Malware detection system and method for limited access mobile platforms
First Claim
1. A method of defining rules for detecting malware in a target application on a limited access platform, the method comprising:
- extracting feature elements from non-executable portions of a plurality of applications without extracting feature elements from executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, wherein the executable portions comprise portions of the applications outside of the file headers, and wherein one or more of the plurality of applications are known to be malware-infected;
- forming one or more feature sets for the plurality of applications such that each of the feature sets includes one or more of the feature elements extracted from the non-executable portions of the applications;
- characterizing each of the feature sets as either malware-infected or malware-free based on whether the applications from which the feature elements of the feature set were extracted are malware-infected;
- defining, by a computing device, one or more rules that each specify a respective combination of the feature elements that are characteristic of the feature sets characterized as malware-infected and that are not characteristic of the feature sets characterized as malware-free, wherein when applied to a non-executable portion comprising a file header of a target application, the rules identify the target application as malware-infected when the target application has a feature set including the combination of feature elements specified by the respective rule; and
- providing the rules to a mobile device comprising a limited access platform.
Abstract
A system and method for detecting malware on a limited access mobile platform in a mobile network. The system and method use one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compare an application on the limited access mobile platform to the feature sets. A match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.
Claims (29 in total)

1. (Independent claim; its text is reproduced under First Claim above.) Dependent claims 2 through 9 depend from claim 1.
10. A method of detecting malware in a target application on a limited access platform comprising a mobile device, the method comprising:
- obtaining a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications without identifying feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the headers;
- extracting a feature set from a non-executable portion of the target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application;
- applying, by the mobile device, one or more of the plurality of rules to the feature set of the target application to determine a match comparison of the extracted feature set to the rules; and
- determining that the target application is malware-infected when application of at least one of the plurality of rules to the extracted feature set results in a match.
Dependent claims 11 through 15 depend from claim 10.
16. A limited access platform for detecting malware, the limited access platform comprising:
- a feature data store comprising a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications and that do not identify feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the file headers;
- means for extracting a feature set from a non-executable portion of a target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application;
- means for applying one or more of the plurality of rules to the extracted feature set of the target application on the limited access platform to determine a match comparison of the extracted feature set to the rules; and
- means for determining that the target application is malware-infected when application of at least one of the plurality of rules to the extracted feature set results in a match.
Dependent claims 17 through 27 depend from claim 16.
28. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor to:
- extract feature elements from non-executable portions of a plurality of applications without extracting feature elements from executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, wherein the executable portions comprise portions of the applications outside of the file headers, and wherein one or more of the plurality of applications are known to be malware-infected;
- form one or more feature sets for the plurality of applications such that each of the feature sets includes one or more of the feature elements extracted from the applications;
- characterize each of the feature sets as either malware-infected or malware-free based on whether the applications from which the feature elements of the feature set were extracted are malware-infected;
- define, by a computing device, one or more rules that each specify a respective combination of the feature elements that are characteristic of the feature sets characterized as malware-infected and that are not characteristic of the feature sets characterized as malware-free, wherein when applied to a non-executable portion comprising a file header of a target application, the rules identify the target application as malware-infected when the target application has a feature set including the combination of feature elements specified by the respective rule; and
- provide the rules to a mobile device comprising a limited access platform.
29. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of a mobile device to:
- obtain a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications without identifying feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the file headers;
- extract a feature set from a non-executable portion of a target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application;
- apply one or more of the plurality of rules to the feature set of the target application to determine a match comparison of the extracted feature set to the rules; and
- determine that the target application is malware-infected when application of at least one of the plurality of rules to the extracted feature set results in a match.
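The two halves of the claimed method, rule definition on a computing device (claims 1 and 28) and rule application on the mobile device (claims 10, 16 and 29), as an added worked example in Python. This code was written for this page; it is not the patent holder's or any vendor's implementation. The header field names (`signer`, `permissions`, `min_api`) and the five labelled sample headers are constructed assumptions, and the rule-mining criterion used here (a combination of at most `max_size` header feature elements that is present in at least `min_support` malware-infected feature sets and in no malware-free feature set) is one concrete reading of "characteristic of the infected feature sets and not characteristic of the malware-free feature sets", not a definition taken from the patent.

```python
from itertools import combinations


def extract_features(header):
    """Flatten a parsed file-header dict into a set of (field, value) feature
    elements. Only header fields are read; nothing from the executable body is
    touched, mirroring the 'non-executable portions only' limitation.
    The header dicts are constructed samples with assumed field names."""
    features = set()
    for field, value in header.items():
        values = value if isinstance(value, (list, tuple, set)) else [value]
        for v in values:
            features.add((field, str(v)))
    return frozenset(features)


# Constructed training corpus (assumed field names, not real application
# headers): (header, is_malware_infected).
TRAINING_HEADERS = [
    ({"signer": "none", "permissions": ["SEND_SMS", "INTERNET"], "min_api": 3}, True),
    ({"signer": "none", "permissions": ["SEND_SMS", "READ_CONTACTS"], "min_api": 4}, True),
    ({"signer": "vendor", "permissions": ["SEND_SMS", "INTERNET"], "min_api": 8}, False),
    ({"signer": "none", "permissions": ["INTERNET"], "min_api": 8}, False),
    ({"signer": "vendor", "permissions": ["READ_CONTACTS"], "min_api": 10}, False),
]


def define_rules(labelled_headers, max_size=2, min_support=2):
    """Computing-device side (claims 1 / 28): form a feature set per
    application, label it by the application's known status, then emit every
    combination of feature elements that occurs in at least `min_support`
    malware-infected feature sets and in no malware-free feature set.
    Supersets of an already-found rule are skipped so the list stays minimal."""
    feature_sets = [(extract_features(h), infected) for h, infected in labelled_headers]
    infected_sets = [fs for fs, inf in feature_sets if inf]
    clean_sets = [fs for fs, inf in feature_sets if not inf]
    # Candidate elements are only those seen in some infected feature set.
    candidates = set().union(*infected_sets)
    rules = []
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(candidates), size):
            combo = frozenset(combo)
            if any(rule <= combo for rule in rules):
                continue  # a smaller rule already covers this combination
            support = sum(combo <= fs for fs in infected_sets)
            present_in_clean = any(combo <= fs for fs in clean_sets)
            if support >= min_support and not present_in_clean:
                rules.append(combo)
    return rules


def matches(rules, header):
    """Mobile-device side (claims 10 / 16 / 29): extract the target's header
    feature set and apply the provided rules. The target is flagged when at
    least one rule's combination is contained in its feature set.
    Returns the first matching rule, or None when no rule matches."""
    fs = extract_features(header)
    for rule in rules:
        if rule <= fs:
            return rule
    return None


if __name__ == "__main__":
    rules = define_rules(TRAINING_HEADERS)
    for rule in rules:
        print("rule:", sorted(rule))
    target = {"signer": "none", "permissions": ["SEND_SMS", "INTERNET"], "min_api": 9}
    print("target flagged by:", matches(rules, target))
```

With the defaults the miner emits a single rule, `signer=none` together with `permissions=SEND_SMS`: both infected samples carry it and none of the three clean ones do. Lowering `min_support` to 1 admits rules that key on a single `min_api` value seen in exactly one infected sample, which is the overfitting the support threshold exists to prevent. Because only header fields are evaluated, the on-device check needs no disassembly or execution of the body, which is what makes it cheap enough for a limited access platform; the flip side is that header fields are also cheap for an author to change, so the rule set pushed to devices needs to be regenerated as the labelled corpus grows.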
Specification