Customized Network Traffic Models To Detect Application Anomalies

US 20160381057A1
Filed: 06/29/2015
Published: 12/29/2016
Est. Priority Date: 06/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method of identifying anomalous application behavior by a processor of a computing device, comprising:

detecting network communication activity of an application on a computing device;

identifying one or more device states of the computing device;

identifying one or more categories of the application; and

determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and devices of the various aspects enable identification of anomalous application behavior. A computing device processor may detect network communication activity of an application on the computing device. The processor may identify one or more device states of the computing device, and one or more categories of the application. The processor may determine whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

Citations

30 Claims

1. A method of identifying anomalous application behavior by a processor of a computing device, comprising:
- detecting network communication activity of an application on a computing device;
  
  identifying one or more device states of the computing device;
  
  identifying one or more categories of the application; and
  
  determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, and a port traffic mapping related to the network communication activity of the application.
  - 3. The method of claim 1, wherein the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.
  - 4. The method of claim 1, wherein determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application comprises:
    - generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;
      
      applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and
      
      determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.
  - 5. The method of claim 1, further comprising taking an action to limit an application behavior in response to determining that the application is behaving anomalously.
  - 6. The method of claim 1, wherein identifying one or more categories of the application comprises analyzing one or more screenshots of a display generated by the application on the computing device.
  - 7. The method of claim 6, wherein analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.
  - 8. The method of claim 7, wherein analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 9. The method of claim 6, wherein identifying one or more categories of the application comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.
  - 10. The method of claim 6, wherein identifying one or more categories of the application comprises:
    - analyzing inputs received at a user interface of the computing device related to the application; and
      
      correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

11. A method of determining a category of an application on a computing device by a processor of the computing device, comprising:
- generating a feature vector characterizing one or more screenshots of a display generated by the application on the computing device; and
  
  applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.
  - 13. The method of claim 12, wherein applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 14. The method of claim 11, wherein generating a feature vector comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.
  - 15. The method of claim 11, wherein generating a feature vector comprises:
    - analyzing inputs received at a user interface of the computing device related to the application; and
      
      correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

16. A computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  detecting network communication activity of an application on a computing device;
  
  identifying one or more device states of the computing device;
  
  identifying one or more categories of the application; and
  
  determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, and a port traffic mapping related to the network communication activity of the application.
  - 18. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.
  - 19. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application comprises:
    - generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;
      
      applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and
      
      determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.
  - 20. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations further comprising taking an action to limit an application behavior in response to determining that the application is behaving anomalously.
  - 21. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises analyzing one or more screenshots of a display generated by the application on the computing device.
  - 22. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.
  - 23. The computing device of claim 22, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 24. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.
  - 25. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises:
    - analyzing inputs received at a user interface of the computing device related to the application; and
      
      correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

26. A computing device, comprising:
- a processor configured with processor-executable instructions to perform operations comprising;
  
  generating a feature vector characterizing one or more screenshots of a display generated by an application on the computing device; and
  
  applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that applying a classifier model to the feature vector comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.
  - 28. The computing device of claim 27, wherein the processor is configured with processor-executable instructions to perform operations such that applying a classifier model to the feature vector comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.
  - 29. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that generating a feature vector comprises:
    - analyzing audio signals generated by the application; and
      
      correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.
  - 30. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that generating a feature vector comprises:
    - analyzing inputs received at a user interface of the computing device related to the application; and
      
      correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Das, Saumitra Mohan, Mahmoudi, Mona, Sridhara, Vinay, Gupta, Rajarshi, Chen, Yin

Granted Patent

US 10,021,123 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/0631   using root cause analysis; ...

H04L 43/0817   by checking functioning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Customized Network Traffic Models To Detect Application Anomalies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Customized Network Traffic Models To Detect Application Anomalies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links