Title of invention: Lightweight data-flow tracker for realtime behavioral analysis using control flow
Abstract: Methods and devices for detecting performance-degrading behaviors include identifying a data source component that inputs data into an application executing on a mobile device, and identifying a data sink component that consumes data output from the application. Using a measured runtime control-flow parameter, a likelihood that the data source component is a critical data resource may be determined. Using the probability value, a behavior model that identifies a mobile device feature associated with the critical data resource may be updated and used to determine whether the software application is malicious. Measured runtime control-flow parameters may include a program execution distance between data source and sink components based on heuristics. Determining program execution distances between data sources and sinks may include computing call graph distances by comparing a source call stack length and a sink call stack length, or by counting method invocations or functional calls between data sources and sinks.
Publication number: US9158604(B1); Publication date: 2015.10.13
Application number: US201414276043; Filing date: 2014.05.13
Applicant: QUALCOMM Incorporated; Inventors: Christodorescu Mihai; Gupta Rajarshi; Fiala David Jerome
Classification: G06F9/54; G06F9/50; G06F9/44; Main classification: G06F9/54
Agency: The Marbury Law Group, PLLC; Agent: The Marbury Law Group, PLLC
Main claim: 1. A method of tracking data flows in a mobile device, comprising: identifying a data source component that inputs data into a software application configured for executing on a processing core of the mobile device; identifying a data sink component that consumes data output from the software application; using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource; monitoring application programming interface (API) calls made by the software application when accessing the critical data resource; associating the probability value of the critical data resource with one or more of the API calls; identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls; generating a light-weight behavior signature based on the identified pattern of API calls; using the light-weight behavior signature to perform behavior analysis operations; and determining whether the software application is non-benign based on the behavior analysis operations.
Address: San Diego CA US