System and method for detecting energy consumption anomalies and mobile malware variants
Abstract
A system is presented for detecting malware applications residing on a mobile device powered by a battery. The system includes a power monitoring module, a data analysis module and a data store that stores a plurality of known power signatures signifying a power consumption anomaly. The power monitoring module measures power drawn from the battery and the data analysis module extracts a power history signature from the power measures. The data analysis module then compares the power history signature with the plurality of known power signatures and initiates a protective operation if the power history signature is closely correlated to one or more of the known power signatures.
28 Claims
1. A system for detecting malware applications residing on a mobile device powered by a battery, comprising:
- a data store that stores a plurality of known power signatures, each of the power signatures signifying a power consumption pattern of an application;
- a power monitoring module, implemented as computer executable instructions executed by a computer processor, that measures power drawn from the battery, wherein the power monitoring module includes
  - a current measurement device interposed between the battery and a load of the mobile device and operable to output a current proportional to a current drawn by the mobile device;
  - a capacitor coupled between the current measurement device and ground and configured to receive the current output by the current measurement device; and
  - a microcontroller configured to measure voltage stored by the capacitor;
- a data analysis module, implemented as computer executable instructions executed by a computer processor, that receives power measures from the power monitor and extracts a power history signature from the power measures, the data analysis module compares the power history signature with a plurality of known power signatures and initiates a protective operation if the power history signature matches one or more of the known power signatures.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A mobile computing device powered by a battery, comprising:
- a data store for storing a plurality of known power signatures, each of the power signatures signifying a power consumption pattern of an application;
- a power monitoring module that measures power drawn from the battery and generates a power consumption history indicating amounts of power drawn from the battery at various times, wherein the power monitoring module includes
  - a current measurement device interposed between the battery and a load of the mobile computing device and operable to output a current proportional to a current drawn by the mobile computing device;
  - a capacitor coupled between the current measurement device and ground and configured to receive the current output by the current measurement device; and
  - a microcontroller configured to measure voltage stored by the capacitor;
- a data analysis module embodied as computer executable instructions in computer memory receives the power consumption history from the power monitoring module and extracts a power signature from the power measure, the data analysis module computes a similarity measure between the power signature and each of the plurality of known power signatures and initiates a protective operation when the similarity measure between the power signature and a known power signature corresponding to a malware application exceeds a threshold.

Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28
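The measurement and matching chain of claim 19, sketched as an added example that is not code from the patent: capacitor voltage readings become a power history, a signature is extracted, and it is compared against stored signatures with a threshold. The hardware constants, the reset-after-read capacitor behaviour, the zero-mean unit-norm signature and the choice of Pearson correlation as the similarity measure are all assumptions; the page specifies none of them.

```python
import math

# Assumed hardware constants (not given on the page).
C_FARADS = 1e-6       # integrating capacitor
SENSE_RATIO = 1000.0  # load current / sensor output current
DT = 0.01             # seconds between reads; capacitor assumed reset after each read
V_BATT = 3.7          # nominal battery voltage

def power_history(cap_volts):
    """Capacitor voltages -> average power per interval (Q = C*V, I = Q/dt)."""
    return [V_BATT * SENSE_RATIO * C_FARADS * v / DT for v in cap_volts]

def signature(power):
    """Zero-mean, unit-norm vector: matching ignores baseline draw and scale."""
    mean = sum(power) / len(power)
    centered = [p - mean for p in power]
    norm = math.sqrt(sum(c * c for c in centered))
    # A flat trace has no shape to match; return the zero vector.
    return [c / norm for c in centered] if norm > 1e-12 else [0.0] * len(power)

def similarity(a, b):
    """Pearson correlation of two equal-length signatures, in [-1, 1]."""
    if len(a) != len(b):
        raise ValueError("signatures must cover the same number of intervals")
    return sum(x * y for x, y in zip(a, b))

def check(cap_volts, store, threshold=0.9):
    """Name of the malware signature matched above threshold, else None."""
    sig = signature(power_history(cap_volts))
    hits = [(similarity(sig, ref), name)
            for name, (is_malware, ref) in store.items() if is_malware]
    score, name = max(hits, default=(0.0, None))
    return name if score > threshold else None

# Constructed data store: name -> (is_malware, signature of a power pattern in watts).
STORE = {
    "bursty_sender": (True, signature([0.2, 0.2, 1.5, 0.2, 0.2, 0.2, 1.5, 0.2])),
    "slow_ramp":     (True, signature([0.2, 0.4, 0.6, 0.8, 1.0, 1.2, 1.4, 1.6])),
    "idle_baseline": (False, signature([0.3, 0.3, 0.4, 0.3, 0.3, 0.4, 0.3, 0.3])),
}
# Constructed capacitor readings (volts), one per sampling interval.
BURSTY = [0.6, 0.7, 3.9, 0.5, 0.6, 0.8, 4.1, 0.6]
QUIET = [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 0.9, 1.1]
```

Because the signature is mean-removed and normalised, a trace with the same burst timing matches even when the absolute draw differs, while a perfectly flat trace yields a zero vector and never crosses the threshold.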
Specification