Customized Network Traffic Models To Detect Application Anomalies
Abstract
Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
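One way to read the correlation the abstract describes, as an added example that is not taken from the patent: the same traffic volume is scored against a baseline chosen by application category and device state, so an upload that is normal for one context is flagged in another. The category and state names, the baseline figures, the median/MAD scoring and the threshold are all assumptions made for illustration.

```python
from statistics import median

# Constructed baselines (assumption): upload bytes/minute previously observed
# for each (application category, device state) pair.
BASELINE = {
    ("video_streaming", "screen_on"):  [900_000, 1_200_000, 1_100_000, 950_000, 1_050_000],
    ("video_streaming", "screen_off"): [2_000, 5_000, 3_500, 4_000, 2_500],
    ("utility", "screen_on"):          [1_000, 3_000, 2_000, 1_500, 2_500],
    ("utility", "screen_off"):         [0, 200, 100, 0, 150],
}

def excess_score(samples, value):
    """How far value lies above the baseline median, in scaled-MAD units."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    scale = 1.4826 * mad or 1.0  # flat baseline: fall back to a unit scale
    return (value - med) / scale

def is_anomalous(categories, device_states, tx_bytes_per_min, threshold=6.0):
    """True if the traffic is excessive under every model that applies,
    False if at least one (category, state) model explains it,
    None if no model exists for this combination."""
    scores = [
        excess_score(BASELINE[(c, s)], tx_bytes_per_min)
        for c in categories for s in device_states
        if (c, s) in BASELINE
    ]
    if not scores:
        return None
    return min(scores) > threshold

if __name__ == "__main__":
    # The same 1 MB/min upload, judged in different contexts (constructed cases).
    print(is_anomalous(["video_streaming"], ["screen_on"], 1_000_000))
    print(is_anomalous(["utility"], ["screen_off"], 1_000_000))
    print(is_anomalous(["utility", "video_streaming"], ["screen_on"], 1_000_000))
```

An application with several categories is flagged only when none of them accounts for the traffic, which is why the minimum score is compared with the threshold.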
30 Claims
1. A method of identifying anomalous application behavior by a processor of a computing device, comprising:
- detecting network communication activity of an application on a computing device;
- identifying one or more device states of the computing device;
- identifying one or more categories of the application; and
- determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of determining a category of an application on a computing device by a processor of the computing device, comprising:
- generating a feature vector characterizing one or more screenshots of a display generated by the application on the computing device; and
- applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.
Dependent claims: 12, 13, 14, 15
16. A computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- detecting network communication activity of an application on a computing device;
- identifying one or more device states of the computing device;
- identifying one or more categories of the application; and
- determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25
26. A computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- generating a feature vector characterizing one or more screenshots of a display generated by an application on the computing device; and
- applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.
Dependent claims: 27, 28, 29, 30
Specification