Title of invention |
Lightweight data-flow tracker for realtime behavioral analysis using control flow |
Abstract |
Methods and devices for detecting performance-degrading behaviors include identifying a data source component that inputs data into an application executing on a mobile device, and identifying a data sink component that consumes data output from the application. Using a measured runtime control-flow parameter, a likelihood that the data source component is a critical data resource may be determined. Using the probability value, a behavior model that identifies a mobile device feature associated with the critical data resource may be updated and used to determine whether the software application is malicious. Measured runtime control-flow parameters may include a program execution distance between data source and sink components based on heuristics. Determining program execution distances between data sources and sinks may include computing call graph distances by comparing a source call stack length and a sink call stack length, or by counting method invocations or functional calls between data sources and sinks. |
Publication number |
US9158604(B1) |
Publication date |
2015.10.13 |
Application number |
US201414276043 |
Filing date |
2014.05.13 |
Applicant |
QUALCOMM Incorporated |
Inventors |
Christodorescu Mihai;Gupta Rajarshi;Fiala David Jerome |
Classification |
G06F9/54;G06F9/50;G06F9/44 |
Main classification |
G06F9/54 |
Agency |
The Marbury Law Group, PLLC |
Agent |
The Marbury Law Group, PLLC |
Main claim |
1. A method of tracking data flows in a mobile device, comprising:
identifying a data source component that inputs data into a software application configured for executing on a processing core of the mobile device;
identifying a data sink component that consumes data output from the software application;
using a measured runtime control-flow parameter to determine a probability value that identifies a likelihood that the data source component is a critical data resource;
monitoring application programming interface (API) calls made by the software application when accessing the critical data resource;
associating the probability value of the critical data resource with one or more of the API calls;
identifying a pattern of API calls as being indicative of non-benign activity by the software application based on the probability value associated with the one or more of the API calls;
generating a light-weight behavior signature based on the identified pattern of API calls;
using the light-weight behavior signature to perform behavior analysis operations; and
determining whether the software application is non-benign based on the behavior analysis operations. |
Address |
San Diego CA US |