Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security

US 9,672,355 B2
Filed: 09/14/2012
Issued: 06/06/2017
Est. Priority Date: 09/16/2011
Status: Active Grant

First Claim

Patent Images

1. A method for assessing the quality of mobile applications, the method comprising:

providing a computer networked environment comprising a cloud-based service for mobile devices that when operated;

performs a static analysis risk assessment of binary code associated with a mobile application being submitted by a submission source, the static analysis comprising de-compiling the binary code to obtain corresponding source code and determining from the source code at least one capability of the binary code;

examines execution behavior of the mobile application within an instrumented sandbox environment;

aggregates analysis of the execution behavior and static analysis to generate a feature vector comprising;

(i) a network summary feature, (ii) an operating system based behavioral feature, and (iii) a static analysis feature; and

performs classification using the feature vector, yielding predictor statistics describing quality and vulnerability characteristics of mobile application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system includes a computer-networked system that allows mobile subscribers, and others, to submit mobile applications to be analyzed for anomalous and malicious behavior using data acquired during the execution of the application within a highly instrumented and controlled environment for which the analysis relies on per-execution as well as comparative aggregate data across many such executions from one or more subscribers.

Citations

45 Claims

1. A method for assessing the quality of mobile applications, the method comprising:
- providing a computer networked environment comprising a cloud-based service for mobile devices that when operated;
  
  performs a static analysis risk assessment of binary code associated with a mobile application being submitted by a submission source, the static analysis comprising de-compiling the binary code to obtain corresponding source code and determining from the source code at least one capability of the binary code;
  
  examines execution behavior of the mobile application within an instrumented sandbox environment;
  
  aggregates analysis of the execution behavior and static analysis to generate a feature vector comprising;
  
  (i) a network summary feature, (ii) an operating system based behavioral feature, and (iii) a static analysis feature; and
  
  performs classification using the feature vector, yielding predictor statistics describing quality and vulnerability characteristics of mobile application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 2. The method of claim 1, wherein the cloud-based service generates an analysis vector comprised of one or more feature sets derived from analysis of application related data selected from the group comprising execution characteristics of the application and analysis of static characteristics of the application.
  - 3. The method of claim 1, wherein the cloud service generates an analysis report comprised of at least of one of:
    - a risk assessment identifying suspicious behavioral characteristics of the mobile application;
      
      a malware confidence rating indicating a confidence of the risk assessment;
      
      a malware probability rating indicating a probability of malware existence;
      
      a malware risk rating indicating dangerousness of the associated risks; and
      
      a malware label indicating details about nature of the risks associated with the mobile application.
  - 4. The method of claim 2 further comprising accumulating analysis results from a selected set of previously generated analysis vectors.
  - 5. The method of claim 4 further comprising benchmarking aggregated statistical assessments of the analysis results for the mobile application against aggregated statistical assessments associated with a set of previous analyses using the same or different mobile applications.
  - 6. The method of claim 3 wherein the analysis reports are generated based on one or more selection criteria selected from the group of a submission source, behavioral characteristics, static characteristics, and anomalies in the analysis reports.
  - 7. The method of claim 3 wherein the cloud-based service provides autonomous evaluation, reporting, and assessment of the mobile applications.
  - 8. The method of claim 3 wherein the cloud-based service provides a status monitoring of the generation of the analysis reports.
  - 9. The method of claim 2 wherein the cloud-based service further analyzes log files generated during execution and analysis of the mobile applications.
  - 10. The method of claim 2 wherein the cloud-based service further analyzes static characteristics of the mobile application via a data flow analysis, wherein such static characteristics include one or more of binary code, source code, and metadata of the mobile application.
  - 11. The method of claim 10 wherein analysis of the binary code of the mobile application is based at least in part on data retrieved from public online data repositories.
  - 12. The method of claim 9 further comprising analyzing derivative forms of the logs.
  - 13. The method of claim 12 wherein the analysis is based at least in part on natural language processing methods.
  - 14. The method of claim 3 wherein the cloud-based service analyzes one or more sources selected from the group of internet protocol transactions, network transferred files, network reach, network load from/to ad-serving sites, network connections to malicious sites, user interface traversal, internet geographic reach, network intrusion alerts, operating system API histogram, application-level API histogram, resource usage profile, and file system changes.
  - 15. The method of claim 14 wherein the cloud-based service further provides forensic analysis of the network traffic between a sandbox-emulated mobile device and internet sites reached to, such forensic analysis comprising:
    - reassembling identifiable application objects from a network traffic byte stream;
      
      autonomously applying antivirus analysis to the application objects; and
      
      creating a report listing detected infections on the application objects.
  - 16. The method of claim 15 wherein the forensic analysis further comprises:
    - planting data with the execution of the binary of the mobile application; and
      
      detecting and logging ex-filtration of the planted data over a network.
  - 17. The method of claim 15 wherein the forensic analysis further comprises analyzing logged secure network traffic using an intercepting proxy.
  - 18. The method of claim 9 further comprising generating a log validity metric to assess the quality of the log files.
  - 19. The method of claim 9 wherein the cloud-based service further uses term frequency-inverse document frequency techniques to generate assessments of execution of the binary of the mobile application from a document corpus comprised of the log files, application history data, and analysis associated with the binary of the mobile application.
  - 20. The method of claim 4 further comprising applying one or more machine learning techniques on the accumulated analysis reports, thereby performing predictive classification of the mobile application.
  - 21. The method of claim 20 wherein the set of selected analysis vectors is based at least in part on one or more of whether an application is known to be infected, whether an application is known to not be infected, and applications having a common infection.
  - 22. The method of claim 20, wherein the cloud-based service further provides classification machine learning techniques selected from the group consisting of support vector machines, ensemble learning methods, and decision trees for generating predictors about the mobile application based on at least one of aggregated behavior and code inspection data of multiple applications.
  - 23. The method of claim 22 wherein generation of the predictors is constrained based at least in part on a combination of multiple machine learning techniques.
  - 24. The method of claim 20 wherein the machine learning techniques are based at least in part on a time range and a submission source.
  - 25. The method of claim 20 further comprising identifying potential zero-day malware and one or more corresponding mobile applications based at least in part on at least one of a high malware rating, a high malware probability, and a high malware confidence.
  - 26. The method of claim 25 further comprising notifying an administrator of the cloud-based service upon identification of a potential zero-day malware.
  - 27. The method of claim 20 wherein the cloud-based service further performs a periodical clustering re-evaluation of the set of analysis vectors, thereby resulting in a set of classification clusters.
  - 28. The method of claim 20 wherein the cloud-based service further performs a mapping assignment of the analysis vector to a current set of classification clusters.
  - 29. The method of claim 28 wherein the cloud-based service further determines whether a new analysis vector can reliably be claimed to be a member of an existing cluster, and if not, classifies the new analysis vector as an anomaly.
  - 30. The method of claim 20 further comprising generating a clustering classification set from the set of analysis vectors, and wherein the set is selected based on an infection type.
  - 31. The method of claim 30 wherein the generation of the clustering classification is based on one or more criteria selected from the group comprising:
    - elapsed time from a most recent clustering event, a number of anomalous vectors observed since the most recent clustering event, and a number of analysis vectors processed since the most recent clustering event.
  - 32. The method of claim 1 wherein the cloud-based service further provides an extensible instrumentation platform, thereby facilitating an addition of plug-in instrumentation related to behavioral and static aspects of the application.
  - 33. The method of claim 1, wherein the instrumented sandbox environment is based on one or more of a set of software-emulated mobile devices and a device bank of one or more actual mobile devices.
  - 34. The method of claim 1 further providing using an authorization key provided by the submission source to authenticate the mobile applications.
  - 35. The method of claim 34 wherein the cloud-based service queues submitted mobile applications and prioritizes execution scheduling of the received submissions based at least in part on the submission source, an authorization key, and a submission time.
  - 36. The method of claim 1 wherein the mobile applications are received from one of a mobile device, a webpage interface, or a submission API-compliant client.
  - 37. The method of claim 36 wherein the mobile device submits an application for analysis, notifies a user of analysis results, receiving analysis updates and maintains a history of submissions and analysis results.
  - 38. The method of claim 14 wherein the cloud-based service further provides visualization of the internet connectivity network realized by the executions of one or more applications augmented with one or more of classification and antivirus findings, malicious sites reached, access to common subnets, geographical distribution of internet addresses reached, total network traffic between internet addresses, number of intrusion detection alerts triggered on access to an internet address, access to reverse domain name service and registration records for identified internet addresses, subscriber identity, and application identity.
  - 39. The method of claim 38 further comprising exploring the visualization to identify network addresses reached by infected application binaries.
  - 40. The method of claim 15 wherein the mobile device autonomously submits the mobile application for analysis and determines whether the application will be subsequently used on the mobile device.
  - 41. The method of claim 1 wherein execution of the mobile application in the instrumented sandbox environment is subject to stimuli that simulate environmental changes perceived by a mobile device, wherein such stimuli comprise one or more of a change in current GPS coordinates, a loss of a wireless signal, and a change in strength of a wireless signal.
  - 42. The method of claim 1 wherein the examination of the execution behaviors of the mobile application comprises examination of one or more user interfaces of the mobile application using a depth-first traversal of user interface windows and elements.
  - 43. The method of claim 42 wherein a current user interface is interrogated for existing elements and the existing elements are further examined to determine a proper interaction mode based on one or more of heuristics, random traversal, or fixed input stimuli.
  - 44. The method of claim 43 further comprising logging and collecting metrics while traversing the user interface.
  - 45. The method of claim 44 further comprising providing autonomous detection of application binaries that, based on the collected metrics, indicate poor traversal performance as compared to metrics collected from other mobile applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veracode Incorporated (Broadcom, Inc.)
Original Assignee
Veracode Incorporated (Broadcom, Inc.)
Inventors
Titonis, Theodora Heather, Manohar-Alers, Nelson Roberto, Wysopal, Christopher John
Primary Examiner(s)
Dinh, Minh

Application Number

US13/617,568
Publication Number

US 20130097706A1
Time in Patent Office

1,726 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06N 20/00   Machine learning

H04L 63/1433   Vulnerability analysis

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links