Secure behavior analysis over trusted execution environment
First Claim
1. A method of observing mobile device behaviors in a mobile device over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns, the method comprising:
- observing a mobile device behavior in an observer module in a privileged-normal portion of a secure operating environment of the mobile device;
- generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
- sending the concise behavior vector across a secure protection boundary of the secure operating environment of the mobile device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
- determining whether the mobile device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Abstract
Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading, the user and/or a client module may be alerted in a secure, tamper-proof manner.
180 Citations
32 Claims
1. Independent claim 1 is set out in full under "First Claim" above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
- generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
- sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
- determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A computing device, comprising:
- means for observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
- means for generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
- means for sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
- means for determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
25. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to perform operations comprising:
- observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
- generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
- sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
- determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 26, 27, 28, 29, 30, 31, 32.
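The following Python model is an added illustration of the loop that the abstract describes and the independent claims restate; it is not the patent's own implementation and not code from any vendor's product. A normal-world observer builds a concise behavior vector of fixed schema, the vector is checked as it crosses the protection boundary, a secure-world analyzer scores it with a classifier model, a "suspicious" result switches the observer to deeper observation, and a "non-benign" result produces an alert that the secure side authenticates with a key the normal world never holds. The app names, event values, feature scales, classifier weights, thresholds and the HMAC-based alert are all constructed assumptions; the patent text does not specify a classifier or an alert mechanism.

```python
"""Added example: a small model of the observer / analyzer split described in
the abstract and independent claims. All data, scales, weights, thresholds and
the HMAC alert are constructed; none of it is the patent's own implementation."""
import hashlib
import hmac
import math
from dataclasses import dataclass

# Fixed schema of the concise behavior vector that crosses the boundary. "Coarse"
# features come from cheap counters; the rest need instrumentation the observer
# enables only when the analyzer asks it to look deeper.
FEATURES = ("syscalls_per_s", "net_kb_out", "contacts_reads", "sms_sends")
COARSE = {"syscalls_per_s", "net_kb_out"}
SCALES = (2000.0, 2000.0, 200.0, 20.0)        # constructed normalisation
WEIGHTS = (0.2, 0.5, 0.4, 0.6)                 # constructed linear classifier
SUSPICIOUS_AT, NON_BENIGN_AT = 0.25, 0.55      # constructed score thresholds

# Constructed observations for three hypothetical apps.
SAMPLE_EVENTS = {
    "com.example.calculator": {"syscalls_per_s": 120.0, "net_kb_out": 15.0,
                               "contacts_reads": 0.0, "sms_sends": 0.0},
    "com.example.video": {"syscalls_per_s": 400.0, "net_kb_out": 1200.0,
                          "contacts_reads": 0.0, "sms_sends": 0.0},
    "com.example.exfil": {"syscalls_per_s": 400.0, "net_kb_out": 900.0,
                          "contacts_reads": 150.0, "sms_sends": 8.0},
}

@dataclass(frozen=True)
class BehaviorVector:
    app: str
    depth: str      # "coarse" or "deep"
    values: tuple   # one float per entry of FEATURES

class NormalWorldObserver:
    """Privileged-normal portion: collects events and emits concise vectors."""
    def __init__(self, events):
        self.events = events
        self.depth = "coarse"

    def observe(self, app):
        raw = self.events[app]
        values = tuple(float(raw[n]) if (self.depth == "deep" or n in COARSE)
                       else 0.0 for n in FEATURES)
        return BehaviorVector(app, self.depth, values)

def cross_boundary(msg):
    """The protection boundary: the secure side trusts nothing from the normal
    world, so only well-formed vectors of the fixed schema are admitted."""
    if not isinstance(msg, BehaviorVector) or msg.depth not in ("coarse", "deep"):
        raise ValueError("rejected at boundary: bad message type or depth")
    if len(msg.values) != len(FEATURES):
        raise ValueError("rejected at boundary: wrong vector length")
    if any(not isinstance(v, float) or not math.isfinite(v) or v < 0
           for v in msg.values):
        raise ValueError("rejected at boundary: bad feature value")
    return msg

class SecureWorldAnalyzer:
    """Unprivileged-secure portion: holds the classifier model and alert key."""
    def __init__(self, alert_key):
        self.alert_key = alert_key   # never leaves the secure side

    def classify(self, vec):
        s = sum(w * min(v / sc, 1.0) for w, v, sc in zip(WEIGHTS, vec.values, SCALES))
        if s >= NON_BENIGN_AT:
            return "non-benign"
        # A mid-range score on a coarse vector means "look deeper", not "benign".
        if vec.depth == "coarse" and s >= SUSPICIOUS_AT:
            return "suspicious"
        return "benign"

    def alert(self, vec, label):
        body = f"{vec.app}|{label}|{vec.depth}|{','.join(map(str, vec.values))}"
        tag = hmac.new(self.alert_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

def verify_alert(alert, key):
    """A client holding the key detects a forged or tampered alert."""
    expected = hmac.new(key, alert["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, alert["tag"])

def analyze_app(app, observer, analyzer):
    """Observe -> send -> classify; deepen observation on 'suspicious' and
    return a tamper-evident alert on 'non-benign'."""
    observer.depth = "coarse"
    while True:
        vec = cross_boundary(observer.observe(app))
        label = analyzer.classify(vec)
        if label == "suspicious":
            observer.depth = "deep"   # feedback to the normal-world observer
            continue
        alert = analyzer.alert(vec, label) if label == "non-benign" else None
        return label, vec.depth, alert

if __name__ == "__main__":
    key = b"constructed-secure-world-key"
    analyzer, observer = SecureWorldAnalyzer(key), NormalWorldObserver(SAMPLE_EVENTS)
    for app in SAMPLE_EVENTS:
        print(app, analyze_app(app, observer, analyzer)[:2])
```

Two design points carry the security weight. The boundary function treats the normal world as the untrusted side, so the secure side admits only a fixed-length vector of finite, non-negative floats and rejects anything else before the classifier sees it; in a real TEE the same narrow schema is what keeps the secure-world attack surface small. The alert is keyed with a secret that lives only in the analyzer object, so a normal-world component that could tamper with or forge the alert body cannot produce a valid tag; the video app shows the feedback path, where a high network figure is "suspicious" at coarse depth and resolves to benign once the deeper features are observed.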
Specification