Detecting unauthorized use of computing devices based on behavioral patterns
First Claim
1. A method for behavior-based malware detection on a device comprising:
detecting one or more system calls in an application kernel of the device;
monitoring at least one user input event and at least one display event associated with said one or more system calls;
constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
based on said one or more event pairs, extracting user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
storing said extracted user-behavior features in a user profile; and
detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
Abstract
Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.
Claims (21 claims; 266 citations)
1. A method for behavior-based malware detection on a device comprising: (independent claim; text identical to the claim given under First Claim above.) Dependent claims: 2, 3, 4, 5.

6. An apparatus comprising:
a usage pattern detection subsystem comprising:
an activity monitor component configured to:
detect one or more system calls; and
monitor at least one user input event and at least one output event associated with said one or more system calls; and
a pattern generation component configured to:
construct a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
observe one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event; and
based on said one or more event pairs, extract user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
an unauthorized use testing sub-system configured to detect unauthorized use of the apparatus by detecting a deviation from said one or more acceptable user behavioral patterns; and
a memory storing a user profile comprising said one or more acceptable user behavioral patterns.
Dependent claims: 7, 8, 9, 10, 11.

12. An apparatus for behavior-based malware detection on a device comprising:
means for detecting one or more system calls in an application kernel of the device;
means for monitoring at least one user input event and at least one display event associated with said one or more system calls;
means for constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
means for observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
means for extracting, based on said one or more event pairs, user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
means for storing said extracted user-behavior features in a user profile; and
means for detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
Dependent claims: 13, 14, 15, 16.

17. A non-transitory program storage device readable by a machine, tangibly embodying a set of computer instructions executable by the machine to perform a method for behavior-based malware detection on a device, the method comprising:
detecting one or more system calls in an application kernel of the device;
monitoring at least one user input event and at least one display event associated with said one or more system calls;
constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
based on said one or more event pairs, extracting user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
storing said extracted user-behavior features in a user profile; and
detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
Dependent claims: 18, 19, 20, 21.
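To make the claimed pipeline concrete, the following is an added Python sketch, not code from the patent or any product: it builds a behavior graph from a constructed event trace, correlates each system call with the user input event before it and the display event after it, stores the resulting event patterns and their transitions as a user profile, and reports how a new trace deviates from that profile. The 50 ms correlation window, the event names and the trace contents are assumptions.

```python
# Constructed training trace: (time_ms, kind, name). kind is "syscall",
# "input" (user input event) or "display" (display/output event).
TRAINING = [
    (0, "input", "click"), (5, "syscall", "open"), (20, "display", "dialog"),
    (100, "input", "keypress"), (105, "syscall", "write"), (120, "display", "redraw"),
    (200, "input", "click"), (205, "syscall", "open"), (230, "display", "dialog"),
]
WINDOW_MS = 50  # assumed window for correlating a syscall with input/display events


def build_graph(trace):
    """Behavior graph: each syscall node is linked to the nearest user input
    event preceding it and the first display event following it within WINDOW_MS."""
    graph = {}
    for i, (t, kind, name) in enumerate(trace):
        if kind != "syscall":
            continue
        before = [e for e in trace[:i] if e[1] == "input" and t - e[0] <= WINDOW_MS]
        after = [e for e in trace[i + 1:] if e[1] == "display" and e[0] - t <= WINDOW_MS]
        graph[(t, name)] = (before[-1] if before else None, after[0] if after else None)
    return graph


def event_pairs(graph):
    """Event pairs: (syscall, input name, display name) for syscalls whose input
    and display events are both present; syscalls lacking either are uncorrelated."""
    pairs, uncorrelated = [], []
    for (t, name), (inp, disp) in sorted(graph.items()):
        if inp and disp:
            pairs.append((name, inp[2], disp[2]))
        else:
            uncorrelated.append((t, name))
    return pairs, uncorrelated


def extract_profile(trace):
    """User profile: acceptable event patterns plus the transitions observed
    between consecutive event pairs (the claim's 'transition information')."""
    pairs, _ = event_pairs(build_graph(trace))
    return {"patterns": set(pairs), "transitions": set(zip(pairs, pairs[1:]))}


def detect_deviation(profile, trace):
    """Return the list of deviations of trace from profile (empty list = acceptable)."""
    pairs, uncorrelated = event_pairs(build_graph(trace))
    reasons = [f"syscall {n} at {t}ms has no correlated input/display event" for t, n in uncorrelated]
    reasons += [f"unseen pattern {p}" for p in pairs if p not in profile["patterns"]]
    reasons += [f"unseen transition {a}->{b}" for a, b in zip(pairs, pairs[1:])
                if (a, b) not in profile["transitions"]]
    return reasons
```

A trace of system calls with no surrounding user input or display activity, as an automated process would produce, is reported as uncorrelated even when the individual calls are ones the user normally makes.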