Application-level anomaly detection

US 9,141,792 B2
Filed: 09/18/2013
Issued: 09/22/2015
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;

comparing the one or more activities performed by the application with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies in the application, wherein comparing further comprises using an anomaly detection method to determine whether information produced by the anomaly detection method meets criteria in the policy configuration file, wherein a comparison detects presence of the one or more anomalies in response to the information meeting the criteria; and

in response to the comparison detecting presence of one or more anomalies, storing one or more indications comprising the presence and characteristics of the one or more anomalies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed.

62 Citations

View as Search Results

19 Claims

1. A method, comprising:
- intercepting one or more activities performed by an application on a computing device, the intercepting using an instrumentation layer separating the application from an operating system on the computing device;
  
  comparing the one or more activities performed by the application with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies in the application, wherein comparing further comprises using an anomaly detection method to determine whether information produced by the anomaly detection method meets criteria in the policy configuration file, wherein a comparison detects presence of the one or more anomalies in response to the information meeting the criteria; and
  
  in response to the comparison detecting presence of one or more anomalies, storing one or more indications comprising the presence and characteristics of the one or more anomalies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the policy configuration file is separate from a process that performs the comparing and storing.
  - 3. The method of claim 2, further comprising receiving the policy configuration file or an update to the policy configuration file using a network.
  - 4. The method of claim 2, wherein the policy configuration file is one of a text file, a JavaScript object notation input file, or an extensible markup file.
  - 5. The method of claim 1, wherein intercepting further comprises intercepting all activities performed by the application by using the instrumentation layer.
  - 6. The method of claim 1, further comprising in response to being in a first mode, sending the stored one or more indications of the anomalies over a network toward a server.
  - 7. The method of claim 6, further comprising in response to being in a second mode, performing the following:
    - analyzing the one or more indications of the one or more anomalies to determine whether one or more corrective actions should be implemented; and
      
      responsive to a determination one or more corrective actions should be implemented based on the analyzing, implementing the one or more corrective actions.
  - 8. The method of claim 7, further comprising updating a model used to determine whether the one or more anomalies occurs based on the policy configuration file.
  - 9. The method of claim 8, wherein the model comprises an event-condition-action model, wherein events, conditions, and actions are described by the policy configuration file.
  - 10. The method of claim 7, wherein the first mode is a connected mode and the second mode is a disconnected mode.
  - 11. The method of claim 10, wherein the connected mode is entered in response to the computing device being able to connect to the server and wherein the disconnected mode is entered in response to the computing device not being able to connect to the server.
  - 12. The method of claim 1, wherein the one or more anomalies comprise one or more of a privileged control access on the operating system, a difference in a wireless service provider as compared to one or more allowed wireless service providers, a difference in WiFi network as compared to one or more allowed WiFi networks, an unallowed location as compared to one or more allowed locations, an attempt to reach a forbidden domain, an attempt to use an unauthorized data storage repository, an inconsistent time of use of the computing device as compared to previous uses of the computing device, unauthorized or inconsistent usage of the application, and problems in the application.
  - 13. The method of claim 1, wherein the one or more anomalies comprise a problem in the application.
  - 14. The method of claim 13, wherein the one or more indications comprise data about a sequence of inputs created by a user using the application and one or more indications of a problem caused by the sequence of inputs.
  - 15. The method of claim 13, wherein the one or more indications comprise data about a window created by the application and presented on a display of the computing device and data about the window.
  - 16. The method of claim 1, wherein the computing device is a mobile computing device.

17. A method, comprising:
- receiving one or more indications of presence and characteristics of one or more anomalies experienced by an application on one or more computing devices, wherein the one or more indications of one or more activities are determined by the one or more computing devices intercepting the one or more activities using an instrumentation layer separating the application from an operating system on the one or more computing devices, and wherein a presence of the one or more anomalies comprise being detected in response to the information produced by an anomaly detection method meets criteria in a policy configuration file;
  
  analyzing the one or more indications of the one or more anomalies in the application to determine whether one or more corrective actions concerning the application should be issued; and
  
  responsive to a determination one or more corrective actions should be issued based on the analyzing, issuing the one or more corrective actions to the one or more computing devices.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein at least the analyzing is performed using a policy configuration file that is a same policy configuration file as on the one or more computing devices.
  - 19. The method of claim 17, wherein the one or more anomalies comprise one or more of a privileged control access on the operating system, a difference in a wireless service provider as compared to one or more allowed wireless service providers, a difference in WiFi network as compared to one or more allowed WiFi networks, an unallowed location as compared to one or more allowed locations, an attempt to reach a forbidden domain, an attempt to use an unauthorized data storage repository, an inconsistent time of use of the computing device as compared to previous uses of the computing device, unauthorized or inconsistent usage of the application, and problems in the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baluda, Mauro, Castro, Paul C., Pistoia, Marco, Ponzo, John J.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
KHAN, SHER A

Application Number

US14/030,337
Publication Number

US 20140137246A1
Time in Patent Office

734 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/568   eliminating virus, restorin...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2115   Third party

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04W 12/08   Access security

Application-level anomaly detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Application-level anomaly detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links