1. WO2017003593 - CUSTOMIZED NETWORK TRAFFIC MODELS TO DETECT APPLICATION ANOMALIES

Note: This text was generated by an automatic optical character recognition process. For legal matters, please refer to the PDF version.

CLAIMS

What is claimed is:

1. A method of identifying anomalous application behavior by a processor of a computing device, comprising:

detecting network communication activity of an application on a computing device;

identifying one or more device states of the computing device;

identifying one or more categories of the application; and

determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

2. The method of claim 1, wherein the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, and a port traffic mapping related to the network communication activity of the application.

3. The method of claim 1, wherein the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.

4. The method of claim 1, wherein determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application comprises:

generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;

applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and

determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.

5. The method of claim 1, further comprising taking an action to limit an application behavior in response to determining that the application is behaving anomalously.

6. The method of claim 1, wherein identifying one or more categories of the application comprises analyzing one or more screenshots of a display generated by the application on the computing device.

7. The method of claim 6, wherein analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.

8. The method of claim 7, wherein analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.

9. The method of claim 6, wherein identifying one or more categories of the application comprises:

analyzing audio signals generated by the application; and

correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

10. The method of claim 6, wherein identifying one or more categories of the application comprises:

analyzing inputs received at a user interface of the computing device related to the application; and

correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

11. A method of determining a category of an application on a computing device by a processor of the computing device, comprising:

generating a feature vector characterizing one or more screenshots of a display generated by the application on the computing device; and

applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.

12. The method of claim 11, wherein applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.

13. The method of claim 12, wherein applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.

14. The method of claim 11, wherein generating a feature vector comprises:

analyzing audio signals generated by the application; and

correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

15. The method of claim 11, wherein generating a feature vector comprises:

analyzing inputs received at a user interface of the computing device related to the application; and

correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

16. A computing device, comprising:

a processor configured with processor-executable instructions to perform operations comprising:

detecting network communication activity of an application on a computing device;

identifying one or more device states of the computing device;

identifying one or more categories of the application; and

determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application.

17. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that the network communication activity comprises one or more of a network traffic pattern of the network communication activity, a quantity of information sent by the application, a quantity of information received by the application, a quantity of destinations to which information is sent by the application, a quantity of sources from which information is received by the application, a type of information sent or received by the application, a data protocol used by the application, and a port traffic mapping related to the network communication activity of the application.

18. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that the one or more device states comprise one or more of a coarse motion classifier, a device position, and a device network communication state.

19. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that determining whether the application is behaving anomalously based on a correlation of the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application comprises:

generating a behavior vector based on the detected network communication activity of the application, the identified one or more device states of the computing device, and the identified one or more categories of the application;

applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector; and

determining whether the application is behaving anomalously based on a result of applying one or more classifier models appropriate for the one or more categories of the application to the generated behavior vector.

20. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations further comprising taking an action to limit an application behavior in response to determining that the application is behaving anomalously.

21. The computing device of claim 16, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises analyzing one or more screenshots of a display generated by the application on the computing device.

22. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on a plurality of screenshots of the display generated by the application on the computing device.

23. The computing device of claim 22, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing one or more screenshots of a display generated by the application on the computing device comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.

24. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises:

analyzing audio signals generated by the application; and

correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

25. The computing device of claim 21, wherein the processor is configured with processor-executable instructions to perform operations such that identifying one or more categories of the application comprises:

analyzing inputs received at a user interface of the computing device related to the application; and

correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.

26. A computing device, comprising:

a processor configured with processor-executable instructions to perform operations comprising:

generating a feature vector characterizing one or more screenshots of a display generated by an application on the computing device; and

applying a classifier model to the feature vector, wherein one or more categories of the application are identified based on results of applying the classifier model to the feature vector.

27. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that applying a classifier model to the feature vector comprises determining whether the application is an image-based application, a text-based application, or a meta-application based on the generated feature vector.

28. The computing device of claim 27, wherein the processor is configured with processor-executable instructions to perform operations such that applying a classifier model to the feature vector comprises determining whether the application is a still-image application or a video application in response to determining that the application is an image-based application.

29. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that generating a feature vector comprises:

analyzing audio signals generated by the application; and

correlating the analyzed audio signals with the one or more screenshots of the display generated by the application on the computing device.

30. The computing device of claim 26, wherein the processor is configured with processor-executable instructions to perform operations such that generating a feature vector comprises:

analyzing inputs received at a user interface of the computing device related to the application; and

correlating the analyzed inputs at the user interface with the one or more screenshots of the display generated by the application on the computing device.
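
The three steps recited in claims 4 and 19 (build a behavior vector, apply the classifier models for the application's categories, decide) can be sketched as follows. This is an added illustration, not code from the patent or the applicant: the per-feature deviation score, the `MODELS` baselines, the `THRESHOLD` value, the function names and the sample counters are all assumptions constructed for the example.

```python
import math

# Constructed baselines (assumption): (mean, std) of log10 of each traffic
# feature, one model per (application category, device network state).
MODELS = {
    ("text", "wifi"): {"bytes_sent": (4.0, 0.5), "bytes_recv": (5.0, 0.5), "destinations": (0.5, 0.3)},
    ("text", "cellular"): {"bytes_sent": (3.5, 0.5), "bytes_recv": (4.0, 0.5), "destinations": (0.5, 0.3)},
    ("video", "wifi"): {"bytes_sent": (4.5, 0.6), "bytes_recv": (7.5, 0.6), "destinations": (0.7, 0.3)},
}
THRESHOLD = 3.0  # hypothetical cut-off, in standard deviations


def behavior_vector(activity, net_state, categories):
    """Combine traffic counters, device state and app categories into one record."""
    features = {name: math.log10(max(value, 1)) for name, value in activity.items()}
    return {"features": features, "net_state": net_state, "categories": tuple(categories)}


def category_score(vector, category):
    """Largest per-feature deviation from the model for this category and state."""
    model = MODELS.get((category, vector["net_state"]))
    if model is None:
        return None
    return max(abs(vector["features"][f] - mean) / std for f, (mean, std) in model.items())


def is_anomalous(vector):
    """Anomalous only if no model for any of the app's categories explains the traffic."""
    scores = [s for c in vector["categories"] if (s := category_score(vector, c)) is not None]
    if not scores:
        raise LookupError("no classifier model for this category and device state")
    return min(scores) > THRESHOLD


# Constructed sample: about 30 MB received from 4 sources over Wi-Fi.
HEAVY_DOWNLOAD = {"bytes_sent": 20_000, "bytes_recv": 30_000_000, "destinations": 4}
```

The same counters are scored differently depending on the category and device state supplied, and a category/state pair with no model raises an error instead of silently passing.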