Using normalized confidence values for classifying mobile device behaviors

What is claimed is: 1. A method of analyzing behaviors in a computing device, comprising: receiving, in a processor of the computing device from a server computing device, a full classifier model and sigmoid parameters; determining, via the processor, a normalized confidence value based on the received sigmoid parameters; and classifying, via the processor, a device behavior of the computing device based on a combination of: an analysis result generated by applying a behavior vector information structure to a lean classifier model; and the normalized confidence value determined based on the received sigmoid parameters. 2. The method of claim 1 , further comprising: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and generating a family of lean classifier models based on the boosted decision stumps included in the list of boosted decision stumps, wherein classifying the device behavior of the computing device comprises: applying the behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate the analysis result; and determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate a new analysis result based on the normalized confidence value. 3. The method of claim 1 , further comprising generating the lean classifier model based on the full classifier model. 4. The method of claim 3 , wherein generating the lean classifier model based on the full classifier model comprises: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining a number of different test conditions that should be evaluated to classify the device behavior of the computing device without consuming an excessive amount of processing, memory, or energy resources of the computing device; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the number of different test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of a plurality of test conditions included in the list of test conditions. 5. The method of claim 1 , wherein classifying the device behavior of the computing device comprises: applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of a result of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and classifying the device behavior of the computing device based on a result of comparing the weighted average to a threshold value. 6. The method of claim 1 , further comprising: generating an updated sigmoid parameter based on the normalized confidence value; and sending the updated sigmoid parameter to the server computing device. 7. The method of claim 1 , further comprising: receiving an updated sigmoid parameter from the server computing device; determining a new normalized confidence value based on the updated sigmoid parameter received from the server computing device; and classifying the device behavior of the computing device based on the new normalized confidence value. 8. The method of claim 1 , wherein receiving the full classifier model and the sigmoid parameters comprises receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps that each include a weight value and a test condition that is associated with a probability value that identifies a likelihood that the test condition will enable the computing device to determine whether the device behavior of the computing device is one of benign and non-benign. 9. A computing device, comprising: means for receiving from a server computing device a full classifier model and sigmoid parameters; means for determining a normalized confidence value based on the received sigmoid parameters; and means for classifying a device behavior of the computing device based on a combination of: an analysis result generated by applying a behavior vector information structure to a lean classifier model; and the normalized confidence value determined based on the received sigmoid parameters. 10. The computing device of claim 9 , further comprising: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and means for generating a family of lean classifier models based on the boosted decision stumps included in the list of boosted decision stumps; wherein means for classifying the device behavior of the computing device comprises: means for applying the behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate the analysis result; and means for determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate a new analysis result based on the normalized confidence value. 11. The computing device of claim 9 , further comprising means for generating the lean classifier model based on the full classifier model. 12. The computing device of claim 11 , wherein means for generating the lean classifier model based on the full classifier model comprises: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; means for determining a number of different test conditions that should be evaluated to classify the device behavior of the computing device without consuming an excessive amount of processing, memory, or energy resources of the computing device; means for generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the number of different test conditions; and means for generating the lean classifier model to include only those boosted decision stumps that test one of a plurality of test conditions included in the list of test conditions. 13. The computing device of claim 9 , wherein means for classifying the device behavior of the computing device comprises: means for applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision stumps included in the lean classifier model; means for computing a weighted average of a result of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and means for classifying the device behavior of the computing device based on a result of comparing the weighted average to a threshold value. 14. The computing device of claim 9 , further comprising: means for generating an updated sigmoid parameter based on the normalized confidence value; and means for sending