Methods and Systems for Intelligently Detecting Malware and Attacks on Client Computing Devices and Corporate Networks
US-2017308701-A1 · Oct 26, 2017 · US
US10552609B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10552609-B2 |
| Application number | US-201615395053-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 30, 2016 |
| Priority date | Dec 30, 2016 |
| Publication date | Feb 4, 2020 |
| Grant date | Feb 4, 2020 |
Official abstract text for this publication.
A malicious object detection system for use in managed runtime environments includes a check circuit to receive call information generated by an application, such as an Android application. A machine learning circuit coupled to the check circuit applies a machine learning model to assess the information and/or data included in the call and detect the presence of a malicious object, such as malware or a virus, in the application generating the call. The machine learning model may include a global machine learning model distributed across a number of devices, a local machine learning model based on use patterns of a particular device, or combinations thereof. A graphical user interface management circuit halts execution of applications containing malicious objects and generates a user perceptible output.
Opening claim text (preview).
What is claimed:

1. A system to locally detect malicious code in a managed runtime system on a processor-based device, the system comprising: a check circuit local to the processor-based device, the check circuit to detect an occurrence of a defined event during the runtime of an application executing on the processor-based device, wherein the occurrence is detected by monitoring runtime application programming interface (API) invocations from user application code to runtime management instructions of the processor-based device; a management circuit local to the processor-based device and communicatively coupled to the check circuit, the management circuit including: a machine learning circuit local to the processor-based device to: assess, responsive to detecting the occurrence of the defined event, data communicated by the application to access a resource; and determine whether the data communicated by the application is indicative of a presence of a malicious object in the application, wherein the check circuit and/or the management circuit modify the user application code to at least partially direct function calls to the check circuit to enable monitoring of the function call.
2. The system of claim 1, further comprising: at least one communication circuit communicatively coupled to the management circuit; and wherein the management circuit further causes the machine learning circuit to receive a machine learning model from at least one source remote from the processor-based device via the communication circuit.
3. The system of claim 1, the machine learning circuit to further: update a machine learning model stored on the processor-based mobile device using the assessed data communicated by the application to access the resource.
4. The system of claim 1, the management circuit to further: cause the processor-based device to halt execution of the application responsive to detecting the data communicated by the application indicates a presence of a malicious object in the application.
5. The system of claim 4, the management circuit further comprising: a graphical user interface (GUI) management circuit, wherein the management circuit further causes the GUI management circuit to generate a user perceptible output on the processor-based device responsive to detecting the data communicated by the application is indicative of a presence of a malicious object in the application.
6. The system of claim 1, the machine learning circuit to further: determine whether the data communicated by the application is indicative of a presence of at least one of a virus or malware in the application.
7. The system of claim 1, the check circuit to further: detect an occurrence of an application programming interface (API) call during the runtime of the application.
8. The system of claim 7, the machine learning circuit to further: compare at least a portion of the data communicated by the application in the current API call to the resource with at least a portion of the data communicated by the application in at least one prior API call to the resource.
9. The system of claim 1, the management circuit to: insert a check circuit call at locations in a compiled application, each check circuit call proximate a location in the compiled application corresponding to a respective function call present in the compiled application.
10. The system of claim 9, the check circuit to further: detect an occurrence of the call to the check circuit in the compiled application.
11. The system of claim 10, the machine learning circuit to further: compare at least a portion of the data communicated included in the current function call in the compiled application with at least a portion of the data communicated included in at least one prior function call in the compiled application.
12. A method of detecting malicious code in a managed runtime system on a processor-based device, the method comprising: detecting, by a check circuit local to the processor-based device, an occurrence of a defined event during the runtime of an application executing on the processor-based device, wherein the occurrence is detected by monitoring runtime application programming interface (API) invocations from user application code to runtime management instructions of the processor-based device; responsive to detecting the occurrence of the defined event, selectively causing a machine learning circuit communicatively coupled to the check circuit to assess data communicated by the application to access a resource, the machine learning circuit being local to the processor-based device; and determining, by the machine learning circuit, whether the data communicated by the application is indicative of a presence of a malicious object in the application, wherein the check circuit and/or a management circuit modify user application code to at least partially direct function calls to the check circuit to enable monitoring of the function call, wherein the management circuit includes the machine learning circuit.
13. The method of claim 12, further comprising: receiving by the machine learning circuit, via a communicatively coupled communication circuit, a machine learning model from at least one source remote from the processor-based device.
14. The method of claim 12, further comprising: updating the machine learning circuit using data from the application executing on the processor-based device.
15. The method of claim 12, further comprising: responsive to determining the data communicated by the application indicates a presence of a malicious object in the application, causing the processor-based device to halt execution of the application.
16. The method of claim 15, further comprising: responsive to determining the data communicated by the application indicates a presence of a malicious object in the application, causing a graphical user interface (GUI) management circuit to generate a user perceptible output on the processor-based device.
17. The method of claim 12 wherein determining whether the data communicated by the application is indicative of a presence of a malicious object in the application comprises: determining whether the data communicated by the application is indicative of a presence of at least one of: a virus or malware in the application.
18. The method of claim 12 wherein detecting an occurrence of a defined event during the runtime of the application comprises: detecting an occurrence of an application programming interface (API) call during the runtime of the application.
19. The method of claim 18 wherein determining whether the data communicated by the application is indicative of a presence of a malicious object in the application comprises: causing the machine learning circuit to compare at least a portion of the data communicated by the application in the current API call to the resource with at least a portion of the data communicated by the application in at least one prior API call to the resource.
20. The method of claim 12, further comprising: inserting, by a management circuit local to the processor-based device, a call to the check circuit at locations in a compiled application code, each check circuit call proximate a location corresponding to a respective function call present in the compiled application code.
21. The method of claim 20 wherein detecting an occurrence of a defined event during the runtime of the application comprises: detecting
Virus type analysis · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Machine learning · CPC title