Lightweight data-flow tracker for realtime behavioral analysis using control flow
First Claim
1. A method of tracking data flows in a mobile device, comprising:
- identifying a data source component that inputs data into a software application configured for executing on a processing core of the mobile device;
- identifying a data sink component that consumes data output from the software application;
- using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource;
- monitoring application programming interface (API) calls made by the software application when accessing the critical data resource;
- associating the probability value of the critical data resource with one or more of the API calls;
- identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls;
- generating a light-weight behavior signature based on the identified pattern of API calls;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is non-benign based on the behavior analysis operations.
Abstract
Methods and devices for detecting performance-degrading behaviors include identifying a data source component that inputs data into an application executing on a mobile device, and identifying a data sink component that consumes data output from the application. Using a measured runtime control-flow parameter, a likelihood that the data source component is a critical data resource may be determined. Using the probability value, a behavior model that identifies a mobile device feature associated with the critical data resource may be updated and used to determine whether the software application is malicious. Measured runtime control-flow parameters may include a program execution distance between data source and sink components based on heuristics. Determining program execution distances between data sources and sinks may include computing call graph distances by comparing a source call stack length and a sink call stack length, or by counting method invocations or functional calls between data sources and sinks.
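The two program-execution-distance heuristics named in the abstract (call stack length comparison and counting invocations between source and sink), shown as an added example that is not part of the patent. The trace, the API names, the exponential mapping from distance to probability, its scale and the 0.4 threshold are all assumptions; the abstract does not say how a distance becomes a probability value.

```python
import math

# Constructed trace in invocation order: (hypothetical API name, call-stack length).
TRACE = [
    ("contacts.query", 6),    # source
    ("string.append", 7),
    ("net.send", 8),          # sink
    ("location.get", 5),      # source
    ("math.round", 6),
    ("view.invalidate", 9),
    ("canvas.draw", 12),
    ("bitmap.compress", 13),
    ("handler.post", 15),
    ("file.write", 17),       # sink
]
SOURCES = {"contacts.query", "location.get"}
SINKS = {"net.send", "file.write"}


def execution_distances(trace, src_idx, sink_idx):
    """Both heuristics from the abstract for one source/sink pair."""
    stack_delta = abs(trace[sink_idx][1] - trace[src_idx][1])
    calls_between = sink_idx - src_idx - 1
    return stack_delta, calls_between


def critical_probability(stack_delta, calls_between, scale=4.0):
    """Assumed mapping (not from the patent): likelihood decays with distance."""
    return math.exp(-(stack_delta + calls_between) / scale)


def score_flows(trace, threshold=0.4):
    """Pair each source with the next sink; return (source, sink, p, flagged)."""
    flows = []
    for i, (api, _) in enumerate(trace):
        if api not in SOURCES:
            continue
        sink_idx = next((j for j in range(i + 1, len(trace))
                         if trace[j][0] in SINKS), None)
        if sink_idx is None:
            continue  # source never reaches a sink in this trace
        p = critical_probability(*execution_distances(trace, i, sink_idx))
        flows.append((api, trace[sink_idx][0], round(p, 3), p >= threshold))
    return flows


if __name__ == "__main__":
    for flow in score_flows(TRACE):
        print(flow)
```

Because only stack lengths and call counts are recorded, the tracker never inspects the data itself, which is what keeps it lightweight compared with full taint tracking.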
79 Citations
26 Claims
8. A mobile computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- identifying a data source component that inputs data into a software application;
- identifying a data sink component that consumes data output from the software application;
- using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource;
- monitoring application programming interface (API) calls made by the software application when accessing the critical data resource;
- associating the probability value of the critical data resource with one or more of the API calls;
- identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls;
- generating a light-weight behavior signature based on the identified pattern of API calls;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is non-benign based on the behavior analysis operations.
15. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a mobile device to perform operations for tracking data flows in the mobile device, the operations comprising:
- identifying a data source component that inputs data into a software application;
- identifying a data sink component that consumes data output from the software application;
- using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource;
- monitoring application programming interface (API) calls made by the software application when accessing the critical data resource;
- associating the probability value of the critical data resource with one or more of the API calls;
- identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls;
- generating a light-weight behavior signature based on the identified pattern of API calls;
- using the light-weight behavior signature to perform behavior analysis operations; and
- determining whether the software application is non-benign based on the behavior analysis operations.
22. A mobile computing device, comprising:
- means for identifying a data source component that inputs data into a software application configured for executing on a processing core;
- means for identifying a data sink component that consumes data output from the software application;
- means for using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource;
- means for monitoring application programming interface (API) calls made by the software application when accessing the critical data resource;
- means for associating the probability value of the critical data resource with one or more of the API calls;
- means for identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls;
- means for generating a light-weight behavior signature based on the identified pattern of API calls;
- means for using the light-weight behavior signature to perform behavior analysis operations; and
- means for determining whether the software application is non-benign based on the behavior analysis operations.
Specification