Title of invention: Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis
Abstract: Methods and devices for detecting suspicious or performance-degrading mobile device behaviors may include performing behavior monitoring and analysis operations to intelligently, dynamically, and/or adaptively determine the mobile device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the behaviors are to be observed. Such behavior monitoring and analysis operations may be performed continuously (or near continuously) in a mobile device without consuming an excessive amount of processing, memory, or energy resources of the mobile device by identifying hot application programming interfaces (APIs) and hot action patterns that are invoked or used most frequently by software applications of the mobile device and storing information regarding these hot APIs and hot action patterns separately and more efficiently.
Publication number: US9448859(B2) Publication date: 2016.09.20
Application number: US201314028914 Filing date: 2013.09.17
Applicant: QUALCOMM Incorporated Inventors: Gathala Sudha Anil Kumar; Sridhara Vinay; Gupta Rajarshi
Classification: G06F9/54 Main classification: G06F9/54
Agency: The Marbury Law Group, PLLC Agent: The Marbury Law Group, PLLC
Main claim: 1. A method of analyzing behaviors within a mobile device, comprising: identifying hot application programming interfaces (APIs) by identifying in a processor of the mobile device APIs that are used most frequently by software applications executing on the mobile device; storing information regarding usage of identified hot APIs in a hot API log in a memory of the mobile device; and performing behavior analysis operations based on the information stored in the hot API log to identify mobile device behaviors that are inconsistent with normal operation patterns, the behavior analysis operations comprising: collecting behavior information from the hot API log; generating a behavior vector data structure that characterizes the collected behavior information via a plurality of numerical values; and comparing the behavior vector data structure to contextual information; and determining whether a mobile device behavior is not benign based on the comparison, wherein the hot API log is organized so that values of generic fields that remain the same across invocations of an API are stored in a separate table as values of specific fields that are specific to each invocation of the API, and wherein the values of the specific fields are stored in a table along with hash keys to the separate table that stores the values of the generic fields.
Address: San Diego CA US