Runtime risk detection based on user, application, and system action sequence correlation

DC CAFC

US 8,850,517 B2
Filed: 01/15/2013
Issued: 09/30/2014
Est. Priority Date: 01/15/2013
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for assessing runtime risk for an application program that executes on a device, comprising:

storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence;

storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules;

identifying, using at least one assessment policy, a runtime risk for an application program that executes on a device, wherein the identified runtime risk indicates a risk or threat of the identified action sequence of the application; and

identifying, by a runtime monitor including a processing device, a behavior score for the application program that executes on the device based on the identified runtime risk, whereinthe action sequence is a sequence of at least two performed actions, andeach performed action is at least one of;

a user action, an application action, and a system action.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

3 Petitions

Accused Products

Abstract

A method for assessing runtime risk for an application or device includes: storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence; storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; identifying, using at least one assessment policy, a runtime risk for an application or device, wherein the identified runtime risk identifies and predicts a specific type of threat; and identifying, by a processing device, a behavior score for the application or device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action.

Citations

24 Claims

1. A method for assessing runtime risk for an application program that executes on a device, comprising:
- storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence;
  
  storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules;
  
  identifying, using at least one assessment policy, a runtime risk for an application program that executes on a device, wherein the identified runtime risk indicates a risk or threat of the identified action sequence of the application; and
  
  identifying, by a runtime monitor including a processing device, a behavior score for the application program that executes on the device based on the identified runtime risk, whereinthe action sequence is a sequence of at least two performed actions, andeach performed action is at least one of;
  
  a user action, an application action, and a system action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the user action is any form of explicit input from a user of a computing system.
  - 3. The method of claim 1, wherein the application action is any activity performed by the application initiated programmatically by a task in execution of a computing system.
  - 4. The method of claim 1, wherein the system action is any operation performed by a computing system on behalf of, or as a consequence of, a user action or application action that changes the state of the computing system.
  - 5. The method of claim 1, wherein a first action of the at least two performed actions is performed at a first time, and the second action of the at least two performed actions is performed at a second time.
  - 6. The method of claim 5, whereinthe first action is a user action,the second action is a system action, andthe second time occurs after the first time.
  - 7. The method of claim 5, whereinthe first action is a user action,the second action is an application action, andthe second time occurs after the first time.
  - 8. The method of claim 5, whereinthe first action is an application action,the second action is a system action, andthe second time occurs after the first time.
  - 9. The method of claim 1, whereinthe action sequence includes three performed actions,a first action of the three performed actions is a user action,a second action of the three performed actions is an application action,a third action of the three performed actions is a system action,the second action is performed temporally after the first action, andthe third action is performed temporally after the second action.
  - 10. The method of claim 1, wherein the runtime risk is identified based on matching rules and probabilistic weights and scores of performed actions on the device.
  - 11. The method of claim 1, wherein the runtime risk is identified based on time proximity of the at least two performed actions of the action sequence and natural affinity inferred between the at least two performed actions.
  - 12. The method of claim 1, further comprising:
    - assessing, by the processing device, that the at least two performed actions of the action sequence describe a forensic chain of events based on a plurality of factors,wherein the plurality of factors includes at least one of;
      
      ordered sequences, unordered sequences, proximity analysis, outliers, probabilistic weights and scores, and probable action inferences based on an application'"'"'s competency.

13. A system for assessing runtime risk for an application program that executes on a device, comprising:
- a rules database storing a plurality of rules, wherein each rule identifies an action sequence;
  
  a policy database storing a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; and
  
  a runtime monitor including a processing deviceidentifying, using at least one assessment policy, a runtime risk for an application program that executes on a device, wherein the identified runtime risk indicates a risk or threat of the identified action sequence of the application, andidentifying a behavior score for the application program that executes on the device based on the identified runtime risk, whereinthe action sequence is a sequence of at least two performed actions, andeach performed action is at least one of;
  
  a user action, an application action, and a system action.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the user action is any form of explicit input from a user of a computing system.
  - 15. The system of claim 13, wherein the application action is any activity performed by the application initiated programmatically by a task in execution of a computing system.
  - 16. The system of claim 13, wherein the system action is any operation performed by a computing system on behalf of, or as a consequence of, a user action or application action that changes the state of the computing system.
  - 17. The system of claim 13, wherein a first action of the at least two performed actions is performed at a first time, and the second action of the at least two performed actions is performed at a second time.
  - 18. The system of claim 17, whereinthe first action is a user action,the second action is a system action, andthe second time occurs after the first time.
  - 19. The system of claim 17, whereinthe first action is a user action,the second action is an application action, andthe second time occurs after the first time.
  - 20. The system of claim 17, whereinthe first action is an application action,the second action is a system action, andthe second time occurs after the first time.
  - 21. The system of claim 13, whereinthe action sequence includes three performed actions,a first action of the three performed actions is a user action,a second action of the three performed actions is an application action,a third action of the three performed actions is a system action,the second action is performed temporally after the first action, andthe third action is performed temporally after the second action.
  - 22. The system of claim 13, wherein the runtime risk is identified based on matching rules and probabilistic weights and scores of performed actions on the device.
  - 23. The system of claim 13, wherein the runtime risk is identified based on time proximity of the at least two performed actions of the action sequence and natural affinity inferred between the at least two performed actions.
  - 24. The system of claim 13, whereinthe processing device assesses that the at least two performed actions of the action sequence describe a forensic chain of events based on a plurality of factors, andthe plurality of factors includes at least one of:
    - ordered sequences, unordered sequences, proximity analysis, outliers, probabilistic weights and scores, and probable action inferences based on an application'"'"'s competency.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
Taasera, Inc. (Full Circle Investments, Inc.)
Inventors
Kumar, Srinivas
Primary Examiner(s)
Patel, Haresh N

Application Number

US13/741,878
Publication Number

US 20140201806A1
Time in Patent Office

623 Days
Field of Search

726 1- 10, 709/223
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Runtime risk detection based on user, application, and system action sequence correlation

First Claim

3 Assignments

Litigations

3 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Runtime risk detection based on user, application, and system action sequence correlation

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

3 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links