Detecting unauthorized use of computing devices based on behavioral patterns

US 8,595,834 B2
Filed: 02/04/2008
Issued: 11/26/2013
Est. Priority Date: 02/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method for behavior-based malware detection on a device comprising:

detecting one or more system calls in an application kernel of the device;

monitoring at least one user input event and at least one display event associated with said one or more system calls;

constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;

observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;

based on said one or more event pairs, extracting user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;

storing said extracted user-behavior features in a user profile; and

detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.

266 Citations

21 Claims

1. A method for behavior-based malware detection on a device comprising:
- detecting one or more system calls in an application kernel of the device;
  
  monitoring at least one user input event and at least one display event associated with said one or more system calls;
  
  constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
  
  observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
  
  based on said one or more event pairs, extracting user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
  
  storing said extracted user-behavior features in a user profile; and
  
  detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein:
    - said at least one user input event influences said one or more system calls;
      
      said at least one display event reflects display changes based on said one or more system calls;
      
      said one or more acceptable user behavioral patterns further comprise unique patterns of user inputs and outputs based on said at least one user input event and said at least one display event;
      
      said transition information relating to said one or more event pairs comprises a sequence of process state transitions relating to said one or more event pairs;
      
      said one or more acceptable user behavioral patterns includes information about an amount of time between said one or more user input events.
  - 3. The method of claim 1, wherein said one or more acceptable user behavioral patterns includes information about a duration of each user input event.
  - 4. The method of claim 1, wherein:
    - detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile comprises comparing a current pattern of usage to said one or more acceptable user behavioral patterns, and preventing a system call when said current pattern of usage does not match any of said one or more acceptable user behavioral patterns with a predefined tolerance; and
      
      the predefined tolerance is stored in the user profile.
  - 5. The method of claim 1, wherein the method is performed in real-time as kernel level events are attempted to be executed.

6. An apparatus comprising:
- a usage pattern detection subsystem comprising;
  
  an activity monitor component configured to;
  
  detect one or more system calls; and
  
  monitor at least one user input event and at least one output event associated with said one or more system calls; and
  
  a pattern generation component configured to;
  
  construct a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
  
  observe one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event; and
  
  based on said one or more event pairs, extract user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
  
  an unauthorized use testing sub-system configured to detect unauthorized use of the apparatus by detecting a deviation from said one or more acceptable user behavioral patterns; and
  
  a memory storing a user profile comprising said one or more acceptable user behavioral patterns.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, wherein:
    - said at least one user input event influences said one or more system calls;
      
      said at least one display event reflects display changes based on said one or more system calls;
      
      said one or more acceptable user behavioral patterns further comprise unique patterns of user inputs and outputs based on said at least one user input event and said at least one display event;
      
      said transition information relating to said one or more event pairs comprises a sequence of process state transitions relating to said one or more event pairs;
      
      detecting a deviation from said one or more acceptable user behavioral patterns comprises comparing a current pattern of usage to said one or more acceptable user behavioral patterns, and issuing an indication of unauthorized use when said current pattern of usage does not match any of said one or more acceptable user behavioral patterns with a predefined tolerance; and
      
      the apparatus is a mobile phone.
  - 8. The apparatus of claim 7, wherein said one or more system calls are kernel level system calls.
  - 9. The apparatus of claim 7, wherein the indication of unauthorized use causes the apparatus to prevent one or more system support provider components to be used by an application program issuing a system call.
  - 10. The apparatus of claim 7, wherein the indication of unauthorized use causes the apparatus to issue a warning and/or error message.
  - 11. The apparatus of claim 7, wherein the indication of unauthorized use causes the apparatus to perform diagnostics.

12. An apparatus for behavior-based malware detection on a device comprising:
- means for detecting one or more system calls in an application kernel of the device;
  
  means for monitoring at least one user input event and at least one display event associated with said one or more system calls;
  
  means for constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
  
  means for observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
  
  means for extracting, based on said one or more event pairs, user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns transition information relating to said one or more event pairs;
  
  means for storing said extracted user-behavior features in a user profile; and
  
  means for detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein:
    - said at least one user input event influences said one or more system calls;
      
      said at least one display event reflects display changes based on said one or more system calls;
      
      said one or more acceptable user behavioral patterns further comprise unique patterns of user inputs and outputs based on said at least one user input event and said at least one display event;
      
      said transition information relating to said one or more event pairs comprises a sequence of process state transitions relating to said one or more event pairs; and
      
      detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile comprises comparing a current pattern of usage to said one or more acceptable user behavioral patterns, and preventing a system call when said current pattern of usage does not match any of said one or more acceptable user behavioral patterns with a predefined tolerance.
  - 14. The apparatus of claim 12, wherein a user input event represents user input received from a touchscreen display.
  - 15. The apparatus of claim 12, wherein a user input event represents user input received from a keypad.
  - 16. The apparatus of claim 12, wherein the user profile further comprises normal user activities.

17. A non-transitory program storage device readable by a machine, tangibly embodying a set of computer instructions executable by the machine to perform a method for behavior-based malware detection on a device, the method comprising:
- detecting one or more system calls in an application kernel of the device;
  
  monitoring at least one user input event and at least one display event associated with said one or more system calls;
  
  constructing a behavior graph based on said one or more system calls, said at least one user input event, and said at least one display event;
  
  observing one or more event pairs in the behavior graph, wherein each event pair comprises a user input event that is correlated with a display event;
  
  based on said one or more event pairs, extracting user-behavior features from the behavior graph, wherein said user-behavior features comprise one or more acceptable user behavioral patterns and transition information relating to said one or more event pairs;
  
  storing said extracted user-behavior features in a user profile; and
  
  detecting unauthorized use of the device by detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory program storage device of claim 17, wherein:
    - said at least one user input event influences said one or more system calls;
      
      said at least one display event reflects display changes based on said one or more system calls;
      
      said one or more acceptable user behavioral patterns further comprise unique patterns of user inputs and outputs based on said at least one user input event and said at least one display event;
      
      said transition information relating to said one or more event pairs comprises a sequence of process state transitions relating to said one or more event pairs;
      
      detecting a deviation from said one or more acceptable user behavioral patterns stored in the user profile comprises comparing a current pattern of usage to said one or more acceptable user behavioral patterns, and preventing a system call when said current pattern of usage does not match any of said one or more acceptable user behavioral patterns with a predefined tolerance; and
      
      said one or more acceptable user behavioral patterns stored in the user profile are dynamically adjusted based on applications used.
  - 19. The non-transitory program storage device of claim 17, wherein said user-behavior features are used to determine whether to prevent system call from being executed.
  - 20. The non-transitory program storage device of claim 17, wherein the user profile is hashed.
  - 21. The non-transitory program storage device of claim 17, wherein the extracting is performed by a Hidden Markov Model learning engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Xie, Liang, Zhang, Xinwen, Seifert, Jean-Pierre, Aciicmez, Onur, Latifi, Afshin
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Lagor, Alexander

Application Number

US12/025,678
Publication Number

US 20090199296A1
Time in Patent Office

2,122 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Detecting unauthorized use of computing devices based on behavioral patterns

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

266 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting unauthorized use of computing devices based on behavioral patterns

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

266 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links