Abstract:
The various aspects provide a mobile device and methods implemented on the mobile device for modifying behavior models to account for device-specific or device-state-specific features. In the various aspects, a behavior analyzer module may leverage a full feature set of behavior models (i.e. a large classifier model) received from a network server to create lean classifier models for use in monitoring for malicious behavior on the mobile device, and the behavior analyzer module may dynamically modify these lean classifier models to include features specific to the mobile device and/or the mobile device's current configuration. Thus, the various aspects may enhance overall security for a particular mobile device by taking the mobile device and its current configuration into account and may improve overall performance by monitoring only features that are relevant to the mobile device.
Abstract:
The various aspects provide for a computing device and methods implemented by the device to ensure that an application executing on the device and seeking root access will not cause malicious behavior after receiving root access. Before giving the application root access, the computing device may identify operations the application intends to execute while having root access, determine whether executing the operations will cause malicious behavior by simulating execution of the operations, and pre-approve those operations after determining that executing those operations will not result in malicious behavior. Further, after giving the application root access, the computing device may only allow the application to perform pre-approved operations by quickly checking the application's pending operations against the pre-approved operations before allowing the application to perform those operations. Thus, the various aspects may ensure that an application receives root access without compromising the performance or security integrity of the computing device.
Abstract:
Methods and systems for classifying mobile device behavior include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model along with sigmoid parameters and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behaviors are benign. Results of applying the focused or lean classifier model may be normalized using a sigmoid function, with the resulting normalized result used to determine whether the behavior is benign or non-benign.
Abstract:
Methods and systems for classifying mobile device behavior include configuring a server to use a large corpus of mobile device behaviors to generate a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model and use the model to generate a full set of boosted decision stumps from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behaviors are benign. Boosted decision stumps may be culled by selecting all boosted decision stumps that depend upon a limited set of test conditions.
Abstract:
Methods, systems and devices that use operating system execution states while monitoring applications executing on a mobile device to perform comprehensive behavioral monitoring and analysis include configuring a mobile device to monitor an activity of a software application, generate a shadow feature value that identifies an operating system execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device may also be configured to intelligently determine whether the operating system execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the operating system execution states of the software applications for which such determinations are relevant.