Method and system for performing behavioral analysis operations in a mobile device based on application state

US 9,147,072 B2
Filed: 10/28/2013
Issued: 09/29/2015
Est. Priority Date: 10/28/2013
Status: Active Grant

First Claim

Patent Images

1. A method of observing mobile device behaviors in a mobile device to recognize mobile device behaviors that are benign, the method comprising:

monitoring in a processor of the mobile device an activity of a software application or process to collect behavior information;

using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;

determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;

generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and

using the generated behavior vector information structure to determine whether the activity is benign.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices use operating system execution states while monitoring applications executing on a mobile device to perform comprehensive behavioral monitoring and analysis include configuring a mobile device to monitor an activity of a software application, generate a shadow feature value that identifies an operating system execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device may also be configured to intelligently determine whether the operating system execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the operating system execution states of the software applications for which such determinations are relevant.

Citations

9 Claims

1. A method of observing mobile device behaviors in a mobile device to recognize mobile device behaviors that are benign, the method comprising:
- monitoring in a processor of the mobile device an activity of a software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
  
  determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
  
  generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
  
  using the generated behavior vector information structure to determine whether the activity is benign.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein using the generated behavior vector information structure to determine whether the activity is benign comprises:
    - applying the behavior vector information structure to a classifier model to generate an analysis result; and
      
      classifying the activity as benign based on the generated analysis result.
  - 3. The method of claim 2, further comprising:
    - updating the classifier model based on the collected behavior information.

4. A mobile computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  monitoring an activity of a software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
  
  determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
  
  generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
  
  using the generated behavior vector information structure to determine whether the activity is benign.
- View Dependent Claims (5, 6)
- - 5. The mobile computing device of claim 4, wherein the processor is configured with processor-executable instructions to perform operations such that using the generated behavior vector information structure to determine whether the activity is benign comprises:
    - applying the behavior vector information structure to a classifier model to generate an analysis result; and
      
      classifying the activity as benign based on the generated analysis result.
  - 6. The mobile computing device of claim 5, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - updating the classifier model based on the collected behavior information.

7. A non-transitory processor readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations comprising:
- monitoring an activity of a software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
  
  determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
  
  generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
  
  using the generated behavior vector information structure to determine whether the activity is benign.
- View Dependent Claims (8, 9)
- - 8. The non-transitory processor readable storage medium of claim 7, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that using the generated behavior vector information structure to determine whether the activity is benign comprises:
    - applying the behavior vector information structure to a classifier model to generate an analysis result; and
      
      classifying the activity as benign based on the generated analysis result.
  - 9. The non-transitory processor readable storage medium of claim 8, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - updating the classifier model based on the collected behavior information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Fawaz, Kassem, Sridhara, Vinay, Gupta, Rajarshi, Christodorescu, Mihai
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US14/064,437
Publication Number

US 20150121524A1
Time in Patent Office

701 Days
Field of Search

726/22, 726/23
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Method and system for performing behavioral analysis operations in a mobile device based on application state

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for performing behavioral analysis operations in a mobile device based on application state

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links