On-line behavioral analysis engine in mobile device with multiple analyzer model providers

US 9,747,440 B2
Filed: 07/09/2013
Issued: 08/29/2017
Est. Priority Date: 08/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring mobile device behaviors in a mobile device based on models received from multiple model providers, comprising:

receiving, via a mobile device processor of the mobile device, a first machine learning model from a first model provider, the received first machine learning model identifying factors and data points relevant to enabling the mobile device processor to determine whether a mobile device behavior is benign;

receiving in the mobile device a second machine learning model from a second model provider that is different than, and operates independent of, the first model provider, the received second machine learning model identifying different factors and data points relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;

installing either the first machine learning model or the second machine learning model in the mobile device in conjunction with an existing behavior analyzer engine installed in the mobile device;

selecting for monitoring one or more mobile device behaviors in the mobile device based on factors and data points identified by the installed machine learning model;

monitoring the selected mobile device behaviors to collect behavior information;

using the collected behavior information to perform spatial and/or temporal correlations;

generating a behavior vector based on a result of the spatial and/or temporal correlations;

comparing the generated behavior vector to the installed machine learning model to generate a comparison result; and

determining whether the mobile device behavior is benign based on the comparison result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probability of enabling a mobile device to better determine whether a mobile device behavior is malicious or benign. Based on this analysis, a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to better determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors.

199 Citations

36 Claims

1. A method for monitoring mobile device behaviors in a mobile device based on models received from multiple model providers, comprising:
- receiving, via a mobile device processor of the mobile device, a first machine learning model from a first model provider, the received first machine learning model identifying factors and data points relevant to enabling the mobile device processor to determine whether a mobile device behavior is benign;
  
  receiving in the mobile device a second machine learning model from a second model provider that is different than, and operates independent of, the first model provider, the received second machine learning model identifying different factors and data points relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;
  
  installing either the first machine learning model or the second machine learning model in the mobile device in conjunction with an existing behavior analyzer engine installed in the mobile device;
  
  selecting for monitoring one or more mobile device behaviors in the mobile device based on factors and data points identified by the installed machine learning model;
  
  monitoring the selected mobile device behaviors to collect behavior information;
  
  using the collected behavior information to perform spatial and/or temporal correlations;
  
  generating a behavior vector based on a result of the spatial and/or temporal correlations;
  
  comparing the generated behavior vector to the installed machine learning model to generate a comparison result; and
  
  determining whether the mobile device behavior is benign based on the comparison result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein receiving the first machine learning model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 3. The method of claim 1, further comprising:
    - replacing the installed machine learning model with a third machine learning model received from a third model provider; and
      
      linking the received third machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received third machine learning model.
  - 4. The method of claim 1, further comprising:
    - updating the installed machine learning model with information included in a third machine learning model received from a third model provider; and
      
      linking the updated machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated machine learning model.
  - 5. The method of claim 1, further comprising:
    - receiving a plurality of additional machine learning models from a plurality of public networks; and
      
      updating the installed machine learning model with information included in one or more of the received plurality of machine learning models.
  - 6. The method of claim 1, wherein receiving the first machine learning model from the first model provider comprises receiving the first machine learning model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 7. The method of claim 1, wherein receiving the first machine learning model from the first model provider comprises:
    - accessing and authenticating an online app store by the mobile device processor;
      
      downloading a menu of models available for download or update from the online app store;
      
      receiving in the mobile device processor a user selection input;
      
      requesting download or update of a user-selected model from the online app store; and
      
      receiving the requested user-selected model in a download buffer of the mobile device.
  - 8. The method of claim 1, wherein installing either the first machine learning model or the second machine learning model in the mobile device in conjunction with the existing behavior analyzer engine installed in the mobile device comprises:
    - validating the received first machine learning model;
      
      installing the validated machine learning model in a memory of the mobile device; and
      
      registering the installed machine learning model with an observer module of the mobile device.
  - 9. The method of claim 1, further comprising:
    - receiving a new machine learning model that identifies additional factors and data points as being relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;
      
      updating the installed machine learning model with information included in the new machine learning model in response to determining that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated machine learning model to determine whether the identified suspicious mobile device behavior is benign.

10. A mobile computing device comprising:
- a mobile device processor;
  
  means for receiving a first machine learning model from a first model provider, the received first machine learning model identifying factors and data points relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;
  
  means for receiving a second machine learning model from a second model provider that is different than, and operates independent of, the first model provider, the received second machine learning model identifying different factors and data points relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;
  
  means for installing either the first machine learning model or the second machine learning model in conjunction with an existing behavior analyzer engine;
  
  means for selecting for monitoring one or more mobile device behaviors in the mobile computing device based on factors and data points identified by the installed machine learning model;
  
  means for monitoring the selected mobile device behaviors to collect behavior information;
  
  means for using the collected behavior information to perform spatial and/or temporal correlations;
  
  means for generating a behavior vector based on a result of the spatial and/or temporal correlations;
  
  means for comparing the generated behavior vector to the installed machine learning model to generate a comparison result; and
  
  means for determining whether the mobile device behavior is benign based on the comparison result.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The mobile computing device of claim 10, wherein means for receiving the first machine learning model comprises means for receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 12. The mobile computing device of claim 10, further comprising:
    - means for replacing the installed machine learning model with a third machine learning model received from a third model provider; and
      
      means for linking the received third machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received third machine learning model.
  - 13. The mobile computing device of claim 10, further comprising:
    - means for updating the installed machine learning model with information included in a third machine learning model received from a third model provider; and
      
      means for linking the updated machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated machine learning model.
  - 14. The mobile computing device of claim 10, further comprising:
    - means for receiving a plurality of additional machine learning models from a plurality of public networks; and
      
      means for updating the installed machine learning model with information included in one or more of the received plurality of machine learning models.
  - 15. The mobile computing device of claim 10, wherein means for receiving the first machine learning model from the first model provider comprises means for receiving the first machine learning model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 16. The mobile computing device of claim 10, wherein means for receiving the first machine learning model from the first model provider comprises:
    - means for accessing and authenticating an online app store by the mobile device processor;
      
      means for downloading a menu of models available for download or update from the online app store;
      
      means for receiving in the mobile device processor a user selection input;
      
      means for requesting download or update of a user-selected model from the online app store; and
      
      means for receiving the requested user-selected model in a download buffer.
  - 17. The mobile computing device of claim 10, wherein means for installing either the first machine learning model or the second machine learning model in conjunction with the existing behavior analyzer engine comprises:
    - means for validating the received first machine learning model;
      
      means for installing the validated machine learning model in memory; and
      
      means for registering the installed machine learning model with an observer module.
  - 18. The mobile computing device of claim 10, further comprising:
    - means for receiving a new machine learning model that identifies additional factors and data points as being relevant to enabling the mobile device processor to determine whether a mobile device behavior is benign;
      
      means for updating the installed machine learning model with information included in the new machine learning model in response to determining that an identified mobile device behavior is suspicious; and
      
      means for comparing the generated behavior vector to the updated machine learning model to determine whether the identified suspicious mobile device behavior is benign.

19. A mobile computing device, comprising:
- a memory; and
  
  a processor coupled to the memory, wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  receiving a first machine learning model from a first model provider, the received first machine learning model identifying factors and data points relevant to enabling the processor to determine whether a mobile device behavior is benign;
  
  receiving a second machine learning model from a second model provider that is different than, and operates independent of, the first model provider, the received second machine learning model identifying different factors and data points relevant to enabling the processor to determine whether the mobile device behavior is benign;
  
  installing either the first machine learning model or the second machine learning model in conjunction with an existing behavior analyzer engine;
  
  selecting for monitoring one or more mobile device behaviors in the mobile computing device based on factors and data points identified by the installed machine learning model;
  
  monitoring the selected mobile device behaviors to collect behavior information;
  
  using the collected behavior information to perform spatial and/or temporal correlations;
  
  generating a behavior vector based on a result of the spatial and/or temporal correlations;
  
  comparing the generated behavior vector to the installed machine learning model to generate a comparison result; and
  
  determining whether the mobile device behavior is benign based on the comparison result.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the first machine learning model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 21. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - replacing the installed machine learning model with a third machine learning model received from a third model provider; and
      
      linking the received third machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received third machine learning model.
  - 22. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - updating the installed machine learning model with information included in a third machine learning model received from a third model provider; and
      
      linking the updated machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated machine learning model.
  - 23. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a plurality of additional machine learning models from a plurality of public networks; and
      
      updating the installed machine learning model with information included in one or more of the received plurality of machine learning models.
  - 24. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the first machine learning model from the first model provider comprises receiving the first machine learning model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 25. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the first machine learning model from the first model provider comprises:
    - accessing and authenticating an online app store;
      
      downloading a menu of models available for download or update from the online app store;
      
      receiving a user selection input;
      
      requesting download or update of a user-selected model from the online app store; and
      
      receiving the requested user-selected model in a download buffer.
  - 26. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that installing either the first machine learning model or the second machine learning model in conjunction with the existing behavior analyzer engine comprises:
    - validating the received first machine learning model;
      
      installing the validated machine learning model in the memory; and
      
      registering the installed machine learning model with an observer module.
  - 27. The mobile computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a new machine learning model that identifies additional factors and data points as being relevant to enabling the processor to determine whether a behavior is benign;
      
      updating the installed machine learning model with information included in the new machine learning model when it is determined that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated machine learning model to determine whether the identified suspicious mobile device behavior is benign.

28. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a mobile device processor of a mobile computing device to perform operations comprising:
- receiving a first machine learning model from a first model provider, the received first machine learning model identifying factors and data points relevant to enabling the mobile device processor to determine whether a mobile device behavior is benign;
  
  receiving a second machine learning model from a second model provider that is different than, and operates independent of, the first model provider, the received second machine learning model identifying different factors and data points relevant to enabling the mobile device processor to determine whether the mobile device behavior is benign;
  
  installing either the first machine learning model or the second machine learning model in conjunction with an existing behavior analyzer engine;
  
  selecting for monitoring one or more mobile device behaviors in the mobile computing device based on factors and data points identified by the installed machine learning model;
  
  monitoring the selected mobile device behaviors to collect behavior information;
  
  using the collected behavior information to perform spatial and/or temporal correlations;
  
  generating a behavior vector based on a result of the spatial and/or temporal correlations;
  
  comparing the generated behavior vector to the installed machine learning model to generate a comparison result; and
  
  determining whether the mobile device behavior is benign based on the comparison result.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the first machine learning model comprises receiving a finite state machine representation that includes a mapping of features to behavior classifications.
  - 30. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - replacing the installed machine learning model with a third machine learning model received from a third model provider; and
      
      linking the received third machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the received third machine learning model.
  - 31. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - updating the installed machine learning model with information included in a third machine learning model received from a third model provider; and
      
      linking the updated machine learning model to the existing behavior analyzer engine so that when the existing behavior analyzer engine performs analysis operations it does so using the updated machine learning model.
  - 32. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - receiving a plurality of additional machine learning models from a plurality of public networks; and
      
      updating the installed machine learning model with information included in one or more of the received plurality of machine learning models.
  - 33. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the first machine learning model from the first model provider comprises receiving the first machine learning model from one of:
    - a cloud service network server;
      
      an app store server;
      
      a web server identified via uniform resource locator address; and
      
      a file transfer protocol service network server.
  - 34. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that receiving the first machine learning model from the first model provider comprises:
    - accessing and authenticating an online app store;
      
      downloading a menu of machine learning models available for download or update from the online app store;
      
      receiving a user selection input;
      
      requesting download or update of a user-selected machine learning model from the online app store; and
      
      receiving the requested user-selected machine learning model in a download buffer.
  - 35. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations such that installing either the first machine learning model or the second machine learning model in conjunction with the existing behavior analyzer engine comprises:
    - validating the received first machine learning model;
      
      installing the validated machine learning model in memory; and
      
      registering the installed machine learning model with an observer module.
  - 36. The non-transitory computer readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the mobile device processor to perform operations further comprising:
    - receiving a new machine learning model that identifies additional factors and data points as being relevant to enabling the mobile device processor to determine whether a behavior is benign;
      
      updating the installed machine learning model with information included in the new machine learning model in response to determining that an identified mobile device behavior is suspicious; and
      
      comparing the generated behavior vector to the updated machine learning model to better determine whether the identified suspicious mobile device behavior is benign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gupta, Rajarshi, Bapst, Mark, Reshadi, Mohammad H, Kumar, Samir
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Ullah, Sharif E

Application Number

US13/937,462
Publication Number

US 20140053261A1
Time in Patent Office

1,512 Days
Field of Search

726 22, 726 2, 726 21, 726 36, 713150, 713163, 713181, 380255, 380264, 380276
US Class Current
CPC Class Codes

G06F 11/3013   where the computing system ...

G06F 11/3409   for performance assessment

G06F 11/3447   Performance evaluation by m...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 21/316   by observing the pattern of...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 2201/865   Monitoring of software

G06F 8/61   Installation

G06F 8/65   Updates security arrangemen...

G06N 5/043   Distributed expert systems;...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

On-line behavioral analysis engine in mobile device with multiple analyzer model providers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

199 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

On-line behavioral analysis engine in mobile device with multiple analyzer model providers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others