News Column

Patent Issued for Using Expectation Measures to Identify Relevant Application Analysis Results

August 27, 2014

By a News Reporter-Staff News Editor at Journal of Engineering -- Symantec Corporation (Mountain View, CA) has been issued patent number 8806644, according to news reporting originating out of Alexandria, Virginia, by VerticalNews editors.

The patent's inventors are McCorkendale, Bruce (Manhattan Beach, CA); Mao, Jun (Culver City, CA).

This patent was filed on May 25, 2012 and was published online on August 12, 2014.

From the background information supplied by the inventors, news correspondents obtained the following quote: "Mobile computing devices such as smartphones and tablet computers are becoming more widely used every day. Android is an open-source, Linux based operating system for such mobile devices that is gaining an increasingly prevalent market share. A large community of developers write applications ('apps') that run on Android devices. Many of these apps are available either for purchase or for free through the online Android Market, which is run by Google. Android apps can also be downloaded from other online stores and additional third-party sites. With the open nature of the Android environment, anyone can create and distribute Android apps.

"Because of its openness, the Android platform is vulnerable to an attack called trojanization. To implement this attack, a malicious party starts with a legitimate app, downloaded from an online store or other source. The attacker strips the app's digital signature, adds additional (malicious) code to the app, resigns the app with an anonymous digital certificate, and redistributes the now malicious app to unsuspecting users through one of the existing channels. In effect, the attacker is taking advantage of the openness of the Android development and distribution environment to hide malicious code in an existing, legitimate app. Users seeking to download and run the legitimate app are tricked into downloading the trojanized version. When the trojanized app runs on the user's Android device, the new code the attacker added can execute malicious functionality, such as stealing contact information, logging data input, sending fraudulent communications, etc.

"Mobile security products exist for Android which analyze apps, and warn users of potentially malicious behavior. An Android app is distributed in the form of an APK (Android Application Package) file. These security products examine APK files and attempt to identify potentially malicious code. Such products typically examine the permissions that an app (or other type of application) requests, and then warn the user concerning the ways in which the requested permissions can be misused. For example, an app with permission to send text messages could fraudulently send numerous premium rate service messages, resulting in a large bill for the user. An app with GPS access and network communication privileges could track the user's location, and transmit this information to a malicious party. Likewise, apps with permissions allowing them to send emails, make phone calls, record audio and/or video, etc., can use these access privileges for malicious purposes.

"The use of such permissions is legitimately required by many benign apps, such as navigation apps, appointment dialers, camera apps, etc. The fact that an app requests a given permission (e.g., use of the phone on a mobile computing device) is not a cause for concern in and of itself. Certain types of apps, for example an appointment dialer, must use the phone to execute their primary functionality. On the other hand, other types of apps, for example a wallpaper app, would not be expected to use the phone. Thus, warning a user that an app requests permissions that can be used for malicious purposes is of limited helpfulness. Many benign apps have legitimate needs for these permissions. When presented with a warning that an app seeks various permissions that could enable malicious behavior, an average user does not know if the app does or does not have a legitimate reason for requesting the permissions. Note that the potential for attacks and the security analysis described herein are not limited to Android apps, but can also occur in the context of applications for other mobile or desktop computing environments.

"Some security products for mobile apps (as well as other types of applications) also analyze actions performed by applications, for example by running an application in a confined environment and monitoring what actions the application performs. As with the identification of permissions requested by apps discussed above, these products identify actions that could be used maliciously. For example, such analysis can identify that an application sends emails or text messages, records video or reads privacy sensitive information, such as the user's contacts or the device's International Mobile Equipment Identity (IMEI). As with requesting permissions, these actions have legitimate as well as malicious uses. For example, an application that accesses the user's contacts and sends email messages could send the user's private contact data to a malicious party. On the other hand, it would be legitimate (and necessary) for an email client to access the user's contacts and send emails.

"Simply informing the user that a given application requests permissions or performs actions that can potentially be used maliciously is not very useful to an average user. Because these permissions and actions have legitimate uses as well as the potential for malicious misuse, the user is not likely to know how to respond to a warning that an app requests certain privileges or performs certain actions. By heading all such warnings, the user will avoid benign apps that use the requested permissions and perform the detected actions for legitimate purposes. On the other hand, if the user ignores all such warnings, then the user receives no protection from the security product against downloading malware.

"It would be desirable to address these issues."

Supplementing the background information on this patent, VerticalNews reporters also obtained the inventors' summary information for this patent: "Differences between detected behaviors of an application and expected behaviors of the application are quantified, in order to determine whether the application is suspect of being malicious. The application is analyzed, thereby detecting behaviors of the application. The analyzing of the application can take the form of determining permissions that the application requests, determining data and/or system resources that the application attempts to access, and determining actions that the application executes. Application functionality can be detected through static analysis of the application, e.g., examining the binary image of the application, and/or through dynamic analysis of the application, e.g., running the application in an isolated environment and monitoring its behavior.

"Data indicative of the functionality of the application is mined from a plurality of sources. The mined data can comprise data that is indicative of how the application is represented by its publisher, for example in documentation or marketing material. Descriptions of the application by third parties can also be mined, such as reviews or discussions of the application on web forums. Web searches for the application can be made, and data mined from the search results. Additionally, the application itself can be mined for descriptive data, such as strings in the binary image and user interface text. Mining data indicative of the functionality of the application can comprise locating keywords, key phrases or other descriptive content indicative of one or more categories applicable to the application. In some embodiments, weights are applied to mined data, based on, for example, its content, source or context. In some embodiments, machine learning is utilized to adjust data mining over time, for example to glean more relevant data.

"The application is categorized based on the mined data. The categorization of the application indicates expected application behaviors. The categorizing of the application can take the form of applying at least one label indicative of one or more expected behaviors to the application. Multiple categories can be assigned to the application, wherein each assigned category correlates with at least one expected application behavior. In some embodiments, weights are applied to correlations between mined data and expected application behaviors. In some embodiments, machine learning is utilized to adjust application categorization over time, for example to improve accuracy.

"Measures of consistency between the detected behaviors of the application and the expected behaviors of the application are determined. Determining the measures of consistency comprises quantifying differences between detected behaviors of the application and expected behaviors of the application. Responsive to the determined measures of consistency, it is adjudicated whether the application is suspect of being malicious. For example, the application can be adjudicated as being benign, suspicious or malicious.

"The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter."

For the URL and additional information on this patent, see: McCorkendale, Bruce; Mao, Jun. Using Expectation Measures to Identify Relevant Application Analysis Results. U.S. Patent Number 8806644, filed May 25, 2012, and published online on August 12, 2014. Patent URL:

Keywords for this news article include: Legal Issues, Machine Learning, Symantec Corporation, Emerging Technologies.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC

For more stories covering the world of technology, please see HispanicBusiness' Tech Channel

Source: Journal of Engineering

Story Tools Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters