Memory hierarchy monitoring systems and methods

    Publication number: US09823843B2

    Publication date: 2017-11-21

    Application number: US14806842

    Application date: 2015-07-23

    CPC classification number: G06F3/0604 G06F3/0653 G06F3/0683 G06F21/552

    Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

    2. Memory Hierarchy Monitoring Systems and Methods
    Type: invention application
    Status: in force

    Publication number: US20170024135A1

    Publication date: 2017-01-26

    Application number: US14806842

    Application date: 2015-07-23

    CPC classification number: G06F3/0604 G06F3/0653 G06F3/0683 G06F21/552

    Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

    3. Hardware assisted asset tracking for information leak prevention
    Type: granted invention patent
    Status: in force

    Publication number: US09357411B2

    Publication date: 2016-05-31

    Application number: US14174956

    Application date: 2014-02-07

    CPC classification number: H04W24/08 G06F21/552 H04W4/60

    Abstract: Mobile computing devices may be equipped with hardware components configured to monitor key assets of the mobile device at a low level (e.g., firmware level, hardware level, etc.). The hardware component may also be configured to dynamically determine the key assets that are to be monitored in the mobile device, monitor the access or use of these key assets by monitoring data flows, transactions, or operations in a system data bus of the mobile device, and report suspicious activities to a comprehensive behavioral monitoring and analysis system of the mobile device. The comprehensive behavioral monitoring and analysis system may then use this information to quickly identify and respond to malicious or performance degrading activities of the mobile device.

    4. Hardware Assisted Asset Tracking for Information Leak Prevention
    Type: invention application
    Status: in force

    Publication number: US20150230108A1

    Publication date: 2015-08-13

    Application number: US14174956

    Application date: 2014-02-07

    CPC classification number: H04W24/08 G06F21/552 H04W4/60

    Abstract: Mobile computing devices may be equipped with hardware components configured to monitor key assets of the mobile device at a low level (e.g., firmware level, hardware level, etc.). The hardware component may also be configured to dynamically determine the key assets that are to be monitored in the mobile device, monitor the access or use of these key assets by monitoring data flows, transactions, or operations in a system data bus of the mobile device, and report suspicious activities to a comprehensive behavioral monitoring and analysis system of the mobile device. The comprehensive behavioral monitoring and analysis system may then use this information to quickly identify and respond to malicious or performance degrading activities of the mobile device.

    6. Methods and Systems for Side Channel Analysis Detection and Protection
    Type: invention application
    Status: in force

    Publication number: US20150373036A1

    Publication date: 2015-12-24

    Application number: US14312957

    Application date: 2014-06-24

    CPC classification number: H04L63/1416 G06F21/556 G06F21/755 H04L63/1466

    Abstract: A computing device may use machine learning techniques to determine whether a side channel attack is underway and perform obfuscation operations (e.g., operations to raise the noise floor) or other similar operations to stop or prevent a detected side channel attack. The computing device may determine that a side channel attack is underway in response to determining that the computing device is in airplane mode, that the battery of the computing device has been replaced with a stable DC power supply, that the touch-screen display of the computing device has been disconnected, that there are continuous calls to a cipher application programming interface (API) using the same cipher key, that there has been tampering with a behavioral analysis engine of the computing device, or any combination thereof.

    7. Methods and Systems for Thwarting Side Channel Attacks
    Type: invention application
    Status: in force

    Publication number: US20150373035A1

    Publication date: 2015-12-24

    Application number: US14312939

    Application date: 2014-06-24

    CPC classification number: H04L63/1416 G06F21/556 G06F2221/2125 H04L63/1433

    Abstract: A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.

    8. Cross-Module Behavioral Validation
    Type: invention application
    Status: under examination (published)

    Publication number: US20160350657A1

    Publication date: 2016-12-01

    Application number: US14726855

    Application date: 2015-06-01

    CPC classification number: G06N5/04 G06F11/3604

    Abstract: Systems, methods, and devices of the various aspects enable methods of cross-module behavioral validation. A plurality of observer modules of a system may observe behavior or behaviors of an observed module of the system. Each of the observer modules may generate a behavior representation based on the behavior or behaviors of the observed module. Each observer module may apply the behavior representation to a behavior classifier model suitable for each observer module. The observer modules may aggregate classifications of behaviors of the observed module determined by each of the observer modules. The observer modules may determine, based on the aggregated classification, whether the observed module is behaving anomalously.

    9. Return Oriented Programming Attack Detection Via Memory Monitoring
    Type: invention application
    Status: under examination (published)

    Publication number: US20160253497A1

    Publication date: 2016-09-01

    Application number: US14632652

    Application date: 2015-02-26

    CPC classification number: G06F21/554 G06F21/52 G06F21/566

    Abstract: Aspects include computing devices, systems, and methods for detecting return oriented programming (ROP) attacks on a computing device. A memory traversal map for a program called to run on the computing device may be loaded. A memory access request of the program to a memory of the computing device may be monitored and a memory address of the memory from the memory access request may be retrieved. The retrieved memory address may be compared to the memory traversal map and a determination of whether the memory access request indicates a ROP attack may be made. The memory traversal map may include a next memory address adjacent to a previous memory address in the memory traversal map. A cumulative anomaly score based on mismatches between the retrieved memory address and the memory traversal map may be calculated and used to determine whether to load a finer grain memory traversal map.

    10. Methods and Systems for Using Behavioral Analysis Towards Efficient Continuous Authentication
    Type: invention application
    Status: in force

    Publication number: US20160110528A1

    Publication date: 2016-04-21

    Application number: US14514662

    Application date: 2014-10-15

    Abstract: A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, and/or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may perform multifactor authentication operations that include determining one or more of a transaction type criticality value, a user confidence value, a software integrity confidence value, and a historical behavior value, using the one or more of these values to determine a number of authentication factors that are to be evaluated when authenticating a user of the computing device, and authenticating the user by evaluating the determined number of authentication factors.
