Secure behavior analysis over trusted execution environment

US 9,756,066 B2
Filed: 12/03/2015
Issued: 09/05/2017
Est. Priority Date: 08/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method of classifying behaviors in a mobile device, comprising:

generating a behavior vector in a privileged-normal portion of a secure operating environment of the mobile device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;

sending the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and

determining whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile computing device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

23 Citations

View as Search Results

30 Claims

1. A method of classifying behaviors in a mobile device, comprising:
- generating a behavior vector in a privileged-normal portion of a secure operating environment of the mobile device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
  
  sending the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
  
  determining whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein determining whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises determining whether the device behavior can be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment.
  - 3. The method of claim 2, further comprising:
    - using a secure message to alert a user of the mobile device of a possibility of malicious or performance-degrading behavior in response to classifying the device behavior as non-benign.
  - 4. The method of claim 2, further comprising:
    - classifying the device behavior as suspicious in response to determining that the device behavior cannot be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      observing the device behavior in response to classifying the device behavior as suspicious.
  - 5. The method of claim 4, wherein observing the device behavior in response to classifying the device behavior as suspicious comprises communicating with the observer component to request deeper observation of device behaviors.
  - 6. The method of claim 1, wherein sending the behavior vector from the privileged-normal portion of the secure operating environment to the analyzer component in the unprivileged-secure portion of the secure operating environment comprises storing the behavior vector in a secure buffer.
  - 7. The method of claim 1, wherein generating the behavior vector in the privileged-normal portion of the secure operating environment based on the behavior information collected via the observer component in the privileged-normal portion of the secure operating environment comprises collecting behavior information in the observer component from a component in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 8. The method of claim 1, wherein determining whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises sending the result across a second protection domain of the secure operating environment.
  - 9. The method of claim 8, wherein sending the result across the second protection domain of the secure operating environment comprises sending the result from the unprivileged-secure portion of the secure operating environment to a client component in an unprivileged-normal portion of the secure operating environment.

10. A computing device, comprising:
- a multi-core processor including two or more processor cores, wherein one or more of the processor cores is configured with processor-executable instructions to;
  
  generate a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
  
  send the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
  
  determine whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing device of claim 10, wherein the one or more processor cores is configured with processor-executable instructions to determine whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment by determining whether the device behavior can be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment.
  - 12. The computing device of claim 11, wherein the one or more processor cores is configured with processor-executable instructions to:
    - use a secure message to alert a user of the computing device of a possibility of malicious or performance-degrading behavior in response to classifying the device behavior as non-benign.
  - 13. The computing device of claim 11, wherein the one or more processor cores is configured with processor-executable instructions to:
    - classify the device behavior as suspicious in response to determining that the device behavior cannot be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      observe the device behavior in response to classifying the device behavior as suspicious.
  - 14. The computing device of claim 13, wherein the one or more processor cores is configured with processor-executable instructions to observe the device behavior in response to classifying the device behavior as suspicious by communicating with the observer component to request deeper observation of device behaviors.
  - 15. The computing device of claim 10, wherein the one or more processor cores is configured with processor-executable instructions to send the behavior vector from the privileged-normal portion of the secure operating environment to the analyzer component in the unprivileged-secure portion of the secure operating environment by storing the behavior vector in a secure buffer.
  - 16. The computing device of claim 10, wherein the one or more processor cores is configured with processor-executable instructions to generate the behavior vector in the privileged-normal portion of the secure operating environment based on the behavior information collected via the observer component in the privileged-normal portion of the secure operating environment by collecting behavior information in the observer component from a component in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 17. The computing device of claim 10, wherein the one or more processor cores is configured with processor-executable instructions to determine whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment by sending the result across a second protection domain of the secure operating environment.
  - 18. The computing device of claim 17, wherein the one or more processor cores is configured with processor-executable instructions to send the result across the second protection domain of the secure operating environment by sending the result from the unprivileged-secure portion of the secure operating environment to a client component in an unprivileged-normal portion of the secure operating environment.

19. A computing device, comprising:
- means for generating a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
  
  means for sending the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
  
  means for determining whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (20, 21)
- - 20. The computing device of claim 19, wherein means for determining whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment comprises means for determining whether the device behavior can be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment.
  - 21. The computing device of claim 20, further comprising:
    - means for classifying the device behavior as suspicious in response to determining that the device behavior cannot be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      means for observing the device behavior in response to classifying the device behavior as suspicious.

22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to:
- generate a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
  
  send the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
  
  determine whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause a processor to determine whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment by determining whether the device behavior can be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment.
  - 24. The non-transitory processor-readable storage medium of claim 23, wherein the stored processor-executable instructions are configured to cause a processor to:
    - use a secure message to alert a user of the computing device of a possibility of malicious or performance-degrading behavior in response to classifying the device behavior as non-benign.
  - 25. The non-transitory processor-readable storage medium of claim 23, wherein the stored processor-executable instructions are configured to cause a processor to:
    - classify the device behavior as suspicious in response to determining that the device behavior cannot be classified as one of benign and non-benign based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment; and
      
      observe the device behavior in response to classifying the device behavior as suspicious.
  - 26. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause a processor to observe the device behavior in response to classifying the device behavior as suspicious by communicating with the observer component to request deeper observation of device behaviors.
  - 27. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause a processor to send the behavior vector from the privileged-normal portion of the secure operating environment to the analyzer component in the unprivileged-secure portion of the secure operating environment by storing the behavior vector in a secure buffer.
  - 28. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause a processor to generate the behavior vector in the privileged-normal portion of the secure operating environment based on the behavior information collected via the observer component in the privileged-normal portion of the secure operating environment by collecting behavior information in the observer component from a component in an unprivileged-normal portion of the secure operating environment via an instrumented API.
  - 29. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause a processor to determine whether the device behavior can be classified based on the result of applying the behavior vector to the classifier model in the unprivileged-secure portion of the secure operating environment by sending the result across a second protection domain of the secure operating environment.
  - 30. The non-transitory processor-readable storage medium of claim 29, wherein the stored processor-executable instructions are configured to cause a processor to send the result across the second protection domain of the secure operating environment by sending the result from the unprivileged-secure portion of the secure operating environment to a client component in an unprivileged-normal portion of the secure operating environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gupta, Rajarshi, Halambi, Soorgoli Ashok, Rimoni, Yoram
Primary Examiner(s)
Nguyen, David Q

Application Number

US14/957,850
Publication Number

US 20160088009A1
Time in Patent Office

642 Days
Field of Search

455425, 726 30
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04W 12/086   using security domains

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

H04W 24/02   Arrangements for optimising...

H04W 24/08   Testing, supervising or mon...

Secure behavior analysis over trusted execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Secure behavior analysis over trusted execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others