公开(公告)号：US09686023B2

公开(公告)日：2017-06-20

申请号：US14091707

申请日：2013-11-27

Applicant: QUALCOMM Incorporated

Inventor： Vinay Sridhara ,  Rajarshi Gupta ,  Kassem Fawaz

IPC: H04B17/00 ,  G06N5/04 ,  H04B17/391

CPC classification number: H04B17/391 ,  G06N5/003 ,  G06N99/005

Abstract: The various aspects provide a mobile device and methods implemented on the mobile device for modifying behavior models to account for device-specific or device-state-specific features. In the various aspects, a behavior analyzer module may leverage a full feature set of behavior models (i.e. a large classifier model) received from a network server to create lean classifier models for use in monitoring for malicious behavior on the mobile device, and the behavior analyzer module may dynamically modify these lean classifier models to include features specific to the mobile device and/or the mobile device's current configuration. Thus, the various aspects may enhance overall security for a particular mobile device by taking the mobile device and its current configuration into account and may improve overall performance by monitoring only features that are relevant to the mobile device.

公开(公告)号：US09323929B2

公开(公告)日：2016-04-26

申请号：US14090200

申请日：2013-11-26

Applicant: QUALCOMM Incorporated

Inventor： David Fiala ,  Mihai Christodorescu ,  Vinay Sridhara ,  Rajarshi Gupta ,  Kassem Fawaz

IPC: G06F21/56

CPC classification number: G06F21/56 ,  G06F21/566

Abstract: The various aspects provide for a computing device and methods implemented by the device to ensure that an application executing on the device and seeking root access will not cause malicious behavior while after receiving root access. Before giving the application root access, the computing device may identify operations the application intends to execute while having root access, determine whether executing the operations will cause malicious behavior by simulating execution of the operations, and pre-approve those operations after determining that executing those operations will not result in malicious behavior. Further, after giving the application root access, the computing device may only allow the application to perform pre-approved operations by quickly checking the application's pending operations against the pre-approved operations before allowing the application to perform those operations. Thus, the various aspects may ensure that an application receives root access without compromising the performance or security integrity of the computing device.

Abstract translation: 各种方面提供了一种计算设备和由设备实现的方法，以确保在接收根访问之后在设备上执行并寻求root访问的应用不会引起恶意行为。 在给予应用程序根访问之前，计算设备可以识别应用程序在具有root访问的同时执行的操作，确定执行操作是否会通过模拟操作的执行而导致恶意行为，并且在确定执行这些操作之后预先批准这些操作 操作不会导致恶意行为。 此外，在给予应用程序根访问之后，计算设备可以仅允许应用程序通过在允许应用程序执行这些操作之前快速检查应用程序针对预先批准的操作的待处理操作来执行预先批准的操作。 因此，各个方面可以确保应用程序接收根访问，而不会影响计算设备的性能或安全完整性。

公开(公告)号：US10089582B2

公开(公告)日：2018-10-02

申请号：US14826430

申请日：2015-08-14

Applicant: QUALCOMM Incorporated

Inventor： Kassem Fawaz ,  Vinay Sridhara ,  Rajarshi Gupta ,  Yin Chen

IPC: G06F17/00 ,  G06N7/00 ,  G06N7/08 ,  G06N99/00 ,  G06N5/04 ,  G06N5/02

Abstract: Methods and systems for classifying mobile device behavior include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model along with sigmoid parameters and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behavior are benign. Results of applying the focused or lean classifier model may be normalized using a sigmoid function, with the resulting normalized result used to determine whether the behavior is benign or non-benign.

公开(公告)号：US09684870B2

公开(公告)日：2017-06-20

申请号：US14090261

申请日：2013-11-26

Applicant: QUALCOMM Incorporated

Inventor： Kassem Fawaz ,  Vinay Sridhara ,  Rajarshi Gupta

IPC: G06N5/04 ,  G06N5/02

CPC classification number: G06N5/043 ,  G06N5/025

Abstract: Methods and systems for classifying mobile device behavior include configuring a server use a large corpus of mobile device behaviors to generate a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behavior are benign. Boosted decision stumps may be culled by selecting all boosted decision stumps that depend upon a limited set of test conditions.

公开(公告)号：US20150356462A1

公开(公告)日：2015-12-10

申请号：US14826430

申请日：2015-08-14

Applicant: QUALCOMM Incorporated

Inventor： Kassem Fawaz ,  Vinay Sridhara ,  Rajarshi Gupta ,  Yin Chen

IPC: G06N99/00 ,  G06N7/00

CPC classification number: G06N99/005 ,  G06N5/025 ,  G06N5/043

Abstract: Methods and systems for classifying mobile device behavior include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model along with sigmoid parameters and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behavior are benign. Results of applying the focused or lean classifier model may be normalized using a sigmoid function, with the resulting normalized result used to determine whether the behavior is benign or non-benign.

Abstract translation: 用于分类移动设备行为的方法和系统包括生成包括适合于转换为增强的决策树桩的有限状态机的完整分类器模型和/或描述与确定移动设备行为是良性还是贡献相关的所有或许多特征 随着时间的推移，移动设备的恶化。 移动设备可以连同S型参数一起接收完整的分类器模型，并使用该模型来生成一整套增强的决策树桩，通过将完整集合剔除，从而从整个集合或精益分类器模型生成更多聚焦或精益分类器模型，适用于有效地确定是否 移动设备行为是良性的。 应用聚焦或精确分类器模型的结果可以使用S形函数进行归一化，所得到的归一化结果用于确定行为是良性还是非良性。

公开(公告)号：US20150150130A1

公开(公告)日：2015-05-28

申请号：US14090200

申请日：2013-11-26

Applicant: QUALCOMM Incorporated

Inventor： David Fiala ,  Mihai Christodorescu ,  Vinay Sridhara ,  Rajarshi Gupta ,  Kassem Fawaz

IPC: G06F21/56

CPC classification number: G06F21/56 ,  G06F21/566

Abstract: The various aspects provide for a computing device and methods implemented by the device to ensure that an application executing on the device and seeking root access will not cause malicious behavior while after receiving root access. Before giving the application root access, the computing device may identify operations the application intends to execute while having root access, determine whether executing the operations will cause malicious behavior by simulating execution of the operations, and pre-approve those operations after determining that executing those operations will not result in malicious behavior. Further, after giving the application root access, the computing device may only allow the application to perform pre-approved operations by quickly checking the application's pending operations against the pre-approved operations before allowing the application to perform those operations. Thus, the various aspects may ensure that an application receives root access without compromising the performance or security integrity of the computing device.

Abstract translation: 各种方面提供了一种计算设备和由设备实现的方法，以确保在接收根访问之后在设备上执行并寻求root访问的应用不会引起恶意行为。 在给予应用程序根访问之前，计算设备可以识别应用程序在具有root访问的同时执行的操作，确定执行操作是否会通过模拟操作的执行而导致恶意行为，并且在确定执行这些操作之后预先批准这些操作 操作不会导致恶意行为。 此外，在给予应用程序根访问之后，计算设备可以仅允许应用程序通过在允许应用程序执行这些操作之前快速检查应用程序针对预先批准的操作的待处理操作来执行预先批准的操作。 因此，各个方面可以确保应用程序接收根访问，而不会影响计算设备的性能或安全完整性。

公开(公告)号：US09147072B2

公开(公告)日：2015-09-29

申请号：US14064437

申请日：2013-10-28

Applicant: QUALCOMM Incorporated

Inventor： Kassem Fawaz ,  Vinay Sridhara ,  Rajarshi Gupta ,  Mihai Christodorescu

IPC: G06F7/04 ,  G06F17/30 ,  H04N7/16 ,  G06F21/56 ,  G06F21/55

CPC classification number: G06F21/566 ,  G06F21/552

Abstract: Methods, systems and devices use operating system execution states while monitoring applications executing on a mobile device to perform comprehensive behavioral monitoring and analysis include configuring a mobile device to monitor an activity of a software application, generate a shadow feature value that identifies an operating system execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device may also be configured to intelligently determine whether the operating system execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the operating system execution states of the software applications for which such determinations are relevant.

Abstract translation: 方法，系统和设备使用操作系统执行状态，同时监视在移动设备上执行的执行综合行为监控和分析的应用程序，包括配置移动设备来监视软件应用程序的活动，生成标识操作系统执行的阴影特征值 在该活动期间生成软件应用程序的状态，生成将所监视的活动与影子特征值相关联的行为向量，并基于生成的行为向量，阴影特征值和/或操作系统执行状态来确定活动是恶意还是良性 。 移动设备还可以被配置为智能地确定软件应用的操作系统执行状态是否与确定所监视的移动设备行为是否是恶意的或可疑的相关，并且仅监视软件应用的操作系统执行状态 这些确定是相关的。

公开(公告)号：US20140188781A1

公开(公告)日：2014-07-03

申请号：US14090261

申请日：2013-11-26

Applicant: QUALCOMM Incorporated

Inventor： Kassem Fawaz ,  Vinay Sridhara ,  Rajarshi Gupta

IPC: G06N5/02

CPC classification number: G06N5/043 ,  G06N5/025

Abstract: Methods and systems for classifying mobile device behavior include configuring a server use a large corpus of mobile device behaviors to generate a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behavior are benign. Boosted decision stumps may be culled by selecting all boosted decision stumps that depend upon a limited set of test conditions.

Abstract translation: 用于分类移动设备行为的方法和系统包括配置服务器使用大的移动设备行为语料库来生成包括适合于转换为增强的决策树桩的有限状态机和/或描述所有或许多特征的完整分类器模型 与确定移动设备行为是否良好或对移动设备随着时间的退化有所贡献相关。 移动设备可以接收完整的分类器模型并且使用该模型来产生一整套增强的决策树桩，通过将整个集合剔除，从而可以通过将整个集合剔除，从而从中产生更集中或精确的分类器模型，适合于有效地确定移动设备行为是否 良性。 通过选择依赖于有限的测试条件的所有提升的决策树桩，可以剔除增强的决策树桩。

公开(公告)号：US20140187177A1

公开(公告)日：2014-07-03

申请号：US14091707

申请日：2013-11-27

Applicant: QUALCOMM Incorporated

Inventor： Vinay Sridhara ,  Rajarshi Gupta ,  Kassem Fawaz

IPC: H04B17/00 ,  H04W24/02

CPC classification number: H04B17/391 ,  G06N5/003 ,  G06N99/005

Abstract: The various aspects provide a mobile device and methods implemented on the mobile device for modifying behavior models to account for device-specific or device-state-specific features. In the various aspects, a behavior analyzer module may leverage a full feature set of behavior models (i.e. a large classifier model) received from a network server to create lean classifier models for use in monitoring for malicious behavior on the mobile device, and the behavior analyzer module may dynamically modify these lean classifier models to include features specific to the mobile device and/or the mobile device's current configuration. Thus, the various aspects may enhance overall security for a particular mobile device by taking the mobile device and its current configuration into account and may improve overall performance by monitoring only features that are relevant to the mobile device.

Abstract translation: 各个方面提供在移动设备上实现的移动设备和方法，用于修改行为模型以考虑设备特定或设备状态特定的特征。 在各个方面，行为分析器模块可以利用从网络服务器接收的行为模型（即大型分类器模型）的完整特征集来创建用于监视移动设备上的恶意行为的精简分类器模型，以及行为 分析器模块可以动态地修改这些精益分类器模型以包括特定于移动设备和/或移动设备的当前配置的特征。 因此，各个方面可以通过考虑移动设备及其当前配置来增强特定移动设备的总体安全性，并且可以通过仅监视与移动设备相关的特征来提高整体性能。