Runtime risk detection based on user, application, and system action sequence correlation
Abstract
A method for assessing runtime risk for an application or device includes: storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence; storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; identifying, using at least one assessment policy, a runtime risk for an application or device, wherein the identified runtime risk identifies and predicts a specific type of threat; and identifying, by a processing device, a behavior score for the application or device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.
24 Claims
1. A method for assessing runtime risk for an application program that executes on a device, comprising:
- storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence;
- storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules;
- identifying, using at least one assessment policy, a runtime risk for an application program that executes on a device, wherein the identified runtime risk indicates a risk or threat of the identified action sequence of the application; and
- identifying, by a runtime monitor including a processing device, a behavior score for the application program that executes on the device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system for assessing runtime risk for an application program that executes on a device, comprising:
- a rules database storing a plurality of rules, wherein each rule identifies an action sequence;
- a policy database storing a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; and
- a runtime monitor including a processing device identifying, using at least one assessment policy, a runtime risk for an application program that executes on a device, wherein the identified runtime risk indicates a risk or threat of the identified action sequence of the application, and identifying a behavior score for the application program that executes on the device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Specification