Adaptive observation of behavioral features on a mobile device

US 9,495,537 B2
Filed: 06/21/2013
Issued: 11/15/2016
Est. Priority Date: 08/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method for observing computing device behaviors over a period of time via a processor of a computing device to recognize the computing device behaviors that are inconsistent with normal operation patterns of the computing device, the method comprising:

dynamically selecting, via the processor, one or more computing device behaviors for observation;

adaptively observing, via the processor, the dynamically selected computing device behaviors to collect behavior information;

generating a vector data structure that succinctly describes the collected behavior information via a plurality of numbers; and

using, by the processor, the vector data structure to identify a suspicious device behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.

187 Citations

96 Claims

1. A method for observing computing device behaviors over a period of time via a processor of a computing device to recognize the computing device behaviors that are inconsistent with normal operation patterns of the computing device, the method comprising:
- dynamically selecting, via the processor, one or more computing device behaviors for observation;
  
  adaptively observing, via the processor, the dynamically selected computing device behaviors to collect behavior information;
  
  generating a vector data structure that succinctly describes the collected behavior information via a plurality of numbers; and
  
  using, by the processor, the vector data structure to identify a suspicious device behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - file-system operations, file system activity, searches for filenames, file operations, and changes in file permissions.
  - 3. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - device state changes; and
      
      sensor state changes.
  - 4. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - a number of forks;
      
      a number of memory access operations; and
      
      a number of files open.
  - 5. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a display on/off state;
      
      a locked/unlocked state;
      
      a battery charge state;
      
      a camera state; and
      
      a microphone state.
  - 6. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - inter-process communications related to crucial services;
      
      a degree of inter-process communications; and
      
      inter-process communications related to pop-up windows.
  - 7. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises collecting one or more of:
    - statistic information from a driver for cameras;
      
      statistic information from a driver for sensors;
      
      statistic information from a driver for electronic displays;
      
      statistic information from a driver for data controllers;
      
      statistic information from a driver for memory controllers;
      
      statistic information from a driver for system controllers;
      
      statistic information from a driver for access ports;
      
      statistic information from a driver for peripheral devices; and
      
      statistic information from a driver for external memory chips.
  - 8. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a status of a hardware component for cameras;
      
      a status of a hardware component for sensors;
      
      a status of a hardware component for electronic displays;
      
      a status of a hardware component for data controllers;
      
      a status of a hardware component for memory controllers;
      
      a status of a hardware component for system controllers;
      
      a status of a hardware component for access ports;
      
      a status of a hardware component for timers;
      
      a status of a hardware component for peripheral devices;
      
      a status of a hardware component for external memory chips;
      
      a status of a hardware component for voltage regulators;
      
      a status of a hardware component for oscillators;
      
      a status of a hardware component for phase-locked loops; and
      
      a status of a hardware component for peripheral bridges.
  - 9. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a hardware counter that denotes a state of the computing devices; and
      
      a special-purpose register of the processor that stores a count of hardware-related events.
  - 10. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting one or more of location information, camera information, accelerometer information, browser information, phonebook or contact information, recorded audio information and calendar information; and
      
      monitoring one or more of content of browser-based communications, content of voice-based communications, short range radio communications, content of text-based communications, content of recorded audio files, notifications communicated to and from a software application, user verifications, and a user password.
  - 11. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting information that indicates whether a first software application operating on the computing device requested to download and install a second software application on the computing device.
  - 12. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - changes to compass settings;
      
      changes to device settings;
      
      changes to battery life settings;
      
      changes to gyroscope settings;
      
      changes to pressure sensor settings; and
      
      changes to screen settings.
  - 13. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - facial recognition software;
      
      social streams;
      
      notes entered by a useruse of an electronic payment service;
      
      events relating to synchronization;
      
      voice searches;
      
      voice control;
      
      language translators;
      
      offloading of data for computations;
      
      video streaming;
      
      camera usage without user activity; and
      
      microphone usage without user activity.
  - 14. The method of claim 1, wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises one of:
    - monitoring magnet sensors;
      
      detecting near-field communications;
      
      collecting information from a credit card scanner, barcode scanner, or mobile tag reader;
      
      detecting that a keyboard or auxiliary device has been coupled to the computing device;
      
      determining whether a light emitting diode, flash, flashlight, or light source has been modified or disabled;
      
      determining whether a speaker or microphone has been turned on or powered;
      
      detecting a charging or power event;
      
      detecting that the computing device is being used as a game controller;
      
      collecting information from medical sensors or from scanning a user'"'"'s body;
      
      collecting information from an external sensor plugged into an audio jack;
      
      collecting information from a tactile or haptic sensor; and
      
      collecting information pertaining to a thermal state of the computing device.
  - 15. The method of claim 1, further comprising:
    - filtering the collected behavior information via an adaptive filter;
      
      receiving behavior inputs from one or more of a high-level application, a system kernel and a driver application programming interface (API) after filtering by the adaptive filter;
      
      receiving context information regarding operations of the computing device; and
      
      performing spatial correlations of the received behavior inputs and the received context information.
  - 16. The method of claim 15, wherein generating the vector data structure comprises generating a vector that includes information pertaining to one or more of:
    - library API calls;
      
      system calls;
      
      file-system operations;
      
      sensor device state changes;
      
      file system activity;
      
      telephone activity;
      
      memory access operations;
      
      a state of the computing device;
      
      a power on/off state of an electronic display of the computing device;
      
      a locked/unlocked state the computing device;
      
      an amount of battery power remaining;
      
      inter-process communications (IPC);
      
      driver statistics; and
      
      hardware counters.
  - 17. The method of claim 15, wherein generating the vector data structure comprises:
    - generating the vector data structure to include a series of numbers, each of which signifies a feature of the computing device.
  - 18. The method of claim 17, wherein at least one of the series of numbers identifies one or more of:
    - whether a camera of the computing device is in use; and
      
      how many internet messages have been sent from the computing device.
  - 19. The method of claim 15, wherein generating the vector data structure comprises generating a vector that includes at least one of:
    - call information;
      
      text messaging information;
      
      media messaging information;
      
      user account information;
      
      location information;
      
      camera information;
      
      accelerometer information; and
      
      browser information.
  - 20. The method of claim 15, wherein generating the vector data structure comprises generating a vector that includes information collected at a radio level of the computing device.
  - 21. The method of claim 15, wherein generating the vector data structure comprises generating a vector that includes information collected at a sensor level of the computing device.
  - 22. The method of claim 15, further comprising:
    - performing temporal correlations of the received behavior inputs and the received context information, wherein generating the vector data structure comprises generating a behavior vector based on a result of the spatial and temporal correlations.

23. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- dynamically selecting one or more computing device behaviors for observation;
  
  adaptively observing the dynamically selected computing device behaviors to collect behavior information;
  
  generating a vector data structure that succinctly describes the collected behavior information via a plurality of numbers; and
  
  using the vector data structure to identify a suspicious device behavior.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 24. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - file-system operations, file system activity, searches for filenames, file operations, and changes in file permissions.
  - 25. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - device state changes and sensor devices state changes.
  - 26. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - a number of forks;
      
      a number of memory access operations; and
      
      a number of files open.
  - 27. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a display on/off state;
      
      a locked/unlocked state;
      
      a battery charge state;
      
      a camera state; and
      
      a microphone state.
  - 28. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - inter-process communications related to crucial services;
      
      a degree of inter-process communications; and
      
      inter-process communications related to pop-up windows.
  - 29. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises collecting one or more of:
    - statistic information from a driver for cameras;
      
      statistic information from a driver for sensors;
      
      statistic information from a driver for electronic displays;
      
      statistic information from a driver for data controllers;
      
      statistic information from a driver for memory controllers;
      
      statistic information from a driver for system controllers;
      
      statistic information from a driver for access ports;
      
      statistic information from a driver for peripheral devices; and
      
      statistic information from a driver for external memory chips.
  - 30. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a status of a hardware component for cameras;
      
      a status of a hardware component for sensors;
      
      a status of a hardware component for electronic displays;
      
      a status of a hardware component for data controllers;
      
      a status of a hardware component for memory controllers;
      
      a status of a hardware component for system controllers;
      
      a status of a hardware component for access ports;
      
      a status of a hardware component for timers;
      
      a status of a hardware component for peripheral devices;
      
      a status of a hardware component for external memory chips;
      
      a status of a hardware component for voltage regulators;
      
      a status of a hardware component for oscillators;
      
      a status of a hardware component for phase-locked loops; and
      
      a status of a hardware component for peripheral bridges.
  - 31. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a hardware counter that denotes a state of the computing devices; and
      
      a special-purpose register of the processor that stores a count of hardware-related or events.
  - 32. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting one or more of location information, camera information, accelerometer information, browser information, phonebook or contact information, recorded audio information and calendar information; and
      
      monitoring one or more of content of browser-based communications, content of voice-based communications, short range radio communications, content of text-based communications, content of recorded audio files, notifications communicated to and from a software application, user verifications, and a user password.
  - 33. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting information that indicates whether a first software application operating on the computing device requested to download and install a second software application.
  - 34. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - changes to compass settings;
      
      changes to device settings;
      
      changes to battery life settings;
      
      changes to gyroscope settings;
      
      changes to pressure sensor settings; and
      
      changes to screen activity settings.
  - 35. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations wherein adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - facial recognition software;
      
      social streams;
      
      notes entered by a useruse of an electronic payment services;
      
      events relating to synchronization;
      
      voice searches;
      
      voice control;
      
      language translators;
      
      offloading of data for computations;
      
      video streaming;
      
      camera usage without user activity; and
      
      microphone usage without user activity.
  - 36. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises one of:
    - monitoring magnet sensors;
      
      detecting near-field communications;
      
      collecting information from a credit card scanner, barcode scanner, or mobile tag reader;
      
      detecting that a keyboard or auxiliary device has been coupled to the computing device;
      
      determining whether a light emitting diode, flash, flashlight, or light source has been modified or disabled;
      
      determining whether a speaker or microphone has been turned on or powered;
      
      detecting a charging or power event;
      
      detecting that the computing device is being used as a game controller;
      
      collecting information from medical purpose/healthcare sensors or from scanning the user'"'"'s body;
      
      collecting information from an external sensor plugged into one of a USB port and an audio jack;
      
      collecting information from a tactile or haptic sensor; and
      
      collecting information pertaining to a thermal state of the computing device.
  - 37. The computing device of claim 23, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - filtering the collected behavior information via an adaptive filter;
      
      receiving behavior inputs from one or more of a high-level application, a system kernel and a driver application programming interface (API) after filtering by the adaptive filter;
      
      receiving context information regarding operations of the computing device; and
      
      performing spatial correlations of the received behavior inputs and the received context information.
  - 38. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that generating the vector data structure comprises generating a vector that includes information pertaining to one or more of:
    - library API calls;
      
      system calls;
      
      file-system operations;
      
      sensor device state changes;
      
      file system activity;
      
      telephone activity;
      
      memory access operations;
      
      a state of the computing device;
      
      a power on/off state of an electronic display of the computing device;
      
      a locked/unlocked state the computing device;
      
      an amount of battery power remaining;
      
      inter-process communications (IPC);
      
      driver statistics; and
      
      hardware counters.
  - 39. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that generating the vector data structure comprises:
    - generating the vector data structure to include a series of numbers, each of which signifies a feature of the computing device.
  - 40. The computing device of claim 39, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that at least one of the series of numbers identifies one or more of:
    - whether a camera of the computing device is in use ; and
      
      how many internet messages have been sent from the computing device.
  - 41. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that generating the vector data structure comprises generating a vector that includes at least one of:
    - call information;
      
      text messaging information;
      
      media messaging information;
      
      user account information;
      
      location information;
      
      camera information;
      
      accelerometer information; and
      
      browser information.
  - 42. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that generating the vector data structure comprises generating a vector that includes information collected at a radio level of the computing device.
  - 43. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations such that generating the vector data structure comprises generating a vector that includes information collected at a sensor level of the computing device.
  - 44. The computing device of claim 37, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - performing temporal correlations of the received behavior inputs and the received context information, wherein generating the vector data structure comprises generating a behavior vector based on a result of the spatial and temporal correlations.

45. A computing device, comprising:
- means for dynamically selecting one or more computing device behaviors for observation;
  
  means for adaptively observing the dynamically selected computing device behaviors to collect behavior information;
  
  means for generating a vector data structure that succinctly describes the collected behavior information via a plurality of numbers; and
  
  means for using the vector data structure to identify a suspicious device behavior.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 46. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring:
    - file-system operations, file system activity, searches for filenames, file operations, and changes in file permissions.
  - 47. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring:
    - device state changes; and
      
      sensor state changes.
  - 48. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring:
    - a number of forks;
      
      a number of memory access operations; and
      
      a number of files open.
  - 49. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring one or more of:
    - a display on/off state;
      
      a locked/unlocked state;
      
      a battery charge state;
      
      a camera state; and
      
      a microphone state.
  - 50. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring one or more of:
    - inter-process communications related to crucial services;
      
      a degree of inter-process communications; and
      
      inter-process communications related to pop-up windows.
  - 51. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for collecting one or more of:
    - statistic information from a driver for cameras;
      
      statistic information from a driver for sensors;
      
      statistic information from a driver for electronic displays;
      
      statistic information from a driver for data controllers;
      
      statistic information from a driver for memory controllers;
      
      statistic information from a driver for system controllers;
      
      statistic information from a driver for access ports;
      
      statistic information from a driver for peripheral devices; and
      
      statistic information from a driver for external memory chips.
  - 52. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring:
    - cameras, sensors, electronic displays, data controllers, memory controllers, system controllers, access ports, timers, peripheral devices, external memory chips, voltage regulators, oscillators, phase-locked loops, peripheral bridges, and other similar components used to support the processors and clients running on the computing device.
  - 53. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring one or more of:
    - a status of a hardware component for cameras;
      
      a status of a hardware component for sensors;
      
      a status of a hardware component for electronic displays;
      
      a status of a hardware component for data controllers;
      
      a status of a hardware component for memory controllers;
      
      a status of a hardware component for system controllers;
      
      a status of a hardware component for access ports;
      
      a status of a hardware component for timers;
      
      a status of a hardware component for peripheral devices;
      
      a status of a hardware component for external memory chips;
      
      a status of a hardware component for voltage regulators;
      
      a status of a hardware component for oscillators;
      
      a status of a hardware component for phase-locked loops; and
      
      a status of a hardware component for peripheral bridges.
  - 54. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - means for collecting one or more of location information, camera information, accelerometer information, browser information, phonebook or contact information, recorded audio information and calendar information; and
      
      means for monitoring one or more of content of browser-based communications, content of voice-based communications, short range radio communications, content of text-based communications, content of recorded audio files, notifications communicated to and from a software application, user verifications, and a user password.
  - 55. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for collecting information that indicates whether a first software application operating on the computing device requested to download and install a second software application.
  - 56. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring one or more of:
    - changes to compass settings;
      
      changes to device settings;
      
      changes to battery life settings;
      
      changes to gyroscope settings;
      
      changes to pressure sensor settings; and
      
      changes to screen settings.
  - 57. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises means for monitoring one or more offacial recognition software;
    - social streams;
      
      notes entered by a useruse of an electronic payment services;
      
      events relating to synchronization;
      
      voice searches;
      
      voice control;
      
      language translators;
      
      offloading of data for computations;
      
      video streaming;
      
      camera usage without user activity; and
      
      microphone usage without user activity.
  - 58. The computing device of claim 45, wherein means for adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises one or more of:
    - means for monitoring magnet sensors;
      
      means for detecting near-field communications;
      
      means for collecting information from a credit card scanner, barcode scanner, or mobile tag readers;
      
      means for detecting that a keyboard or auxiliary device has been coupled to the computing devices;
      
      means for determining whether a light emitting diode, flash, flashlight, or light source has been modified or disabled;
      
      means for determining whether a speaker or microphone has been turned on or powered;
      
      means for detecting a charging or power event;
      
      means for detecting that the computing device is being used as a game controller;
      
      means for collecting information from medical purpose/healthcare sensors or from scanning the user'"'"'s body;
      
      means for collecting information from an external sensor plugged into one of a USB port and an audio jacks;
      
      means for collecting information from a tactile or haptic sensor; and
      
      means for collecting information pertaining to a thermal state of the computing device.
  - 59. The computing device of claim 45, further comprising:
    - means for filtering the collected behavior information via an adaptive filter;
      
      means for receiving behavior inputs from one or more of a high-level application, a system kernel and a driver application programming interface (API) after filtering by the adaptive filter;
      
      means for receiving context information regarding operations of the computing device; and
      
      means for performing spatial correlations of the received behavior inputs and the received context information.
  - 60. The computing device of claim 59, wherein means for generating the vector data structure comprises means for generating a vector that includes information pertaining to one or more of:
    - library API calls;
      
      system calls;
      
      file-system operations;
      
      sensor device state changes;
      
      file system activity;
      
      telephone activity;
      
      memory access operations;
      
      a state of the computing device;
      
      a power on/off state of an electronic display of the computing device;
      
      a locked/unlocked state the computing device;
      
      an amount of battery power remaining;
      
      inter-process communications (IPC);
      
      driver statistics; and
      
      hardware counters.
  - 61. The computing device of claim 59, wherein means for generating the vector data structure comprises:
    - means for generating the vector data structure to include a series of numbers, each of which signifies a feature of the computing device.
  - 62. The computing device of claim 61, wherein at least one of the series of numbers identifies one or more of:
    - whether a camera of the computing device is in use; and
      
      how many internet messages have been sent from the computing device.
  - 63. The computing device of claim 59, wherein means for generating the vector data structure comprises means for generating a vector that includes at least one of:
    - call information;
      
      text messaging information;
      
      media messaging information;
      
      user account information;
      
      location information;
      
      camera information;
      
      accelerometer information; and
      
      browser information.
  - 64. The computing device of claim 59, wherein means for generating the vector data structure comprises means for generating a vector that includes information collected at a radio level of the computing device.
  - 65. The computing device of claim 59, wherein means for generating the vector data structure comprises means for generating a vector that includes information collected at a sensor level of the computing device.
  - 66. The computing device of claim 59, wherein further comprising:
    - means for performing temporal correlations of the received behavior inputs and the received context information, wherein means for generating the vector data structure comprises means for generating a behavior vector based on a result of the spatial and temporal correlations.

67. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor to perform operations comprising:
- dynamically selecting one or more computing device behaviors for observation;
  
  adaptively observing the dynamically selected computing device behaviors to collect behavior information;
  
  generating a vector data structure that succinctly describes the collected behavior information via a plurality of numbers; and
  
  using the vector data structure to identify a suspicious device behavior.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88)
- - 68. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - file-system operations, file system activity, searches for filenames, file operations, and changes in file permissions.
  - 69. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - device state changes; and
      
      sensor state changes.
  - 70. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring:
    - a number of forks;
      
      a number of memory access operations; and
      
      a number of files open.
  - 71. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a display on/off state;
      
      a locked/unlocked state;
      
      a battery charge state;
      
      a camera state; and
      
      a microphone state.
  - 72. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - inter-process communications related to crucial services;
      
      a degree of inter-process communications; and
      
      inter-process communications related to pop-up windows.
  - 73. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises collecting one or more of:
    - statistic information from a driver for cameras;
      
      statistic information from a driver for sensors;
      
      statistic information from a driver for electronic displays;
      
      statistic information from a driver for data controllers;
      
      statistic information from a driver for memory controllers;
      
      statistic information from a driver for system controllers;
      
      statistic information from a driver for access ports;
      
      statistic information from a driver for peripheral devices; and
      
      statistic information from a driver for external memory chips.
  - 74. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a status of a hardware component for cameras;
      
      a status of a hardware component for sensors;
      
      a status of a hardware component for electronic displays;
      
      a status of a hardware component for data controllers;
      
      a status of a hardware component for memory controllers;
      
      a status of a hardware component for system controllers;
      
      a status of a hardware component for access ports;
      
      a status of a hardware component for timers;
      
      a status of a hardware component for peripheral devices;
      
      a status of a hardware component for external memory chips;
      
      a status of a hardware component for voltage regulators;
      
      a status of a hardware component for oscillators;
      
      a status of a hardware component for phase-locked loops; and
      
      a status of a hardware component for peripheral bridges.
  - 75. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - a hardware counters that denotes a state of the computing device; and
      
      a special-purpose register of the processor that stores a count of hardware-related events.
  - 76. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting one or more of location information, camera information, accelerometer information, browser information, phonebook or contact information, recorded audio information and calendar information; and
      
      monitoring one or more of content of browser-based communications, content of voice-based communications, short range radio communications, content of text-based communications, content of recorded audio files, notifications communicated to and from a software application, user verifications, and a user password.
  - 77. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises:
    - collecting information that indicates whether a first software application operating on the computing device requested to download and install a second software application.
  - 78. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring one or more of:
    - changes to compass settings;
      
      changes to device settings;
      
      changes to battery life settings;
      
      changes to gyroscope settings;
      
      changes to pressure sensor settings; and
      
      changes to screen settings.
  - 79. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises monitoring on or more of:
    - facial recognition software;
      
      social streams;
      
      notes entered by a useruse of an electronic payment service;
      
      events relating to synchronization;
      
      voice searches;
      
      voice control;
      
      language translators;
      
      offloading of data for computations;
      
      video streaming;
      
      camera usage without user activity; and
      
      microphone usage without user activity.
  - 80. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that adaptively observing the dynamically selected computing device behaviors to collect the behavior information comprises one of:
    - monitoring magnet sensors;
      
      detecting near-field communications;
      
      collecting information from a credit card scanner, barcode scanner, or mobile tag reader;
      
      detecting that a keyboard or auxiliary device has been coupled to the computing device;
      
      determining whether a light emitting diode, flash, flashlight, or light source has been modified or disabled;
      
      determining whether a speaker or microphone has been turned on or powered;
      
      detecting a charging or power event;
      
      detecting that the computing device is being used as a game controller;
      
      collecting information from medical sensors or from scanning a user'"'"'s body;
      
      collecting information from an external sensor plugged into an audio jack;
      
      collecting information from a tactile or haptic sensor; and
      
      collecting information pertaining to a thermal state of the computing device.
  - 81. The non-transitory processor-readable storage medium of claim 67, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - filtering the collected behavior information via an adaptive filter;
      
      receiving behavior inputs from one or more of a high-level application, a system kernel and a driver application programming interface (API) after filtering by the adaptive filter;
      
      receiving context information regarding operations of the computing device; and
      
      performing spatial correlations of the received behavior inputs and the received context information.
  - 82. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that generating the vector data structure comprises generating a vector that includes information pertaining to one or more of:
    - library API calls;
      
      system calls;
      
      file-system operations;
      
      sensor device state changes;
      
      file system activity;
      
      telephone activity;
      
      memory access operations;
      
      a state of the computing device;
      
      a power on/off state of an electronic display of the computing device;
      
      a locked/unlocked state the computing device;
      
      an amount of battery power remaining;
      
      inter-process communications (IPC);
      
      driver statistics; and
      
      hardware counters.
  - 83. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that generating the vector data structure comprises:
    - generating the vector data structure to include a series of numbers, each of which signifies a feature of the computing device.
  - 84. The non-transitory processor-readable storage medium of claim 83, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that at least one of the series of numbers identifies one or more of:
    - whether a camera of the computing device is in use; and
      
      how many internet messages have been sent from the computing device.
  - 85. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that generating the vector data structure comprises generating a vector that includes at least one of:
    - call information;
      
      text messaging information;
      
      media messaging information;
      
      user account information;
      
      location information;
      
      camera information;
      
      accelerometer information; and
      
      browser information.
  - 86. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that generating the vector data structure comprises generating a vector that includes information collected at a radio level of the computing device.
  - 87. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations such that generating the vector data structure comprises generating a vector that includes information collected at a sensor level of the computing device.
  - 88. The non-transitory processor-readable storage medium of claim 81, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - performing temporal correlations of the received behavior inputs and the received context information, wherein generating the vector data structure comprises generating a behavior vector based on a result of the spatial and temporal correlations.

89. A method of improving performance on a mobile device, comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
  
  identifying suspicious behavior from the coarse observations;
  
  dynamically determining the mobile device behaviors that require further observation in greater detail;
  
  dynamically determining a level of detail required for the further observation;
  
  performing finer observations based on the determined level of detail required for the further observation;
  
  generating a vector data structure that succinctly describes the finer observations via a plurality of numbers; and
  
  using the vector data structure to identify suspicious behavior from the finer observations.
- View Dependent Claims (90)
- - 90. The method of claim 89, further comprising:
    - performing mobile devices operations to correct the identified suspicious behavior.

91. A computing device, comprising a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
  
  identifying suspicious behavior from the coarse observations;
  
  dynamically determining the mobile device behaviors that require further observation in greater detail;
  
  dynamically determining a level of detail required for the further observation;
  
  performing finer observations based on the determined level of detail required for the further observation;
  
  generating a vector data structure that succinctly describes the finer observations via a plurality of numbers; and
  
  using the vector data structure to identify suspicious behavior from the finer observations.
- View Dependent Claims (92)
- - 92. The computing device of claim 91, wherein one or more of the processor cores is configured with processor-executable instructions to perform operations further comprising:
    - performing mobile devices operations to correct the identified suspicious behavior.

93. A computing device, comprising:
- means for performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
  
  means for identifying suspicious behavior from the coarse observations;
  
  means for dynamically determining the mobile device behaviors that require further observation in greater detail;
  
  means for dynamically determining a level of detail required for the further observation;
  
  means for performing finer observations based on the determined level of detail required for the further observation;
  
  means for generating a vector data structure that succinctly describes the finer observations via a plurality of numbers; and
  
  means for using the vector data structure to identify suspicious behavior from the finer observations.
- View Dependent Claims (94)
- - 94. The computing device of claim 93, further comprising:
    - means for performing mobile devices operations to correct the identified suspicious behavior.

95. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions to cause a processor to perform operations comprising:
- performing on a mobile device processor real-time behavior analysis of one or more mobile device behaviors to generate coarse observations;
  
  identifying suspicious behavior from the coarse observations;
  
  dynamically determining the mobile device behaviors that require further observation in greater detail;
  
  dynamically determining a level of detail required for the further observation;
  
  performing finer observations based on the determined level of detail required for the further observation;
  
  generating a vector data structure that succinctly describes the finer observations via a plurality of numbers; and
  
  using the vector data structure to identify suspicious behavior from the finer observations.
- View Dependent Claims (96)
- - 96. The non-transitory processor-readable storage medium of claim 95, wherein the stored processor-executable instructions are configured to cause a processor to perform operations further comprising:
    - performing mobile devices operations to correct the identified suspicious behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gupta, Rajarshi, Sridhara, Vinay, Gathala, Anil, Wei, Xuetao
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US13/923,547
Publication Number

US 20140053260A1
Time in Patent Office

1,243 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/50   Monitoring users, programs ...

G06F 21/552   involving long-term monitor...

Adaptive observation of behavioral features on a mobile device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

187 Citations

96 Claims

Specification

Use Cases

Quick Links

Others

Adaptive observation of behavioral features on a mobile device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

187 Citations

96 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others