Computing device to detect malware

US 9,832,211 B2
Filed: 03/19/2012
Issued: 11/28/2017
Est. Priority Date: 03/19/2012
Status: Active Grant

First Claim

Patent Images

1. A mobile computing device comprising:

a processor configured with processor-executable instructions to;

monitor a plurality of applications operating on the mobile computing device;

log actions of the monitored applications in a log of actions;

generate answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;

generate a vector information structure for each application in the plurality of applications based on the generated answers, wherein;

each generated vector information structure includes a plurality of numerical values;

at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;

at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and

the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and

use a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

25 Citations

View as Search Results

28 Claims

1. A mobile computing device comprising:
- a processor configured with processor-executable instructions to;
  
  monitor a plurality of applications operating on the mobile computing device;
  
  log actions of the monitored applications in a log of actions;
  
  generate answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
  
  generate a vector information structure for each application in the plurality of applications based on the generated answers, wherein;
  
  each generated vector information structure includes a plurality of numerical values;
  
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
  
  at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
  
  the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
  
  use a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to:
    - restrict an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.
  - 3. The mobile computing device of claim 1, wherein the processor is configured with processor-executable instructions to perform operations such that generating answers to queries regarding the actions stored in the log of actions includes:
    - generating at least one answer to an existence query, an amount query, or an order query.
  - 4. The mobile computing device of claim 3, wherein the processor is configured with processor-executable instructions to perform operations such that generating answers to queries regarding the actions stored in the log of actions further comprises:
    - generating at least one answer to;
      
      a query regarding an observed behavior; and
      
      a query regarding an expected behavior.
  - 5. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to analyze device-independent actions.
  - 6. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to analyze device-dependent actions.
  - 7. The mobile computing device of claim 6, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing the device-dependent actions comprises analyzing a combination of:
    - application installation information;
      
      device information;
      
      communications information; and
      
      user interaction information.

8. A method of analyzing a plurality of applications operating on a mobile computing device, the method comprising:
- monitoring the plurality of applications operating on the mobile computing device via a processor of the mobile computing device;
  
  logging actions of the monitored applications in a log of actions via the processor of the mobile computing device;
  
  generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
  
  generating, by the processor, a vector information structure for each application in the plurality of applications based on the generated answers, wherein;
  
  each generated vector information structure includes a plurality of numerical values;
  
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
  
  at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
  
  the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
  
  using by the processor a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising restricting an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.
  - 10. The method of claim 8, wherein generating answers to queries regarding the actions stored in the log of actions includes:
    - generating at least one answer to an existence query, an amount query, or an order query.
  - 11. The method of claim 10, wherein generating answers to queries regarding the actions stored in the log of actions further comprises:
    - generating at least one answer to;
      
      a query regarding an observed behavior; and
      
      a query regarding an expected behavior.
  - 12. The method of claim 8, further comprising analyzing device-independent actions.
  - 13. The method of claim 8, further comprising analyzing device-dependent actions.
  - 14. The method of claim 13, wherein analyzing the device-dependent actions further comprises analyzing a combination of:
    - application installation information;
      
      device information;
      
      communications information; and
      
      user interaction information.

15. A non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a mobile computing device to perform operations comprising:
- monitoring a plurality of applications operating on the mobile computing device;
  
  logging actions of the monitored applications in a log of actions;
  
  generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
  
  generating a vector information structure for each application in the plurality of applications based on the generated answers, wherein;
  
  each generated vector information structure includes a plurality of numerical values;
  
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
  
  at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
  
  the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
  
  using a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations further comprising:
    - restricting an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations such that includes:
    - generating at least one answer to an existence query, an amount query, or an order query.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations such that generating answers to queries regarding the actions stored in the log of actions further comprises:
    - generating at least one answer to;
      
      a query regarding an observed behavior; and
      
      a query regarding an expected behavior.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations further comprising analyzing device-independent actions.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations further comprising analyzing device-dependent actions.
  - 21. The non-transitory computer-readable storage medium of claim 20, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations such that analyzing the device-dependent actions further comprises analyzing a combination of:
    - application installation information;
      
      device information;
      
      communications information; and
      
      user interaction information.

22. A mobile computing device comprising:
- means for monitoring a plurality of applications operating on the mobile computing device;
  
  means for logging actions of the monitored applications in a log of actions;
  
  means for generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
  
  means for generating a vector information structure for each application in the plurality of applications based on the generated answers, wherein;
  
  each generated vector information structure includes a plurality of numerical values;
  
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
  
  at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
  
  the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications;
  
  means for using a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The mobile computing device of claim 22, further comprising:
    - means for restricting an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.
  - 24. The mobile computing device of claim 22, wherein means for generating answers to queries regarding the actions stored in the log of actions includes:
    - means for generating at least one answer to an existence query, an amount query, or an order query.
  - 25. The mobile computing device of claim 24, wherein means for generating answers to queries regarding the actions stored in the log of actions further comprises:
    - means for generating at least one answer to;
      
      a query regarding an observed behavior; and
      
      a query regarding an expected behavior.
  - 26. The mobile computing device of claim 22, further comprising means for analyzing device-independent actions.
  - 27. The mobile computing device of claim 22, wherein further comprising means for analyzing device-dependent actions.
  - 28. The mobile computing device of claim 27, wherein means for analyzing the device-dependent actions comprises means for analyzing a combination of:
    - application installation informationdevice information;
      
      communications information; and
      
      user interaction information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Hsiao, Hsu-Chun, Deng, Shuo, Salamat, Babak, Gupta, Rajarshi, Das, Saumitra Mohan
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
KU, SHIUH-HUEI P

Application Number

US13/424,251
Publication Number

US 20130247187A1
Time in Patent Office

2,080 Days
Field of Search

726 2, 726 22, 726 23, 726 24
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

Computing device to detect malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Computing device to detect malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links