of the power signatures signifying a power consumption pattern of an application;
  
  a power monitoring module that measures power drawn from the battery and generates a power consumption history indicating amounts of power drawn from the battery at various times, wherein the power monitoring module includesa current measurement device interposed between the battery and a load of the mobile computing device and operable to output a current proportional to a current drawn by the mobile computing device;
  
  a capacitor coupled between the current measurement device and ground and configured to receive the current output by the current measurement device; and
  
  a microcontroller configured to measure voltage stored by the capacitor;
  
  a data analysis module embodied as computer executable instructions in computer memory receives the power consumption history from the power monitoring module and extracts a power signature form the power measure,the data analysis module computes a similarity measure between the power signature and each of the plurality of known power signatures and initiates a protective operation when the similarity measure between the power signature and a known power signature corresponding to a malware application exceeds a threshold.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The device of claim 19 wherein the power monitoring module measures a power drawn from the battery by measuring a voltage outputted by the battery and a current generated by the battery.
  - 21. The device of claim 19 further comprising a usage monitor associated with the power monitoring module that monitors an amount of power being used by the mobile device and that signals to the power monitoring module to generate the power consumption history when the amount of power used, in relation to an expected amount of power usage, exceeds a predetermined threshold.
  - 22. The device of claim 19 further comprising a noise filter associated with the data analysis module that filters high-frequency noise from the power consumption history.
  - 23. The device of claim 19 further comprising a data compression module associated with the data analysis module that reduces the size of the power consumption history using a compression algorithm.
  - 24. The device of claim 19 wherein a protective operation includes at least one of removing the malware application, quarantining the malware application, generating an alert to an operating system of the device, or generating an alert to a user of the device.
  - 25. The device of claim 19 wherein the data analysis module measures a chi-square distance between the power signature and the known power signatures.
  - 26. The device of claim 25 wherein the data analysis module determines a match between the power signature and a closest known power signature when the chi square distance is less than a predetermined threshold.
  - 27. The device of claim 26 wherein the data analysis module determines a non-match between the power signature and the closest known power signature when the chi square distance is greater than a predetermined threshold.
  - 28. The system of claim 19 wherein the power monitoring module further includes a transistor coupled in parallel with the capacitor, where the microcontroller controls the transistor to discharge the capacitor between voltage measurements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Kim, Hahnsang, Shin, Kang G.
Primary Examiner(s)
Laforgia, Christian

Application Number

US12/793,929
Publication Number

US 20100313270A1
Time in Patent Office

921 Days
Field of Search

726 22- 25, 713/188, 713/340
US Class Current

726/24
CPC Class Codes

G06F 1/28   Supervision thereof, e.g. d...

G06F 21/552   involving long-term monitor...

G06F 21/81   by operating on the power s...

H04L 63/1425   Traffic logging, e.g. anoma...

H04M 1/24   Arrangements for testing

H04W 12/125   Protection against power ex...

H04W 12/128   Anti-malware arrangements, ...

H04W 52/0264   by selectively disabling so...

Y02D 30/70   in wireless communication n...

System and method for detecting energy consumption anomalies and mobile malware variants

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting energy consumption anomalies and mobile malware variants

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links