Computing device to detect malware
First Claim
1. A mobile computing device comprising:
    a processor configured with processor-executable instructions to:
        monitor a plurality of applications operating on the mobile computing device;
        log actions of the monitored applications in a log of actions;
        generate answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
        generate a vector information structure for each application in the plurality of applications based on the generated answers, wherein:
            each generated vector information structure includes a plurality of numerical values;
            at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
            at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
            the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
        use a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
1 Assignment
0 Petitions
Abstract
Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.
25 Citations
28 Claims
Independent claims

1. A mobile computing device comprising:
    a processor configured with processor-executable instructions to:
        monitor a plurality of applications operating on the mobile computing device;
        log actions of the monitored applications in a log of actions;
        generate answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
        generate a vector information structure for each application in the plurality of applications based on the generated answers, wherein:
            each generated vector information structure includes a plurality of numerical values;
            at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
            at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
            the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
        use a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
    Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of analyzing a plurality of applications operating on a mobile computing device, the method comprising:
    monitoring the plurality of applications operating on the mobile computing device via a processor of the mobile computing device;
    logging actions of the monitored applications in a log of actions via the processor of the mobile computing device;
    generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
    generating, by the processor, a vector information structure for each application in the plurality of applications based on the generated answers, wherein:
        each generated vector information structure includes a plurality of numerical values;
        at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
        at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
        the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
    using, by the processor, a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
    Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a mobile computing device to perform operations comprising:
    monitoring a plurality of applications operating on the mobile computing device;
    logging actions of the monitored applications in a log of actions;
    generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
    generating a vector information structure for each application in the plurality of applications based on the generated answers, wherein:
        each generated vector information structure includes a plurality of numerical values;
        at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
        at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
        the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
    using a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
    Dependent claims: 16, 17, 18, 19, 20, 21.
22. A mobile computing device comprising:
    means for monitoring a plurality of applications operating on the mobile computing device;
    means for logging actions of the monitored applications in a log of actions;
    means for generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query;
    means for generating a vector information structure for each application in the plurality of applications based on the generated answers, wherein:
        each generated vector information structure includes a plurality of numerical values;
        at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application;
        at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and
        the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and
    means for using a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.
    Dependent claims: 23, 24, 25, 26, 27, 28.
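The claims describe one pipeline: log each application's actions, answer per-action count queries and a category query from that log, assemble the answers into a numeric behavior vector, and hand the vector to a classifier. The Python below is an added illustration of that pipeline, not code from the patent; the action names, category set, training vectors and log entries are constructed, and a nearest-centroid rule stands in for the machine learning classifier, which the claims leave unspecified.

```python
from collections import Counter
import math

# Constructed action vocabulary: each slot answers one "how many times did the
# app perform X?" query against the log of actions (hypothetical names).
ACTIONS = ["send_sms", "read_contacts", "net_connect", "read_location", "install_pkg"]
# Constructed answer set for the category query, stored as a numeric index.
CATEGORIES = {"game": 0, "messaging": 1, "navigation": 2, "unknown": 3}

def behavior_vector(app, log, category_of):
    """Vector information structure for `app`: per-action counts, then the category index."""
    counts = Counter(action for name, action in log if name == app)
    vec = [float(counts[action]) for action in ACTIONS]
    vec.append(float(CATEGORIES.get(category_of.get(app), CATEGORIES["unknown"])))
    return vec

class NearestCentroidClassifier:
    """Stand-in for the patent's classifier: one centroid per label, nearest wins."""
    def fit(self, vectors, labels):
        self.centroids = {}
        for label in set(labels):
            members = [v for v, l in zip(vectors, labels) if l == label]
            self.centroids[label] = [sum(col) / len(members) for col in zip(*members)]
        return self

    def is_benign(self, vec):
        nearest = min(self.centroids, key=lambda lbl: math.dist(vec, self.centroids[lbl]))
        return nearest == "benign"

# Constructed, labelled training vectors in the same layout as behavior_vector().
TRAINING = [
    ([0, 0, 4, 0, 0, 0], "benign"),   # game that only talks to the network
    ([6, 2, 1, 0, 0, 1], "benign"),   # messaging app: sending SMS is expected here
    ([0, 0, 3, 5, 0, 2], "benign"),   # navigation app reading location
    ([8, 3, 1, 0, 0, 0], "malware"),  # "game" that sends SMS and reads contacts
    ([5, 4, 2, 0, 1, 3], "malware"),  # uncategorised app installing packages
    ([7, 2, 0, 0, 2, 0], "malware"),
]

# Constructed log of actions: (app, action) entries as a query logger would record them.
LOG = ([("chess", "net_connect")] * 3 + [("flash_sms", "send_sms")] * 7
       + [("flash_sms", "read_contacts")] * 2 + [("flash_sms", "net_connect")])
CATEGORY_OF = {"chess": "game", "flash_sms": "game"}  # constructed category-query answers

def classify_apps(log, category_of):
    """Map every app seen in the log to True (benign) or False (malware)."""
    clf = NearestCentroidClassifier().fit([v for v, _ in TRAINING], [l for _, l in TRAINING])
    return {app: clf.is_benign(behavior_vector(app, log, category_of))
            for app in sorted({name for name, _ in log})}
```

Note that the category slot is what separates the two games: identical SMS counts are benign for a messaging app in the training set but not for a game, which is the point of including the category-query answer in the vector.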