Method and system for inferring application states by performing behavioral analysis operations in a mobile device

US 9,684,787 B2
Filed: 04/08/2014
Issued: 06/20/2017
Est. Priority Date: 04/08/2014
Status: Active Grant

First Claim

Patent Images

1. A method of determining an execution state of a software application or process in a mobile device, the method comprising:

monitoring in a processor of the mobile device an activity of the software application or process to collect behavior information;

using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;

applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and

using the application-and-operating-system-agnostic execution state information to determine the execution state of the software application or process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices compute and use the actual execution states of software applications to implement power saving schemes and to perform behavioral monitoring and analysis operations. A mobile device may be configured to monitor an activity of a software application, generate a shadow feature value that identifies actual execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device processor may also be configured to intelligently determine whether the execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the execution states of the software applications for which such determinations are relevant.

Citations

30 Claims

1. A method of determining an execution state of a software application or process in a mobile device, the method comprising:
- monitoring in a processor of the mobile device an activity of the software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;
  
  applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and
  
  using the application-and-operating-system-agnostic execution state information to determine the execution state of the software application or process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - selecting a power saving scheme based on the determined execution state; and
      
      implementing the selected power saving scheme.
  - 3. The method of claim 1, further comprising:
    - anticipating a future execution state of the software application or process by applying the classifier model to the behavior vector; and
      
      informing a scheduler of the determined future execution state so as to enable the scheduler to perform an action consistent with the determined future execution state.
  - 4. The method of claim 1, further comprising:
    - determining an operating system execution state of the software application or process; and
      
      determining whether the determined operating system execution state is the same as the determined execution state.
  - 5. The method of claim 4, further comprising classifying the software application as not benign in response to determining that the operating system execution state is not the same as the determined execution state.
  - 6. The method of claim 1, further comprising:
    - selecting a behavior classifier model based on the determined execution state; and
      
      using the selected behavior classifier model to determine whether the software application is not benign.
  - 7. The method of claim 6, wherein selecting the behavior classifier model based on the determined execution state comprises selecting an application specific classifier model.
  - 8. The method of claim 6, wherein selecting the behavior classifier model based on the determined execution state comprises:
    - identifying mobile device features used by the software application; and
      
      selecting the behavior classifier model to include the identified features.
  - 9. The method of claim 1, further comprising:
    - determining whether the execution state of the software application or process is relevant to the activity;
      
      generating a shadow feature value that identifies the execution state of the software application or process during which the activity was monitored in response to determining that the execution state is relevant to the activity;
      
      generating a second behavior vector that associates the activity with the shadow feature value identifying the execution state; and
      
      using the second behavior vector to determine whether the activity is not benign.

10. A computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  monitoring an activity of a software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;
  
  applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and
  
  using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - selecting a power saving scheme based on the determined execution state; and
      
      implementing the selected power saving scheme.
  - 12. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - anticipating a future execution state of the software application or process by applying the classifier model to the behavior vector; and
      
      informing a scheduler of the determined future execution state so as to enable the scheduler to perform an action consistent with the determined future execution state.
  - 13. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - determining an operating system execution state of the software application or process; and
      
      determining whether the determined operating system execution state is the same as the determined execution state.
  - 14. The computing device of claim 13, wherein the processor is configured with processor-executable instructions to perform operations further comprising classifying the software application as not benign in response to determining that the operating system execution state is not the same as the determined execution state.
  - 15. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - selecting a behavior classifier model based on the determined execution state; and
      
      using the selected behavior classifier model to determine whether the software application is not benign.
  - 16. The computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that selecting the behavior classifier model based on the determined execution state comprises selecting an application specific classifier model.
  - 17. The computing device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations such that selecting the behavior classifier model based on the determined execution state comprises:
    - identifying mobile device features used by the software application; and
      
      selecting the behavior classifier model to include the identified features.
  - 18. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - determining whether the execution state of the software application or process is relevant to the activity;
      
      generating a shadow feature value that identifies the execution state of the software application or process during which the activity was monitored in response to determining that the execution state is relevant to the activity;
      
      generating a second behavior vector that associates the activity with the shadow feature value identifying the execution state; and
      
      using the second behavior vector to determine whether the activity is not benign.

19. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations comprising:
- monitoring an activity of a software application or process to collect behavior information;
  
  using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;
  
  applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and
  
  using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a mobile device processor of a receiver device to perform operations further comprising:
    - selecting a power saving scheme based on the determined execution state; and
      
      implementing the selected power saving scheme.
  - 21. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising:
    - anticipating a future execution state of the software application or process by applying the classifier model to the behavior vector; and
      
      informing a scheduler of the determined future execution state so as to enable the scheduler to perform an action consistent with the determined future execution state.
  - 22. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising:
    - determining an operating system execution state of the software application or process; and
      
      determining whether the determined operating system execution state is the same as the determined execution state.
  - 23. The non-transitory computer readable storage medium of claim 22, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising:
    - classifying the software application as not benign in response to determining that the operating system execution state is not the same as the determined execution state.
  - 24. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising:
    - selecting a behavior classifier model based on the determined execution state; and
      
      using the selected behavior classifier model to determine whether the software application is not benign.
  - 25. The non-transitory computer readable storage medium of claim 24, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations such that selecting the behavior classifier model based on the determined execution state comprises selecting an application specific classifier model.
  - 26. The non-transitory computer readable storage medium of claim 24, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising such that selecting the behavior classifier model based on the determined execution state comprises:
    - identifying mobile device features used by the software application; and
      
      selecting the behavior classifier model to include the identified features.
  - 27. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a mobile device processor to perform operations comprising:
    - determining whether the execution state of the software application or process is relevant to the activity;
      
      generating a shadow feature value that identifies the execution state of the software application or process during which the activity was monitored in response to determining that the execution state is relevant to the activity;
      
      generating a second behavior vector that associates the activity with the shadow feature value identifying the execution state; and
      
      using the second behavior vector to determine whether the activity is not benign.

28. A mobile computing device, comprising:
- means for monitoring an activity of a software application or process to collect behavior information;
  
  means for using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;
  
  means for applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and
  
  means for using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process.
- View Dependent Claims (29, 30)
- - 29. The mobile computing device of claim 28, further comprising:
    - means for selecting a power saving scheme based on the determined execution state; and
      
      means for implementing the selected power saving scheme.
  - 30. The mobile computing device of claim 28, further comprising:
    - means for anticipating a future execution state of the software application or process by applying the classifier model to the behavior vector; and
      
      means for informing a scheduler of the determined future execution state so as to enable the scheduler to perform an action consistent with the determined future execution state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation, Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Rychlik, Bohuslav, Sridhara, Vinay, Gupta, Rajarshi
Primary Examiner(s)
NGUYEN, TU T

Application Number

US14/247,400
Publication Number

US 20150286820A1
Time in Patent Office

1,169 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 1/3206   Monitoring of events, devic...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/4893   taking into account power o...

Method and system for inferring application states by performing behavioral analysis operations in a mobile device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for inferring application states by performing behavioral analysis operations in a mobile device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links