Secure behavior analysis over trusted execution environment
Abstract
Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile computing device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading, the user and/or a client module may be alerted in a secure, tamper-proof manner.
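The observer/analyzer split and the "suspicious, so observe deeper" feedback loop described in the abstract, as an added C sketch that is not taken from the patent. The vector layout, the linear model, its weights and thresholds, and every identifier are assumptions made for illustration, the activity data is constructed, and the performance-degrading class is left out to keep the sketch to three verdicts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define N_FEATURES 4                        /* assumed vector width */
typedef enum { BENIGN, SUSPICIOUS, MALICIOUS } verdict_t;
typedef struct {                            /* assumed layout of the message that crosses the boundary */
    uint32_t n;                             /* number of features */
    uint32_t detail;                        /* 0 = coarse observation, 1 = deeper observation */
    int32_t  f[N_FEATURES];                 /* per-feature event counts */
} behavior_vector_t;

/* Assumed linear classifier model, held only on the secure side. */
static const int32_t W[N_FEATURES] = { 3, 5, 1, 8 };
enum { T_SUSPICIOUS = 40, T_MALICIOUS = 100, MAX_COUNT = 1000 };

/* Secure side: analyzer. `shared` is memory the normal world can still write. */
int analyzer_classify(const void *shared, size_t len, verdict_t *out) {
    behavior_vector_t v;
    if (len != sizeof v) return -1;
    memcpy(&v, shared, sizeof v);           /* snapshot first, then validate only the copy */
    if (v.n != N_FEATURES || v.detail > 1) return -1;
    int64_t score = 0;
    for (size_t i = 0; i < N_FEATURES; i++) {
        if (v.f[i] < 0 || v.f[i] > MAX_COUNT) return -1;   /* reject out-of-range counts */
        score += (int64_t)W[i] * v.f[i];
    }
    *out = score >= T_MALICIOUS ? MALICIOUS : score >= T_SUSPICIOUS ? SUSPICIOUS : BENIGN;
    return 0;
}

/* Normal side: observer. Constructed sample activity; coarse mode reports two features. */
static const int32_t SAMPLE[N_FEATURES] = { 6, 5, 10, 9 };
void observer_collect(uint32_t detail, behavior_vector_t *v) {
    v->n = N_FEATURES; v->detail = detail;
    for (size_t i = 0; i < N_FEATURES; i++)
        v->f[i] = (i < 2 || detail > 0) ? SAMPLE[i] : 0;
}

/* Feedback loop from the abstract: a suspicious result triggers deeper observation. */
int monitor_once(verdict_t *out) {
    behavior_vector_t v;
    for (uint32_t detail = 0; detail <= 1; detail++) {
        observer_collect(detail, &v);
        if (analyzer_classify(&v, sizeof v, out) != 0) return -1;
        if (*out != SUSPICIOUS) break;      /* classified; no deeper pass needed */
    }
    return 0;
}

int main(void) { verdict_t r; return (monitor_once(&r) == 0 && r == MALICIOUS) ? 0 : 1; }
```

With the constructed sample, the coarse pass scores as suspicious and the deeper pass as malicious; a vector that fails the secure-side checks is rejected instead of being classified.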
30 Claims
1. A method of classifying behaviors in a mobile device, comprising:
- generating a behavior vector in a privileged-normal portion of a secure operating environment of the mobile device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
- sending the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
- determining whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computing device, comprising:
- a multi-core processor including two or more processor cores, wherein one or more of the processor cores is configured with processor-executable instructions to:
  - generate a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
  - send the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
  - determine whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computing device, comprising:
- means for generating a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
- means for sending the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
- means for determining whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 20, 21
22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to:
- generate a behavior vector in a privileged-normal portion of a secure operating environment of the computing device based on behavior information collected via an observer component in the privileged-normal portion of the secure operating environment;
- send the behavior vector across a secure protection boundary of the secure operating environment by sending the behavior vector from the privileged-normal portion of the secure operating environment to an analyzer component in an unprivileged-secure portion of the secure operating environment; and
- determine whether a device behavior can be classified based on a result of applying the behavior vector to a classifier model in the unprivileged-secure portion of the secure operating environment.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30