Computing device to detect malware

US 9,973,517 B2
Filed: 01/07/2014
Issued: 05/15/2018
Est. Priority Date: 03/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing mobile device behaviors in a mobile device to identify behaviors inconsistent with normal operation patterns of the mobile device, the method comprising:

monitoring, by a processor of the mobile device, an activity of a software process;

collecting, by the processor, behavior information from the monitored activity;

using, by the processor, the collected behavior information to generate a vector information structure, wherein;

the generated vector information structure includes a plurality of numerical values,at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, andthe plurality of numerical values collectively characterize the monitored activity;

applying, by the processor, the generated vector information structure to a machine learning classifier model; and

using, by the processor, a result generated by applying the generated vector information structure to the machine learning classifier model to determine whether the software process is non-benign.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

28 Citations

View as Search Results

25 Claims

1. A method of analyzing mobile device behaviors in a mobile device to identify behaviors inconsistent with normal operation patterns of the mobile device, the method comprising:
- monitoring, by a processor of the mobile device, an activity of a software process;
  
  collecting, by the processor, behavior information from the monitored activity;
  
  using, by the processor, the collected behavior information to generate a vector information structure, wherein;
  
  the generated vector information structure includes a plurality of numerical values,at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, andthe plurality of numerical values collectively characterize the monitored activity;
  
  applying, by the processor, the generated vector information structure to a machine learning classifier model; and
  
  using, by the processor, a result generated by applying the generated vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising terminating, by the processor, the software process in response to determining that the software process is non-benign.
  - 3. The method of claim 1, wherein the generated vector information structure includes information that may be input to a decision node in the machine learning classifier model.
  - 4. The method of claim 1, wherein generating the vector information structure comprises generating a vector that includes information suitable for generating answers to at least one of:
    - an existence query;
      
      an amount query;
      
      an order query;
      
      orthe category query.
  - 5. The method of claim 1, wherein:
    - monitoring the activity of the software process comprises monitoring, by the processor, a plurality of activities of a software application; and
      
      using the collected behavior information to generate the generated vector information structure comprises generating, by the processor, the vector information structure such that the plurality of numerical values characterize one of the plurality of activities of the software application.
  - 6. The method of claim 1, wherein using the collected behavior information to generate the generated vector information structure comprises:
    - determining, by the processor, whether the monitored activity has a high probability of identifying malware;
      
      generating, by the processor, the generated vector information structure in response to determining that the monitored activity has the high probability of identifying malware; and
      
      monitoring a different type of activity in response to determining that the monitored activity does not have the high probability of identifying malware.
  - 7. The method of claim 1, wherein collecting the behavior information from the monitored activity comprises collecting, by the processor, information from a log of actions stored in a memory of the mobile device.
  - 8. The method of claim 1, wherein collecting the behavior information from the monitored activity comprises collecting information on:
    - at least one device-dependent action; and
      
      at least one device-independent action.
  - 9. The method of claim 1, wherein:
    - monitoring the activity of the software process, collecting the behavior information from the monitored activity and using the collected behavior information to generate the vector information structure are accomplished by a behavior analysis engine executing in the processor of the mobile device; and
      
      the behavior analysis engine is customized based on;
      
      at least one device independent action; and
      
      at least one device-dependent action.

10. A mobile computing device comprising:
- a hardware processor configured with processor-executable instructions to;
  
  monitor an activity of a software process;
  
  collect behavior information from the monitored activity;
  
  use the collected behavior information to generate a vector information structure, wherein;
  
  the generated vector information structure includes a plurality of numerical values,at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, andthe plurality of numerical values collectively characterize the monitored activity;
  
  apply the generated vector information structure to a machine learning classifier model; and
  
  use a result generated by applying the generated vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The mobile computing device of claim 10, wherein the processor is configured with processor-executable instructions to use the collected behavior information to generate the vector information structure by generating the vector information structure to include information that may be input to a decision node in the machine learning classifier model.
  - 12. The mobile computing device of claim 10, wherein the processor-executable instructions to generate the vector information structure comprise processor-executable instructions to generate a vector that includes information suitable for generating answers to at least one of:
    - an existence query;
      
      an amount query;
      
      an order query;
      
      orthe category query.
  - 13. The mobile computing device of claim 10, wherein the processor is configured with processor-executable instructions to:
    - monitor the activity of the software process by monitoring a plurality of activities of a software application; and
      
      use the collected behavior information to generate the vector information structure by generating the vector information structure such that the plurality of numerical values characterize one of the plurality of activities of the software application.
  - 14. The mobile computing device of claim 10, wherein the processor is configured with processor-executable instructions to use the collected behavior information to generate the vector information structure by:
    - determining whether the monitored activity has a high probability of identifying malware;
      
      generating the vector information structure in response to determining that the monitored activity has the high probability of identifying malware; and
      
      monitoring a different type of activity in response to determining that the monitored activity does not have the high probability of identifying malware.
  - 15. The mobile computing device of claim 10, wherein the processor is configured with processor-executable instructions to collect the behavior information from the monitored activity by collecting information from a log of actions stored in a memory of the mobile computing device.
  - 16. The mobile computing device of claim 10, wherein the processor is configured with processor-executable instructions to collect the behavior information from the monitored activity by collecting information on:
    - at least one device-dependent action; and
      
      at least one device-independent action.
  - 17. The mobile computing device of claim 10, wherein:
    - the processor is configured with processor-executable instructions to monitor the activity of the software process, collect the behavior information from the monitored activity and use the collected behavior information to generate the vector information structure via a behavior analysis engine; and
      
      the behavior analysis engine is customized based on;
      
      at least one device independent action; and
      
      at least one device-dependent action.

18. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor in a mobile device to:
- monitor an activity of a software process;
  
  collect behavior information from the monitored activity;
  
  use the collected behavior information to generate vector information structure, wherein;
  
  the vector information structure includes a plurality of numerical values,at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, andthe plurality of numerical values collectively characterize the monitored activity;
  
  apply the vector information structure to a machine learning classifier model; and
  
  use a result generated by applying the vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to use the collected behavior information to generate the vector information structure by generating the vector information structure to include information that may be input to of a decision node in the machine learning classifier model.
  - 20. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to generate the vector information structure by generating a vector that includes information suitable for generating answers to at least one of:
    - an existence query;
      
      an amount query;
      
      an order query;
      
      orthe category query.
  - 21. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to:
    - monitor the activity of the software process comprises b monitoring a plurality of activities of a software application; and
      
      use the collected behavior information to generate the vector information structure by generating the vector information structure such that the plurality of numerical values characterize one of the plurality of activities of the software application.
  - 22. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to use the collected behavior information to generate the vector information structure by:
    - determining whether the monitored activity has a high probability of identifying malware;
      
      generating the vector information structure in response to determining that the monitored activity has the high probability of identifying malware; and
      
      monitoring a different type of activity in response to determining that the monitored activity does not have the high probability of identifying malware.
  - 23. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to collect the behavior information from the monitored activity by collecting information from a log of actions stored in a memory accessible by the processor.
  - 24. The non-transitory computer readable storage medium of claim 18, wherein the stored processor-executable software instructions are configured to collect the behavior information from the monitored activity by collecting information on:
    - at least one device-dependent action; and
      
      at least one device-independent action.
  - 25. The non-transitory computer readable storage medium of claim 18, wherein:
    - the stored processor-executable software instructions are configured to monitor the activity of the software process, collect the behavior information from the monitored activity, and use the collected behavior information to generate the vector information structure via a behavior analysis engine, andthe stored processor-executable software instructions are further configured to customize the behavior analysis engine based on;
      
      at least one device independent action; and
      
      at least one device-dependent action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Hsiao, Hsu-Chun, Deng, Shuo, Salamat, Babak, Gupta, Rajarshi, Das, Saumitra Mohan
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US14/149,471
Publication Number

US 20140123289A1
Time in Patent Office

1,589 Days
Field of Search

726 2, 726 22- 24
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

Computing device to detect malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Computing device to detect malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links