Framework for efficient security coverage of mobile software applications using machine learning

US 9,594,905 B1
Filed: 10/12/2015
Issued: 03/14/2017
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

instrumenting, by a static instrumentation engine within software executed by a processor, an application of a computing system with at least a first monitoring function, the first monitoring function capable of operating in a run-time environment during processing of the instrumented application;

tracking, by at least a second monitoring function, movement of data associated with the application, the data being at least partially identified by a storage location;

determining whether movement of the data from a first storage location to a second storage location is suspicious; and

reporting suspicious movement of the data.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For one embodiment, a method is described that involves the instrumenting of an application of a computing system with at least one monitoring function, where the monitoring function is capable of operating in a run-time environment during processing of the instrumented application. The movement of data associated with the application is tracked by one or more monitoring functions. This data is at least partially identified by a storage location. Thereafter, a determination is made whether movement of the data from a first storage location to a second storage location is suspicious, and if so, suspicious movement of the data is reported.

506 Citations

36 Claims

1. A method comprising:
- instrumenting, by a static instrumentation engine within software executed by a processor, an application of a computing system with at least a first monitoring function, the first monitoring function capable of operating in a run-time environment during processing of the instrumented application;
  
  tracking, by at least a second monitoring function, movement of data associated with the application, the data being at least partially identified by a storage location;
  
  determining whether movement of the data from a first storage location to a second storage location is suspicious; and
  
  reporting suspicious movement of the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the run-time environment comprises one or more virtual machines processing the instrumented application.
  - 3. The method of claim 2, wherein the second monitoring function is implemented within the one or more virtual machines that operate in conjunction with the first monitoring function to track movement of data associated with the application.
  - 4. The method of claim 1, wherein the first monitoring function monitors one or more Application Programming Interface (API) calls from the instrumented application.
  - 5. The method of claim 1, wherein the first storage location and the second storage location are memory locations and the computing system includes one of a smartphone, a laptop personal computer, a desktop personal computer, or a server.
  - 6. The method of claim 1, wherein the first storage location and the second storage location are register locations.
  - 7. The method of claim 1, wherein the determining whether movement of the data from the first storage location to the second storage location is suspicious comprises (1) identifying that the data is sensitive and (2) identifying that the second storage location is different than any of a plurality of storage locations permitted to store sensitive data.
  - 8. The method of claim 7, wherein the identifying that the data is sensitive comprises identifying whether the data is maintained within an entry of a data structure that is identified as corresponding to a register or system address that is storing sensitive data.
  - 9. The method of claim 1, wherein the determining whether movement of the data from the first storage location to the second storage location is suspicious comprises detecting an attempt by the application to store the data in the second storage location that corresponds to a storage location that is not permitted to store sensitive information.
  - 10. The method of claim 1, wherein the reporting of the suspicious movement of the data comprises sending a report to a central intelligence engine that further controls a testing strategy for the application, the central intelligence engine comprises a first engine that identifies regions of interest within code of the application and a second engine that analyzes the application to identify stimuli to be applied to the application to reach the regions of interest within the code of the application.
  - 11. The method of claim 1, wherein determining whether movement of the data from the first storage location to the second storage location is suspicious comprises identifying an attempt by the application to direct data outside the run-time environment.

12. A system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprisesa static instrumentation engine that, when executed by the processor, is configured to instrument an application with at least a first monitoring function; and
  
  one or more virtual machines included as part of a run-time environment, a first virtual machine of the one or more virtual machines, when executed by the processor, is configured to process the instrumented application and at least a second monitoring function tracking movement of data associated with instrumented application that is determined to be a suspicious activity in response to determining, by the second monitoring function during processing the instrumented application, that the instrumented application is attempting to cause the data to be directed out of the run-time environment.
- View Dependent Claims (13, 14, 15, 16, 31, 32)
- - 13. The system of claim 12 further comprising a central intelligence engine that, when executed by the processor, is configured to receive a report indicating the determined suspicious activity, the central intelligence engine comprises a first engine that identifies regions of interest within code of the application and a second engine that analyzes the application to identify stimuli to be applied to the application to reach the regions of interest within the code of the application.
  - 14. The system of claim 12, wherein the run-time environment comprises the one or more virtual machines and a virtual machine monitor that is responsible for allocating hardware resources of the system to the one or more virtual machines.
  - 15. The system of claim 14, wherein the hardware resources comprises storage space within a non-volatile memory.
  - 16. The system of claim 12, wherein the second monitoring function tracking movement of the data by determining, during processing of the instrumented application, whether the instrumented application is attempting to cause the data to be sent over a network connection.
  - 31. The system of claim 12, wherein the first monitoring function monitors one or more Application Programming Interface (API) calls from the instrumented application.
  - 32. The system of claim 12, wherein the second monitoring function processed by the first virtual machine tracks movement of the data within the instrumented application that is determined to be a suspicious activity.

17. A system comprising:
- a static instrumentation engine configured to instrument an application with at least a first monitoring function;
  
  a run-time environment to process the instrumented application where at least a second monitoring function tracking movement of data associated with the instrumented application that is determined to be a suspicious activity, the run-time environment determining whether movement of the data is a suspicious activity by identifying an attempt by the instrumented application to direct data to an unapproved storage location; and
  
  a central intelligence engine configured to receive a report indicating the determined suspicious activity.
- View Dependent Claims (18, 19, 33, 34, 35, 36)
- - 18. The system of claim 17, wherein the run-time environment comprises one or more virtual machines to process the instrumented application and a virtual machine monitor that is responsible for allocating hardware resources of the system to the one or more virtual machines.
  - 19. The system of claim 17, wherein the run-time environment comprises a first virtual machine that includes the second monitoring function.
  - 33. The system of claim 17, wherein the run-time environment comprises an operating system instance that includes the second monitoring function.
  - 34. The system of claim 17, wherein the run-time environment comprises a virtual machine and the first monitoring function being different than the second monitoring function.
  - 35. The system of claim 34, wherein the first monitoring function monitors one or more Application Programming Interface (API) calls from the instrumented application.
  - 36. The system of claim 35, wherein the run-time environment further comprises an operating system instance that includes a third monitoring function that monitors system calls initiated from the instrumented application, the third monitoring function being different than the first monitoring function and the second monitoring function.

20. A system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprisesa static instrumentation engine configured to instrument an application with at least a first monitoring function,a run-time environment communicatively coupled to the static instrumentation engine, the run-time environment comprises one or more virtual machines that comprises at least a first virtual machine including at least a second monitoring function, the first virtual machine, when executed by the processor, processes the instrumented application and the second monitoring function tracking movement of data associated with the instrumented application that is determined to correspond to a suspicious activity,wherein the run-time environment is further configured to output information that identifies the determined suspicious activity.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20 further comprising a central intelligence engine communicatively coupled to the static instrumentation engine, the central intelligence engine to receive a report indicating the determined suspicious activity.
  - 22. The system of claim 21, wherein the run-time environment comprises the one or more virtual machines to process the instrumented application and a virtual machine monitor that is responsible for allocating hardware resources of the system to the one or more virtual machines.
  - 23. The system of claim 21, wherein the central intelligence engine is configured to enable or disable any of one or more monitoring functions including the second monitoring function.
  - 24. The system of claim 21, wherein the central intelligence engine is configured to enable or disable at least the first monitoring function.
  - 25. The system of claim 22, wherein the hardware resources comprise storage space within a non-volatile memory.
  - 26. The system of claim 20, wherein the determining whether movement of the data from the first storage location to the second storage location is associated with suspicious activity comprises identifying an attempt by the instrumented application to direct data outside the run-time environment.
  - 27. The system of claim 20, wherein the second monitoring function tracking movement of the data by determining, during processing of the instrumented application, whether the instrumented application is attempting to send the data over a network connection.

28. A method comprising:
- instrumenting an application of a computing system to operate in cooperation with one or more monitoring functions, at least a first monitoring function of the one or more monitoring functions operating in a run-time environment during processing of the instrumented application;
  
  tracking, by at least a second monitoring function of, movement of data associated with the application, the data being at least partially identified by a storage location, the tracking of the movement of the data comprises determining, during the processing of the instrumented application, whether the instrumented application is attempting to cause the data to be directed out of the run-time environment;
  
  determining whether the tracked movement of the data is suspicious; and
  
  reporting suspicious movement of the data.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28, wherein the determining whether the instrumented application is attempting to cause the data to be directed out of the run-time environment comprises determining whether the instrumented application is attempting to send the data over a network connection.
  - 30. The method of claim 28, wherein the reporting of the suspicious movement is conducted by the second monitoring function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Song, Dawn, Ha, Phung-Te, Gilbert, Peter J., Xue, Hui
Primary Examiner(s)
Holmes, Michael B

Application Number

US14/881,074
Time in Patent Office

519 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3466   Performance evaluation by t...

G06F 2009/4557   Distribution of virtual mac...

G06F 21/552   involving long-term monitor...

G06F 21/562   Static detection

G06F 21/60   Protecting data

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/45558   Hypervisor-specific managem...

G06N 20/00   Machine learning

Framework for efficient security coverage of mobile software applications using machine learning

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

506 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Framework for efficient security coverage of mobile software applications using machine learning

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

506 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others