Framework for iterative analysis of mobile software applications
US-9225740-B1 · Dec 29, 2015 · US
US9606893B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9606893-B2 |
| Application number | US-201414451597-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 5, 2014 |
| Priority date | Dec 6, 2013 |
| Publication date | Mar 28, 2017 |
| Grant date | Mar 28, 2017 |
Official abstract text for this publication.
Methods, and computing devices implementing the methods, improve the efficiency and performance of a comprehensive behavioral monitoring and analysis system that is configured to predict whether a software application is causing undesirable or performance depredating behavior. The behavioral monitoring and analysis system may be configured to quickly and efficiently classify certain software applications as being benign by generating a behavior vector that characterizes the activities of the software application, determining whether the generated behavior vector includes a distinguishing behavior or behavioral clue identifying the software application as a trusted software application, and classifying the software application as benign in response to determining that the generated behavior vector includes a distinguishing behavior identifying the software application as a trusted software application.
Opening claim text (preview).
What is claimed is:

1. A method of analyzing a software application operating on a computing device, the method comprising: monitoring in a processor of the computing device activities of the software application by collecting behavior information from a log of actions stored in a memory of the computing device; generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and determining whether the generated behavior vector includes a distinguishing behavior caused by a performance of a special operation by the software application in the computing device that identifies the software application to the computing device as being from a known vendor.

2. The method of claim 1, wherein determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.

3. The method of claim 1, wherein determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.

4. The method of claim 1, further comprising: authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.

5. The method of claim 1, further comprising: performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.

6. The method of claim 5, further comprising: receiving a full classifier model that includes a plurality of test conditions; identifying device features used by the software application; identifying test conditions in the plurality of test conditions that evaluate the identified device features; and generating an application-based classifier model that prioritizes the identified test conditions, wherein applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises applying the generated behavior vector to the generated application-based classifier model.

7. The method of claim 6, wherein: generating the behavior vector based on the collected behavior information comprises using the collected behavior information to generate a feature vector; and applying the generated behavior vector to the generated application-based classifier model comprises: applying the generated feature vector to the application-based classifier model so as to evaluate each test condition included in the application-based classifier model; computing a weighted average of each result of evaluating test conditions in the application-based classifier model; and determining whether the behavior is non-benign based on the weighted average.

8. The method of claim 6, wherein: receiving the full classifier model that includes the plurality of test conditions comprises receiving a finite state machine that includes information that is suitable for conversion into a plurality of decision nodes that each evaluate one of the plurality of test conditions; and generating the application-based classifier model that prioritizes the identified test conditions comprises generating the application-based classifier model to include decision nodes that evaluate one of: a device feature that is relevant to the software application; and a device feature that is relevant to an application type of the software application.

9. A computing device, comprising: a memory; and a processor coupled to the memory, wherein the processor is configured with processor-executable instructions to perform operations comprising: monitoring activities of a software application by collecting behavior information from a log of actions stored in the memory; generating a behavior vector that characterizes the monitored activities of the software application based on the collected behavior information; and determining whether the generated behavior vector includes a distinguishing behavior caused by a performance of a special operation by the software application in the computing device that identifies the software application to the computing device as being from a known vendor.

10. The computing device of claim 9, wherein the processor is configured with processor-executable instructions such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying use of an unexpected device feature by the software application.

11. The computing device of claim 9, wherein the processor is configured with processor-executable instructions such that determining whether the generated behavior vector includes the distinguishing behavior comprises determining whether the generated behavior vector includes information identifying unusual use of a device feature by the software application.

12. The computing device of claim 9, wherein the processor is configured with processor-executable instructions to perform operations further comprising: authenticating the software application by classifying the software application as benign in response to determining that the generated behavior vector includes the distinguishing behavior.

13. The computing device of claim 9, wherein the processor is configured with processor-executable instructions to perform operations further comprising: performing deep behavioral analysis operations by applying the generated behavior vector to a focused classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior; and applying the generated behavior vector to a classifier model to determine whether the software application is non-benign in response to determining that the generated behavior vector does not include the distinguishing behavior.

14. The computing device of claim 13, wherein the processor is configured with processor-executable instructions to perform operations further comprising: receiving a full classifier model that includes a plurality of test conditions; identifying device features used by the software application; identifying test conditions in the plurality of test conditions that evaluate the identified device features; and generating an application-based classifier model that prioritizes the identified test conditions, wherein applying the generated behavior vector to the classifier model to determine whether the software application is non-benign comprises applying the generated behavior vector to the generated application-based classifier model.

15. The computing device of claim 14, wherein the processor is configured with processor-executable instructions such that: generating the behavior vector based on the collected behavior information comprises using the collected behavior information to generate a feature vector; and
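
The flow recited in claims 1 and 4 through 7, sketched as an added example; this is not code from the patent or its assignee. The feature names, thresholds, weights, the `DISTINGUISHING` pattern, the 0.5 cutoff and the "inconclusive" result are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class TestCondition:
    feature: str     # device feature this condition evaluates
    threshold: int   # a count above this votes "non-benign"
    weight: float    # confidence given to the condition

# Constructed full classifier model (illustrative values only).
FULL_MODEL = [
    TestCondition("sms_send", 3, 0.9),
    TestCondition("location_read", 10, 0.4),
    TestCondition("camera_open", 5, 0.3),
    TestCondition("contacts_read", 2, 0.7),
]

# Hypothetical distinguishing behavior: exact feature counts agreed with a vendor.
DISTINGUISHING = {"nfc_poll": 7}

def behavior_vector(action_log):
    """Claim 1: summarize the log of actions as per-feature counts."""
    return Counter(action_log)

def has_distinguishing_behavior(vector):
    return all(vector.get(f, 0) == n for f, n in DISTINGUISHING.items())

def app_based_model(full_model, vector):
    """Claim 6: keep conditions on features the app used, heaviest first."""
    used = [c for c in full_model if vector.get(c.feature, 0) > 0]
    return sorted(used, key=lambda c: c.weight, reverse=True)

def classify(action_log, cutoff=0.5):
    vector = behavior_vector(action_log)
    if has_distinguishing_behavior(vector):
        return "benign"                      # claim 4: fast path
    model = app_based_model(FULL_MODEL, vector)
    if not model:
        return "inconclusive"                # assumption: no condition applies
    # Claim 7: weighted average of the individual test-condition results.
    total = sum(c.weight for c in model)
    score = sum(c.weight for c in model if vector[c.feature] > c.threshold) / total
    return "non-benign" if score > cutoff else "benign"

# Constructed sample logs, one feature name per logged action.
TRUSTED = ["nfc_poll"] * 7 + ["sms_send"] * 5
SUSPECT = ["sms_send"] * 5 + ["contacts_read"] * 4 + ["location_read"] * 2
ORDINARY = ["camera_open"] * 2 + ["location_read"] * 3
```
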
Physics · mapped topic
Program or device authentication · CPC title
Distributed expert systems; Blackboards · CPC title
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title