Secure behavior analysis over trusted execution environment

US 9,319,897 B2
Filed: 06/27/2013
Issued: 04/19/2016
Est. Priority Date: 08/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method of observing mobile device behaviors in a mobile device over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns, the method comprising:

observing a mobile device behavior in an observer module in a privileged-normal portion of a secure operating environment of the mobile device;

generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;

sending the concise behavior vector across a secure protection boundary of the secure operating environment of the mobile device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and

determining whether the mobile device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

180 Citations

32 Claims

1. A method of observing mobile device behaviors in a mobile device over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns, the method comprising:
- observing a mobile device behavior in an observer module in a privileged-normal portion of a secure operating environment of the mobile device;
  
  generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
  
  sending the concise behavior vector across a secure protection boundary of the secure operating environment of the mobile device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
  
  determining whether the mobile device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - classifying the mobile device behavior as suspicious in response to determining that the mobile device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      guiding further observations of the mobile device behavior in response to classifying the mobile device behavior as suspicious.
  - 3. The method of claim 1, further comprising:
    - alerting one of a user of the mobile device and a client module of a non-benign behavior in a secure, tamper-proof manner.
  - 4. The method of claim 1, wherein sending the concise behavior vector to the analyzer module in the unprivileged-secure portion of the secure operating environment comprises:
    - storing the concise behavior vector in a secure buffer.
  - 5. The method of claim 1, wherein observing the mobile device behavior in the observer module in the privileged-normal portion of the secure operating environment comprises:
    - collecting behavior information from a module in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 6. The method of claim 1, wherein determining whether the mobile device behavior may be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises:
    - sending the result of applying the concise behavior vector to the classifier model across another protection domain of the secure operating environment by sending the result from the unprivileged-secure portion of the secure operating environment to a client module in an unprivileged-normal portion of the secure operating environment by writing the result in the secure buffer.
  - 7. The method of claim 1, further comprising:
    - classifying the mobile device behavior as suspicious in response to determining that the mobile device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model; and
      
      communicating with the observer module to request deeper observation of the mobile device behavior in response to classifying the mobile device behavior as suspicious.
  - 8. The method of claim 1, further comprising:
    - sending a secure tamper-proof message to a user of the mobile device alerting to the possibility of malicious or performance-degrading behavior in response to classifying the mobile device behavior as non-benign.

9. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
  
  generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
  
  sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
  
  determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      guiding further observations of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 11. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - alerting one of a user of the computing device and a client module a non-benign behavior in a secure, tamper-proof manner.
  - 12. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that sending the concise behavior vector to the analyzer module in the unprivileged-secure portion of the secure operating environment comprises:
    - storing the concise behavior vector in a secure buffer.
  - 13. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that observing the computing device behavior in the observer module in the privileged-normal portion of the secure operating environment comprises:
    - collecting behavior information from a module in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 14. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that determining whether the computing device behavior may be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises:
    - sending the result of applying the concise behavior vector to the classifier model across another protection domain of the secure operating environment of the computing device by sending the result from the unprivileged-secure portion of the secure operating environment to a client module in an unprivileged-normal portion of the secure operating environment by writing the result in the secure buffer.
  - 15. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model; and
      
      communicating with the observer module to request deeper observation of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 16. The computing device of claim 9, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - sending a secure tamper-proof message to a user of the computing device alerting to the possibility of malicious or performance-degrading behavior in response to classifying the computing device behavior as non-benign.

17. A computing device, comprising:
- means for observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
  
  means for generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
  
  means for sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
  
  means for determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computing device of claim 17, further comprising:
    - means for classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      means for guiding further observations of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 19. The computing device of claim 17, further comprising:
    - means for alerting one of a user of the computing device and a client module of a non-benign behavior in a secure, tamper-proof manner.
  - 20. The computing device of claim 17, wherein means for sending the concise behavior vector to the analyzer module in the unprivileged-secure portion of the secure operating environment comprises means for storing the concise behavior vector in a secure buffer.
  - 21. The computing device of claim 17, wherein means for observing the computing device behavior in the observer module in the privileged-normal portion of the secure operating environment comprises means for collecting behavior information from a module in a unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 22. The computing device of claim 17, wherein means for determining whether the computing device behavior may be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises means for sending the result of applying the concise behavior vector to the classifier model across another protection domain of the secure operating environment by sending the result from the unprivileged-secure portion of the secure operating environment to a client module in an unprivileged-normal portion of the secure operating environment by writing the result in the secure buffer.
  - 23. The computing device of claim 17, further comprising:
    - means for classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model; and
      
      means for communicating with the observer module to request deeper observation of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 24. The computing device of claim 17, further comprising:
    - means for sending a secure tamper-proof message to a user of the computing device alerting to the possibility of malicious or performance-degrading behavior in response to classifying the computing device behavior as non-benign.

25. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to perform operations comprising:
- observing a computing device behavior in an observer module in a privileged-normal portion of a secure operating environment of the computing device;
  
  generating a concise behavior vector in the privileged-normal portion of the secure operating environment based on the observations;
  
  sending the concise behavior vector across a secure protection boundary of the secure operating environment of the computing device by sending the concise behavior vector from the privileged-normal portion of the secure operating environment to an analyzer module in an unprivileged-secure portion of the secure operating environment; and
  
  determining whether the computing device behavior may be classified as one of benign and non-benign based on a result of applying the concise behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      guiding further observations of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 27. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - alerting one of a user of the computing device and a client module of a non-benign behavior in a secure, tamper-proof manner.
  - 28. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that sending the concise behavior vector to the analyzer module in the unprivileged-secure portion of the secure operating environment comprises:
    - storing the concise behavior vector in a secure buffer.
  - 29. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that observing the computing device behavior in the observer module in the privileged-normal portion of the secure operating environment comprises:
    - collecting behavior information from a module in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 30. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that determining whether the computing device behavior may be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises:
    - sending the result of applying the concise behavior vector to the classifier model across another protection domain of the secure operating environment by sending the result from the unprivileged-secure portion of the secure operating environment to a client module in an unprivileged-normal portion of the secure operating environment by writing the result in the secure buffer.
  - 31. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - classifying the computing device behavior as suspicious in response to determining that the computing device behavior may not be classified as one of benign and non-benign based on the result of applying the concise behavior vector to the classifier model; and
      
      communicating with the observer module to request deeper observation of the computing device behavior in response to classifying the computing device behavior as suspicious.
  - 32. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - sending a secure tamper-proof message to a user of the computing device alerting to the possibility of malicious or performance-degrading behavior in response classifying the computing device behavior as non-benign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gupta, Rajarshi, Halambi, Ashok, Rimoni, Yoram
Primary Examiner(s)
Nguyen, David Q

Application Number

US13/929,082
Publication Number

US 20140051432A1
Time in Patent Office

1,027 Days
Field of Search

455/425, 726/30
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04W 12/086   using security domains

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

H04W 24/02   Arrangements for optimising...

H04W 24/08   Testing, supervising or mon...

Secure behavior analysis over trusted execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

180 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Secure behavior analysis over trusted execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others