Computing device to detect malware
Abstract
Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.
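The pipeline the abstract describes (query log, behavior vector, classifier), as an added Python example that is not code from the patent. The log format, app and action names, category answers, and logistic-model weights are all constructed assumptions, chosen so that the category value changes the verdict for two apps with identical action counts.

```python
import math
from collections import Counter

# Constructed query log, one "<app> <action>" record per line (format assumed).
SAMPLE_LOG = """\
com.example.flashlight read_contacts
com.example.flashlight send_sms
com.example.flashlight send_sms
com.example.messenger read_contacts
com.example.messenger send_sms
com.example.messenger send_sms
com.example.notes read_file
com.example.notes write_file
truncated-record
"""
# Counted actions, in vector order (assumed feature set).
ACTIONS = ["read_contacts", "send_sms", "read_file", "write_file"]
# Constructed answers to the category query "is this a messaging app?".
CATEGORY = {"com.example.messenger": 1}
# Constructed logistic-model weights (one per action, then category) and bias.
WEIGHTS = [1.2, 0.9, 0.1, 0.1, -3.0]
BIAS = -2.5

def parse_log(text):
    """Query logger output -> per-app action counts; malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        app, action = fields
        counts.setdefault(app, Counter())[action] += 1
    return counts

def behavior_vector(app, counts):
    """Occurrence count per action, followed by the category answer."""
    seen = counts.get(app, Counter())
    return [seen[a] for a in ACTIONS] + [CATEGORY.get(app, 0)]

def score(vector):
    """Probability of non-benign under the constructed logistic model."""
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, vector))
    return 1.0 / (1.0 + math.exp(-z))

def analyze(text=SAMPLE_LOG, threshold=0.5):
    """Classify every app seen in the log as benign or non-benign."""
    counts = parse_log(text)
    return {app: "non-benign" if score(behavior_vector(app, counts)) >= threshold
            else "benign" for app in counts}
```

The flashlight and messenger apps produce the same counts; only the category element of the vector separates them.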
25 Claims
1. A method of analyzing mobile device behaviors in a mobile device to identify behaviors inconsistent with normal operation patterns of the mobile device, the method comprising:
monitoring, by a processor of the mobile device, an activity of a software process;
collecting, by the processor, behavior information from the monitored activity;
using, by the processor, the collected behavior information to generate a vector information structure, wherein:
  the generated vector information structure includes a plurality of numerical values,
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,
  at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, and
  the plurality of numerical values collectively characterize the monitored activity;
applying, by the processor, the generated vector information structure to a machine learning classifier model; and
using, by the processor, a result generated by applying the generated vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A mobile computing device comprising:
a hardware processor configured with processor-executable instructions to:
monitor an activity of a software process;
collect behavior information from the monitored activity;
use the collected behavior information to generate a vector information structure, wherein:
  the generated vector information structure includes a plurality of numerical values,
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,
  at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, and
  the plurality of numerical values collectively characterize the monitored activity;
apply the generated vector information structure to a machine learning classifier model; and
use a result generated by applying the generated vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor in a mobile device to:
monitor an activity of a software process;
collect behavior information from the monitored activity;
use the collected behavior information to generate vector information structure, wherein:
  the vector information structure includes a plurality of numerical values,
  at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action of the software process,
  at least one numerical value in the plurality of numerical values indicates a category for the software process based on an answer to a category query, and
  the plurality of numerical values collectively characterize the monitored activity;
apply the vector information structure to a machine learning classifier model; and
use a result generated by applying the vector information structure to the machine learning classifier model to determine whether the software process is non-benign.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
Specification