Data flow based behavioral analysis on mobile devices
Abstract
Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.
28 Claims
1. A method of analyzing mobile device behaviors to identify a non-benign software application, comprising:
- identifying in a processor of a mobile device a critical data resource in the mobile device that requires close monitoring;
- identifying, via the processor of the mobile device, an intermediate resource in the mobile device that is associated with the critical data resource;
- monitoring, via the processor of the mobile device, activities of both the identified critical data resource and the identified intermediate resource in the mobile device to collect behavior information that identifies a pattern of API calls indicative of non-benign activity by a software application that is operating on the mobile device;
- generating, via the processor of the mobile device, a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
- performing behavior-based analysis operations that include:
  - using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  - generating a behavior vector based on the identified two or more operations; and
  - applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
- using the generated analysis results to determine whether the software application is not benign.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A mobile computing device, comprising:
- means for identifying a critical data resource in the mobile computing device that requires close monitoring;
- means for identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
- means for monitoring activities of both the identified critical data resource in the mobile computing device and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
- means for generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
- means for performing behavior-based analysis operations that include:
  - using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  - generating a behavior vector based on the identified two or more operations; and
  - applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
- means for using the generated analysis results to determine whether the software application is not benign.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A mobile computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising:
  - identifying a critical data resource in the mobile computing device that requires close monitoring;
  - identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
  - monitoring both the identified critical data resource in the mobile computing device and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
  - generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
  - performing behavior-based analysis operations that include:
    - using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
    - generating a behavior vector based on the identified two or more operations; and
    - applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
  - using the generated analysis results to determine whether the software application is not benign.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor in a mobile computing device to perform operations comprising:
- identifying a critical data resource in the mobile computing device that requires close monitoring;
- identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
- monitoring both the identified critical data resource and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
- generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
- performing behavior-based analysis operations that include:
  - using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  - generating a behavior vector based on the identified two or more operations; and
  - applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
- using the generated analysis results to determine whether the software application is not benign.
Dependent claims: 23, 24, 25, 26, 27, 28
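The steps recited in the independent claims, as an added Python sketch that is not taken from the patent or its specification: data read from a critical resource is followed through intermediate resources, the API calls along that flow are grouped into one signature, and the resulting behavior vector is scored. The resource names, API names, event tuples, vector layout and the hand-weighted linear scorer (a stand-in for the claimed machine learning classifier model) are all assumptions constructed for illustration.

```python
# Added illustration; all names, events and weights below are constructed.
from collections import defaultdict

CRITICAL = {"contacts_db"}               # critical data resource (assumed)
READ_APIS = {"query"}
WRITE_APIS = {"write"}
SINK_APIS = {"send_http", "send_sms"}    # calls that move data off the device

# Constructed monitor log: (app, api_call, source, destination)
EVENTS = [
    ("app.flash", "query", "contacts_db", "buf1"),
    ("app.flash", "write", "buf1", "/sdcard/tmp.dat"),
    ("app.notes", "query", "notes_db", "buf7"),
    ("app.flash", "send_http", "/sdcard/tmp.dat", "net"),
    ("app.notes", "send_http", "buf7", "net"),
]

def track(events, critical=CRITICAL):
    """Follow data out of critical resources; return (intermediates, ops per app)."""
    tracked, ops = set(critical), defaultdict(list)
    for app, api, src, dst in events:
        if src in tracked:
            ops[app].append(api)          # operation belongs to the monitored flow
            if api not in SINK_APIS:
                tracked.add(dst)          # dst is now an intermediate resource
    return tracked - set(critical), dict(ops)

def signature(api_seq):
    """Light-weight signature: the ordered API-call pattern, one letter per call."""
    kinds = [(READ_APIS, "R"), (WRITE_APIS, "W"), (SINK_APIS, "S")]
    return "".join(next((c for s, c in kinds if a in s), "?") for a in api_seq)

def behavior_vector(sig):
    """[reads, intermediate writes, sinks, critical read followed by a sink]."""
    exfil = "R" in sig and sig.rfind("S") > sig.find("R")
    return [sig.count("R"), sig.count("W"), sig.count("S"), int(exfil)]

WEIGHTS, BIAS = [0.5, 1.0, 1.0, 2.0], -3.0   # hand-set stand-in for a trained model

def classify(vec):
    score = sum(w * x for w, x in zip(WEIGHTS, vec)) + BIAS
    return "non-benign" if score > 0 else "benign"

def analyze(events):
    """Classify every app whose operations touched tracked data."""
    _, ops = track(events)
    return {app: classify(behavior_vector(signature(seq))) for app, seq in ops.items()}
```

In the constructed log the network send reads from the file, not from the contacts database, so a monitor watching only the critical resource would record a single query; tracking the intermediate resource is what lets the three calls be analyzed as one behavior.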
Specification