Method and system for performing behavioral analysis operations in a mobile device based on application state
Abstract
Methods, systems and devices that use operating system execution states while monitoring applications executing on a mobile device to perform comprehensive behavioral monitoring and analysis include configuring a mobile device to monitor an activity of a software application, generate a shadow feature value that identifies an operating system execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device may also be configured to intelligently determine whether the operating system execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the operating system execution states of the software applications for which such determinations are relevant.
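The flow described in the abstract, as an added example that is not taken from the patent or any implementation of it: a behavior vector of activity counts gains a shadow feature only when execution state is relevant, and the same activity is then judged differently by state. The state names, feature layout, relevance table and the rule standing in for a classifier are all assumptions made for illustration.

```python
from enum import IntEnum

class ExecState(IntEnum):
    """OS execution states (assumed set); 0 means the state was not recorded."""
    NOT_RECORDED = 0
    FOREGROUND = 1
    BACKGROUND = 2

# Assumed feature layout: one event count per activity, then the shadow feature.
ACTIVITIES = ("camera_use", "sms_send", "cpu_burst")
# Assumed relevance table: activities whose meaning depends on execution state.
STATE_RELEVANT = {"camera_use", "sms_send"}

def state_is_relevant(observed):
    """Is execution state worth recording for any activity actually observed?"""
    return any(n > 0 and a in STATE_RELEVANT for a, n in observed.items())

def build_behavior_vector(observed, read_state):
    """Return [count per activity..., shadow feature value].

    read_state is a callable so the execution state is only queried
    when it is relevant to the observed activity.
    """
    counts = [observed.get(a, 0) for a in ACTIVITIES]
    shadow = read_state() if state_is_relevant(observed) else ExecState.NOT_RECORDED
    return counts + [int(shadow)]

def is_benign(vector):
    """Toy stand-in for a classifier model: state-sensitive activity that
    happens while the app is in the background is not treated as benign."""
    *counts, shadow = vector
    sensitive = sum(n for a, n in zip(ACTIVITIES, counts) if a in STATE_RELEVANT)
    return not (sensitive > 0 and shadow == ExecState.BACKGROUND)

if __name__ == "__main__":
    # Constructed observations: same camera activity, different execution state.
    samples = [
        ({"camera_use": 3}, ExecState.FOREGROUND),
        ({"camera_use": 3}, ExecState.BACKGROUND),
        ({"cpu_burst": 9}, ExecState.BACKGROUND),
    ]
    for observed, state in samples:
        vec = build_behavior_vector(observed, lambda s=state: s)
        print(observed, vec, "benign" if is_benign(vec) else "not benign")
```
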
9 Claims
1. A method of observing mobile device behaviors in a mobile device to recognize mobile device behaviors that are benign, the method comprising:
- monitoring in a processor of the mobile device an activity of a software application or process to collect behavior information;
- using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
- determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
- generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
- using the generated behavior vector information structure to determine whether the activity is benign.
Dependent claims: 2, 3

4. A mobile computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- monitoring an activity of a software application or process to collect behavior information;
- using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
- determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
- generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
- using the generated behavior vector information structure to determine whether the activity is benign.
Dependent claims: 5, 6

7. A non-transitory processor readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations comprising:
- monitoring an activity of a software application or process to collect behavior information;
- using the collected behavior information to generate a behavior vector information structure that characterizes the monitored activity via a plurality of numbers;
- determining whether an operating system execution state of the software application or process is relevant to determining whether the monitored activity is benign;
- generating a shadow feature value that identifies the operating system execution state of the software application or process during which the activity was monitored and including the generated shadow feature value in the generated behavior vector information structure in response to determining that the operating system execution state is relevant to determining whether the monitored activity is benign; and
- using the generated behavior vector information structure to determine whether the activity is benign.
Dependent claims: 8, 9

Specification