Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors

US 9,686,023 B2
Filed: 11/27/2013
Issued: 06/20/2017
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method of generating and using data models in a mobile device, comprising:

receiving, in a processor of the mobile device from a server computing device, a full classifier model, the received full classifier model including a plurality of decision nodes, each decision node in the plurality of decision nodes including a test condition and a weight value;

collecting mobile device-specific information in the mobile device;

identifying combinations of features that require monitoring and analysis in the mobile device, and determining a relative importance of each of the identified feature combinations, based on the collected mobile device-specific information;

culling, via the processor of the mobile device, the received full classifier model to generate a lean classifier model that includes a subset of the plurality of decision nodes included in the received full classifier model, the culling comprising;

identifying decision nodes included in the received full classifier model that include test conditions relevant to evaluating the identified feature combinations;

prioritizing the identified decision nodes based on determined relative importance of the identified feature combinations; and

generating the lean classifier model to include only the identified decision nodes, ordered in accordance with their priority;

generating a behavior vector that characterizes a behavior of the mobile device; and

applying, by the processor of the mobile device, the generated behavior vector to the generated lean classifier model to classify the behavior of the mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The various aspects provide a mobile device and methods implemented on the mobile device for modifying behavior models to account for device-specific or device-state-specific features. In the various aspects, a behavior analyzer module may leverage a full feature set of behavior models (i.e. a large classifier model) received from a network server to create lean classifier models for use in monitoring for malicious behavior on the mobile device, and the behavior analyzer module may dynamically modify these lean classifier models to include features specific to the mobile device and/or the mobile device'"'"'s current configuration. Thus, the various aspects may enhance overall security for a particular mobile device by taking the mobile device and its current configuration into account and may improve overall performance by monitoring only features that are relevant to the mobile device.

196 Citations

30 Claims

1. A method of generating and using data models in a mobile device, comprising:
- receiving, in a processor of the mobile device from a server computing device, a full classifier model, the received full classifier model including a plurality of decision nodes, each decision node in the plurality of decision nodes including a test condition and a weight value;
  
  collecting mobile device-specific information in the mobile device;
  
  identifying combinations of features that require monitoring and analysis in the mobile device, and determining a relative importance of each of the identified feature combinations, based on the collected mobile device-specific information;
  
  culling, via the processor of the mobile device, the received full classifier model to generate a lean classifier model that includes a subset of the plurality of decision nodes included in the received full classifier model, the culling comprising;
  
  identifying decision nodes included in the received full classifier model that include test conditions relevant to evaluating the identified feature combinations;
  
  prioritizing the identified decision nodes based on determined relative importance of the identified feature combinations; and
  
  generating the lean classifier model to include only the identified decision nodes, ordered in accordance with their priority;
  
  generating a behavior vector that characterizes a behavior of the mobile device; and
  
  applying, by the processor of the mobile device, the generated behavior vector to the generated lean classifier model to classify the behavior of the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - receiving the full classifier model comprises receiving a finite state machine that includes information that is suitable for conversion to the plurality of decision nodes; and
      
      culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises generating the lean classifier model to include only the identified decision nodes that evaluate a mobile device feature that is relevant to a current operating state or configuration of the mobile device.
  - 3. The method of claim 2, wherein culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises:
    - determining a number of unique test conditions that should be evaluated to classify the behavior without consuming an excessive amount of processing, memory, or energy resources of the mobile device;
      
      generating a list of test conditions by sequentially traversing the plurality of test conditions in the full classifier model and inserting those test conditions that are relevant to classifying the behavior of the mobile device into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
      
      generating the lean classifier model to include decision nodes in the full classifier model that test one of the test conditions included in the generated list of test conditions.
  - 4. The method of claim 2, wherein applying the generated behavior vector to the generated lean classifier model in the mobile device to classify the behavior of the mobile device comprises using the lean classifier model to determine whether the behavior is not benign by:
    - applying collected behavior information to each decision node in the lean classifier model;
      
      computing a weighted average of results of applying the collected behavior information to each decision node in the lean classifier model; and
      
      comparing the weighted average to a threshold value.
  - 5. The method of claim 1, further comprising:
    - monitoring the mobile device to detect a change in one of;
      
      a state of the mobile device,a configuration of the mobile device,a capability of the mobile device, anda functionality of the mobile device;
      
      modifying the lean classifier model to include an updated set of test conditions in response to detecting the change; and
      
      using the modified lean classifier model to classify the behavior of the mobile device.
  - 6. The method of claim 5, wherein monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - identifying an added mobile device feature associated with the detected change;
      
      determining whether the identified added mobile device feature is included in the generated lean classifier model; and
      
      adding the identified feature to the generated lean classifier model in response to determining that the identified feature is not included in the generated lean classifier model.
  - 7. The method of claim 5, wherein monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the capability of the mobile device by detecting an addition of an auxiliary component to the mobile device;
      
      determining whether the lean classifier model includes any test conditions that evaluate the auxiliary component;
      
      determining whether the full classifier model includes any test conditions for the auxiliary component in response to determining that the lean classifier model does not include any test conditions that evaluate the auxiliary component; and
      
      adding a new decision node that includes a new test condition associated with the auxiliary component to the lean classifier model in response to determining that the full classifier model includes test conditions for the auxiliary component.
  - 8. The method of claim 5, wherein monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the functionality of the mobile device;
      
      determining whether the detected change in functionality represents added or removed functionality;
      
      determining whether the lean classifier model includes any test conditions that evaluate a mobile device feature affected by the detected change in functionality in response to determining that the detected change in functionality represents added functionality;
      
      determining whether the full classifier model includes any test conditions that evaluate the mobile device feature in response to determining that the lean classifier model does not include any test conditions that evaluate the mobile device feature; and
      
      adding a new decision node that includes a new test condition that evaluates the mobile device feature affected by the detected change to the lean classifier model in response to determining that the full classifier model includes test conditions that evaluate the mobile device feature.
  - 9. The method of claim 5, wherein monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - determining whether there has been the change in state on the mobile device;
      
      identifying a feature that is relevant to a previous state of the mobile device and not relevant to a current state of the mobile device in response to determining that there has been the change in state on the mobile device; and
      
      removing from the lean classifier model test conditions associated with the identified feature.

10. A mobile device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  receiving from a server computing device a full classifier model, the received full classifier model including a plurality of decision nodes, each decision node in the plurality of decision nodes including a test condition and a weight value;
  
  collecting mobile device-specific information in the mobile device;
  
  identifying combinations of features that require monitoring and analysis in the mobile device, and determining a relative importance of each of the identified feature combinations, based on the collected mobile device-specific information;
  
  culling the received full classifier model to generate a lean classifier model that includes a subset of the plurality of decision nodes included in the received full classifier model, the culling comprising;
  
  identifying decision nodes included in the received full classifier model that include test conditions relevant to evaluating the identified feature combinations;
  
  prioritizing the identified decision nodes based on the determined relative importance of the identified feature combinations; and
  
  generating the lean classifier model to include only the identified decision nodes, ordered in accordance with their priority;
  
  generating a behavior vector that characterizes a behavior of the mobile device; and
  
  applying the generated behavior vector to the generated lean classifier model in the mobile device to classify the behavior of the mobile device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that:
    - receiving the full classifier model comprises receiving a finite state machine that includes information that is suitable for conversion to the plurality of decision nodes; and
      
      culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises generating the lean classifier model to include only the identified decision nodes that evaluate a mobile device feature that is relevant to a current operating state or configuration of the mobile device.
  - 12. The mobile device of claim 11, wherein the processor is configured with processor-executable instructions to perform operations such that culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises:
    - determining a number of unique test conditions that should be evaluated to classify the behavior without consuming an excessive amount of processing, memory, or energy resources of the mobile device;
      
      generating a list of test conditions by sequentially traversing the plurality of test conditions in the full classifier model and inserting those test conditions that are relevant to classifying the behavior of the mobile device into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
      
      generating the lean classifier model to include the identified decision nodes in the full classifier model that test one of the test conditions included in the generated list of test conditions.
  - 13. The mobile device of claim 11, wherein the processor is configured with processor-executable instructions to perform operations such that applying the generated behavior vector to the generated lean classifier model in the mobile device to classify the behavior of the mobile device comprises using the lean classifier model to determine whether the behavior is not benign by:
    - applying collected behavior information to each decision node in the lean classifier model;
      
      computing a weighted average of results of applying the collected behavior information to each decision node in the lean classifier model; and
      
      comparing the weighted average to a threshold value.
  - 14. The mobile device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - monitoring the mobile device to detect a change in one of;
      
      a state of the mobile device,a configuration of the mobile device,a capability of the mobile device, anda functionality of the mobile device;
      
      modifying the lean classifier model to include an updated set of test conditions in response to detecting the change; and
      
      using the modified lean classifier model to classify the behavior of the mobile device.
  - 15. The mobile device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - identifying an added mobile device feature associated with the detected change;
      
      determining whether the identified added mobile device feature is included in the generated lean classifier model; and
      
      adding the identified feature to the generated lean classifier model in response to determining that the identified feature is not included in the generated lean classifier model.
  - 16. The mobile device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the capability of the mobile device by detecting an addition of an auxiliary component to the mobile device;
      
      determining whether the lean classifier model includes any test conditions that evaluate the auxiliary component;
      
      determining whether the full classifier model includes any test conditions for the auxiliary component in response to determining that the lean classifier model does not include any test conditions that evaluate the auxiliary component; and
      
      adding a new decision node that includes a new test condition associated with the auxiliary component to the lean classifier model in response to determining that the full classifier model includes test conditions for the auxiliary component.
  - 17. The mobile device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the functionality of the mobile device;
      
      determining whether the detected change in functionality represents added or removed functionality;
      
      determining whether the lean classifier model includes any test conditions that evaluate a mobile device feature affected by the detected change in functionality in response to determining that the detected change in functionality represents added functionality;
      
      determining whether the full classifier model includes any test conditions that evaluate the mobile device feature in response to determining that the lean classifier model does not include any test conditions that evaluate the mobile device feature; and
      
      adding a new decision node that includes a new test condition that evaluates the mobile device feature affected by the detected change to the lean classifier model in response to determining that the full classifier model includes test conditions that evaluate the mobile device feature.
  - 18. The mobile device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - determining whether there has been the change in state on the mobile device;
      
      identifying a feature that is relevant to a previous state of the mobile device and not relevant to a current state of the mobile device in response to determining that there has been the change in state on the mobile device; and
      
      removing from the lean classifier model test conditions associated with the identified feature.

19. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a mobile device to perform operations comprising:
- receiving from a server computing device a full classifier model, the received full classifier model including a plurality of decision nodes, each decision node in the plurality of decision nodes including a test condition and a weight value;
  
  collecting mobile device-specific information in the mobile device;
  
  identifying combinations of features that require monitoring and analysis in the mobile device, and determining a relative importance of each of the identified feature combinations, based on the collected mobile device-specific information;
  
  culling the received full classifier model to generate a lean classifier model that includes a subset of the plurality of decision nodes included in the received full classifier model, the culling comprises;
  
  identifying decision nodes included in the received full classifier model that include test conditions relevant to evaluating the identified feature combinations;
  
  prioritizing the identified decision nodes based on the determined relative importance of the identified feature combinations; and
  
  generating the lean classifier model to include only the identified decision nodes, ordered in accordance with their priority;
  
  generating a behavior vector that characterizes a behavior of the mobile device; and
  
  applying the generated behavior vector to the generated lean classifier model in the mobile device to classify the behavior of the mobile device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that:
    - receiving the full classifier model comprises receiving a finite state machine that includes information that is suitable for conversion to the plurality of decision nodes; and
      
      culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises generating the lean classifier model to include only the identified decision nodes that evaluate a mobile device feature that is relevant to a current operating state or configuration of the mobile device.
  - 21. The non-transitory computer readable storage medium of claim 20, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises:
    - determining a number of unique test conditions that should be evaluated to classify the behavior without consuming an excessive amount of processing, memory, or energy resources of the mobile device;
      
      generating a list of test conditions by sequentially traversing the plurality of test conditions in the full classifier model and inserting those test conditions that are relevant to classifying the behavior of the mobile device into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
      
      generating the lean classifier model to include the identified decision nodes in the full classifier model that test one of the test conditions included in the generated list of test conditions.
  - 22. The non-transitory computer readable storage medium of claim 20, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that applying the generated behavior vector to the generated lean classifier model in the mobile device to classify the behavior of the mobile device comprises using the lean classifier model to determine whether the behavior is not benign by:
    - applying collected behavior information to each decision node in the lean classifier model;
      
      computing a weighted average of results of applying the collected behavior information to each decision node in the lean classifier model; and
      
      comparing the weighted average to a threshold value.
  - 23. The non-transitory computer readable storage medium of claim 19, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising:
    - monitoring the mobile device to detect a change in one of;
      
      a state of the mobile device, a configuration of the mobile device, a capability of the mobile device, and a functionality of the mobile device;
      
      modifying the lean classifier model to include an updated set of test conditions in response to detecting the change; and
      
      using the modified lean classifier model to classify the behavior of the mobile device.
  - 24. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - identifying an added mobile device feature associated with the detected change;
      
      determining whether the identified feature is included in the generated lean classifier model; and
      
      adding the identified feature to the generated lean classifier model in response to determining that the identified feature is not included in the generated lean classifier model.
  - 25. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the capability of the mobile device by detecting an addition of an auxiliary component to the mobile device;
      
      determining whether the lean classifier model includes any test conditions that evaluate the auxiliary component;
      
      determining whether the full classifier model includes any test conditions for the auxiliary component in response to determining that the lean classifier model does not include any test conditions that evaluate the auxiliary component; and
      
      adding a new decision node that includes a new test condition associated with the auxiliary component to the lean classifier model in response to determining that the full classifier model includes test conditions for the auxiliary component.
  - 26. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - detecting the change in the functionality of the mobile device;
      
      determining whether the detected change in functionality represents added or removed functionality;
      
      determining whether the lean classifier model includes any test conditions that evaluate a mobile device feature affected by the detected change in functionality in response to determining that the detected change in functionality represents added functionality;
      
      determining whether the full classifier model includes any test conditions that evaluate the mobile device feature in response to determining that the lean classifier model does not include any test conditions that evaluate the mobile device feature; and
      
      adding a new decision node that includes a new test condition that evaluates the mobile device feature affected by the detected change to the lean classifier model in response to determining that the full classifier model includes test conditions that evaluate the mobile device feature.
  - 27. The non-transitory computer readable storage medium of claim 23, wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that monitoring the mobile device and modifying the lean classifier model to include the updated set of test conditions in response to detecting the change comprises:
    - determining whether there has been the change in state on the mobile device;
      
      identifying a feature that is relevant to a previous state of the mobile device and not relevant to a current state of the mobile device in response to determining that there has been the change in state on the mobile device; and
      
      removing from the lean classifier model test conditions associated with the identified feature.

28. A mobile device, comprising:
- means for receiving from a server computing device a full classifier model, the received full classifier model including a plurality of decision nodes, each decision node in the plurality of decision nodes including a test condition and a weight value;
  
  means for collecting mobile device-specific information in the mobile device;
  
  means for identifying combinations of features that require monitoring and analysis in the mobile device, and determining a relative importance of each of the identified feature combinations, based on the collected mobile device-specific information;
  
  means for culling, via the processor of the mobile device, the received full classifier model to generate a lean classifier model that includes a subset of the plurality of decision nodes included in the received full classifier model, the means for culling comprising;
  
  means for identifying decision nodes included in the received full classifier model that include test conditions relevant to evaluating the identified feature combinations;
  
  means for prioritizing the identified decision nodes based on the determined relative importance of the identified feature combinations; and
  
  means for generating the lean classifier model to include only the identified decision nodes, ordered in accordance with their priority;
  
  means for generating a behavior vector that characterizes a behavior of the mobile device; and
  
  means for applying the generated behavior vector to the generated lean classifier model to classify the behavior of the mobile device.
- View Dependent Claims (29, 30)
- - 29. The mobile device of claim 28, wherein:
    - means for receiving the full classifier model comprises means for receiving a finite state machine that includes information that is suitable for conversion to the plurality of decision nodes; and
      
      means for culling the received full classifier model to generate the lean classifier model that includes the subset of the plurality of decision nodes included in the received full classifier model further comprises means for generating the lean classifier model to include only the identified decision nodes that evaluate a mobile device feature that is relevant to a current operating state or configuration of the mobile device.
  - 30. The mobile device of claim 29, wherein means for culling the received full classifier model to generate the lean classifier model further comprises:
    - means for determining a number of unique test conditions that should be evaluated to classify the behavior without consuming an excessive amount of processing, memory, or energy resources of the mobile device;
      
      means for generating a list of test conditions by sequentially traversing the plurality of test conditions in the full classifier model and inserting those test conditions that are relevant to classifying the behavior of the mobile device into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
      
      means for generating the lean classifier model to include the identified decision nodes in the full classifier model that test one of the test conditions included in the generated list of test conditions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Gupta, Rajarshi, Fawaz, Kassem
Primary Examiner(s)
Jain, Ankur
Assistant Examiner(s)
Chen, Zhitong

Application Number

US14/091,707
Publication Number

US 20140187177A1
Time in Patent Office

1,301 Days
Field of Search

None
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04B 17/391   Modelling the propagation c...

Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

196 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links