Data flow based behavioral analysis on mobile devices

US 9,607,146 B2
Filed: 09/18/2013
Issued: 03/28/2017
Est. Priority Date: 09/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing mobile device behaviors to identify a non-benign software application, comprising:

identifying in a processor of a mobile device a critical data resource in the mobile device that requires close monitoring;

identifying, via the processor of the mobile device, an intermediate resource in the mobile device that is associated with the critical data resource;

monitoring, via the processor of the mobile device, activities of both the identified critical data resource and the identified intermediate resource in the mobile device to collect behavior information that identifies a pattern of API calls indicative of non-benign activity by a software application that is operating on the mobile device;

generating, via the processor of the mobile device, a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;

performing behavior-based analysis operations that include;

using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;

generating a behavior vector based on the identified two or more operations; and

applying the generated behavior vector to a machine learning classifier model to generate analysis results; and

using the generated analysis results to determine whether the software application is not benign.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.

43 Citations

View as Search Results

28 Claims

1. A method of analyzing mobile device behaviors to identify a non-benign software application, comprising:
- identifying in a processor of a mobile device a critical data resource in the mobile device that requires close monitoring;
  
  identifying, via the processor of the mobile device, an intermediate resource in the mobile device that is associated with the critical data resource;
  
  monitoring, via the processor of the mobile device, activities of both the identified critical data resource and the identified intermediate resource in the mobile device to collect behavior information that identifies a pattern of API calls indicative of non-benign activity by a software application that is operating on the mobile device;
  
  generating, via the processor of the mobile device, a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
  
  performing behavior-based analysis operations that include;
  
  using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  
  generating a behavior vector based on the identified two or more operations; and
  
  applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
  
  using the generated analysis results to determine whether the software application is not benign.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein identifying the critical data resource in the mobile device that requires close monitoring and identifying the intermediate resource in the mobile device that is associated with the critical data resource each further comprises identifying ghost resources.
  - 3. The method of claim 1, wherein identifying the critical data resource in the mobile device that requires close monitoring and identifying the intermediate resource in the mobile device that is associated with the critical data resource each further comprises identifying a resource of the mobile device that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 4. The method of claim 1, further comprising:
    - observing the mobile device behaviors over a period of time to recognize the mobile device behaviors that are inconsistent with normal operation patterns,wherein performing the behavior-based analysis operations further comprises dynamically determining the mobile device behaviors that are to be observed to collect information that is to be included in the behavior vector based on information included in the light-weight behavior signature.
  - 5. The method of claim 1, wherein performing the behavior-based analysis operations further comprises:
    - identifying the mobile device behaviors that require more detailed analysis based on information included in the light-weight behavior signature.
  - 6. The method of claim 5, further comprising:
    - observing the identified mobile device behaviors in greater detail;
      
      generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform the more detailed analysis of the observed mobile device behaviors.
  - 7. The method of claim 1, wherein performing the behavior-based analysis operations further comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

8. A mobile computing device, comprising:
- means for identifying a critical data resource in the mobile computing device that requires close monitoring;
  
  means for identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
  
  means for monitoring activities of both the identified critical data resource in the mobile computing device and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
  
  means for generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
  
  means for performing behavior-based analysis operations that include;
  
  using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  
  generating a behavior vector based on the identified two or more operations; and
  
  applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
  
  means for using the generated analysis results to determine whether the software application is not benign.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The mobile computing device of claim 8, wherein means for identifying the critical data resource in the mobile computing device that requires close monitoring and the means for identifying intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises means for identifying ghost resources.
  - 10. The mobile computing device of claim 8, wherein means for identifying the critical data resource in the mobile computing device that requires close monitoring and the means for identifying intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises means for identifying a resource of the mobile computing device that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 11. The mobile computing device of claim 8, further comprising:
    - means for observing mobile device behaviors over a period of time to recognize the mobile device behaviors that are inconsistent with normal operation patterns,wherein means for wherein performing the behavior-based analysis operations further comprises means for dynamically determining the mobile device behaviors that are to be observed to collect information that is to be included in the behavior vector based on information included in the light-weight behavior signature.
  - 12. The mobile computing device of claim 8, wherein means for performing the behavior-based analysis operations further comprises:
    - means for identifying mobile device behaviors that require more detailed analysis based on information included in the light-weight behavior signature.
  - 13. The mobile computing device of claim 12, further comprising:
    - means for observing the determined mobile device behaviors in greater detail;
      
      means for generating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      means for using the generated behavior signature to perform the more detailed analysis of the observed mobile device behaviors.
  - 14. The mobile computing device of claim 8, wherein means for performing the behavior-based analysis operations further comprises:
    - means for determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

15. A mobile computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  identifying a critical data resource in the mobile computing device that requires close monitoring;
  
  identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
  
  monitoring both the identified critical data resource in the mobile computing device and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
  
  generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
  
  performing behavior-based analysis operations that include;
  
  using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  
  generating a behavior vector based on the identified two or more operations; and
  
  applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
  
  using the generated analysis results to determine whether the software application is not benign.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The mobile computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that identifying the critical data resource in the mobile computing device that requires close monitoring and identifying the intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises identifying ghost resources.
  - 17. The mobile computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that identifying the critical data resource in the mobile computing device that requires close monitoring and identifying the intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises identifying a resource of the mobile computing device that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 18. The mobile computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - observing mobile device behaviors over a period of time to recognize the mobile device behaviors that are inconsistent with normal operation patterns,wherein performing the behavior-based analysis operations further comprises dynamically determining the mobile device behaviors that are to be observed to collect information that is to be included in the behavior vector based on information included in the light-weight behavior signature.
  - 19. The mobile computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that performing the behavior-based analysis operations further comprises:
    - identifying the mobile device behaviors that require more detailed analysis based on information included in the light-weight behavior signature.
  - 20. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - observing the identified mobile device behaviors in greater detailgenerating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform the more detailed analysis of the observed mobile device behaviors.
  - 21. The mobile computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that performing the behavior-based analysis operations further comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

22. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor in a mobile computing device to perform operations comprising:
- identifying a critical data resource in the mobile computing device that requires close monitoring;
  
  identifying an intermediate resource in the mobile computing device that is associated with the critical data resource;
  
  monitoring both the identified critical data resource and the identified intermediate resource in the mobile computing device to collect behavior information that identifies a pattern of API calls indicative of a non-benign activity by a software application that is operating on the mobile computing device;
  
  generating a light-weight behavior signature based on the collected behavior information that identifies the pattern of API calls indicative of non-benign activity by the software application;
  
  performing behavior-based analysis operations that include;
  
  using the generated light-weight behavior signature to identify two or more operations of the software application that should be analyzed together as a single mobile device behavior;
  
  generating a behavior vector based on the identified two or more operations; and
  
  applying the generated behavior vector to a machine learning classifier model to generate analysis results; and
  
  using the generated analysis results to determine whether the software application is not benign.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that identifying the critical data resource in the mobile computing device that requires close monitoring and identifying the intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises identifying ghost resources.
  - 24. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that identifying the critical data resource in the mobile computing device that requires close monitoring and identifying the intermediate resource in the mobile computing device that is associated with the critical data resource each further comprises identifying a resource of the mobile computing device that requires API call monitoring based on API calls made by the software application to the critical data resource.
  - 25. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations further comprising observing mobile device behaviors over a period of time to recognize the mobile device behaviors that are inconsistent with normal operation patterns, and wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that performing the behavior-based analysis operations further comprises dynamically determining the mobile device behaviors that are to be observed to collect information that is to be included in the behavior vector based on information included in the light-weight behavior signature.
  - 26. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that performing the behavior-based analysis operations further comprises:
    - identifying the mobile device behaviors that require more detailed analysis based on information included in the light-weight behavior signature.
  - 27. The non-transitory computer readable storage medium of claim 26, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations further comprising:
    - observing the identified mobile device behaviors in greater detailgenerating a robust behavior signature that more fully describes the observed mobile device behaviors; and
      
      using the generated behavior signature to perform the more detailed analysis of the observed mobile device behaviors.
  - 28. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that performing the behavior-based analysis operations further comprises:
    - determining a time period for which operations of the software application are to be analyzed based on information included in the light-weight behavior signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Gathala, Sudha Anil Kumar, Gupta, Rajarshi
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US14/030,053
Publication Number

US 20150082430A1
Time in Patent Office

1,287 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Data flow based behavioral analysis on mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Data flow based behavioral analysis on mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others