Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis

US 9,448,859 B2
Filed: 09/17/2013
Issued: 09/20/2016
Est. Priority Date: 09/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing behaviors within a mobile device, comprising:

identifying hot application programming interfaces (APIs) by identifying in a processor of the mobile device APIs that are used most frequently by software applications executing on the mobile device;

storing information regarding usage of identified hot APIs in a hot API log in a memory of the mobile device; and

performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the behavior analysis operations comprising;

collecting behavior information from the hot API log;

generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and

comparing the behavior vector data structure to contextual information; and

determining whether a mobile device behavior is not benign based on the comparison,wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, andwherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices for detecting suspicious or performance-degrading mobile device behaviors may include performing behavior monitoring and analysis operations to intelligently, dynamically, and/or adaptively determine the mobile device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the behaviors are to be observed. Such behavior monitoring and analysis operations may be performed continuously (or near continuously) in a mobile device without consuming an excessive amount of processing, memory, or energy resources of the mobile device by identifying hot application programming interfaces (APIs) and hot action patterns that are invoked or used most frequently by software applications of the mobile device and storing information regarding these hot APIs and hot action patterns separately and more efficiently.

16 Citations

View as Search Results

28 Claims

1. A method of analyzing behaviors within a mobile device, comprising:
- identifying hot application programming interfaces (APIs) by identifying in a processor of the mobile device APIs that are used most frequently by software applications executing on the mobile device;
  
  storing information regarding usage of identified hot APIs in a hot API log in a memory of the mobile device; and
  
  performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the behavior analysis operations comprising;
  
  collecting behavior information from the hot API log;
  
  generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and
  
  comparing the behavior vector data structure to contextual information; and
  
  determining whether a mobile device behavior is not benign based on the comparison,wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, andwherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - storing information regarding usage of identified hot APIs in the hot API log comprises;
      
      identifying sequences of hot API invocations that are repeated frequently; and
      
      storing the identified sequences of hot API invocations as hot action patterns in a hot action pattern log; and
      
      performing the behavior analysis operations based on the information stored in the hot API log further comprises;
      
      comparing hot action patterns stored in the hot action pattern log to known statistics of API usage; and
      
      classifying the mobile device behavior as benign based on a result of comparing hot action patterns to known statistics of API usage.
  - 3. The method of claim 1, wherein identifying in APIs that are used most frequently by software applications executing on the mobile device comprises monitoring one or more of library API calls, system API calls, and driver API calls by reading information from an API log file.
  - 4. The method of claim 1, wherein storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will change across different invocations of that API.
  - 5. The method of claim 1, wherein storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will be used when performing the behavior analysis operations.
  - 6. The method of claim 1, wherein storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will change across different invocations of that API.
  - 7. The method of claim 1, wherein storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will be used when performing the behavior analysis operations.

8. A mobile device, comprising:
- means for identifying hot application programming interfaces (APIs) by identifying APIs that are used most frequently by software applications executing on the mobile device;
  
  means for storing information regarding usage of identified hot APIs in a hot API log in a memory of the mobile device; and
  
  means for performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the means for performing behavior analysis operations comprising;
  
  means for collecting behavior information from the hot API log;
  
  means for generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and
  
  means for comparing the behavior vector data structure to contextual information; and
  
  means for determining whether a mobile device behavior is not benign based on the comparison,wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, andwherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The mobile device of claim 8,wherein means for storing information regarding usage of identified hot APIs in the hot API log comprises:
    - means for identifying sequences of hot API invocations that are repeated frequently; and
      
      means for storing the identified sequences of hot API invocations as hot action patterns in a hot action pattern log, andwherein means for performing behavior analysis operations based on the information stored in the hot API log further comprises;
      
      means for comparing hot action patterns stored in the hot action pattern log to known statistics of API usage; and
      
      means for classifying the mobile device behavior as benign based on a result of comparing hot action patterns to known statistics of API usage.
  - 10. The mobile device of claim 8, wherein means for identifying APIs that are used most frequently by software applications executing on the mobile device comprises means for monitoring one or more of library API calls, system API calls, and driver API calls by reading information from an API log file.
  - 11. The mobile device of claim 8, wherein means for storing information regarding usage of identified hot APIs in the hot API log comprises:
    - means for classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will change across different invocations of that API.
  - 12. The mobile device of claim 8, wherein means for storing information regarding usage of identified hot APIs in the hot API log comprises:
    - means for classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will be used by the means for performing behavior analysis operations.
  - 13. The mobile device of claim 8, wherein means for storing information regarding usage of identified hot APIs in the hot API log comprises:
    - means for classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will change across different invocations of that API.
  - 14. The mobile device of claim 8, wherein means for storing information regarding usage of identified hot APIs in the hot API log comprises:
    - means for classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will be used by the means for performing behavior analysis operations.

15. A mobile device, comprising:
- a memory; and
  
  a processor coupled to the memory, wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  identifying hot application programming interfaces (APIs) by identifying APIs that are used most frequently by software applications executing on the mobile device;
  
  storing information regarding usage of identified hot APIs in a hot API log in the memory; and
  
  performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the behavior analysis operations comprising;
  
  collecting behavior information from the hot API log;
  
  generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and
  
  comparing the behavior vector data structure to contextual information; and
  
  determining whether a mobile device behavior is not benign based on the comparison,wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, andwherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The mobile device of claim 15, wherein:
    - the processor is configured with processor-executable instructions to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises;
      
      identifying sequences of hot API invocations that are repeated frequently; and
      
      storing the identified sequences of hot API invocations as hot action patterns in a hot action pattern log, andthe processor is further configured with processor-executable instructions to perform operations such that performing the behavior analysis operations based on the information stored in the hot API log further comprises;
      
      comparing hot action patterns stored in the hot action pattern log to known statistics of API usage; and
      
      classifying the mobile device behavior as benign based on a result of comparing hot action patterns to known statistics of API usage.
  - 17. The mobile device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that identifying APIs that are used most frequently by software applications executing on the mobile device comprises monitoring one or more of library API calls, system API calls, and driver API calls by reading information from an API log file.
  - 18. The mobile device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will change across different invocations of that API.
  - 19. The mobile device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will be used when performing the behavior analysis operations.
  - 20. The mobile device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will change across different invocations of that API.
  - 21. The mobile device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will be used when performing the behavior analysis operations.

22. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor in a mobile device to perform operations comprising:
- identifying hot application programming interfaces (APIs) by identifying APIs that are used most frequently by software applications executing on the mobile device;
  
  storing information regarding usage of identified hot APIs in a hot API log in a memory of the mobile device; and
  
  performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the behavior analysis operations comprising;
  
  collecting behavior information from the hot API log;
  
  generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and
  
  comparing the behavior vector data structure to contextual information; and
  
  determining whether a mobile device behavior is not benign based on the comparison,wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, andwherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - storing information regarding usage of identified hot APIs in the hot API log comprises;
      
      identifying sequences of hot API invocations that are repeated frequently; and
      
      storing the identified sequences of hot API invocations as hot action patterns in a hot action pattern log; and
      
      performing the behavior analysis operations based on the information stored in the hot API log further comprises;
      
      comparing hot action patterns stored in the hot action pattern log to known statistics of API usage; and
      
      classifying the mobile device behavior as benign based on a result of comparing hot action patterns to known statistics of API usage.
  - 24. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that identifying APIs that are used most frequently by software applications executing on the mobile device comprises monitoring one or more of library API calls, system API calls, and driver API calls by reading information from an API log file.
  - 25. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will change across different invocations of that API.
  - 26. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a generic field in response to determining that there is a low probability that a value of the API information field will be used when performing the behavior analysis operations.
  - 27. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will change across different invocations of that API.
  - 28. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that storing information regarding usage of identified hot APIs in the hot API log comprises:
    - classifying an API information field as a specific field in response to determining that there is a high probability that a value of the API information field will be used when performing the behavior analysis operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gathala, Sudha Anil Kumar, Sridhara, Vinay, Gupta, Rajarshi
Primary Examiner(s)
Le, David

Application Number

US14/028,914
Publication Number

US 20150082441A1
Time in Patent Office

1,099 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

G06F 9/541   via adapters, e.g. between ...

H04L 63/1441   Countermeasures against mal...

H04W 12/125   Protection against power ex...

Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others