Methods and systems for identifying malware through differences in cloud vs. client behavior

US2016285897A1 · US · A1

Patent metadata
  • Publication number: US-2016285897-A1

  • Application number: US-201514667461-A

  • Country: US

  • Kind code: A1

  • Filing date: Mar 24, 2015

  • Priority date: Mar 24, 2015

  • Publication date: Sep 29, 2016

  • Grant date: (none listed)

Abstract

Official abstract text for this publication.

A computing device may be configured to work in conjunction with another component (e.g., a server) to better determine whether a software application is benign or non-benign. This may be accomplished via the server performing static and/or dynamic analysis operations, generating a behavior information structure that describes or characterizes the range of correct or expected behaviors of the software application, and sending the behavior information structure to a computing device. The computing device may compare the received behavior information structure to a locally generated behavior information structure to determine whether the observed behavior of the software application differs or deviates from the expected behavior of the software application or whether the observed behavior is within the range of expected behaviors. The computing device may increase its level of security/scrutiny when the behavior information structure does not match the local behavior information structure.

First claim

Opening claim text (preview).

  1. A method of analyzing behaviors of a software application operating in a computing device, comprising: receiving in a processor of the computing device from a server device a behavior information structure that identifies a range of expected behaviors of the software application; monitoring activities of the software application on the computing device to collect local behavior information; using the local behavior information to generate a local behavior information structure that characterizes an observed behavior of the software application; comparing the generated local behavior information structure and the received behavior information structure to generate comparison results; using the generated comparison results to determine whether the observed behavior of the software application is within the range of expected behaviors of the software application; and applying the generated local behavior information structure to a classifier model to generate analysis results in response to determining, based on the generated comparison results, that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  2. (canceled)

  3. The method of claim 1, wherein receiving the behavior information structure that identifies the range of expected behaviors of the software application comprises: receiving in the processor of the computing device a vector data structure that includes information derived from static and dynamic analysis operations performed in the server device.

  4. The method of claim 1, further comprising sending the generated comparison results to the server device in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  5. The method of claim 1, further comprising: increasing a scrutiny level for evaluating the software application in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  6. The method of claim 5, further comprising using the analysis results to determine whether the software application is non-benign.

  7. The method of claim 5, further comprising: applying the generated local behavior information structure to a lean classifier model to generate additional analysis results in response to determining that the observed behavior of the software application is within the range of expected behaviors of the software application; and using the additional analysis results to determine whether the software application is non-benign.

  8. The method of claim 5, wherein increasing the scrutiny level for evaluating the software application in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application comprises: generating an application-specific classifier model; and applying the generated local behavior information structure to the generated application-specific classifier model.

  9. The method of claim 8, wherein generating the application-specific classifier model comprises: receiving a full classifier model that includes a plurality of test conditions; identifying device features used by the software application; identifying test conditions in the plurality of test conditions that evaluate the identified device features; and generating the application-specific classifier model to include the identified test conditions.

  10. A computing device, comprising: a processor configured with processor-executable instructions to perform operations comprising: receiving from a server device a behavior information structure that identifies a range of expected behaviors of a software application operating on the computing device; monitoring activities of the software application to collect local behavior information; using the local behavior information to generate a local behavior information structure that characterizes an observed behavior of the software application; comparing the generated local behavior information structure and the received behavior information structure to generate comparison results; using the generated comparison results to determine whether the observed behavior of the software application is within the range of expected behaviors of the software application; and applying the generated local behavior information structure to a classifier model to generate analysis results in response to determining, based on the generated comparison results, that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  11. (canceled)

  12. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the behavior information structure that identifies the range of expected behaviors of the software application comprises: receiving a vector data structure that includes information derived from static and dynamic analysis operations performed in the server device.

  13. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising: sending the generated comparison results to the server device in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  14. The computing device of claim 10, wherein the processor is configured with processor-executable instructions to perform operations further comprising: increasing a scrutiny level for evaluating the software application in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application.

  15. The computing device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising using the analysis results to determine whether the software application is non-benign.

  16. The computing device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising: applying the generated local behavior information structure to a lean classifier model to generate additional analysis results in response to determining that the observed behavior of the software application is within the range of expected behaviors of the software application; and using the additional analysis results to determine whether the software application is non-benign.

  17. The computing device of claim 14, wherein: the processor is configured with processor-executable instructions to perform operations such that increasing the scrutiny level for evaluating the software application in response to determining that the observed behavior of the software application is not within the range of expected behaviors of the software application comprises: generating an application-specific classifier model; and applying the generated local behavior information structure to the generated application-specific classifier model.

  18. The computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that generating the application-specific classifier model comprises: receiving a full classifier mo
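The claimed flow (claims 1, 3, 7, 8 and 9) as an added, runnable illustration; this is not code from the patent or from Qualcomm. It assumes the server's behavior information structure is a vector of per-feature expected ranges, that the local structure is built by totalling monitored events over a window, that the full classifier model is a list of weighted test conditions, and that the application-specific model is the subset of those conditions that evaluate features the app actually uses. All feature names, ranges, weights, events and the threshold are constructed sample values.

```python
"""Added worked example (not code from the patent or from Qualcomm): the
claim-1 flow of US2016285897A1 with a server-supplied expected-behavior
vector, a locally built behavior vector, a comparison step, and escalation
to an application-specific classifier when the comparison shows deviation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Behavior information structure received from the server (claim 3: a vector
# derived from static/dynamic analysis). Feature names and ranges are
# constructed assumptions: each feature maps to its expected (min, max) total
# over the observation window.
SERVER_EXPECTED: Dict[str, Tuple[int, int]] = {
    "network_bytes": (0, 50_000),
    "sms_sent": (0, 0),
    "contacts_reads": (0, 5),
    "camera_opens": (0, 2),
}

# Device features the monitored app is known to use (claim 9, "identifying
# device features used by the software application"); constructed assumption.
APP_FEATURES = {"network_bytes", "sms_sent", "contacts_reads"}

# Constructed local monitoring events: (minute, feature, value).
OBSERVED_EVENTS: List[Tuple[int, str, int]] = [
    (1, "network_bytes", 12_000),
    (5, "contacts_reads", 1),
    (17, "network_bytes", 8_000),
    (30, "sms_sent", 3),          # the app is never expected to send SMS
    (31, "contacts_reads", 9),
    (45, "network_bytes", 15_000),
    (70, "sms_sent", 1),          # outside the 60-minute window, ignored
]
BENIGN_EVENTS: List[Tuple[int, str, int]] = [
    (2, "network_bytes", 20_000),
    (10, "contacts_reads", 2),
    (50, "network_bytes", 9_000),
]


@dataclass(frozen=True)
class TestCondition:
    """One test condition of a classifier model: feature, predicate, weight."""
    feature: str
    test: Callable[[int], bool]
    weight: int


# Full classifier model (claim 9): constructed test conditions and weights.
FULL_CLASSIFIER: List[TestCondition] = [
    TestCondition("sms_sent", lambda v: v > 0, 60),
    TestCondition("contacts_reads", lambda v: v > 5, 30),
    TestCondition("network_bytes", lambda v: v > 50_000, 30),
    TestCondition("camera_opens", lambda v: v > 2, 20),
    TestCondition("location_reads", lambda v: v > 10, 40),
]
# Lean classifier model (claim 7): a small subset used when behavior is in range.
LEAN_CLASSIFIER: List[TestCondition] = FULL_CLASSIFIER[:2]


def build_local_structure(events, window_minutes=60) -> Dict[str, int]:
    """Aggregate monitored events into the local behavior information structure."""
    local: Dict[str, int] = {}
    for minute, feature, value in events:
        if minute < window_minutes:
            local[feature] = local.get(feature, 0) + value
    return local


def compare(local, expected):
    """Comparison results: features whose observed total is outside the expected range."""
    deviations = {}
    for feature, (lo, hi) in expected.items():
        observed = local.get(feature, 0)
        if not lo <= observed <= hi:
            deviations[feature] = (observed, (lo, hi))
    return deviations


def app_specific_classifier(full, features_used):
    """Claim 9: keep only the test conditions that evaluate features the app uses."""
    return [tc for tc in full if tc.feature in features_used]


def apply_classifier(model, local) -> int:
    """Analysis result: sum of the weights of the test conditions that fire."""
    return sum(tc.weight for tc in model if tc.test(local.get(tc.feature, 0)))


def analyze(events, expected, features_used, threshold=50):
    """Run the claim-1 flow and return the intermediate and final results."""
    local = build_local_structure(events)
    comparison = compare(local, expected)
    if comparison:
        # Claim 8: deviation raises the scrutiny level, so build and apply the
        # application-specific model (claim 4 would also send `comparison`
        # back to the server at this point).
        scrutiny, model = "increased", app_specific_classifier(FULL_CLASSIFIER, features_used)
    else:
        scrutiny, model = "normal", LEAN_CLASSIFIER
    score = apply_classifier(model, local)
    return {"local": local, "comparison": comparison, "scrutiny": scrutiny,
            "score": score, "non_benign": score >= threshold}


if __name__ == "__main__":
    for name, events in (("observed", OBSERVED_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(events, SERVER_EXPECTED, APP_FEATURES))
```

With the constructed inputs, the first event set trips the SMS and contacts ranges, so the device escalates to the application-specific model (three conditions, the unused location condition dropped) and scores the app as non-benign; the second set stays within every range and only the lean model runs. The design point the claims rely on is visible in the branch: the cheap comparison against the server's vector decides how much classifier work the device spends, rather than running the full model on every app all the time.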

Assignees

Qualcomm Inc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Physics · mapped topic

  • Traffic logging, e.g. anomaly detection · CPC title

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016285897A1 cover?
A computing device may be configured to work in conjunction with another component (e.g., a server) to better determine whether a software application is benign or non-benign. This may be accomplished via the server performing static and/or dynamic analysis operations, generating a behavior information structure that describes or characterizes the range of correct or expected behaviors of the s…
Who is the assignee on this patent?
Qualcomm Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 29, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).