Application-level anomaly detection

US 8,931,101 B2
Filed: 11/14/2012
Issued: 01/06/2015
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

one or more memories comprising computer-readable code; and

one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform;

intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;

comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;

in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;

in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;

in response to being in a second mode;

analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and

responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and

updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed.

33 Citations

View as Search Results

22 Claims

1. A computing device comprising:
- one or more memories comprising computer-readable code; and
  
  one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform;
  
  intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
  
  comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
  
  in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computing device of claim 1, wherein the policy configuration file is separate from a process that performs the comparing and storing.
  - 3. The computing device of claim 2, wherein the one or more processors are further configured in response to executing the computer-readable code to cause the computing device to perform:
    - receiving the policy configuration file or an update to the policy configuration file using a network.
  - 4. The computing device of claim 2, wherein the policy configuration file is one of a text file, a JavaScript object notation input file, or an extensible markup file.
  - 5. The computing device of claim 1, wherein intercepting further comprises intercepting all activities performed by the application by using the instrumentation layer.
  - 6. The computing device of claim 1, wherein the model comprises an event-condition-action model, wherein events, conditions, and actions are described by the policy configuration file.
  - 7. The computing device of claim 1, wherein the first mode is a connected mode and the second mode is a disconnected mode.
  - 8. The computing device of claim 7, wherein the connected mode is entered in response to the computing device being able to connect to the server and wherein the disconnected mode is entered in response to the computing device not being able to connect to the server.
  - 9. The computing device of claim 1, wherein comparing further comprises using an anomaly detection method to determine whether information produced by the anomaly detection method meets criteria in the policy configuration file, wherein a comparison detects presence of the one or more anomalies in response to the information meeting the criteria.
  - 10. The computing device of claim 1, wherein the one or more anomalies comprise one or more of a privileged control access on the operating system, a difference in a wireless service provider as compared to one or more allowed wireless service providers, a difference in WiFi network as compared to one or more allowed WiFi networks, an unallowed location as compared to one or more allowed locations, an attempt to reach a forbidden domain, an attempt to use an unauthorized data storage repository, an inconsistent time of use of the computing device as compared to previous uses of the computing device, unauthorized or inconsistent usage of the application, and problems in the application.
  - 11. The computing device of claim 1, wherein the one or more anomalies comprise a problem in the application.
  - 12. The computing device of claim 11, wherein the one or more indications comprise data about a sequence of inputs created by a user using the application and one or more indications of a problem caused by the sequence of inputs.
  - 13. The computing device of claim 11, wherein the one or more indications comprise data about a window created by the application and presented on a display of the computing device and data about the window.
  - 14. The computing device of claim 1, wherein the computing device is a mobile computing device.

15. A computing device comprising:
- one or more memories comprising computer-readable code; and
  
  one or more processors, configured in response to executing the computer-readable code to cause the computing device to perform;
  
  receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
  
  responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
- View Dependent Claims (16, 17, 18)
- - 16. The computing device of claim 15, wherein the one or more indications of one or more activities are determined by the one or more computing devices intercepting the one or more activities using an instrumentation layer separating the application from an operating system on the one or more computing devices.
  - 17. The computing device of claim 15, wherein the policy configuration file is a same policy configuration file as on the one or more computing devices.
  - 18. The computing device of claim 15, wherein the one or more anomalies comprise one or more of a privileged control access on the operating system, a difference in a wireless service provider as compared to one or more allowed wireless service providers, a difference in WiFi network as compared to one or more allowed WiFi networks, an unallowed location as compared to one or more allowed locations, an attempt to reach a forbidden domain, an attempt to use an unauthorized data storage repository, an inconsistent time of use of the computing device as compared to previous uses of the computing device, unauthorized or inconsistent usage of the application, and problems in the application.

19. A computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable by a computing system to cause the computing system to perform:
- intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
  
  comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
  
  in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.

20. A computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable by a computing system to cause the computing system to perform:
- receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
  
  responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.

21. A method, comprising:
- intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
  
  comparing the one or more activities with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies;
  
  in response to the comparison detecting presence of one or more anomalies, storing one or more indications of the one or more anomalies;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.

22. A method, comprising:
- receiving one or more indications of one or more anomalies experienced by an application on one or more computing devices;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be issued, wherein at least the analyzing is performed using a policy configuration file;
  
  responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices;
  
  in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server;
  
  in response to being in a second mode;
  
  analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
  
  responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions; and
  
  updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baluda, Mauro, Castro, Paul C., Pistoia, Marco, Ponzo, John J.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
KHAN, SHER A

Application Number

US13/676,438
Publication Number

US 20140137239A1
Time in Patent Office

783 Days
Field of Search

380/1, 713/1, 726/1, 726 22- 25, 726/3
US Class Current

726/24
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2115   Third party

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04W 12/08   Access security

Application-level anomaly detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Application-level anomaly detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links