Hardware assisted asset tracking for information leak prevention

US 9,357,411 B2
Filed: 02/07/2014
Issued: 05/31/2016
Est. Priority Date: 02/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing mobile device behaviors, comprising:

monitoring by a processor of a mobile device the mobile device behaviors to collect behavior information;

generating a behavior vector using the collected behavior information;

applying the generated behavior vector to a classifier model to generate an analysis result;

determining whether a resource in the mobile device is susceptible to misuse based on the generated analysis result;

determining in a hardware component of the mobile device whether the resource is a key asset that requires close monitoring in response to determining that the resource is susceptible to misuse based on the generated analysis result;

monitoring in the hardware component the access or use of the resource by a software application to obtain low level behavior information in response to determining that the resource is a key asset that requires close monitoring;

providing the obtained low level behavior information from the hardware component to a behavioral monitoring and analysis system of the mobile device; and

determining in the behavioral monitoring and analysis system whether the software application is suspicious based on the low level behavior information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mobile computing devices may be equipped with hardware components configured to monitor key assets of the mobile device at a low level (e.g., firmware level, hardware level, etc.). The hardware component may also be configured to dynamically determine the key assets that are to be monitored in the mobile device, monitor the access or use of these key assets by monitoring data flows, transactions, or operations in a system data bus of the mobile device, and report suspicious activities to a comprehensive behavioral monitoring and analysis system of the mobile device. The comprehensive behavioral monitoring and analysis system may then use this information to quickly identify and respond to malicious or performance degrading activities of the mobile device.

Citations

20 Claims

1. A method of analyzing mobile device behaviors, comprising:
- monitoring by a processor of a mobile device the mobile device behaviors to collect behavior information;
  
  generating a behavior vector using the collected behavior information;
  
  applying the generated behavior vector to a classifier model to generate an analysis result;
  
  determining whether a resource in the mobile device is susceptible to misuse based on the generated analysis result;
  
  determining in a hardware component of the mobile device whether the resource is a key asset that requires close monitoring in response to determining that the resource is susceptible to misuse based on the generated analysis result;
  
  monitoring in the hardware component the access or use of the resource by a software application to obtain low level behavior information in response to determining that the resource is a key asset that requires close monitoring;
  
  providing the obtained low level behavior information from the hardware component to a behavioral monitoring and analysis system of the mobile device; and
  
  determining in the behavioral monitoring and analysis system whether the software application is suspicious based on the low level behavior information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein providing the obtained low level behavior information from the hardware component to the behavioral monitoring and analysis system comprises:
    - determining in the hardware component whether the access or use of the resource by the software application is suspicious; and
      
      notifying the behavioral monitoring and analysis system of the mobile device that the access or use of the resource by the software application is suspicious.
  - 3. The method of claim 1, wherein monitoring in the hardware component the access or use of the resource by the software application to obtain the low level behavior information comprises monitoring a data bus in a configurable hardware debug component to detect an application programming interface (API) call issued by the software application.
  - 4. The method of claim 1, wherein determining whether the resource is the key asset comprises:
    - receiving in a translation unit of the mobile device information identifying a component in the mobile device as a critical data resource;
      
      determining in the translation unit a section of memory that stores information for the component; and
      
      adding the determined section of memory to a key asset list stored in a memory of the mobile device.
  - 5. The method of claim 1, further comprising:
    - monitoring an instruction queue to identify an instruction sequence associated with the resource;
      
      determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities; and
      
      removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity.
  - 6. The method of claim 1, wherein determining whether the resource is the key asset comprises determining whether the resource is an asset selected from a group comprising:
    - a memory block;
      
      a memory address;
      
      a memory addresses range;
      
      a device address;
      
      a register; and
      
      a hardware block.
  - 7. The method of claim 1, further comprising:
    - identifying in the behavioral monitoring and analysis system a pattern of application programming interface (API) calls as being indicative of malicious activity by the software application in response to determining that the software application is suspicious;
      
      generating a light-weight behavior signature based on the identified pattern of API calls;
      
      using the light-weight behavior signature to perform behavior analysis operations; and
      
      determining whether the software application is malicious or benign based on the behavior analysis operations.
  - 8. The method of claim 2, wherein notifying the behavioral monitoring and analysis system comprises communicating an identifier of the software application and trace data to one of an observer daemon and an analyzer daemon operating in the processor of the mobile device.
  - 9. The method of claim 8, further comprising:
    - identifying the mobile device behaviors that require deeper analysis based on information included in the identifier and trace data.

10. A mobile device, comprising:
- a hardware component;
  
  a processor coupled to the hardware component, wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  monitoring by a processor of a mobile device the mobile device behaviors to collect behavior information;
  
  generating a behavior vector using the collected behavior information;
  
  applying the generated behavior vector to a classifier model to generate an analysis result;
  
  determining whether a resource in the mobile device is susceptible to misuse based on the generated analysis result;
  
  determining via the hardware component whether the resource is a key asset that requires close monitoring in response to determining that the resource is susceptible to misuse based on the generated analysis result;
  
  monitoring via the hardware component the access or use of the resource by a software application to obtain low level behavior information in response to determining that the resource is a key asset that requires close monitoring;
  
  providing the obtained low level behavior information to a behavioral monitoring and analysis system of the mobile device; and
  
  determining via the behavioral monitoring and analysis system whether the software application is suspicious based on the low level behavior information.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that providing the obtained low level behavior information to the behavioral monitoring and analysis system of the mobile device comprises:
    - determining in the hardware component whether the access or use of the resource by the software application is suspicious; and
      
      notifying the behavioral monitoring and analysis system that the access or use of the resource by the software application is suspicious.
  - 12. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the access or use of the resource by the software application to obtain the low level behavior information comprises monitoring a data bus via a configurable hardware debug component to detect an application programming interface (API) call issued by the software application.
  - 13. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that determining whether the resource is the key asset comprises:
    - receiving via a translation unit of the mobile device information identifying a component in the mobile device as a critical data resource;
      
      determining in the translation unit a section of memory that stores information for the component; and
      
      adding the determined section of memory to a key asset list stored in a memory of the mobile device.
  - 14. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - monitoring an instruction queue to identify an instruction sequence associated with the resource;
      
      determining whether an identified instruction sequence is associated with a malicious activity by comparing the identified instruction sequence to known patterns of malicious activities; and
      
      removing the identified instruction sequence from the instruction queue in response to determining that the identified instruction sequence is associated with the malicious activity.
  - 15. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that determining whether the resource is the key asset comprises determining whether the resource is an asset selected from a group comprising:
    - a memory block;
      
      a memory address;
      
      a memory addresses range;
      
      a device address;
      
      a register; and
      
      a hardware block.
  - 16. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - identifying in the behavioral monitoring and analysis system a pattern of application programming interface (API) calls as being indicative of malicious activity by the software application in response to determining that the software application is suspicious;
      
      generating a light-weight behavior signature based on the identified pattern of API calls;
      
      using the light-weight behavior signature to perform behavior analysis operations; and
      
      determining whether the software application is malicious or benign based on the behavior analysis operations.

17. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor in a mobile device to perform operations for analyzing mobile device behaviors, the operations comprising:
- monitoring by a processor of a mobile device the mobile device behaviors to collect behavior information;
  
  generating a behavior vector using the collected behavior information;
  
  applying the generated behavior vector to a classifier model to generate an analysis result;
  
  determining whether a resource in the mobile device is susceptible to misuse based on the generated analysis result;
  
  determining via a hardware component of the mobile device whether the resource is a key asset that requires close monitoring in response to determining that the resource is susceptible to misuse based on the generated analysis result;
  
  monitoring via the hardware component the access or use of the resource by a software application to obtain low level behavior information in response to determining that the resource is a key asset that requires close monitoring;
  
  providing the obtained low level behavior information to a behavioral monitoring and analysis system of the mobile device; and
  
  determining in the behavioral monitoring and analysis system whether the software application is suspicious based on the low level behavior information obtained by the hardware component.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that providing the obtained low level behavior information from the hardware component to the behavioral monitoring and analysis system comprises:
    - determining in the hardware component whether the access or use of the resource by the software application is suspicious; and
      
      notifying the behavioral monitoring and analysis system that the access or use of the resource by the software application is suspicious.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring in the hardware component the access or use of the resource by the software application to obtain low level behavior information comprises monitoring a data bus in a configurable hardware debug component to detect an application programming interface (API) call issued by the software application.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that determining whether the resource is the key asset comprises:
    - receiving in a translation unit of the mobile device information identifying a component in the mobile device as a critical data resource;
      
      determining in the translation unit a section of memory that stores information for the component; and
      
      adding the determined section of memory to a key asset list stored in a memory of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Patne, Satyajit Prabhakar, Gupta, Rajarshi
Primary Examiner(s)
Anya, Charles E

Application Number

US14/174,956
Publication Number

US 20150230108A1
Time in Patent Office

844 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04W 24/08   Testing, supervising or mon...

H04W 4/60   Subscription-based services...

Hardware assisted asset tracking for information leak prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware assisted asset tracking for information leak prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links