Method and system for inferring application states by performing behavioral analysis operations in a mobile device
First Claim
1. A method of determining an execution state of a software application or process in a mobile device, the method comprising:
- monitoring in a processor of the mobile device an activity of the software application or process to collect behavior information;
using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers;
applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and
using the application-and-operating-system-agnostic execution state information to determine the execution state of the software application or process.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems and devices compute and use the actual execution states of software applications to implement power saving schemes and to perform behavioral monitoring and analysis operations. A mobile device may be configured to monitor an activity of a software application, generate a shadow feature value that identifies actual execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device processor may also be configured to intelligently determine whether the execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the execution states of the software applications for which such determinations are relevant.
-
Citations
30 Claims
-
1. A method of determining an execution state of a software application or process in a mobile device, the method comprising:
-
monitoring in a processor of the mobile device an activity of the software application or process to collect behavior information; using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers; applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and using the application-and-operating-system-agnostic execution state information to determine the execution state of the software application or process. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising; monitoring an activity of a software application or process to collect behavior information; using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers; applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
19. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor to perform operations comprising:
-
monitoring an activity of a software application or process to collect behavior information; using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers; applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
-
-
28. A mobile computing device, comprising:
-
means for monitoring an activity of a software application or process to collect behavior information; means for using the collected behavior information to generate a behavior vector that describes the monitored activity via a series of numbers; means for applying a classifier model that includes a plurality of test conditions to the generated behavior vector to generate application-and-operating-system-agnostic execution state information; and means for using the application-and-operating-system-agnostic execution state information to determine an execution state of the software application or process. - View Dependent Claims (29, 30)
-
Specification