CN107924492A - Classifying mobile device behavior using normalized confidence values - Google Patents


Info

Publication number: CN107924492A
Authority: CN (China)
Application number: CN201680047561.4A
Language: Chinese (zh)
Legal status: Pending
Prior art keywords: lean, behavior, model, computing device, decision tree
Inventors: K·法瓦兹, V·斯里哈拉, R·古普塔, Y·陈
Current assignee: Qualcomm Inc
Original assignee: Qualcomm Inc
Priority claimed from: US 14/826,430 (published as US10089582B2)

Classifications

    • G06N5/043 Distributed expert systems; Blackboards (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N5/00 Computing arrangements using knowledge-based models > G06N5/04 Inference or reasoning models)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06N20/00 Machine learning (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS)
    • G06N5/02 Knowledge representation; Symbolic representation (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N5/00 Computing arrangements using knowledge-based models)
    • G06N5/025 Extracting rules from data (G06N5/00 Computing arrangements using knowledge-based models > G06N5/02 Knowledge representation; Symbolic representation > G06N5/022 Knowledge engineering; Knowledge acquisition)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Methods and systems for classifying mobile device behaviors include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps (single-test boosted decision trees) and/or that describes all or many of the mobile device features relevant to determining whether a mobile device behavior is benign or contributes to the degradation of the device over time. A mobile device may receive the full classifier model together with sigmoid parameters, use the model to generate the complete set of boosted decision stumps, and then prune that set to generate a more focused, or lean, classifier model suited to efficiently determining whether a mobile device behavior is benign. The result of applying the focused or lean classifier model may be normalized using a sigmoid function, and the resulting normalized value used to determine whether the behavior is benign or non-benign.

Description

Classifying mobile device behavior using normalized confidence values
Related applications
This application is a continuation-in-part of U.S. Patent Application No. 14/090,261, entitled "Methods and Systems of Using Boosted Decision Stumps and Joint Feature Selection and Pruning Algorithms for the Efficient Classification of Mobile Device Behaviors", filed November 26, 2013, which claims the benefit of priority to U.S. Provisional Application No. 61/874,129, entitled "Methods and Systems of Using Boosted Decision Stumps and Joint Feature Selection and Pruning Algorithms for the Efficient Classification of Mobile Device Behaviors", filed September 5, 2013, U.S. Provisional Patent Application No. 61/748,217, entitled "On-Device Real-Time Behavior Analyzer", filed January 2, 2013, and U.S. Provisional Patent Application No. 61/748,220, entitled "Architecture for Client-Cloud Behavior Analyzer", filed January 2, 2013, the entire contents of all of which are hereby incorporated by reference.
Background
Cellular and wireless communication technologies have seen explosive growth over the past several years. Better communications, hardware, larger networks and more reliable protocols have fuelled this growth. As a result, wireless service providers can now offer their customers unprecedented levels of access to information, resources and communications.
To keep pace with these services, mobile electronic devices (e.g., cellular phones, tablets, laptop computers, etc.) have become more powerful and complex than ever. This complexity has created new opportunities for malware, software conflicts, hardware faults and other similar errors or phenomena that negatively affect the long-term and continued performance and power utilization levels of mobile devices. Accordingly, identifying and correcting the conditions and/or mobile device behaviors that may negatively affect a mobile device's long-term and continued performance and power utilization levels is beneficial to consumers.
Summary
Various aspects include methods of generating a lean classifier model in a mobile device, which may include receiving, in a processor of the mobile device, a full classifier model that includes a finite state machine, and using the full classifier model to generate the lean classifier model in the mobile device. The finite state machine may include information suitable for conversion into, or expression as, a plurality of boosted decision stumps (rendered elsewhere as boosted decision trees; each tests a single condition), and each boosted decision stump may include a test condition and a weight value. In an aspect, the method may also include using the lean classifier model in the mobile device to classify a behavior of the mobile device as benign or non-benign (i.e., malicious, performance-degrading, etc.).
In an aspect, generating the lean classifier model based on the full classifier model may include converting the finite state machine included in the full classifier model into a list of boosted decision stumps, and generating the lean classifier model based on the boosted decision stumps included in the list.
In an aspect, generating the lean classifier model based on the full classifier model may also include: determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the test conditions included in the generated list of test conditions.
In an aspect, the method may include using the lean classifier model in the mobile device to classify the behavior of the mobile device as benign or non-benign by applying collected behavior information to each boosted decision stump in the lean classifier model, computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the lean classifier model, and comparing the weighted average to a threshold value.
In an aspect, generating the lean classifier model based on the full classifier model may include converting the finite state machine included in the full classifier model into a list of boosted decision stumps, and generating, based on the boosted decision stumps included in the list, a family of lean classifier models that includes the lean classifier model and a plurality of additional lean classifier models, each of which includes a different number of unique test conditions.
In an aspect, generating the lean classifier model may include generating a plurality of lean classifier models, each of which includes decision stumps that test a first condition using different weight values and different threshold values. In an aspect, the method may include recomputing, based on the full classifier model, the threshold values associated with the boosted decision stumps in the plurality of lean classifier models generated in the mobile device. In an aspect, the method may include recomputing, based on the full classifier model, the weight values associated with the boosted decision stumps in the plurality of lean classifier models generated in the mobile device.
In an aspect, the method may include generating the full classifier model in a server by receiving, in the server, a corpus of information on mobile device behaviors, generating the finite state machine based on the corpus so that it includes data suitable for conversion into the plurality of boosted decision stumps, and sending the finite state machine to the mobile device as the full classifier model. In an aspect, each test condition in the plurality of test conditions is associated with a probability value that identifies the likelihood that its associated test condition will enable the mobile device to determine whether a mobile device behavior is benign, and the method may further include ordering the boosted decision stumps in the finite state machine based on the probability values before sending the finite state machine to the mobile device as the full classifier model.
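The generation procedure described in the preceding paragraphs (order the stumps by probability, traverse them collecting unique test conditions up to a budget, keep only the stumps on those conditions, and classify by comparing a weighted average to a threshold) is carried through below as an added example. It is not code from the patent or from Qualcomm. It assumes the finite state machine has already been converted into an ordered list of stumps, that a "test condition" is the feature a stump evaluates (stumps on the same feature differ only in threshold and weight), that a stump's result is +1 when the feature value exceeds its threshold and -1 otherwise, and that the feature names, weights and behavior vectors are hypothetical constructed data.

```python
"""Added example, not the patent's or Qualcomm's code: builds a lean classifier
model from a full model of boosted decision stumps, builds a family of lean
models of increasing size, and classifies a behavior vector with the
weighted-average-versus-threshold rule.

Assumptions (not stated in the patent text): the FSM is already a list of
stumps; a test condition is the feature a stump evaluates; stump result is
+1 if behavior[feature] > threshold else -1; all names/values are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stump:
    feature: str      # the test condition (feature) this stump evaluates
    threshold: float  # stump fires when behavior[feature] > threshold
    weight: float     # boosting weight assigned by the server-side trainer
    prob: float       # probability that this condition helps decide the label


# Constructed full classifier model (hypothetical features and weights),
# already ordered on `prob` descending as the server may do before sending.
FULL_MODEL = [
    Stump("sms_sends_per_min", 5.0, 1.2, 0.90),
    Stump("bg_cpu_pct", 40.0, 0.8, 0.80),
    Stump("sms_sends_per_min", 20.0, 1.5, 0.70),
    Stump("net_bytes_out_kb", 500.0, 0.6, 0.60),
    Stump("bg_cpu_pct", 70.0, 1.0, 0.50),
    Stump("wakelocks_per_hour", 30.0, 0.4, 0.30),
    Stump("net_bytes_out_kb", 2000.0, 0.9, 0.25),
]


def order_by_probability(stumps):
    """Server-side step: most informative test conditions first, so that a
    prefix of the list is the best use of a limited feature budget."""
    return sorted(stumps, key=lambda s: s.prob, reverse=True)


def select_test_conditions(stumps, max_conditions):
    """Traverse the stump list in order, appending each not-yet-seen test
    condition until `max_conditions` unique conditions are collected."""
    conditions = []
    for stump in stumps:
        if stump.feature not in conditions:
            conditions.append(stump.feature)
            if len(conditions) == max_conditions:
                break
    return conditions


def lean_model(stumps, max_conditions):
    """Keep only stumps that test a selected condition. Every stump on a
    kept feature survives: collecting the feature is the costly part, and
    one collection serves all of that feature's thresholds."""
    keep = set(select_test_conditions(stumps, max_conditions))
    return [s for s in stumps if s.feature in keep]


def lean_family(stumps, sizes):
    """Family of lean models, each with a different number of unique test
    conditions, keyed by that number (e.g. sizes=(1, 2, 4))."""
    return {k: lean_model(stumps, k) for k in sizes}


def weighted_average(model, behavior):
    """Apply the behavior vector to every stump; return the weighted average
    of the +1/-1 stump results, which lies in [-1, 1]."""
    total = sum(s.weight for s in model)
    votes = sum(s.weight * (1 if behavior[s.feature] > s.threshold else -1)
                for s in model)
    return votes / total


def classify(model, behavior, threshold=0.0):
    """'non-benign' when the weighted average exceeds the threshold."""
    return "non-benign" if weighted_average(model, behavior) > threshold else "benign"


# Constructed behavior vectors (feature -> observed value)
SPAMMER = {"sms_sends_per_min": 25, "bg_cpu_pct": 75,
           "net_bytes_out_kb": 2500, "wakelocks_per_hour": 5}
IDLE = {"sms_sends_per_min": 1, "bg_cpu_pct": 10,
        "net_bytes_out_kb": 100, "wakelocks_per_hour": 2}

if __name__ == "__main__":
    family = lean_family(order_by_probability(FULL_MODEL), (1, 2, 4))
    for size, model in family.items():
        print(size, "conditions,", len(model), "stumps:",
              classify(model, SPAMMER), "/", classify(model, IDLE))
```

The budget is counted in unique features rather than in stumps because, on a device, the expensive operation is collecting a feature (polling a counter, hooking an API), not evaluating a comparison against it; once a feature is collected, every stump on it is nearly free, which is why a two-condition model above still carries four stumps.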
In a further aspect, the method may include using sigmoid parameters to compute and use normalized confidence values for improved behavior classification, which may include receiving, in a processor of a computing device, a full classifier model and sigmoid parameters from a server, determining a normalized confidence value based on the sigmoid parameters, and classifying a device behavior of the computing device based on the normalized confidence value.
In an aspect, the method may include generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into boosted decision stumps, and generating a family of lean classifier models based on the boosted decision stumps included in the list, in which classifying the device behavior of the computing device based on the normalized confidence value includes applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate an analysis result, and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate a new analysis result.
In a further aspect, the method may include generating the lean classifier model based on the full classifier model, and classifying the device behavior of the computing device based on the normalized confidence value may include applying a behavior vector information structure to the lean classifier model to generate an analysis result, and using the analysis result and the normalized confidence value to determine whether the device behavior is benign or non-benign. In another aspect, generating the lean classifier model based on the full classifier model may include generating a list of test conditions by: converting the finite state machine included in the full classifier model into a plurality of boosted decision stumps to generate a list of boosted decision stumps; determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; and sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the test conditions included in the list of test conditions.
In a further aspect, applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign may include: applying the collected behavior information included in the behavior vector information structure to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; and comparing the weighted average to a threshold value.
In yet another aspect, the method may include generating updated sigmoid parameters based on the normalized confidence value, and sending the updated sigmoid parameters to the server computing device. In a further aspect, the method may include receiving updated sigmoid parameters from the server computing device, determining a new normalized confidence value based on the updated sigmoid parameters received from the server computing device, and classifying the device behavior of the computing device based on the new normalized confidence value. In a further aspect, receiving the full classifier model and the sigmoid parameters may include receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each boosted decision stump including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior of the computing device is one of benign and non-benign.
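The sigmoid-normalization aspects above (normalize the classifier's weighted average with server-supplied sigmoid parameters, use the normalized confidence to decide whether to apply the next model in the family, and generate updated sigmoid parameters to send back) are worked through below as an added example. It is not code from the patent or from Qualcomm. The patent text does not state the form of the sigmoid or of the parameter update, so both are assumptions here: the parameters are a scale `a` and a midpoint `b` applied as 1 / (1 + exp(-a * (score - b))); a result counts as confident when it is at least `margin` away from 0.5; and the updated parameters are the mean of the observed scores (midpoint) and the reciprocal of their spread (scale). The stump tuples, feature names and behavior vectors are constructed data.

```python
"""Added example, not the patent's or Qualcomm's code: sigmoid-normalized
confidence, escalation through a family of lean classifier models driven by
that confidence, and an (assumed) update rule for the sigmoid parameters.

Assumptions not in the patent text: sigmoid form 1/(1+exp(-a*(score-b)));
"confident" means |confidence - 0.5| >= margin; update rule = mean / 1/stdev
of observed scores; stumps, features and values are constructed.
"""
import math
import statistics


def weighted_average(model, behavior):
    """model: list of (feature, threshold, weight); stump result is +1 when
    behavior[feature] > threshold, else -1; returns a value in [-1, 1]."""
    total = sum(w for _, _, w in model)
    return sum(w * (1 if behavior[f] > t else -1) for f, t, w in model) / total


def normalize(score, a, b):
    """Sigmoid normalization of a raw score into (0, 1); equals 0.5 at b."""
    return 1.0 / (1.0 + math.exp(-a * (score - b)))


def classify_with_escalation(family, behavior, a, b, margin=0.2):
    """family: lean models ordered from fewest to most unique test conditions.
    Apply the cheapest model first and apply the next one only while the
    normalized confidence stays inside the uncertain band around 0.5.
    Returns (label, confidence, number_of_models_applied)."""
    confidence = 0.5
    applied = 0
    for model in family:
        applied += 1
        confidence = normalize(weighted_average(model, behavior), a, b)
        if abs(confidence - 0.5) >= margin:
            break
    label = "non-benign" if confidence >= 0.5 else "benign"
    return label, confidence, applied


def updated_sigmoid_params(scores, a, b):
    """Assumed update rule for reporting back to the server: recenter the
    midpoint on the mean observed score and set the scale from the spread;
    keep the current parameters when there is too little data."""
    if len(scores) < 2:
        return a, b
    spread = statistics.pstdev(scores)
    return (1.0 / spread if spread > 0 else a), statistics.mean(scores)


# Constructed family: each model adds one more unique test condition
SMALL = [("sms_sends_per_min", 5.0, 1.2), ("sms_sends_per_min", 20.0, 1.5)]
MEDIUM = SMALL + [("bg_cpu_pct", 40.0, 0.8), ("bg_cpu_pct", 70.0, 1.0)]
LARGE = MEDIUM + [("net_bytes_out_kb", 500.0, 0.6),
                  ("net_bytes_out_kb", 2000.0, 0.9)]
FAMILY = [SMALL, MEDIUM, LARGE]

# Constructed behavior vectors (feature -> observed value)
BORDERLINE = {"sms_sends_per_min": 8, "bg_cpu_pct": 75, "net_bytes_out_kb": 2500}
IDLE = {"sms_sends_per_min": 1, "bg_cpu_pct": 10, "net_bytes_out_kb": 100}

if __name__ == "__main__":
    a, b = 4.0, 0.0  # sigmoid parameters as received from the server
    for name, vec in (("borderline", BORDERLINE), ("idle", IDLE)):
        print(name, classify_with_escalation(FAMILY, vec, a, b))
    observed = [weighted_average(LARGE, v) for v in (BORDERLINE, IDLE)]
    print("updated params:", updated_sigmoid_params(observed, a, b))
```

With `a = 4.0, b = 0.0` the borderline vector scores only weakly negative on the two-stump model, so its confidence lands inside the uncertain band and the medium model is applied, which flips the decision to non-benign; the idle vector is decided by the smallest model alone. The margin is the knob that trades power for accuracy: widening it escalates more often, narrowing it trusts the cheap model more.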
Further aspects may include a computing device that includes: means for receiving a full classifier model and sigmoid parameters from a server computing device; means for determining a normalized confidence value based on the sigmoid parameters; and means for classifying a device behavior of the computing device based on the normalized confidence value. In an aspect, the computing device may include means for generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into boosted decision stumps, and means for generating a family of lean classifier models based on the boosted decision stumps included in the list, in which the means for classifying the device behavior based on the normalized confidence value includes means for applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate an analysis result, and means for determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate a new analysis result.
In a further aspect, the computing device may include means for generating a lean classifier model based on the full classifier model, in which the means for classifying the device behavior based on the normalized confidence value includes means for applying a behavior vector information structure to the lean classifier model to generate an analysis result, and means for using the analysis result and the normalized confidence value to determine whether the device behavior of the computing device is benign or non-benign. In a further aspect, the means for generating the lean classifier model based on the full classifier model may include: means for generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into a plurality of boosted decision stumps; means for determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; means for generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and means for generating the lean classifier model to include only those boosted decision stumps that test one of the test conditions included in the list of test conditions. In a further aspect, the means for applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign includes: means for applying the collected behavior information included in the behavior vector information structure to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; means for computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; and means for comparing the weighted average to a threshold value.
In a further aspect, the computing device may include means for generating updated sigmoid parameters based on the normalized confidence value, and means for sending the updated sigmoid parameters to the server computing device. In a further aspect, the computing device may include means for receiving updated sigmoid parameters from the server computing device, means for determining a new normalized confidence value based on the updated sigmoid parameters, and means for classifying the device behavior of the computing device based on the new normalized confidence value. In a further aspect, the means for receiving the full classifier model and the sigmoid parameters includes means for receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each boosted decision stump including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior is one of benign and non-benign.
Further aspects may include a computing device that includes a processor configured with processor-executable instructions to perform operations including: receiving a full classifier model and sigmoid parameters from a server computing device; determining a normalized confidence value based on the sigmoid parameters; and classifying a device behavior of the computing device based on the normalized confidence value. In an aspect, the processor may be configured with processor-executable instructions to perform operations further including generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into boosted decision stumps, and generating a family of lean classifier models based on the boosted decision stumps included in the list, and the processor may be configured with processor-executable instructions to perform operations such that classifying the device behavior based on the normalized confidence value includes applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate an analysis result, and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate a new analysis result.
In a further aspect, the processor may be configured with processor-executable instructions to perform operations further including generating a lean classifier model based on the full classifier model, and the processor may be configured with processor-executable instructions to perform operations such that classifying the device behavior based on the normalized confidence value includes applying a behavior vector information structure to the lean classifier model to generate an analysis result, and using the analysis result and the normalized confidence value to determine whether the device behavior is benign or non-benign.
In a further aspect, the processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the test conditions included in the list of test conditions.
In a further aspect, the processor may be configured with processor-executable instructions to perform operations such that applying the behavior vector information structure to the lean classifier model to determine whether the device behavior is non-benign includes: applying the collected behavior information included in the behavior vector information structure to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the plurality of boosted decision stumps included in the lean classifier model; and comparing the weighted average to a threshold value. In a further aspect, the processor may be configured with processor-executable instructions to perform operations further including generating updated sigmoid parameters based on the normalized confidence value, and sending the updated sigmoid parameters to the server computing device.
In a further aspect, the processor may be configured with processor-executable instructions to perform operations further including receiving updated sigmoid parameters from the server computing device, determining a new normalized confidence value based on the updated sigmoid parameters, and classifying the device behavior based on the new normalized confidence value. In a further aspect, the processor may be configured with processor-executable instructions to perform operations such that receiving the full classifier model and the sigmoid parameters includes receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each boosted decision stump including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior is one of benign and non-benign.
Further aspect can include a kind of non-transitory for being stored thereon with processor executable software instruction and calculate Machine readable storage medium storing program for executing, the processor executable software instruction are configured such that the processor of computing device performs operation, The operation can include:Complete Classification device model and S-shaped parameter are received from server computing device;Based on the S-shaped parameter To determine normalization the value of the confidence;And classified based on the normalization the value of the confidence to equipment behavior.On the one hand, deposited The processor-executable instruction of storage is configured such that processor performs operation and further includes:By will be in the Complete Classification The finite state machine that device model includes is converted into lifting decision tree, to generate the list of lifting decision tree;And based on institute The lifting decision tree that the list of lifting decision tree includes is stated, to generate lean sorter model race, wherein based on described Normalization the value of the confidence includes to carry out classification to the equipment behavior:Behavior vector information structure is classified applied to the lean The first lean sorter model in device model race is to generate analysis result;And determine whether the behavior vector information knot Structure is applied to the second lean sorter model in the lean sorter model race, with based on the normalization the value of the confidence next life The analysis result of Cheng Xin.
On the other hand, the processor-executable instruction stored is configured such that processor performs operation, the behaviour Further include:Lean sorter model is generated based on the Complete Classification device model, and the processor stored can perform Instruction be configured such that processor performs operation so that based on it is described normalize the value of the confidence come to the equipment behavior into Row classification includes:Behavior vector information structure is applied to the lean sorter model to generate analysis result;And use The analysis result and the normalization the value of the confidence determine that the equipment behavior is benign or non-benign.
On the other hand, the processor-executable instruction stored is configured such that processor performs operation, makes The lean sorter model must be generated based on the Complete Classification device model to be included:By will be in the Complete Classification device mould The finite state machine that type includes is converted into multiple lifting decision trees, to generate the list of lifting decision tree;It is determined that commented Estimate to classify to the equipment behavior without excessive process resource, memory resource or the energy for consuming the computing device Measure multiple unique test conditions of resource;By sequentially traversing through the list of the lifting decision tree, and will be with each order The test condition that the lifting decision tree of traversal is associated is inserted into the list of the test condition, until the test condition Untill list includes the multiple unique test condition, to generate the list of test condition;And the generation lean grader Model with only include a test condition of the test in multiple test conditions for including of list of the test condition that A little lifting decision trees.
On the other hand, the processor-executable instruction stored is configured such that processor performs operation, institute Operation is stated to further include:The S-shaped parameter of renewal is generated based on the normalization the value of the confidence;And the S-shaped parameter by the renewal It is sent to the server computing device.On the other hand, the processor-executable instruction stored is configured such that processing Device performs operation, and the operation further includes:The S-shaped parameter of renewal is received from the server computing device;Based on the renewal S-shaped parameter determine new normalization the value of the confidence;And based on the new normalization the value of the confidence, to the equipment behavior Classify.
Further aspects include a mobile computing device having a processor configured with processor-executable instructions to perform the operations of the methods described above.
Further aspects include a non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor in a mobile device to perform the operations of the methods described above.
Further aspects include a system including: a mobile device including a device processor; and a server configured with server-executable instructions to perform operations including: receiving a corpus of information on mobile device behaviors; generating a finite state machine based on the corpus of information, the finite state machine including data suitable for conversion into a plurality of boosted decision trees, each boosted decision tree including a test condition and a weight value; and sending the finite state machine to the mobile device as a full classifier model. In an aspect, the device processor may be configured with processor-executable instructions to perform operations including receiving the full classifier model, generating a lean classifier model in the mobile device based on the received full classifier model, and using the lean classifier model to classify a behavior of the mobile device as benign or non-benign.
In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: converting the finite state machine included in the full classifier model into a list of boosted decision trees; determining a number of unique test conditions that should be evaluated to classify the behavior of the mobile device without consuming an excessive amount of the processing, memory, or energy resources of the mobile device; generating a list of test conditions by sequentially traversing the list of boosted decision trees and inserting the test condition associated with each sequentially traversed boosted decision tree into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision trees in the list of boosted decision trees that test one of the test conditions included in the list of test conditions.
In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that using the lean classifier model to classify the behavior of the mobile device includes: applying collected behavior information to each boosted decision tree in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision tree in the lean classifier model; and comparing the weighted average to a threshold value. In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: converting the finite state machine included in the full classifier model into a list of boosted decision trees; and generating a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees, the family of lean classifier models including the lean classifier model and a plurality of additional lean classifier models, each of the plurality of additional lean classifier models including a different number of unique test conditions.
In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes generating a plurality of lean classifier models, each lean classifier model including decision trees that test a first condition using different weight values and different threshold values. In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations further including recalculating the threshold values and weight values associated with the boosted decision trees in the plurality of lean classifier models.
In an aspect of the system, the server may be configured with server-executable instructions to perform operations such that each test condition in the plurality of test conditions is associated with a probability value that identifies the likelihood that its associated test condition will enable the mobile device to determine whether the computing device behavior is benign. In an aspect of the system, the server may be configured with server-executable instructions to perform operations further including organizing the boosted decision trees in the finite state machine based on the probability values before sending the finite state machine to the mobile device as the full classifier model.
Brief Description of the Drawings
The accompanying drawings, which are incorporated herein and constitute part of this specification, illustrate exemplary aspects of the claims and, together with the general description given above and the detailed description given below, serve to explain the features of the claims.
Fig. 1 is a communication system block diagram illustrating network components of an example telecommunication system suitable for use with the various aspects.
Fig. 2 is a block diagram illustrating example logical components and information flows in an aspect mobile device configured to determine whether a particular mobile device behavior is malicious, performance-degrading, suspicious, or benign.
Fig. 3 is a block diagram illustrating example components and information flows in an aspect system that includes a network server configured to work in conjunction with a mobile device to determine whether a particular mobile device behavior is malicious, performance-degrading, suspicious, or benign.
Fig. 4 is a block diagram illustrating example components and information flows in an aspect system that includes a mobile device configured to generate targeted and lean classifier models from a full classifier model without re-training the data, behavior vectors, or classifier models.
Fig. 5A is a process flow diagram illustrating an aspect mobile device method of generating a lean classifier model in the mobile device, the lean classifier model including a subset of the features and data points included in a full classifier model received from a network server.
Fig. 5B is a process flow diagram illustrating another aspect mobile device method of locally generating a lean classifier model in the mobile device.
Fig. 5C is a process flow diagram illustrating an aspect mobile device method of using a locally generated lean classifier model to classify a behavior of the mobile device.
Fig. 5D is a process flow diagram illustrating another aspect mobile device method of generating a lean classifier model in the mobile device.
Fig. 6A is a process flow diagram illustrating an aspect network server method of generating a full classifier model in the network server, the full classifier model including boosted decision trees suitable for use by a mobile device in generating more focused and lean classifier models.
Fig. 6B is a process flow diagram illustrating an example method suitable for generating a boosted decision tree classifier in accordance with various aspects.
Fig. 7 is a process flow diagram illustrating an aspect method of generating a classifier model that includes boosted decision trees.
Fig. 8 is an illustration of example boosted decision trees that may be generated by an aspect server processor and used by a mobile device processor to generate lean classifier models.
Fig. 9 is a block diagram illustrating example logical components and information flows in an observer module configured to perform dynamic and adaptive observations in accordance with an aspect.
Fig. 10 is a block diagram illustrating logical components and information flows in a computing system implementing observer daemons in accordance with another aspect.
Fig. 11 is a process flow diagram illustrating an aspect method for performing adaptive observations on a mobile device.
Figs. 12-16 are process flow diagrams illustrating methods of computing normalized confidence values using sigmoid parameters and using them for improved behavior analysis and classification in accordance with various aspects.
Fig. 17 is a component block diagram of a mobile device suitable for use in an aspect.
Fig. 18 is a component block diagram of a server device suitable for use in an aspect.
Detailed Description
The various aspects will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. References made to particular examples and implementations are for illustrative purposes and are not intended to limit the scope of the claims.
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any implementation described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other implementations.
In overview, the various aspects include network servers, mobile devices, systems, and methods for efficiently identifying, classifying, modeling, preventing, and/or correcting the conditions and/or mobile device behaviors that often degrade a mobile device's performance and/or power utilization levels over time. A network server may be configured to receive information on various conditions, features, behaviors, and corrective actions from a central database (e.g., the "cloud"), and use this information to generate a full classifier model (i.e., a data or behavior model) that describes a large corpus of behavior information in a format or structure that a mobile device can quickly convert into one or more lean classifier models.
In an aspect, the full classifier model may be a finite state machine description or representation of the large corpus of behavior information. In an aspect, the finite state machine may include information suitable for expression as a plurality of boosted decision trees. For example, the finite state machine may be an information structure that can be expressed as a family of boosted decision trees that collectively identify, describe, test, or evaluate all or many of the features and data points relevant to determining whether a mobile device behavior is benign or contributes to the degradation of the mobile device's performance over time. The network server may then send the full classifier model (i.e., an information structure that includes the finite state machine and/or the family of boosted decision trees, etc.) to the mobile device.
The mobile device may be configured to receive the full classifier model and use it to generate lean classifier models, or a family of lean classifier models, of varying levels of complexity (or "leanness"). To accomplish this, the mobile device may cull the robust family of boosted decision trees included in the full classifier model received from the network server (herein "full boosted decision tree classifier model") to generate a lean classifier model that includes a reduced number of boosted decision trees and/or evaluates a limited number of test conditions. This culling of the full boosted decision tree classifier model may be accomplished by: selecting a boosted decision tree; identifying all other boosted decision trees that depend on the same mobile device state, feature, behavior, or condition as the selected decision tree (and which can therefore be applied based on a single determination result); including in the lean classifier model the selected boosted decision tree and all of the identified other boosted decision trees that depend on the same mobile device state, feature, behavior, or condition; and repeating the process for a limited number of selected boosted decision trees not yet included in the lean classifier model. In this manner, a lean classifier model may be generated that includes all of the boosted decision trees that depend on a limited number of different mobile device states, features, behaviors, or conditions. The mobile device may then use this locally generated lean classifier model to quickly classify mobile device behaviors without consuming an excessive amount of its processing, memory, or energy resources.
In an aspect, the mobile device may perform the culling of the full boosted decision tree classifier model repeatedly, using different numbers of mobile device states, features, behaviors, or conditions, to generate a family of lean classifier models of varying degrees of leanness. The greater the number of different mobile device states, features, behaviors, or conditions used to create a lean classifier model, the more likely the model is to accurately identify malicious or suspicious behavior, but the more processing power it consumes. Therefore, in an aspect, the mobile device may be configured to routinely apply the leanest model in the family of lean classifier models (i.e., the model based on the fewest different mobile device states, features, behaviors, or conditions). If the results generated by the leanest classifier model are suspicious, the mobile device processor may apply a stronger (i.e., less lean) classifier model that evaluates more device states, features, behaviors, or conditions to determine whether the behavior can be identified as malicious or benign. If the results generated by applying the less lean classifier model are still suspicious, an even stronger (or even less lean) classifier model may be applied, and so on, until the behavior is definitively classified as malicious or benign.
By storing information on such behaviors and corrective actions in a central database (e.g., the "cloud"), and configuring mobile devices and network servers to work in conjunction with each other to use the information stored in the central database to intelligently and efficiently identify the factors that contribute to the degradation in performance and power utilization levels of each mobile device over time, the various aspects enable mobile devices to more accurately and efficiently identify and respond to performance-limiting and undesirable operating conditions of the mobile device.
In addition, by generating classifier models that include boosted decision trees in the network server and sending these classifiers/models to the mobile device, the various aspects allow the mobile device to quickly and efficiently generate lean (or more focused) classifier models in the mobile device by culling the number of boosted decision trees in the manner described above, without accessing training data or further communicating with the network server, central database, or cloud network/server. This significantly reduces the mobile device's dependence on the network, and further improves the performance and power consumption characteristics of the mobile device.
Many different cellular and mobile communication services and standards are available or contemplated in the future, all of which may implement and benefit from the various aspects. Such services and standards include, for example, third generation partnership project (3GPP), long term evolution (LTE) systems, third generation wireless mobile communication technology (3G), fourth generation wireless mobile communication technology (4G), global system for mobile communications (GSM), universal mobile telecommunications system (UMTS), 3GSM, general packet radio service (GPRS), code division multiple access (CDMA) systems (e.g., cdmaOne, CDMA2000), enhanced data rates for GSM evolution (EDGE), advanced mobile phone system (AMPS), digital AMPS (IS-136/TDMA), evolution-data optimized (EV-DO), digital enhanced cordless telecommunications (DECT), Worldwide Interoperability for Microwave Access (WiMAX), wireless local area network (WLAN), Wi-Fi Protected Access I & II (WPA, WPA2), and integrated digital enhanced network (iDEN). Each of these technologies involves, for example, the transmission and reception of voice, data, signaling, and/or content messages. It should be understood that any references to terminology and/or technical details related to an individual telecommunication standard or technology are for illustrative purposes only, and are not intended to limit the scope of the claims to a particular communication system or technology unless specifically recited in the claim language.
The terms "mobile computing device" and "mobile device" are used interchangeably herein to refer to any one or all of cellular telephones, smartphones, personal or mobile multimedia players, personal data assistants (PDAs), laptop computers, tablet computers, smartbooks, ultrabooks, palm-top computers, wireless electronic mail receivers, multimedia Internet-enabled cellular telephones, wireless gaming controllers, and similar personal electronic devices which include a memory and a programmable processor for which performance is important, and which operate under battery power such that power saving methods are of benefit. While the various aspects are particularly useful for mobile computing devices, such as smartphones, which have limited resources and run on battery power, the aspects are generally useful in any electronic device that includes a processor and executes application programs.
Generally, the performance and power efficiency of a mobile device degrade over time. Recently, anti-virus companies (e.g., McAfee, Symantec, etc.) have begun marketing mobile anti-virus, firewall, and security products that aim to slow this degradation. However, many of these solutions rely on the periodic execution of a computationally intensive scanning engine on the mobile device, which may consume many of the mobile device's processing and battery resources, slow or render the mobile device useless for extended periods of time, and/or otherwise degrade the user experience. In addition, these solutions are typically limited to detecting known viruses and malware, and do not address the multiple complex factors and/or interactions that often combine to contribute to a mobile device's degradation over time (e.g., when the performance degradation is not caused by viruses or malware). For these and other reasons, existing anti-virus, firewall, and security products do not provide adequate solutions for identifying the numerous factors that may contribute to a mobile device's degradation over time, for preventing mobile device degradation, or for efficiently restoring an aging mobile device to its original condition.
Various other solutions exist for modeling the behavior of processes or application programs executing on a computing device, using machine learning techniques, in order to detect malware. However, many of these solutions are not suitable for use on mobile devices because they require evaluating a very large corpus of data, are limited to evaluating an individual application program or process, or require the execution of computationally intensive processes in the mobile device. As such, implementing or executing such solutions in a mobile device may have a significant, negative, and/or user-perceivable impact on the responsiveness, performance, or power consumption characteristics of the mobile device. For these and other reasons, existing modeling and machine learning solutions are not well suited for use in the complex yet resource-constrained systems of modern mobile devices.
For example, existing machine learning-based solutions may include configuring a computing device to use a corpus of training data as input to derive a model that takes a feature vector as input. However, such solutions do not generate a full classifier model (or family of classifier models) that includes a finite state machine (or other similar information structure) suitable for conversion into, or expression as, a plurality of boosted decision trees that each include a test condition and a weight value. For at least this reason, a mobile device processor cannot use such solutions to quickly and efficiently generate a lean classifier model that includes a focused set of boosted decision trees for quickly and efficiently identifying, analyzing, and/or classifying mobile device behaviors without having a significant, negative, or user-perceivable impact on the responsiveness, performance, or power consumption characteristics of the mobile device.
Mobile devices are resource-constrained systems that have relatively limited processing, memory, and energy resources. Modern mobile devices are also complex systems, and it is often not feasible to evaluate all of the various data flows, data operations (reads, writes, data encoding, data transmissions, etc.), processes, components, behaviors, or factors (or combinations thereof) that may be malicious or otherwise contribute to the performance degradation of the mobile device. For these and other reasons, it is increasingly difficult for users, operating systems, and/or application programs (e.g., anti-virus software, etc.) to accurately and efficiently identify the sources of problems and/or to provide adequate remedies for identified problems. As a result, mobile device users currently have few remedies for preventing the degradation in performance and power utilization levels of a mobile device over time.
The various aspects include network servers, mobile devices, systems, and methods for efficiently identifying, classifying, modeling, preventing, and/or correcting the conditions and/or mobile device behaviors that often degrade a mobile device's performance and/or power utilization levels over time.
In an aspect, an observer process, daemon, module, or sub-system (herein collectively referred to as a "module") of the mobile device may instrument or coordinate various application programming interfaces (APIs), registers, counters, or other components (herein collectively "instrumented components") at various levels of the mobile device system. The observer module may continuously (or near continuously) monitor mobile device behaviors by collecting behavior information from the instrumented components. The mobile device may also include an analyzer module, and the observer module may communicate (e.g., via a memory write operation, function call, etc.) the collected behavior information to the analyzer module of the mobile device. The analyzer module may receive and use the behavior information to generate behavior vectors, generate spatial and/or temporal correlations based on the behavior vectors, and use this information to determine whether a particular mobile device behavior, sub-system, software application, or process is benign, suspicious, malicious, or performance-degrading.
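As an added illustration (not Qualcomm's code, and not drawn from the patent's figures), the following Python sketches what an observer-style aggregator of this kind does: it takes a constructed stream of events from instrumented APIs, windows them, and builds one behavior vector per application, including a simple temporal correlation (SMS sends shortly after a contacts read). The event format, API names, window length, and correlation rule are assumptions made for the example; the feature names are chosen to match the kind of test conditions a boosted decision tree would evaluate.

```python
"""Added example (not Qualcomm's code): observer-style aggregation of
instrumented API events into per-application behavior vectors.  Event format,
API names, window length and the correlation rule are constructed assumptions."""
from collections import defaultdict

# Constructed event stream from instrumented components: (t_seconds, app, api, arg)
EVENTS = [
    (0.0, "app.a", "readContacts", "250"),
    (1.0, "app.a", "sendTextMessage", "+15550001"),
    (2.0, "app.a", "sendTextMessage", "+15550002"),
    (4.0, "app.a", "sendTextMessage", "+15550003"),
    (40.0, "app.a", "openConnection", "203.0.113.9"),
    (41.0, "app.a", "write", "4096"),
    (3.0, "app.b", "sendTextMessage", "+15550009"),
    (50.0, "app.b", "write", "1048576"),
]


def behavior_vectors(events, window_seconds=60.0, correlate_seconds=10.0):
    """Aggregate the events inside the most recent window into one behavior
    vector per application.  Returns {} when there is nothing to observe."""
    if not events:
        return {}
    t_end = max(e[0] for e in events)
    by_app = defaultdict(list)
    for t, app, api, arg in sorted(events):
        if t > t_end - window_seconds:          # keep only the latest window
            by_app[app].append((t, api, arg))
    minutes = window_seconds / 60.0
    vectors = {}
    for app, evs in by_app.items():
        sms = [(t, arg) for t, api, arg in evs if api == "sendTextMessage"]
        reads = [t for t, api, _ in evs if api == "readContacts"]
        # Temporal correlation feature (assumed rule): SMS sent within
        # correlate_seconds after the app read the contacts database.
        sms_after_read = sum(
            1 for t, _ in sms if any(0 <= t - r <= correlate_seconds for r in reads))
        vectors[app] = {
            "sms_per_minute": len(sms) / minutes,
            "unique_sms_recipients": len({arg for _, arg in sms}),
            "sms_after_contacts_read": sms_after_read,
            "net_bytes_per_min": sum(int(arg) for _, api, arg in evs if api == "write") / minutes,
        }
    return vectors


if __name__ == "__main__":
    for app, vec in behavior_vectors(EVENTS).items():
        print(app, vec)
```

The per-application split matters for the analyzer: the same SMS rate means something different when every send follows a contacts read by a single app than when it is spread across several apps, and the correlation feature captures exactly that without changing the raw counters.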
The analyzer module may be configured to perform real-time behavior analysis operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or behavior models (herein collectively "classifier models") to the collected behavior information to determine whether a mobile device behavior is benign or non-benign (e.g., malicious or performance-degrading). Each classifier model may be a behavior model that includes information that can be used by the mobile device processor to evaluate a specific aspect of a mobile device behavior. Classifier models may be preinstalled on the mobile device, downloaded or received from the network server, generated in the mobile device, or any combination thereof. Classifier models may be generated by using machine learning and other similar techniques.
Each classifier model may be categorized as a full classifier model or a lean classifier model. A full classifier model may be a robust data model that is generated as a function of a large training dataset, which may include thousands of features and billions of entries. A lean classifier model may be a more focused data model that is generated from a reduced dataset that includes only the features/entries that are most relevant to determining whether a particular mobile device behavior is benign or non-benign (e.g., malicious or performance-degrading).
As mentioned above, there may be thousands of features/factors and billions of data points that require analysis to properly identify the cause or source of a mobile device's degradation. Therefore, each classifier model used by the analyzer module must be trained on a very large number of features, factors, and data points in order for the mobile device to make accurate decisions about whether a particular mobile device behavior is benign or non-benign (e.g., malicious or performance-degrading). Yet, because mobile devices are resource-constrained systems, it is often not feasible for the analyzer module to evaluate all of these features, factors, and data points. Therefore, it is important for the analyzer module to apply lean classifier models that focus on evaluating a targeted subset of all the features, factors, and data points that would otherwise require analysis when classifying a mobile device behavior.
The various aspects include mobile devices and network servers configured to work in conjunction with one another to intelligently and efficiently identify the features, factors, and data points that are most relevant to determining whether a mobile device behavior is benign or non-benign (e.g., malicious or performance-degrading). By generating classifier models that include boosted decision trees in the network server and sending these classifiers/models to the mobile device, the various aspects allow the mobile device to quickly and efficiently generate lean classifier models in the mobile device.
In various aspects, the network server may be configured to receive a large amount of information regarding mobile device behaviors, and the states, features, and conditions during or characterizing those behaviors, from a cloud service/network. This information may be in the form of a very large cloud corpus of mobile device behavior vectors. The network server may use this information to generate a full classifier model (i.e., a robust data/behavior model) that accurately describes the very large cloud corpus of behavior vectors. The network server may generate the full classifier model to include all or most of the features, data points, and/or factors that could contribute to the degradation over time of any one of a number of different mobile devices.
In an aspect, the network server may generate the full classifier model to include a finite state machine expression or representation, such as a boosted decision tree or family of boosted decision trees. This finite state machine expression or representation can be quickly and efficiently culled, modified, or converted into lean classifier models suitable for use or execution in a mobile device by applying a culling algorithm at the mobile device processor. The finite state machine expression or representation may be an information structure that includes test conditions, state information, state-transition rules, and other similar information. In an aspect, the finite state machine expression or representation may be an information structure that includes a large or robust family of boosted decision trees that evaluate or test conditions, features, factors, or aspects of a behavior of the mobile device.
Mobile equipment can be configured as from the webserver and receive Complete Classification device model, and complete using receiving Full sorter model carrys out local generation lean sorter model (that is, data/behavior model) in a mobile device.Mobile equipment can To reject the subset to lifting decision tree by one group of lifting decision tree in the Complete Classification device model for being included in receiving, Subset identification, test, assessment and/or depending on the reduce quantity or different mobile device status of limited quantity, feature, OK For or condition.This rejecting of the complete set to lifting decision tree can be completed by described below:Selection lifting decision tree; All other lifting decision tree of the identification depending on the mobile device status identical with selected decision tree, feature, behavior or condition (and therefore can be applied based on a definitive result);Include depending on identical mobile equipment in lean sorter model State, feature, the selected and all other lifting decision trees identified of behavior or condition;And repeat the process for The reduction quantity being not yet contained in lean sorter model/the selected lifting decision tree of limited quantity.By using difference For mobile device status, feature, behavior or the tested condition of quantity to repeat the process, can generate has essence in various degree The lean sorter model race of beneficial degree, the lean degree are determined by evaluated multiple states, feature, behavior or condition.Separately Outside, each lean sorter model in these lean sorter models can by some in identical feature or condition or Whole features or condition are tested or assessed as another lean sorter model, but use be assigned to test result, The different threshold values and/or different weights of feature or the importance of evaluation condition.In this way, generation or regeneration lean grader mould The process of type 
can include recalculating the threshold value and/or weight associated with decision tree.
Since these lean classifier models include a reduced subset of the states, features, behaviors or conditions that must be tested (compared to the full classifier model), the observer and/or analyzer modules may use them to quickly and accurately determine whether a mobile device behavior is benign or is contributing to the degradation of the mobile device's performance, without consuming an excessive amount of the mobile device's processing, memory or energy resources. As described above, the leanest model in the family of lean classifier models (i.e., the lean classifier model based on the fewest test conditions) may be applied routinely until a behavior is encountered that the model cannot classify as either benign or malicious (and which the model therefore classifies as suspicious), at which time a more robust (i.e., less lean) lean classifier model may be applied in an attempt to classify the behavior as either benign or malicious. Ever more robust lean classifier models within the generated family may be applied until a definitive classification of the behavior is achieved. In this manner, the observer and/or analyzer modules can strike a balance between efficiency and accuracy by limiting the use of the most complete but resource-intensive lean classifier models to situations in which a robust classifier model is needed to definitively classify a behavior.
In various aspects, the mobile device may be configured to generate one or more lean classifier models by converting a finite state machine representation/expression into boosted decision trees, culling the full set of boosted decision trees included in the full classifier model to a subset or subsets of boosted decision trees that depend on a limited number of different mobile device states, features, behaviors or conditions, and using the subset or subsets of boosted decision trees to intelligently monitor, analyze and/or classify mobile device behaviors. Using boosted decision trees allows the observer and/or analyzer modules to generate and apply lean data models without communicating with the cloud or a network service to re-train the data, which significantly reduces the mobile device's dependence on the network server and the cloud. This eliminates the feedback communications between the mobile device and the network server, which further improves the performance and power consumption characteristics of the mobile device.
A boosted decision tree is a one-level decision tree with exactly one node (and thus one test question or test condition) and a weight value, and is therefore well suited for use in the binary classification of data/behaviors. That is, applying a behavior vector to a boosted decision tree produces a binary answer (e.g., yes/no). For example, if the question/condition tested by a boosted decision tree is "is the frequency of Short Message Service (SMS) transmissions less than x per minute", applying a value of "3" to the boosted decision tree will result in either a "yes" answer (for "fewer than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions).
Boosted decision trees are efficient because they are very simple and primal (and thus do not require significant processing resources). Boosted decision trees are also highly parallelizable, so many trees can be applied or tested in parallel/at the same time (e.g., by multiple cores or processors in the mobile device).
As described below, a network server (or another computing device) may generate a full classifier model of the boosted decision tree type from another, more complex model of mobile device behaviors, such as a boosted decision tree model. Such a complex model may correlate the full (or nearly full) set of interactions among device states, operations and monitored nodes that characterize mobile device behavior in a sophisticated classification system. As mentioned above, a server or other computing device may generate a full, complex classifier model by applying machine learning techniques to generate a model that describes a cloud corpus of behavior vectors collected from a large number of mobile devices. As an example, a boosted decision tree classifier model may trace hundreds of paths through decision nodes of testable conditions to arrive at a determination of whether a current mobile device behavior is malicious or benign. Such complex models may be generated in the server using a number of known learning and correlation modeling techniques. While such complex models can become quite effective at accurately recognizing malicious behaviors by learning from the data of hundreds of mobile devices, their application to a particular mobile device's configuration and behaviors may require significant processing, particularly if the model involves complex, multi-level decision trees. Since mobile devices are typically resource-limited, using such models may impact device performance and battery life.
In order to render a robust classifier model more conducive to use by mobile devices, a server (e.g., a cloud server or the network server) or another computing device (e.g., the mobile device or a computer that will be coupled to the mobile device) may transform the complex classifier model into a large boosted decision tree model. The simpler determinations involved in decision trees and the ability to apply such classifier models in parallel processes may enable mobile devices to better benefit from the analyses performed by the network server. In addition, as discussed below, the mobile device may use a boosted decision tree full classifier model to generate a lean classifier model using the aspect methods described below.
In an aspect, the server or other computing device generating the boosted decision tree full classifier model may do so by following the aspect processes described in more detail below. Briefly, the server or other computing device may select a node in the full complex classifier model (e.g., a boosted decision tree model) and apply the model to determine the percentage of times the node predicts malicious behavior. In other words, the server or other computing device may select a branch of a node and follow all subsequent nodes and paths connected to that branch to determine the fraction of times the branch leads to a determination of malicious behavior. In an aspect, this fraction may be used to compute a "weight" factor for the node. For example, a decision node whose subsequent path leads to a conclusion of malicious behavior 80% of the time may be associated with a weight factor of 0.8, indicating that this single decision node is a reliable indicator of potentially malicious (and therefore suspicious) behavior. As another example, a decision node whose branches in the complex classifier model rarely lead to a conclusion of malicious behavior may be of little help in identifying malicious behavior, and may therefore be given a very low weight factor or priority.
In the process of tracing the results from each decision node, if the decision node is not binary (i.e., "yes" or "no"), the server or other computing device may apply various test conditions to each node. For example, the complex classifier model may accommodate a range of values (e.g., the number of SMS messages sent per minute), where the final conclusion depends on that value. However, a range of values is inconsistent with the binary nature of decision trees. Therefore, the server or other computing device may develop a series of binary decisions or tests for such a node that help characterize the condition by a value. For example, the server or other computing device may generate and test multiple threshold tests or conditions through the complex classifier model, such as "more than one", "more than ten" and "more than 100". Such threshold tests may be identified or selected by the server based on conclusions it can draw from studying the complex model. Each such threshold-based test may then be treated as a single decision tree, which can be tested to determine its predictive value and thereby its boosting factor.
By following this process through all of the decision nodes in the complex classifier model, the server or other computing device may transform a complex, multi-level decision model into a single-level model consisting of a large number of boosted decision trees. The server or other computing device may then prune the model by removing those decision trees whose value falls below a threshold, so as to remove test conditions that provide very little predictive or classification benefit (e.g., "is powered on").
While the number of such trees resulting in the full classifier model may be large, the binary nature of the trees may facilitate their application, particularly on resource-limited processors. In an aspect, the server or other computing device may provide the boosted decision tree full classifier model to mobile devices for their use.
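The conversion just described, as an added worked example that is not code from the patent or from Qualcomm: a constructed two-level decision tree is flattened into single-node boosted decision trees, each threshold test is weighted by the fraction of corpus behaviors passing it that the complex model calls malicious, and low-value tests (here a "powered_on" test) are pruned. The tree, the corpus, the feature names and the candidate thresholds are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed complex model: a two-level decision tree of the kind a server might
# learn from a cloud corpus. Internal nodes test  feature > threshold.
@dataclass
class Node:
    feature: Optional[str] = None   # None marks a leaf
    threshold: float = 0.0
    left: Optional[Node] = None     # taken when the test is false
    right: Optional[Node] = None    # taken when the test is true
    label: Optional[str] = None     # "malicious" or "benign" at a leaf


@dataclass(frozen=True)
class Stump:
    """A boosted decision tree: exactly one test condition plus one weight."""
    feature: str
    threshold: float
    weight: float   # fraction of passing corpus behaviors the complex model calls malicious
    support: int    # number of corpus behaviors that passed the test


def leaf(label: str) -> Node:
    return Node(label=label)


EXAMPLE_TREE = Node("sms_per_minute", 10,
    left=Node("premium_calls", 2, left=leaf("benign"), right=leaf("malicious")),
    right=Node("premium_calls", 0,
               left=Node("sms_per_minute", 100, left=leaf("benign"), right=leaf("malicious")),
               right=leaf("malicious")))

# Constructed corpus of behavior vectors, one dict per observed behavior.
CORPUS: List[Dict[str, float]] = [
    {"sms_per_minute": 0,   "premium_calls": 0, "powered_on": 1},
    {"sms_per_minute": 2,   "premium_calls": 0, "powered_on": 1},
    {"sms_per_minute": 5,   "premium_calls": 3, "powered_on": 1},
    {"sms_per_minute": 15,  "premium_calls": 0, "powered_on": 1},
    {"sms_per_minute": 15,  "premium_calls": 1, "powered_on": 1},
    {"sms_per_minute": 150, "premium_calls": 0, "powered_on": 1},
    {"sms_per_minute": 200, "premium_calls": 2, "powered_on": 1},
    {"sms_per_minute": 1,   "premium_calls": 0, "powered_on": 0},
    {"sms_per_minute": 0,   "premium_calls": 0, "powered_on": 1},
    {"sms_per_minute": 3,   "premium_calls": 1, "powered_on": 1},
]

# Candidate binary tests per ranged feature ("more than one", "more than ten",
# "more than 100" for the SMS rate), chosen here by hand.
THRESHOLDS = {"sms_per_minute": [1, 10, 100], "premium_calls": [0], "powered_on": [0]}


def classify(tree: Node, vector: Dict[str, float]) -> str:
    """Trace one path through the complex model down to its leaf label."""
    node = tree
    while node.feature is not None:
        node = node.right if vector[node.feature] > node.threshold else node.left
    return node.label


def stumps_from_tree(tree: Node, corpus, thresholds) -> List[Stump]:
    """Flatten the multi-level model into single-level boosted decision trees.
    For each (feature, threshold) test, apply the complex model to every corpus
    behavior satisfying the test; the fraction of those that end in a malicious
    conclusion becomes the stump's weight (0.8 means 80 %)."""
    stumps = []
    for feature, candidates in thresholds.items():
        for t in candidates:
            passing = [v for v in corpus if v[feature] > t]
            if not passing:
                continue
            malicious = sum(classify(tree, v) == "malicious" for v in passing)
            stumps.append(Stump(feature, t, malicious / len(passing), len(passing)))
    return stumps


def prune(stumps: List[Stump], min_weight: float) -> List[Stump]:
    """Drop tests whose weight falls below the threshold: tests that give little
    predictive benefit, such as "powered_on > 0", which nearly every behavior
    satisfies and which therefore barely separates benign from malicious."""
    return [s for s in stumps if s.weight >= min_weight]


def build_full_classifier(tree, corpus, thresholds, min_weight=0.5) -> List[Stump]:
    return sorted(prune(stumps_from_tree(tree, corpus, thresholds), min_weight),
                  key=lambda s: -s.weight)


if __name__ == "__main__":
    for s in build_full_classifier(EXAMPLE_TREE, CORPUS, THRESHOLDS):
        print(f"{s.feature} > {s.threshold}: weight {s.weight:.2f} ({s.support} samples)")
```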
The process of generating a large classifier model of boosted decision trees may be performed by a cloud server that analyzes inputs from many mobile devices and generates the full complex behavior classifier model, since such servers will have the processing resources and processing time to complete the analysis. However, as mentioned above, the aspect methods may also be performed by another computing device, even including a mobile device. In this aspect, a server (e.g., a cloud or network server) may deliver the full complex behavior classifier model to another computing device, which may then process the model as outlined above, and in further detail below, to convert it into a boosted decision tree model. For example, a personal computer that a user couples to his/her mobile device (e.g., via a wired or wireless data link) may download the full complex behavior classifier model and then perform the aspect methods to generate a large boosted decision tree model for use by the mobile device. As another example, a mobile device may download the full complex behavior classifier model and then perform the aspect methods, such as during a late-night period when the device is being charged and is not in use, to generate a large boosted decision tree model that it stores in memory. Since the process implemented by a server or by another computing device is very similar, the aspect methods are described in more detail below as being performed by a server. However, this description is for illustration purposes only and is not intended to limit the aspect methods to being performed on a server unless specifically so recited in the claims.
In a further aspect, the mobile device may be configured to use a received or self-generated large classifier model of boosted decision trees to build a lean classifier model by selecting a limited number of the factors tested in the decision trees, without accessing training data and without consuming an excessive amount of the mobile device's processing, memory or energy resources. The analyzer module may use the lean classifier model of selected boosted decision trees to identify malware and to classify device behaviors as malicious or benign. As described more fully below, the mobile device may generate a lean classifier model by: determining a number of features (e.g., 15) to be monitored and tested; selecting a first feature and incorporating into the lean classifier all boosted decision trees that include a test of that feature (e.g., all trees with a threshold test based on a value obtained from the monitored feature); and repeating this process until the number of features addressed in the lean classifier model equals the determined number. It is worth noting that the number of boosted decision trees in such a lean classifier model may substantially exceed the number of features.
In an aspect, the mobile device may be configured to receive a full classifier model that includes a finite state machine suitable for conversion into a plurality of boosted decision trees. The mobile device may generate a lean classifier model based on the full classifier model, which may be accomplished by converting the finite state machine of the full classifier model into boosted decision trees and using these boosted decision trees as the lean classifier model.
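The lean-model construction described above (grouping every boosted decision tree that tests a chosen feature, for a chosen number of features) and the cascade of progressively less lean models applied when the leanest one returns "suspicious", as an added worked example that is not code from the patent or from Qualcomm. The stumps, their weights, the feature priority order, the confidence bands and the two device snapshots are constructed assumptions; the observer in this example hands back only the features a model asks for, which is how the cascade also stands in for the observer collecting more detailed observations on request.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Stump:
    """A boosted decision tree: one test (feature > threshold) and one weight."""
    feature: str
    threshold: float
    weight: float


# Constructed full classifier model (thresholds and weights are illustrative).
FULL_MODEL = [
    Stump("sms_per_minute", 1, 0.57), Stump("sms_per_minute", 10, 0.75),
    Stump("sms_per_minute", 100, 1.0), Stump("premium_calls", 0, 0.75),
    Stump("camera_use_holstered", 0, 0.9), Stump("ipc_intents_per_minute", 20, 0.6),
    Stump("forks_per_minute", 50, 0.55),
]

# Assumed priority order in which features are added to lean models.
FEATURE_ORDER = ["sms_per_minute", "premium_calls", "camera_use_holstered",
                 "ipc_intents_per_minute", "forks_per_minute"]


def build_lean_model(full_model, feature_order, n_features) -> List[Stump]:
    """Take the first n_features features and pull in every stump that tests one
    of them, so a single observed value serves all stumps on that feature. The
    number of stumps can therefore exceed the number of features."""
    by_feature = defaultdict(list)
    for stump in full_model:
        by_feature[stump.feature].append(stump)
    lean = []
    for feature in feature_order[:n_features]:
        lean.extend(by_feature[feature])
    return lean


def build_lean_family(full_model, feature_order, sizes) -> List[List[Stump]]:
    """A family of lean models of increasing size, i.e. decreasing leanness."""
    return [build_lean_model(full_model, feature_order, n) for n in sizes]


def features_of(model) -> List[str]:
    return sorted({s.feature for s in model})


def classify(model, vector, benign_below=0.3, malicious_above=0.7) -> Tuple[str, float]:
    """Apply every stump as a yes/no test, sum the weights of the 'yes' answers
    and normalise by the model's total weight to a confidence in [0, 1]. A
    confidence in the middle band means the model cannot decide: suspicious."""
    total = sum(s.weight for s in model)
    score = sum(s.weight for s in model if vector[s.feature] > s.threshold) / total
    if score >= malicious_above:
        return "malicious", score
    if score <= benign_below:
        return "benign", score
    return "suspicious", score


def cascade(family, observe: Callable[[List[str]], Dict[str, float]], budget: int):
    """Run the leanest model first. On 'suspicious', ask the observer for only the
    extra features the next model needs (finer-grained observation) and retry.
    Stop on a definitive label, when the family is exhausted, or when the
    observation budget (features collected, a stand-in for processing and
    battery cost) would be exceeded. Returns (label, confidence, features seen)."""
    vector: Dict[str, float] = {}
    label, score = "suspicious", None
    for model in family:
        needed = [f for f in features_of(model) if f not in vector]
        if len(vector) + len(needed) > budget:
            break
        vector.update(observe(needed))
        label, score = classify(model, vector)
        if label != "suspicious":
            break
    return label, score, len(vector)


# Constructed device snapshots; the observer returns only the requested features.
ROUTINE_DEVICE = {"sms_per_minute": 2, "premium_calls": 0, "camera_use_holstered": 0,
                  "ipc_intents_per_minute": 5, "forks_per_minute": 10}
SPYING_DEVICE = {"sms_per_minute": 15, "premium_calls": 1, "camera_use_holstered": 1,
                 "ipc_intents_per_minute": 5, "forks_per_minute": 10}


def make_observer(device: Dict[str, float]):
    return lambda needed: {f: device[f] for f in needed}


if __name__ == "__main__":
    family = build_lean_family(FULL_MODEL, FEATURE_ORDER, [1, 3, 5])
    for name, dev in (("routine", ROUTINE_DEVICE), ("spying", SPYING_DEVICE)):
        print(name, cascade(family, make_observer(dev), budget=5))
```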
The various aspects may be implemented within a variety of communication systems, such as the example communication system 100 illustrated in FIG. 1. A typical cellular telephone network 104 includes a plurality of cell base stations 106 coupled to a network operations center 108, which operates to connect voice calls and data between mobile devices 102 (e.g., cell phones, laptop computers, tablet computers, etc.) and other network destinations, such as via telephone land lines (e.g., a POTS network, not shown) and the Internet 110. Communications between the mobile devices 102 and the telephone network 104 may be accomplished via two-way wireless communication links 112, such as 4G, 3G, CDMA, TDMA, LTE and/or other cellular telephone communication technologies. The telephone network 104 may also include one or more servers 114 coupled to, or within, the network operations center 108 that provide a connection to the Internet 110.
The communication system 100 may further include a network server 116 connected to the telephone network 104 and to the Internet 110. The connection between the network server 116 and the telephone network 104 may be through the Internet 110 or through a private network (as illustrated by the dashed arrows). The network server 116 may also be implemented as a server within the network infrastructure of a cloud service provider network 118. Communication between the network server 116 and the mobile devices 102 may be achieved through the telephone network 104, the Internet 110, a private network (not illustrated), or any combination thereof.
The network server 116 may send lean data/behavior models to the mobile device 102, which may receive and use the lean data/behavior models to identify suspicious or performance-degrading mobile device behaviors, software applications, processes, etc. The network server 116 may also send classification and modeling information to the mobile devices 102 to replace, update, create and/or maintain mobile device data/behavior models.
The mobile device 102 may collect behavioral, state, classification, modeling, success rate and/or statistical information in the mobile device 102, and send the collected information to the network server 116 (e.g., via the telephone network 104) for analysis. The network server 116 may use the information received from the mobile device 102 to update or refine the lean data/behavior models or the classification/modeling information to include a further targeted and/or reduced subset of features.
In an aspect, the mobile device 102 may be configured to use the collected behavioral, state, classification, modeling, success rate and/or statistical information to generate, update or refine the lean classifier models (or data/behavior models) to include a further targeted and/or reduced subset of features in the mobile device 102. This reduces the amount of feedback communication between the mobile device and the network server 116, and improves the performance and power consumption characteristics of the mobile device 102.
FIG. 2 illustrates example logical components and information flows in an aspect mobile device 102 configured to determine whether a particular mobile device behavior, software application or process is malicious/performance-degrading, suspicious or benign. In the example illustrated in FIG. 2, the mobile device 102 includes a behavior observer module 202, a behavior analyzer module 204, an external context information module 206, a classifier module 208 and an actuator module 210. In an aspect, the classifier module 208 may be implemented as part of the behavior analyzer module 204. In an aspect, the behavior analyzer module 204 may be configured to generate one or more classifier modules 208, each of which may include one or more classifiers.
Each of the modules 202-210 may be implemented in software, hardware, or any combination thereof. In various aspects, the modules 202-210 may be implemented within parts of the operating system (e.g., within the kernel, in the kernel space, in the user space, etc.), within separate programs or applications, in specialized hardware buffers or processors, or any combination thereof. In an aspect, one or more of the modules 202-210 may be implemented as software instructions executing on one or more processors of the mobile device 102.
The behavior observer module 202 may be configured to instrument or coordinate application programming interfaces (APIs) at various levels/modules of the mobile device, monitor/observe mobile device operations and events (e.g., system events, state changes, etc.) at the various levels/modules via the instrumented APIs, collect information pertaining to the observed operations/events, intelligently filter the collected information, generate one or more observations based on the filtered information, and store the generated observations in a memory (e.g., in a log file, etc.) and/or send (e.g., via memory writes, function calls, etc.) the generated observations to the behavior analyzer module 204.
The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library application programming interface (API) calls in an application framework or run-time libraries, system call APIs, file-system and networking sub-system operations, device (including sensor device) state changes, and other similar events. The behavior observer module 202 may also monitor file system activity, which may include searching for file names, categories of file accesses (personal information or normal data files), creating or deleting files (e.g., of type exe, zip, etc.), file read/access/seek operations, changing file permissions, etc.
The behavior observer module 202 may also monitor data network activity, which may include the types of connections, protocols, port numbers, the servers/clients that the device is connected to, the number of connections, the volume or frequency of communications, etc. The behavior observer module 202 may monitor telephone network activity, which may include monitoring the type and number of calls or messages (e.g., SMS, etc.) sent, received or intercepted (e.g., the number of premium calls placed).
The behavior observer module 202 may also monitor system resource usage, which may include monitoring the number of forks, memory access operations, the number of files open, etc. The behavior observer module 202 may monitor the state of the mobile device, which may include monitoring various factors, such as whether the display is on or off, whether the device is locked or unlocked, the amount of battery remaining, the state of the camera, etc. The behavior observer module 202 may also monitor inter-process communications (IPC) by, for example, monitoring intents to crucial services (browser, contracts provider, etc.), the degree of inter-process communication, pop-up windows, etc.
The behavior observer module 202 may also monitor/observe driver statistics and/or the status of one or more hardware components, which may include cameras, sensors, electronic displays, WiFi communication components, data controllers, memory controllers, system controllers, access ports, timers, peripheral devices, wireless communication components, external memory chips, voltage regulators, oscillators, phase-locked loops, peripheral bridges, and other similar components used to support the processors and clients running on the mobile computing device.
The behavior observer module 202 may also monitor/observe one or more hardware counters that denote the state or status of the mobile computing device and/or mobile device sub-systems. A hardware counter may include a special-purpose register of the processors/cores that is configured to store a count or state of hardware-related activities or events occurring in the mobile computing device.
The behavior observer module 202 may also monitor/observe actions or operations of software applications, software downloads from an application download server (e.g., an App Store server), mobile device information used by software applications, call information, text messaging information (e.g., SendSMS, BlockSMS, ReadSMS, etc.), media messaging information (e.g., ReceiveMMS), user account information, location information, camera information, accelerometer information, browser information, content of browser-based communications, content of voice-based communications, short-range radio communications (e.g., Bluetooth, WiFi, etc.), content of text-based communications, content of recorded audio files, phonebook or contact information, contacts lists, etc.
The behavior observer module 202 may monitor/observe transmissions or communications of the mobile device, including communications that include voicemail (VoiceMailComm), device identifiers (DeviceIDComm), user account information (UserAccountComm), calendar information (CalendarComm), location information (LocationComm), recorded audio information (RecordAudioComm), accelerometer information (AccelerometerComm), etc.
The behavior observer module 202 may monitor/observe the usage of, and updates/changes to, compass information, mobile device settings, battery life, gyroscope information, pressure sensors, magnet sensors, screen activity, etc. The behavior observer module 202 may monitor/observe notifications communicated to and from software applications (AppNotifications), application updates, etc. The behavior observer module 202 may monitor/observe conditions or events pertaining to a first software application requesting the download and/or installation of a second software application. The behavior observer module 202 may monitor/observe conditions or events pertaining to user verification, such as the entry of a password, etc.
The behavior observer module 202 may also monitor/observe conditions or events at multiple levels of the mobile device, including the application level, the radio level and the sensor level. Application-level observations may include observing the user via facial recognition software, observing social streams, observing notes entered by the user, observing events pertaining to the use of PassBook/Google Wallet/Paypal, etc. Application-level observations may also include observing events relating to the use of virtual private networks (VPNs) and events pertaining to synchronization, voice searches, voice control (e.g., locking/unlocking a phone by saying one word), language translators, the offloading of data for computation, video streaming, camera usage without user activity, microphone usage without user activity, etc.
Radio-level observations may include determining the presence, existence or amount of any one or more of: user interaction with the mobile device before establishing radio communication links or transmitting information, dual/multiple subscriber identity module (SIM) cards, Internet radio, mobile phone tethering, offloading data for computation, device state communications, use as a game controller or home controller, vehicle communications, mobile device synchronization, etc. Radio-level observations may also include monitoring the use of radios (WiFi, WiMax, Bluetooth, etc.) for positioning, peer-to-peer (p2p) communications, synchronization, vehicle-to-vehicle communications and/or machine-to-machine (m2m) communications. Radio-level observations may further include monitoring network traffic usage, statistics or profiles.
Sensor-level observations may include monitoring a magnet sensor or other sensors to determine the usage and/or external environment of the mobile device. For example, the mobile device processor may be configured to determine whether the phone is in a holster (e.g., via a magnet sensor configured to sense a magnet within the holster) or in the user's pocket (e.g., via the amount of light detected by a camera or light sensor). Detecting that the mobile device is in a holster may be relevant to recognizing suspicious behaviors because, for example, activities and functions related to active use by the user (e.g., taking photographs or videos, sending messages, conducting voice communications, recording sounds, etc.) occurring while the mobile device is holstered may be a sign of a malicious process executing on the device (e.g., to track or spy on the user).
Other examples of sensor-level observations related to usage or the external environment may include: detecting near-field communications (NFC); collecting information from a credit card scanner, barcode scanner or mobile tag reader; detecting the presence of a Universal Serial Bus (USB) power charging source; detecting that a keyboard or auxiliary device has been coupled to the mobile device; detecting that the mobile device has been coupled to a computing device (e.g., via USB, etc.); determining whether an LED, flash, flashlight or light source has been modified or disabled (e.g., maliciously disabling an emergency signaling application, etc.); detecting that a speaker or microphone has been turned on or powered; detecting a charging or power event; detecting that the mobile device is being used as a game controller, etc. Sensor-level observations may also include: collecting information from medical or healthcare sensors or from scanning the user's body; collecting information from an external sensor plugged into the USB/audio jack; collecting information from a tactile or haptic sensor (e.g., via a vibrator interface, etc.); collecting information pertaining to the thermal state of the mobile device, etc.
To reduce the number of monitored factors to a manageable level, in an aspect, the behavior observer module 202 may perform coarse observations by monitoring/observing an initial set of behaviors or factors that is a small subset of all the factors that could contribute to the mobile device's degradation. In an aspect, the behavior observer module 202 may receive the initial set of behaviors and/or factors from the network server 116 and/or a component in the cloud service or network 118. In an aspect, the initial set of behaviors/factors may be specified in the data/behavior models received from the network server 116 or the cloud service/network 118. In an aspect, the initial set of behaviors/factors may be specified in a reduced feature model (RFM).
The behavior analyzer module 204 and/or the classifier module 208 may receive the observations from the behavior observer module 202, compare the received information (i.e., the observations) with contextual information received from the external context information module 206, and identify subsystems, processes and/or applications associated with the received observations that are contributing (or are likely to contribute) to the device's degradation over time, or that may otherwise cause problems on the device.
In an aspect, the behavior analyzer module 204 and/or the classifier module 208 may include intelligence for using a limited set of information (i.e., coarse observations) to identify behaviors, processes or programs that are contributing (or are likely to contribute) to the device's degradation over time, or that may otherwise cause problems on the device. For example, the behavior analyzer module 204 may be configured to analyze information (e.g., in the form of observations) collected from various modules (e.g., the behavior observer module 202, the external context information module 206, etc.), learn the normal operational behavior of the mobile device, and generate one or more behavior vectors based on the results of the comparison. The behavior analyzer module 204 may send the generated behavior vectors to the classifier module 208 for further analysis.
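How coarse observations become a behavior vector, as an added worked example that is not code from the patent or from Qualcomm: a window of constructed observer events (device state, user input, SMS sends, a premium-rate call, camera and microphone use) is folded into the numeric features a classifier tests, including the holster heuristic described above (camera use while the device is holstered) and microphone use without user activity. The event format, the feature names and the idle threshold are assumptions made for this example.

```python
from collections import Counter
from typing import Dict, List, Tuple

IDLE_SECONDS = 30   # assumed: no user input for this long counts as "no user activity"
WINDOW_SECONDS = 120

# Constructed observer output: (seconds since window start, event kind, attributes).
# "State" events carry the device state the observer sees; all others are activity.
OBSERVATIONS: List[Tuple[int, str, dict]] = [
    (0,  "State",      {"screen_on": True,  "holstered": False}),
    (2,  "UserInput",  {}),
    (10, "SendSMS",    {}),
    (15, "SendSMS",    {}),
    (30, "State",      {"screen_on": False, "holstered": True}),
    (40, "CameraOpen", {}),                  # camera used while holstered
    (45, "MicOn",      {}),                  # microphone on, screen off, no recent input
    (50, "PlaceCall",  {"premium": True}),   # premium-rate call placed
    (60, "SendSMS",    {}),
    (70, "SendSMS",    {}),
    (80, "SendSMS",    {}),
    (90, "SendSMS",    {}),
]


def behavior_vector(events, window_seconds: int) -> Dict[str, float]:
    """Fold one window of coarse observations into the behavior vector a
    classifier tests. State events update the device context; activity events are
    counted, some only in a suspicious context (holstered, no user activity)."""
    state = {"screen_on": True, "holstered": False}
    last_input = None
    counts: Counter = Counter()
    for t, kind, attrs in sorted(events, key=lambda e: e[0]):
        if kind == "State":
            state.update(attrs)
        elif kind == "UserInput":
            last_input = t
        elif kind == "SendSMS":
            counts["sms"] += 1
        elif kind == "PlaceCall" and attrs.get("premium"):
            counts["premium_calls"] += 1
        elif kind == "CameraOpen" and state["holstered"]:
            counts["camera_use_holstered"] += 1
        elif kind == "MicOn":
            idle = last_input is None or t - last_input > IDLE_SECONDS
            if idle and not state["screen_on"]:
                counts["mic_use_without_user_activity"] += 1
    return {
        "sms_per_minute": counts["sms"] / (window_seconds / 60),
        "premium_calls": counts["premium_calls"],
        "camera_use_holstered": counts["camera_use_holstered"],
        "mic_use_without_user_activity": counts["mic_use_without_user_activity"],
    }


if __name__ == "__main__":
    print(behavior_vector(OBSERVATIONS, WINDOW_SECONDS))
```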
The classifier module 208 may receive the behavior vectors and compare them with one or more behavior models to determine whether a particular mobile device behavior, software application or process is performance-degrading/malicious, benign or suspicious.
When the classifier module 208 determines that a behavior, software application or process is malicious or performance-degrading, the classifier module 208 may notify the actuator module 210, which may perform various actions or operations to correct the mobile device behavior determined to be malicious or performance-degrading and/or perform operations to heal, cure, isolate or otherwise fix the identified problem.
When the classifier module 208 determines that a behavior, software application or process is suspicious, the classifier module 208 may notify the behavior observer module 202, which may adjust the granularity of its observations (i.e., the level of detail at which mobile device behaviors are observed) and/or change the behaviors that are observed based on the information received from the classifier module 208 (e.g., the results of the real-time analysis operations), generate or collect new or additional behavior information, and send the new/additional information to the behavior analyzer module 204 and/or the classifier module 208 for further analysis/classification. Such feedback communication between the behavior observer module 202 and the classifier module 208 enables the mobile device 102 to recursively increase the granularity of the observations (i.e., make finer or more detailed observations) or change the features/behaviors that are observed until a source of the suspicious or performance-degrading mobile device behavior is identified, until a processing or battery consumption threshold is reached, or until the mobile device processor determines that the source of the suspicious or performance-degrading mobile device behavior cannot be identified from further increases in observation granularity. Such feedback communication also enables the mobile device 102 to adjust or modify the data/behavior models locally in the mobile device without consuming an excessive amount of the mobile device's processing, memory or energy resources.
In an aspect, the behavior observer module 202 and the behavior analyzer module 204 may provide, either individually or collectively, real-time behavior analysis of the computing system's behaviors to identify suspicious behavior from limited and coarse observations, to dynamically determine which behaviors to observe in greater detail, and to dynamically determine the level of detail required for the observations. In this manner, the behavior observer module 202 enables the mobile device 102 to efficiently identify and prevent problems from occurring on the mobile device without requiring a large amount of processor, memory or battery resources on the device.
Figs. 3 and 4 illustrate example components and information flows in an aspect system 300 that includes a network server 116 configured to work in conjunction with a cloud service/network 118 to intelligently and efficiently identify actively malicious or poorly written software applications and/or suspicious or performance-degrading mobile device behaviors on the mobile device 102 without consuming an excessive amount of the mobile device's processing, memory or energy resources. In the example illustrated in Fig. 3, the network server 116 includes a cloud module 302, a model generator 304 module, and a training data module 306. The mobile device 102 includes a behavior observer module 202, a classifier module 208, and an actuator module 210. In an aspect, the classifier module 208 may be included in, or be part of, the behavior analyzer module 204 (illustrated in Fig. 2). In an aspect, the model generator 304 module may be a real-time online classifier.
The cloud module 302 may be configured to receive a large amount of information from the cloud service/network 118 and to generate a full or robust data/behavior model that includes all or most of the features, data points and/or factors that could contribute to the degradation of a mobile device over time.
The model generator 304 module may be configured to generate lean data/behavior models based on the full model generated in the cloud module 302. In an aspect, generating the lean data/behavior models may include generating one or more reduced feature models (RFMs) that include a subset of the features and data points included in the full model generated by the cloud module 302. In an aspect, the model generator 304 may generate a lean data/behavior model that includes an initial feature set (for example, an initial reduced feature model) containing the information determined to have the highest probability of enabling the classifier module 208 to conclusively determine whether a particular mobile device behavior is benign or malicious/performance-degrading. The model generator 304 may send the generated lean models to the behavior observer module 202.
The behavior observer module 202 may monitor/observe mobile device behaviors based on the received model, generate observations, and send the observations to the classifier module 208. The classifier module 208 may perform real-time analysis operations, which may include applying the data/behavior models to the behavior information collected by the behavior observer module 202 to determine whether a mobile device behavior is benign, suspicious, or malicious/performance-degrading. The classifier module 208 may determine that a mobile device behavior is suspicious when it does not have sufficient information to classify the behavior or to conclusively determine that the behavior is either benign or malicious.
When the classifier module 208 determines that a device behavior is suspicious, the classifier module 208 may be configured to communicate the results of its real-time analysis operations to the behavior observer module 202. The behavior observer module 202 may adjust the granularity of its observations (that is, the level of detail at which mobile device behaviors are observed) and/or change the behaviors that are observed based on the information received from the classifier module 208 (for example, based on the results of the real-time analysis operations), generate or collect new or additional behavior information, and send the new/additional information to the classifier module for further analysis/classification (for example, in the form of new models). In this manner, the mobile device 102 may recursively increase the granularity of the observations (that is, make finer or more detailed observations) or change the features/behaviors that are observed until the source of a suspicious or performance-degrading mobile device behavior is identified, until a processing or battery consumption threshold is reached, or until the mobile device processor determines that the source of the suspicious or performance-degrading mobile device behavior cannot be identified by further increasing the observation granularity.
The mobile device 102 may send the results of its operations and/or the success rates associated with the application of the models to the network server 116. The network server 116 may generate training data (for example, via the training data module 306) based on the results/success rates for use by the model generator 304. The model generator may generate updated models based on the training data and send the updated models to the mobile device 102.
In the example illustrated in Fig. 4, there is no feedback communication between the mobile device 102 and the network server 116. Rather, the mobile device 102 includes a lean model generator module 402 that is configured to generate focused/targeted behavior models based on the full or more robust model generated in the full model generator 404 and received from the network server 116. That is, the network server 116 may be configured to send a full classifier model to the mobile device 102, and the mobile device 102 may be configured to generate lean classifier models based on the full classifier model. This can be accomplished without consuming an excessive amount of the mobile device's processing or battery resources because of the use of boosted decision trees in (or included in) the classifier models. That is, by generating classifier models in the network server 116 that consist of boosted decision trees, and sending these classifiers/models to the mobile device 102, the various aspects allow the lean model generator module 402 to quickly and efficiently generate lean (or more focused) classifier models in the mobile device 102 by culling the number of boosted decision trees included in the full classifier model, without accessing the training data and without further communication with the network server 116 or the cloud network/server 118. This significantly reduces the mobile device's dependence on network communications and further improves the performance and power consumption characteristics of the mobile device 102.
Fig. 5A illustrates an aspect method 500 of generating lean or focused classifier/behavior models in the mobile device (for example, models generated in the model generator module 402, etc.). Method 500 may be performed by a processing core in the mobile device.
In block 502 of method 500, the processing core may receive a full classifier model that is, or includes, a finite state machine, a list of boosted decision trees, or another similar information structure. In an aspect, the full classifier model includes a finite state machine that includes information suitable for expressing a plurality of boosted decision trees and/or information suitable for conversion by the mobile device into a plurality of boosted decision trees. In an aspect, the finite state machine may be (or may include) an ordered or prioritized list of boosted decision trees. Each of the boosted decision trees may include a test condition and a weight value.
As described above, a boosted decision tree is a one-level decision tree that has exactly one node (and therefore one test question or test condition) and a weight value, and is therefore well suited for use in the binary classification of data/behaviors. This means that applying a feature vector or behavior vector to a boosted decision tree results in a binary answer (for example, "yes" or "no"). For example, if the question/condition tested by a boosted decision tree is "is the frequency of SMS transmissions less than x per minute," then applying the value "3" to the boosted decision tree will result in either a "yes" answer (for "fewer than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions).
Returning to Fig. 5A, in block 504 of method 500 the processing core may determine the number of unique test conditions that should be evaluated to accurately classify a mobile device behavior as malicious or benign without consuming an excessive amount of the mobile device's processing, memory or energy resources. This may include determining the amount of processing, memory and/or energy resources available in the mobile device, the amount of the mobile device's processing, memory or energy resources required to test the conditions, the priority and/or complexity associated with the behaviors or conditions that are to be analyzed or evaluated in the mobile device by the test conditions, and selecting/determining the number of unique test conditions so as to strike a balance or tradeoff between the consumption of the mobile device's available processing, memory or energy resources, the accuracy of the behavior classification achieved according to the test conditions, and the importance or priority of the behaviors tested by the conditions.
In block 506, the processing core may traverse the list of boosted decision trees from the beginning in order to populate a list of selected test conditions with the determined number of unique test conditions. In an aspect, the processing core may also determine an absolute or relative priority value for each of the selected test conditions, and store the absolute or relative priority value in association with its corresponding test condition in the list of selected test conditions.
In block 508, the processing core may generate a lean classifier model that includes all of the boosted decision trees in the full classifier model that test one of the selected test conditions in the list of selected test conditions. In an aspect, the processing core may generate the lean classifier model so that it includes or expresses the boosted decision trees in order of importance or priority value.
In optional block 510, the number of unique test conditions may be increased in order to generate another, more robust (that is, less lean) lean classifier model by repeating the operations of traversing the list of boosted decision trees for the larger number of test conditions in block 506 and generating another lean classifier model in block 508. These operations may be repeated to generate a family of lean classifier models.
Fig. 5B illustrates another aspect method 511 of generating data models in the mobile device. Method 511 may be performed by a processing core in the mobile device. In block 512 of method 511, the processing core may receive a full classifier model that includes a finite state machine. The finite state machine may be an information structure that includes information suitable for conversion into a plurality of boosted decision trees. In block 514, the processing core may convert the finite state machine included in the full classifier model into boosted decision trees that include test conditions and weight values.
In an aspect, in block 512, the processing core may also compute or determine a priority value for each of the boosted decision trees generated from the finite state machine. The processing core may determine the priorities of the boosted decision trees so as to balance the tradeoffs between the consumption of the mobile device's processing, memory or energy resources, the accuracy of the behavior classification, and so on. The processing core may also determine the priorities of the boosted decision trees based on their associated weight values, the relative or predicted importance of the test conditions for accurately classifying a behavior, and so on.
Also in block 512, the processing core may generate a first list (or other information structure) that includes, references, identifies and/or organizes the boosted decision trees generated from the finite state machine in accordance with their priorities and/or in order of their importance. For example, the processing core may generate the first list as an ordered list in which the tree with the highest priority is the first item, followed by the tree with the next highest priority value, and so on. This order of importance may also take into account information collected from the cloud corpus, as well as information specific to the device on which the culling algorithm is being executed.
In block 516, the processing core may compute or determine the number of unique test conditions (that is, the mobile device states, features, behaviors or conditions that can be tested in the boosted decision trees) that should be evaluated when applying the lean classifier model. Computing or determining this number of unique test conditions may involve striking a balance or tradeoff between the consumption of the mobile device's processing, memory or energy resources required to apply the model and the accuracy of the behavior classification to be achieved by the lean classifier model. Such a determination may include determining the amount of processing, memory and/or energy resources available in the mobile device, determining the priority and/or complexity associated with the behavior to be analyzed, and balancing the available resources against the priority and/or complexity of the behavior.
In block 518, the processing core may generate a second list by sequentially traversing the first list of boosted decision trees and inserting the test condition value associated with each traversed boosted decision tree into the second list. The processing core may continue traversing the first list and inserting values into the second list until the length of the second list is equal to the determined number of unique test conditions, or until the second list includes all of the determined number of unique test conditions.
In block 520, the processing core may generate a lean classifier model based on the boosted decision trees included in the first list. In an aspect, the processing core may generate the lean classifier model so that it includes only those boosted decision trees that test one of the test conditions included in the second list (that is, the list of test conditions generated in block 518).
In optional block 522, the number of unique test conditions may be increased in order to generate another, more robust (that is, less lean) lean classifier model by repeating the operations of traversing the list of boosted decision trees for the larger number of test conditions in block 518 and generating another lean classifier model in block 520. These operations may be repeated to generate a family of lean classifier models.
Fig. 5C illustrates an aspect method 524 of using a lean classifier model to classify a behavior of the mobile device. Method 524 may be performed by a processing core in the mobile device.
In block 526 of method 524, the processing core may perform observations to collect behavior information from the various components that are instrumented at the various levels of the mobile device system. In an aspect, this may be accomplished via the behavior observer module 202 discussed above with reference to Fig. 2. In block 528, the processing core may generate a behavior vector that characterizes the observations, the collected behavior information and/or a mobile device behavior. Also in block 528, the processing core may use a full classifier model received from the network server to generate a lean classifier model, or a family of lean classifier models, of varying levels of complexity (or "leanness"). To accomplish this, the processing core may cull the family of boosted decision trees included in the full classifier model to generate lean classifier models that include a reduced number of boosted decision trees and/or evaluate a limited number of test conditions.
In block 529, the processing core may select the leanest classifier in the family of lean classifier models (that is, the model based on the fewest number of different mobile device states, features, behaviors or conditions) that has not yet been evaluated or applied by the mobile device. In an aspect, this may be accomplished by the processing core selecting the first classifier model in an ordered list of classifier models.
In block 530, the processing core may apply the collected behavior information or behavior vector to each boosted decision tree in the selected lean classifier model. Because the boosted decision trees are binary decisions, and because the lean classifier model is generated by selecting many binary decisions that are based on the same test conditions, the process of applying the behavior vector to the boosted decision trees in the lean classifier model may be performed as a parallel operation. Alternatively, the behavior vector applied in block 530 may be truncated or filtered so that it includes only the limited number of test condition parameters included in the lean classifier model, thereby further reducing the amount of computation required to apply the model.
In block 532, the processing core may compute or determine a weighted average of the results of applying the collected behavior information to each boosted decision tree in the lean classifier model. In block 534, the processing core may compare the computed weighted average with a threshold value. In determination block 535, the processing core may determine whether the result of this comparison and/or the results generated by applying the selected lean classifier model are suspicious. For example, the processing core may determine whether these results can be used to classify the behavior as either malicious or benign with a high degree of confidence, and if not, treat the behavior as suspicious.
If the processing core determines that the results are suspicious (for example, determination block 535 = "Yes"), the processing core may repeat the operations in blocks 529-534 to select and apply a stronger (that is, less lean) classifier model that evaluates more device states, features, behaviors or conditions, until the behavior is classified as malicious or benign with a high degree of confidence. If the processing core determines that the results are not suspicious (for example, determination block 535 = "No"), such as by determining that the behavior can be classified as either malicious or benign with a high degree of confidence, then in block 536 the processing core may use the result of the comparison generated in block 534 to classify the behavior of the mobile device as benign or potentially malicious.
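Blocks 529-536 of method 524 as a runnable sketch. This is an added example written for this page, not code from the patent or from Qualcomm: the feature names, thresholds, weights, the three-model family and the behavior vectors are all constructed, and the confidence test in block 535 is realised as a symmetric margin around zero on the weighted average (my choice; the patent only says "high degree of confidence"). One caveat the method text leaves implicit is handled explicitly here: the family is finite, so when even the most robust model is undecided the loop must stop and report the behavior as still suspicious rather than spin.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Behavior = Dict[str, float]


@dataclass(frozen=True)
class Stump:
    """A boosted decision tree as described in the text: one test condition, one weight."""
    feature: str       # device state/feature being tested, e.g. "sms_per_min"
    threshold: float   # test condition: observed value > threshold ?
    weight: float      # vote weight assigned by the boosting process


def stump_vote(stump: Stump, behavior: Behavior) -> float:
    """+1 when the test condition holds (the tree answers 'malicious'), else -1."""
    return 1.0 if behavior[stump.feature] > stump.threshold else -1.0


def weighted_average(model: List[Stump], behavior: Behavior) -> float:
    """Block 532: weighted average of the binary answers, in [-1, +1].
    Every tree is an independent binary test, so the votes could be computed in parallel."""
    total_weight = sum(s.weight for s in model)
    return sum(s.weight * stump_vote(s, behavior) for s in model) / total_weight


def classify_with_model(model: List[Stump], behavior: Behavior, margin: float = 0.5) -> Tuple[str, float]:
    """Blocks 534-535: compare the weighted average with a threshold and decide whether
    the answer is confident enough.  |score| < margin is reported as 'suspicious'."""
    score = weighted_average(model, behavior)
    if score >= margin:
        return "malicious", score
    if score <= -margin:
        return "benign", score
    return "suspicious", score


def classify_cascade(family: List[List[Stump]], behavior: Behavior, margin: float = 0.5) -> Tuple[str, int, float]:
    """Blocks 529-536: family is ordered leanest first; escalate to the next, less lean
    model while the result is suspicious.  Returns (label, index of model used, score).
    If the most robust model is still undecided the label stays 'suspicious'."""
    label, idx, score = "suspicious", -1, 0.0
    for idx, model in enumerate(family):
        label, score = classify_with_model(model, behavior, margin)
        if label != "suspicious":
            break
    return label, idx, score


# Constructed family of lean models (not from the patent): the first model tests one
# unique condition (sms_per_min), the second adds net_tx_5min, the third adds cpu_pct.
_SMS = [Stump("sms_per_min", 3, 0.6), Stump("sms_per_min", 10, 0.4)]
_TX = [Stump("net_tx_5min", 10, 0.5), Stump("net_tx_5min", 100, 0.5)]
_CPU = [Stump("cpu_pct", 80, 0.3)]
LEAN_FAMILY: List[List[Stump]] = [_SMS, _SMS + _TX, _SMS + _TX + _CPU]

# Constructed behavior vectors (not from the patent).
B_FLOOD = {"sms_per_min": 20, "net_tx_5min": 150, "cpu_pct": 90}        # decided by the leanest model
B_IDLE = {"sms_per_min": 0, "net_tx_5min": 1, "cpu_pct": 5}             # decided by the leanest model
B_CHATTY_UPLOADER = {"sms_per_min": 5, "net_tx_5min": 200, "cpu_pct": 50}  # needs the second model
B_UNRESOLVED = {"sms_per_min": 5, "net_tx_5min": 50, "cpu_pct": 90}     # suspicious even at full depth

if __name__ == "__main__":
    for name, b in [("flood", B_FLOOD), ("idle", B_IDLE),
                    ("chatty uploader", B_CHATTY_UPLOADER), ("unresolved", B_UNRESOLVED)]:
        print(name, classify_cascade(LEAN_FAMILY, b))
```

The "unresolved" vector is the case a deployment has to plan for: after the last model the device has spent its whole budget and still has no confident answer, which is where the feedback loop to the behavior observer (finer observations, or a battery threshold) takes over.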
In the alternative aspect method 540 illustrated in Fig. 5D, the operations described above with reference to blocks 518 and 520 may be accomplished by: sequentially selecting a boosted decision tree that is not yet in the lean classifier model; identifying all other boosted decision trees that depend on the same mobile device state, feature, behavior or condition as the selected decision tree (and that can therefore be applied based on a single determination); including in the lean classifier model the selected boosted decision tree and all of the other boosted decision trees that depend on the same mobile device state, feature, behavior or condition; and repeating the process a number of times equal to the determined number of test conditions. Because all of the boosted decision trees that depend on the same test condition as the selected boosted decision tree are added to the lean classifier model each time, limiting the number of times this process is performed limits the number of test conditions included in the lean classifier model.
As illustrated in Fig. 5D, in block 542 the processing core may compute or determine the number (N) of unique test conditions (that is, the mobile device states, features, behaviors or conditions that can be tested in the boosted decision trees) that should be evaluated in the lean classifier model. Computing or determining this number of unique test conditions may involve striking a balance or tradeoff between the consumption of the mobile device's processing, memory or energy resources required to apply the model and the accuracy of the behavior classification to be achieved by the lean classifier model. Such a determination may include determining the amount of processing, memory and/or energy resources available in the mobile device, determining the priority and/or complexity associated with the behavior to be analyzed, and balancing the available resources against the priority and/or complexity of the behavior.
In block 544, the processing core may set the value of a loop count variable to zero (0), or otherwise initiate a loop that will be performed the determined number N of times. In block 546, the processing core may select a boosted decision tree that is included in, or generated from, the full set of boosted decision trees and is not included in the lean classifier model list. The first time through the loop there will be no boosted decision trees in the lean classifier model list, so the first boosted decision tree will be selected. As mentioned herein, the full classifier model may be configured so that the first boosted decision tree in the full set has the highest probability of recognizing malicious or benign behavior. In block 548, the processing core may determine the test condition associated with the selected decision tree. In block 550, the processing core may identify all of the decision trees included in, or generated from, the full classifier model that depend on, include, or test the same test condition as the test condition of the selected decision tree. In block 552, the processing core may add the selected boosted decision tree and all of the identified boosted decision trees that depend on, include or test the same test condition to the lean classifier model list.
In block 554, the processing core may increment the value of the loop count variable. In determination block 556, the processing core may determine whether the value of the loop count variable is greater than or equal to the number N of unique test conditions determined in block 542. When the processing core determines that the value of the loop count variable is not greater than or equal to the number of unique test conditions (that is, determination block 556 = "No"), the processing core may repeat the operations in blocks 546-554. When the processing core determines that the value of the loop count variable is greater than or equal to the number of unique test conditions (that is, determination block 556 = "Yes"), then in block 558 the processing core may generate the lean classifier model so that it includes all of the boosted decision trees in the lean classifier model list.
This method 540 may be used multiple times, varying the number N of unique test conditions in the lean classifier model, to generate a family of lean classifier models of differing degrees of robustness or leanness. For example, in optional block 560 the mobile device processor may increase the number N of unique test conditions determined in block 542 in order to generate another lean classifier model that incorporates more test conditions. In optional determination block 562, the processor may determine whether the increased number N exceeds a maximum number of test conditions (max N). The maximum number of test conditions may be determined (for example, by a developer, a service provider, a user, or via an algorithm) based on the maximum performance penalty or resource investment that is acceptable for evaluating behaviors that are difficult to classify. If the increased number N is less than the maximum number max N (that is, determination block 562 = "No"), the operations of blocks 544-560 described above may be repeated to generate another lean classifier model. Once the maximum number of unique test conditions has been included in a lean classifier model (that is, determination block 562 = "Yes"), the process of generating lean classifier models may end.
While Figs. 5A, 5B and 5D describe generating a family of lean classifier models by repeatedly traversing the entire full set of boosted decision trees, similar results may be achieved by starting from a generated lean classifier model (that is, the model generated in any of blocks 508, 520 and 558) and traversing the full set of boosted decision trees for an added number of test conditions, adding to the model those boosted decision trees that depend on test conditions not yet included in the generated lean classifier model.
Also, while Figs. 5A, 5B and 5D describe generating the family of lean classifier models from the leanest to the most robust, the lean classifier models may equally be generated from the most robust to the leanest simply by starting with the maximum number of test conditions (for example, N = max N) and reducing the number each time.
Fig. 6A illustrates an aspect method 600 of generating a full classifier in a server or the cloud. Method 600 may be performed by a processing core in a server computing device coupled to the cloud network.
In block 602, the processing core may gather a corpus of behavior data from many mobile devices, including a large number of device states, configurations and behaviors, and information regarding whether malicious behavior was detected. In block 604, the processing core may identify the particular binary questions/test conditions that can be tested within the device states, configurations and behaviors in the corpus of behavior data. In order to characterize all of the device states, configurations and behaviors, a large number of such binary questions/test conditions will typically be identified. Then, in block 606, for each identified binary question, the processing core may test the database to determine the fraction or percentage of the instances of malicious behavior that correspond to one or the other answer to the binary question. In block 608, the processing core may select the binary question with the highest correspondence to malicious behavior as the first decision tree, with a weight value determined based on the corresponding percentage. In block 610, the processing core may boost the weights of the misclassified samples/test conditions, as described below with reference to Fig. 6B.
The processing core of the server may then repeat the process of scanning through the binary questions, assuming that the answer to the first question is the value that does not correspond to malicious behavior (for example, "no"), to identify the question that, in that case, has the highest correspondence to malicious behavior. That question is then set as the second binary question in the model, with its weight value determined based on its corresponding percentage. The processing core of the server then repeats the scan of the binary questions -- assuming that the answers to the first and second questions/test conditions are the values that do not correspond to malicious behavior (for example, "no") -- to identify the next question/test condition that, in that case, has the highest correspondence to malicious behavior. That question/test condition is then the third binary question/test condition in the model, with its weight value determined based on its corresponding percentage. This process is continued through all of the identified binary questions/test conditions to build the full set.
In generating the binary questions/test conditions, the server may evaluate data that has a range (for example, a frequency of communications, or a number of communications within a preceding time interval) and formulate a series of binary questions/test conditions that encompass the range in a manner that helps classify the behavior. Thus, one binary question/test condition might be whether the device has sent more than zero data transmissions within the preceding five minutes (which may have a low correlation), a second binary question/test condition might be whether the device has sent more than 10 data transmissions within the preceding five minutes (which may have a medium correlation), and a third question/test condition might be whether the device has sent more than 100 data transmissions within the preceding five minutes (which may have a high correlation).
Some culling of the final set of questions/test conditions may be done by the server before the full classifier set is sent to the mobile device, such as to remove those questions/test conditions whose determined weight or correlation to malicious behavior is below a threshold value (for example, below statistical significance). For example, if the correlation to malicious behavior is about 50/50, there may be little benefit in using that decision tree, because neither answer helps to answer the question of whether the current behavior is malicious or benign.
Fig. 6B illustrates an example boosting method 620 suitable for generating a boosted decision tree/classifier that is suitable for use in accordance with the various aspects. In operation 622, the processor may generate and/or execute a decision tree/classifier, collect training samples from the execution of the decision tree/classifier, and generate a new classifier model (h1(x)) based on the training samples. The training samples may include information collected from previous observations or analyses of mobile device behaviors, software applications or processes in the mobile device. The training samples and/or the new classifier model (h1(x)) may be generated based on the types of questions or test conditions included in the previous classifier and/or based on the accuracy or performance characteristics collected from the execution/application of previous data/behavior models or classifiers in the classifier module 208 of the behavior analyzer module 204. In operation 624, the processor may boost (or increase) the weights of the entries that were misclassified by the generated decision tree/classifier (h1(x)) to generate a second new tree/classifier (h2(x)). In an aspect, the training samples and/or the new classifier model (h2(x)) may be generated based on the error rate of a previous execution or use of the classifier (h1(x)). In an aspect, the training samples and/or the new classifier model (h2(x)) may be generated based on the attributes determined to have contributed to the error rate or to the misclassification of data points in the previous execution or use of the classifier.
In an aspect, the misclassified entries may be weighted based on their relative accuracy or effectiveness. In operation 626, the processor may boost (or increase) the weights of the entries that were misclassified by the generated second tree/classifier (h2(x)) to generate a third new tree/classifier (h3(x)). In operation 628, the operations of 624-626 may be repeated to generate "t" new trees/classifiers (ht(x)).
By boosting or increasing the weights of the entries that were misclassified by the first decision tree/classifier (h1(x)), the second tree/classifier (h2(x)) may more accurately classify the entities that were misclassified by the first decision tree/classifier (h1(x)), but may also misclassify some of the entities that were correctly classified by the first decision tree/classifier (h1(x)). Similarly, the third tree/classifier (h3(x)) may more accurately classify the entities that were misclassified by the second decision tree/classifier (h2(x)), while misclassifying some of the entities that were correctly classified by the second decision tree/classifier (h2(x)). That is, generating the family of trees/classifiers h1(x)-ht(x) may not result in a system that converges as a whole, but instead results in a number of decision trees/classifiers that may be executed in parallel.
Fig. 7 shows the exemplary method 700 of generation sorter model, which includes lifting decision tree, and It can be used for intelligent and efficient in the case where not consuming excessive process resource, memory resource or the energy resource of mobile equipment It is suspicious or performance degradation in software application that is ground identification active malice or writing bad and/or mobile equipment 102 Mobile equipment behavior.In the operation 1 of method 700, the offline grader in the webserver can be based on from cloud service/network The information received generates complete or sane sorter model.For example, Complete Classification device can include 40 (40) of test 100 lifting decision trees of a unique conditions.In the operation 2 of method 700, Complete Classification device model can be sent to movement Analyzer/classifier modules 208 in equipment 102.In the operation 3 of method 700, analyzer/classifier modules 208 can be with base Generated in analysis Complete Classification device model to lift one group of lean data/behavior model grader of form of decision tree.This can To be realized by performing " combined feature selection function and rejecting " operation, which allows mobile equipment:Lean mould in generating run Type is without accessing cloud training data;Each application dynamically reconfigures grader to strengthen classification accuracy;And Specify the certainty complexity for each grader (for example, O (blaze))." combined feature selection function and rejecting " operation can be with Including performing feature selecting operation.
Fig. 8 shows an exemplary boosted decision tree 800 that, in one aspect, may be generated by a server processor and used by a device processor to generate a lean classifier model in a mobile device. In the example shown in Fig. 8, boosted decision tree 800 includes multiple decision nodes W1-W4, each of which includes a question or test condition (e.g., F1, F3, F5) that, when executed or implemented by a processor, may produce a decisive binary answer (e.g., true or false, malicious or benign, etc.). Each decision node W1-W4 may be associated with a weight value.
Fig. 8 also shows a method 802 of performing the "joint feature selection and culling" operation discussed above with reference to Fig. 7. Method 802 may include the analyzer module of the mobile device determining that it needs to generate a lean classifier that tests two unique conditions, in which case the feature selection operation may include traversing the list of 100 boosted decision trees until the first two unique conditions (e.g., F1 and F3 in Fig. 8) are found. The analyzer/classifier module 208 may then test only the conditions identified by the feature selection operation (e.g., F1 and F3), which may be achieved by traversing the entire list of 100 boosted decision trees and deleting any tree that tests a different condition (e.g., F5). The remaining boosted decision trees (i.e., the trees testing conditions "F1" and "F3") may be used as the lean classifier without retraining on the data. The analyzer/classifier module 208 may apply the behavior information to each of the remaining boosted decision trees (i.e., the trees testing conditions "F1" and "F3"), compute a weighted average of all the answers received from the remaining trees, and use the weighted average to determine whether the mobile device behavior is malicious or benign.
Once the boosted decision trees have been generated by the feature selection and culling process, the selected decision trees may be used as a classifier or behavior model against which the current device state, settings, and behavior can be compared. Since the decision trees are independent binary tests, the behavior analysis process that compares an observed behavior (which may be summarized as a behavior vector) against the model can be performed in parallel. Further, since the trees are very simple (essentially binary), executing each tree requires very little processing and can therefore be completed quickly with little processing overhead. Each decision tree may provide an answer with a weight value, and the final decision about whether the behavior is malicious or benign may be determined as the weighted sum of all the results, which is also simple to compute.
The weights associated with the nodes may be calculated based on information collected from previous observations or from an analysis of mobile device behaviors, software applications, or processes in the mobile device. The weight associated with each node may also be calculated based on how many units of the data corpus (e.g., the cloud corpus of data or behavior vectors) were used to build the boosted decision tree.
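The joint feature selection and culling procedure of Figs. 7 and 8, followed by the weighted-average vote of the surviving trees, as an added illustration (this is example code written for this page, not the patent's or Qualcomm's implementation). Each boosted tree is reduced to a single binary test on one feature; the six-tree, three-condition full model, the weights and the behavior vectors are all constructed stand-ins for the 100-tree, 40-condition model the text describes:

```python
"""Added example: lean classifier generation by "joint feature selection and
culling" over a list of boosted decision trees, then classification by the
weighted average of the surviving trees' answers. Trees, weights and
behavior vectors are constructed for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stump:
    feature: str      # the test condition this tree evaluates, e.g. "F1"
    threshold: float  # binary test: feature value > threshold
    weight: float     # weight of this tree's answer in the vote

    def vote(self, behavior):
        # 1 = non-benign answer, 0 = benign answer for this single tree
        return 1 if behavior.get(self.feature, 0.0) > self.threshold else 0


# Constructed "full" classifier: 6 trees testing 3 unique conditions.
FULL_MODEL = [
    Stump("F1", 0.5, 0.9), Stump("F3", 2.0, 0.7), Stump("F5", 1.0, 0.4),
    Stump("F1", 0.8, 0.5), Stump("F5", 3.0, 0.6), Stump("F3", 1.0, 0.3),
]


def select_features(full_model, n_features):
    """Feature selection: walk the tree list in order and collect the first
    n_features unique test conditions (F1 and F3 in the Fig. 8 example)."""
    selected = []
    for tree in full_model:
        if tree.feature not in selected:
            selected.append(tree.feature)
            if len(selected) == n_features:
                break
    return selected


def cull(full_model, selected):
    """Culling: delete every tree that tests a condition outside the
    selected set. No retraining is needed; the weights are kept as-is."""
    keep = set(selected)
    return [t for t in full_model if t.feature in keep]


def build_lean_model(full_model, n_features):
    return cull(full_model, select_features(full_model, n_features))


def score(model, behavior):
    """Weighted average of all tree answers, a value in [0, 1]."""
    total = sum(t.weight for t in model)
    return sum(t.weight * t.vote(behavior) for t in model) / total


def classify(model, behavior, threshold=0.5):
    """Final decision from the weighted vote (threshold is an assumption)."""
    return "non-benign" if score(model, behavior) > threshold else "benign"


if __name__ == "__main__":
    lean = build_lean_model(FULL_MODEL, 2)
    print([t.feature for t in lean])              # trees testing F1 and F3 only
    print(classify(lean, {"F1": 1.0, "F3": 0.0}))  # non-benign
```

Because every surviving tree is an independent binary test, `score` could evaluate the trees in parallel and still produce the same weighted average; the sequential loop here is only for readability.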
Fig. 9 shows example logical components and information flows in a behavior observer module 202 of a computing system configured to perform dynamic and adaptive observations according to one aspect. The behavior observer module 202 may include an adaptive filter module 902, a throttle module 904, an observer mode module 906, a high-level behavior detection module 908, a behavior vector generator 910, and a secure buffer 912. The high-level behavior detection module 908 may include a spatial correlation module 914 and a temporal correlation module 916.
The observer mode module 906 may receive control information from various sources, which may include an analyzer module (e.g., the behavior analyzer module 204 described above with reference to Fig. 2) and/or an application API. The observer mode module 906 may send control information about the various observer modes to the adaptive filter module 902 and the high-level behavior detection module 908.
The adaptive filter module 902 may receive data/information from multiple sources and intelligently filter the received information to generate a smaller subset of information selected from the received information. The filter may be adapted based on information or control received from the analyzer module, or from a higher-level process communicating through the API. The filtered information may be sent to the throttle module 904, which may be responsible for controlling the amount of information flowing out of the filter to ensure that the high-level behavior detection module 908 does not become flooded or overloaded with requests or information.
The high-level behavior detection module 908 may receive data/information from the throttle module 904, control information from the observer mode module 906, and context information from other components of the mobile device. The high-level behavior detection module 908 may use the received information to perform spatial and temporal correlations in order to detect or identify high-level behaviors that may cause the device to perform at sub-optimal levels. The results of the spatial and temporal correlations may be sent to the behavior vector generator 910, which may receive the correlation information and generate a behavior vector describing the behaviors of a particular process, application, or subsystem. In one aspect, the behavior vector generator 910 may generate the behavior vector such that each high-level behavior of the particular process, application, or subsystem is an element of the behavior vector. In one aspect, the generated behavior vector may be stored in the secure buffer 912. Examples of high-level behavior detection may include detecting the presence of a particular event, the amount or frequency of another event, the relationship between multiple events, the order in which events occur, time differences between the occurrence of certain events, etc.
In various aspects, the behavior observer module 202 may perform progressive remodeling and control the observation granularity. That is, the behavior observer module 202 may dynamically identify the relevant behaviors to be observed and dynamically determine the level of detail at which the identified behaviors are to be observed. In this manner, the behavior observer module 202 enables the system to monitor the behaviors of the mobile device at various levels (e.g., multiple coarse and fine levels). The behavior observer module 202 may enable the system to adapt to what is being observed. The behavior observer module 202 may enable the system to dynamically change the factors/behaviors being observed based on a focused subset of information obtained from a wide variety of sources.
As described above, the behavior observer module 202 may perform adaptive observation techniques and control the observation granularity based on information received from various sources. For example, the high-level behavior detection module 908 may receive information from the throttle module 904 and the observer mode module 906, and receive context information from other components (e.g., sensors) of the mobile device. As an example, a high-level behavior detection module 908 performing temporal correlation may detect that the camera has been used and that the mobile device is attempting to upload a picture to a server. The high-level behavior detection module 908 may also perform spatial correlation to determine whether an application on the mobile device took the photo while the device was in a holster and attached to the user's belt. The high-level behavior detection module 908 may further determine whether this detected high-level behavior (e.g., using the camera while in a holster) is an acceptable or common behavior, which may be achieved by comparing the current behavior with past behaviors of the mobile device and/or with access information collected from multiple devices (e.g., information received from a crowd-sourcing server). Since taking pictures while in a holster and uploading them to a server is an uncommon behavior (as may be determined from the normal behaviors observed while in a holster), in this case the high-level behavior detection module 908 may recognize it as a potentially threatening behavior and initiate an appropriate response (e.g., shutting down the camera, sending an alarm, etc.).
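The camera-in-holster scenario above, as an added detection example (written for this page; it is not the patent's or Qualcomm's code). Temporal correlation pairs a camera-open event with an upload that follows it within a window, spatial correlation consults the sensor-derived "holstered" intervals, and the combined high-level behavior is compared against a baseline rate of past observations. The event names, the sensor-context format, the window and the baseline rate are all assumptions; the event log is constructed.

```python
"""Added example: temporal + spatial correlation of device events into a
high-level behavior ("camera used, then upload, while holstered") and a
comparison against a baseline of observed behavior. All inputs are
constructed; event names and thresholds are assumptions."""
from collections import namedtuple

Event = namedtuple("Event", "ts app name")   # ts in seconds

# Constructed event log from the observer (two apps, two camera/upload pairs).
EVENTS = [
    Event(100.0, "gallery", "camera_open"),
    Event(103.0, "gallery", "upload_start"),
    Event(200.0, "app.x", "camera_open"),
    Event(201.5, "app.x", "upload_start"),
]

# Constructed sensor context: intervals during which the device was holstered
# (e.g. proximity sensor covered and belt-clip detected).
HOLSTERED = [(190.0, 260.0)]

# Constructed baseline: fraction of past camera uses that happened while
# holstered, as learned from this device's history or a crowd-sourced corpus.
BASELINE_HOLSTERED_RATE = 0.01


def temporal_correlate(events, window):
    """Per app, find camera_open followed by upload_start within `window` s."""
    hits = []
    last_camera = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.name == "camera_open":
            last_camera[e.app] = e.ts
        elif e.name == "upload_start" and e.app in last_camera:
            if e.ts - last_camera[e.app] <= window:
                hits.append((e.app, last_camera[e.app], e.ts))
    return hits


def holstered_at(ts, intervals):
    return any(start <= ts <= end for start, end in intervals)


def spatial_correlate(hits, intervals):
    """Attach the spatial context (holstered or not) at the camera-open time."""
    return [(app, t_cam, t_up, holstered_at(t_cam, intervals))
            for app, t_cam, t_up in hits]


def detect(events, intervals, window=5.0, rare_below=0.05):
    """Return (app, verdict, high_level_behavior) per correlated pair.
    A behavior is flagged when it occurred holstered and the baseline says
    that is rare; the caller decides the response (close camera, alert)."""
    findings = []
    pairs = spatial_correlate(temporal_correlate(events, window), intervals)
    for app, t_cam, t_up, in_holster in pairs:
        behavior = "camera_then_upload"
        if in_holster:
            behavior += "_while_holstered"
        if in_holster and BASELINE_HOLSTERED_RATE < rare_below:
            findings.append((app, "potential_threat", behavior))
        else:
            findings.append((app, "common", behavior))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, HOLSTERED):
        print(finding)
```

The output of `detect` is the kind of element the text says the behavior vector generator 910 would fold into a behavior vector; the verdict itself stays a coarse signal so that the analyzer, not the observer, makes the final classification.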
In one aspect, the behavior observer module 202 may be implemented in multiple parts.
Fig. 10 illustrates in more detail the logical components and information flows in a computing system 1000 implementing an observer daemon according to one aspect. In the example shown in Fig. 10, computing system 1000 includes a behavior detector 1002 module, a database engine 1004 module, and the behavior analyzer module 204 in user space, and a ring buffer 1014, a filter rules 1016 module, a throttling rules 1018 module, and a secure buffer 1020 in kernel space. The computing system 1000 may also include an observer daemon that includes the behavior detector 1002 and the database engine 1004 in user space, and a secure buffer manager 1006, a rules manager 1008, and a system health monitor 1010 in kernel space.
The various aspects may provide cross-layer observations on mobile devices encompassing webkit, SDK, NDK, kernel, drivers, and hardware in order to characterize system behavior. The behavior observations may be made in real time.
The observer module may perform adaptive observation techniques and control the observation granularity. As described above, there are a large number (i.e., thousands) of factors that may contribute to the degradation of the mobile device, and monitoring/observing all of the different factors that may contribute to the degradation of the device's performance may be infeasible. To overcome this, the various aspects dynamically identify the relevant behaviors to be observed and dynamically determine the level of detail at which the identified behaviors are to be observed.
Fig. 11 shows an exemplary method 1100 for performing dynamic and adaptive observations according to one aspect. In block 1102, the mobile device processor may perform coarse observations by monitoring/observing a subset of the large number of factors/behaviors that may contribute to the degradation of the mobile device. In block 1103, the mobile device processor may generate a behavior vector characterizing the coarse observations and/or the mobile device behavior based on the coarse observations. In block 1104, the mobile device processor may identify subsystems, processes, and/or applications associated with the coarse observations that may potentially contribute to the degradation of the mobile device. This may be achieved, for example, by comparing information received from multiple sources with context information received from sensors of the mobile device. In block 1106, the mobile device processor may perform behavior analysis operations based on the coarse observations. In one aspect, as part of blocks 1103 and 1104, the mobile device processor may perform one or more of the operations discussed above with reference to Figs. 2-10.
In determination block 1108, the mobile device processor may determine whether suspicious behaviors or potential problems can be identified and corrected based on the results of the behavior analysis. When the mobile device processor determines that suspicious behaviors or potential problems can be identified and corrected based on the results of the behavior analysis (i.e., determination block 1108 = "Yes"), in block 1118 the processor may initiate a process to correct the behavior and return to block 1102 to perform additional coarse observations.
When the mobile device processor determines that suspicious behaviors or potential problems cannot be identified and/or corrected based on the results of the behavior analysis (i.e., determination block 1108 = "No"), in determination block 1109 the mobile device processor may determine whether there is a likelihood of a problem. In one aspect, the mobile device processor may determine whether there is a likelihood of a problem by computing the probability of the mobile device encountering potential problems and/or engaging in suspicious behaviors, and determining whether the computed probability is greater than a predetermined threshold. When the mobile device processor determines that the computed probability is not greater than the predetermined threshold and/or that suspicious behaviors or potential problems are unlikely to exist and/or be detectable (i.e., determination block 1109 = "No"), the processor may return to block 1102 to perform additional coarse observations.
When the mobile device processor determines that suspicious behaviors or potential problems are likely to exist and/or be detectable (i.e., determination block 1109 = "Yes"), in block 1110 the mobile device processor may perform deeper logging/observations, or final logging, on the identified subsystems, processes, or applications. In block 1112, the mobile device processor may perform deeper and more detailed observations on the identified subsystems, processes, or applications. In block 1114, the mobile device processor may perform further and/or deeper behavior analysis based on the deeper and more detailed observations. In determination block 1108, the mobile device processor may again determine whether the suspicious behaviors or potential problems can be identified and corrected based on the results of the deeper behavior analysis. When the mobile device processor determines that the suspicious behaviors or potential problems cannot be identified and corrected based on the results of the deeper behavior analysis (i.e., determination block 1108 = "No"), the processor may repeat the operations in blocks 1110-1114 until the level of detail is fine enough to identify the problem, or until it is determined that the problem cannot be identified with additional detail or that no problem exists.
When the mobile device processor determines that the suspicious behaviors or potential problems can be identified and corrected based on the results of the deeper behavior analysis (i.e., determination block 1108 = "Yes"), in block 1118 the mobile device processor may perform operations to correct the problem/behavior, and the processor may return to block 1102 to perform additional operations.
In one aspect, as part of blocks 1102-1118 of method 1100, the mobile device processor may perform real-time behavior analysis of the system's behaviors to identify suspicious behaviors from limited and coarse observations, to dynamically determine the behaviors to observe in greater detail, and to dynamically determine the precise level of detail required for the observations. This enables the mobile device processor to efficiently identify and prevent problems without using large amounts of processor, memory, or battery resources on the device.
As described above, the various aspects include methods, and computing devices configured to implement the methods, for using behavior-based and machine learning techniques to efficiently identify, classify, model, prevent, and/or correct the conditions and behaviors that often degrade a computing device's performance, power utilization levels, network usage levels, security, and/or privacy over time. To achieve this, the computing device may perform real-time behavior monitoring and analysis operations, which may include monitoring the activities of one or more software applications operating on the computing device (e.g., by monitoring API calls at the hardware, driver, kernel, NDK, SDK, and/or Webkit levels, etc.), generating a behavior vector information structure ("behavior vector") that characterizes all or a subset of the monitored activities of the one or more software applications, applying the generated behavior vector to a machine learning classifier model ("classifier model") to generate behavior vector information structure analysis results, and using the analysis results to classify the behavior vector (and thus the activities characterized by that vector and/or the software application associated with the monitored activities) as benign or non-benign.
Also as discussed above, the various aspects include methods of generating a classifier model in a computing device, which may include receiving a full classifier model from a server computing device, using the full classifier model to generate a list of boosted decision trees (e.g., by converting a finite state machine included in the full classifier model into multiple boosted decision trees, each of which includes a test condition and a weight value, etc.), and generating a lean classifier model (or a family of lean classifier models) based on the boosted decision trees included in the list of boosted decision trees. The computing device may use these locally generated lean classifier models to evaluate a targeted subset of the features included in the full classifier model, such as the features determined to be most relevant to classifying behaviors in that specific computing device. In some embodiments, the computing device may use the lean classifier model by performing operations that include applying the behavior information included in a behavior vector information structure to the boosted decision trees included in the lean classifier model, computing a weighted average of the results of applying the collected behavior information to each boosted decision tree in the lean classifier model, and comparing the weighted average to a threshold value to determine whether the mobile device behavior is non-benign. In other words, applying the behavior vector to the classifier model may generate an analysis result in the form of a numeric value (P) between zero (0) and one (1). Depending on how the computing device is configured, a value close to zero (e.g., 0.1) may indicate that the behavior represented by the behavior vector is benign, and a value close to 1 (e.g., 0.9) may indicate that the behavior is non-benign (or vice versa).
The leanest classifier in the family of lean classifier models (i.e., the lean classifier model that includes the fewest decision nodes or evaluates the fewest test conditions) may be applied routinely until a behavior (or behavior vector) is encountered that the model cannot classify as benign or non-benign, at which point a more robust (i.e., less lean) lean classifier model may be selected and applied in an attempt to classify the behavior as benign or malicious. That is, to conserve resources, the computing device processor may first apply the behavior vector to a lean classifier model that evaluates a small subset (e.g., 20 features) of all the available features/factors (sometimes called a "reduced feature model" or "RFM"), and then use progressively larger classifier models until the processor determines with a high degree of confidence that the behavior is benign or non-benign (e.g., until the resulting numeric value P is below a lower threshold or above an upper threshold).
For example, the computing device may first apply the behavior vector to a classifier model that evaluates 20 features (i.e., RFM-20). If the analysis result is below a first threshold (e.g., P < 0.1), the computing device may classify the behavior as benign with high confidence and without further analysis. Similarly, if the analysis result is above a second threshold (e.g., P > 0.9), the computing device may classify the behavior as non-benign with high confidence and without further analysis. On the other hand, when the analysis result falls between the first threshold and the second threshold (e.g., 0.1 <= P <= 0.9), the computing device may not be able to classify the behavior as benign or non-benign with (sufficiently) high confidence. In this case, the computing device may apply the behavior vector to a larger classifier model (e.g., RFM-40, a classifier model that evaluates 40 features) to generate a new analysis result, and repeat the operations discussed above. The computing device may repeat these operations until the analysis results indicate with high confidence that the behavior is benign or non-benign (e.g., until P < 0.1 || P > 0.9).
Although the above system is generally effective, the numeric value (P) is not always a true probability value. As a result, this numeric value (P) may not always accurately represent the likelihood that a behavior is benign or non-benign. This is because, to compute P, the system may first need to compute a confidence value (c) using a formula such as the one given in the specification. Because of the distinctive behaviors of benign and non-benign applications, confidence values (c) computed using that formula are likely to cluster around one of two extremes, very close to 1 or very close to 0. As a result, using the above formula may yield results that are highly aggregated around the two extremes (i.e., the resulting P values may be very close to 1 or very close to 0).
In view of these facts, the computing device may be configured to use sigmoid parameters (α and β) to compute a normalized confidence value (c^), and to use the normalized confidence value (c^) to better determine whether to classify a behavior as benign or non-benign and whether to continue evaluating the behavior (e.g., whether to select a more robust classifier model, etc.).
In one aspect, the computing device may be configured to compute the normalized confidence value (c^) using the following formula:
As shown in the formula above, the normalized confidence value (c^) may be defined in terms of the sigmoid parameters α and β and the original confidence value (c). The computing device may be configured to perform operations that implement the above formula to compute the normalized confidence value (c^). The computing device may use the normalized confidence value (c^) to determine whether to select a larger or more robust classifier model, or whether the current analysis result indicates that the behavior can be classified as benign or non-benign with a sufficiently high degree of confidence.
By using the normalized confidence value (c^), the computing device may reduce the number of misclassified vectors, reduce the number of false positives, reduce the number of false negatives, and reduce the number of times a behavior is classified as suspicious and requires further analysis using a more robust classifier model. As a result, the computing device may classify device behaviors more accurately and efficiently, better determine whether a behavior is benign or non-benign, and more efficiently determine whether to perform additional analysis, such as selecting and using a larger or more robust classifier model, that will lead to a more accurate classification of the device behavior.
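The RFM cascade described two paragraphs above (RFM-20, then RFM-40, with the P < 0.1 / P > 0.9 thresholds) and the normalized-confidence gate of this passage, as one added example that serves both (this is illustrative code written for this page, not the patent's or Qualcomm's implementation). The page does not reproduce its formulas for c or c^, so both forms used here are assumptions: c = |2P - 1| (how far P is from the undecided midpoint) and c^ = 1 / (1 + exp(-α(c - β))) (a logistic curve driven by the sigmoid parameters). The two reduced feature models are constructed stand-ins that return P for a behavior vector, and the gate value 0.5 is likewise an assumption:

```python
"""Added example: cascading lean classifier models, deciding after each
model either by fixed thresholds on P or by a gate on a normalized
confidence c^ derived from sigmoid parameters alpha and beta. The forms of
c and c^ are assumptions (the page's formulas are not reproduced); the
models are constructed stand-ins."""
import math


def raw_confidence(p):
    # Assumption: distance of P from the undecided midpoint, in [0, 1].
    return abs(2.0 * p - 1.0)


def normalized_confidence(c, alpha, beta):
    # Assumption: logistic normalization parameterised by alpha and beta.
    return 1.0 / (1.0 + math.exp(-alpha * (c - beta)))


def cascade(models, vector, lower=0.1, upper=0.9,
            alpha=None, beta=None, gate=0.5):
    """models: list of (name, fn), leanest first, fn(vector) -> P in [0, 1].
    Without alpha/beta a result is accepted only when P < lower or P > upper
    (the fixed-threshold rule). With alpha/beta it is accepted when the
    normalized confidence c^ reaches `gate`. Returns (verdict, P, model)."""
    p, name = None, None
    for name, fn in models:
        p = fn(vector)
        if alpha is None:
            confident = p < lower or p > upper
        else:
            confident = normalized_confidence(raw_confidence(p), alpha, beta) >= gate
        if confident:
            return ("benign" if p < 0.5 else "non-benign", p, name)
    # Every model in the family was tried without reaching confidence.
    return ("undecided", p, name)


# Constructed stand-in reduced feature models: RFM-20 "sees" two features,
# RFM-40 sees four; each returns a weighted-vote style value P.
def rfm20(vector):
    return 0.5 * vector.get("f1", 0) + 0.5 * vector.get("f2", 0)


def rfm40(vector):
    return 0.25 * sum(vector.get(k, 0) for k in ("f1", "f2", "f3", "f4"))


MODELS = [("RFM-20", rfm20), ("RFM-40", rfm40)]


if __name__ == "__main__":
    v = {"f1": 1, "f2": 0, "f3": 0, "f4": 0}   # constructed behavior vector
    print(cascade(MODELS, v))                            # undecided by thresholds
    print(cascade(MODELS, v, alpha=10.0, beta=0.3))      # resolved at RFM-40
```

With the fixed thresholds, the vector `v` stays in the 0.1..0.9 band for both models and is left undecided, i.e. it would be flagged as suspicious and need yet more analysis; with α = 10 and β = 0.3 the gate rejects the RFM-20 result (P = 0.5 gives c^ close to 0) but accepts the RFM-40 result (P = 0.25, c^ ≈ 0.88), which is the effect the text attributes to c^: fewer vectors escalated to ever larger models.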
In some aspects, the computing device may be configured to receive updated or modified sigmoid parameters α and β in conjunction with receiving new classifier models from the server computing device. In some aspects, the computing device may be configured to locally update or modify the sigmoid parameters α and β on the computing device based on historical information (e.g., collected from previous executions, previous applications of behavior models, previously determined normalized confidence values, etc.), new information, machine learning, context modeling, and detected changes in available information, mobile device state, environmental conditions, network conditions, mobile device performance, battery consumption levels, etc.
In some aspects, the computing device may be configured to send the locally updated or modified sigmoid parameters α and β to the server computing device, which may receive and use these parameters (e.g., by crowd-sourcing the parameters using other sigmoid parameters received from many other devices) to update the classifier model and/or to generate new sigmoid parameters α and β for the classifier model in the server. Such feedback communications allow the system to continually refine and adjust its models and operations to improve (e.g., more accurate, more efficient, etc.) behavior classification.
Fig. 12 shows a method 1200 of using a normalized confidence value (c^) to improve behavior classification according to one aspect. In block 1202, a processor of a computing device may receive a full classifier model and sigmoid parameters (e.g., α and β) from a server computing device. In an embodiment, the full classifier model may include a finite state machine that includes information suitable for expression as multiple boosted decision trees. Each boosted decision tree may include a test condition and a weight value, and each test condition may be associated with a probability value that identifies the likelihood that its associated test condition will enable the computing device to determine whether the behavior is one of benign and non-benign.
In block 1204, the processor may determine or compute a normalized confidence value based on the received sigmoid parameters, such as by using the following formula:
In block 1206, the computing device may use the normalized confidence value to classify a device behavior. For example, in one aspect, the computing device may generate a list of boosted decision trees by converting the finite state machine included in the received full classifier model into multiple boosted decision trees, generate a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees, apply a behavior vector data/information structure to a first lean classifier model in the family of classifier models to generate analysis results, determine, based on the normalized confidence value, whether to apply the behavior vector data/information structure to a second lean classifier model in the family of classifier models to generate new analysis results, and, when the normalized confidence value indicates that a more robust classifier model is not needed to increase the accuracy of the behavior classification, classify the behavior as one of benign or non-benign based on the generated analysis results.
Fig. 13 shows a method 1300 of using a normalized confidence value (c^) to improve behavior classification according to another aspect. In block 1302, the processor of the computing device may receive a full classifier model and sigmoid parameters from a server computing device. In block 1304, the processor may generate a lean classifier model based on the received full classifier model. In block 1306, the processor may determine/compute a normalized confidence value based on the received sigmoid parameters. In block 1308, the processor may apply a behavior vector information structure to the lean classifier model to generate analysis results. In block 1310, the processor may use the analysis results and the normalized confidence value to determine whether the behavior of the computing device is benign or non-benign.
Fig. 14 shows a method 1400 of using a normalized confidence value (c^) to improve behavior classification according to another aspect. In block 1402, the processor of the computing device may receive a full classifier model and sigmoid parameters from a server computing device. In block 1404, the processor may generate a list of boosted decision trees by converting the finite state machine included in the received full classifier model into multiple boosted decision trees. In block 1406, the processor may generate a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees. In block 1408, the processor may determine/compute one or more normalized confidence values for one or more of the lean classifier models based on the received sigmoid parameters. For example, in one aspect, the processor may compute a single normalized confidence value for all of the lean classifier models in the family of lean classifier models. In another aspect, the processor may compute a normalized confidence value for each lean classifier model in the family of lean classifier models.
In block 1408, the processor may apply a behavior vector information structure to a first lean classifier model in the family of classifier models to generate analysis results. In block 1410, the processor may determine whether to apply the behavior vector information structure to a second lean classifier model in the family of classifier models to generate new analysis results, based on the normalized confidence value (e.g., the normalized confidence value associated with the first lean classifier model or with the second lean classifier model).
Fig. 15 shows a method 1500 of using a normalized confidence value (c^) to improve behavior classification according to another aspect. In block 1502, the processor of the computing device may receive a full classifier model and sigmoid parameters from a server computing device. In block 1504, the processor may determine/compute a normalized confidence value based on the received sigmoid parameters. In block 1506, the processor may apply a behavior vector information structure to a classifier model to generate new analysis results. In block 1508, the processor may update or modify the received sigmoid parameters based on the analysis results and/or the determined normalized confidence value. In block 1510, the processor may send the updated sigmoid parameters to the server computing device. That is, in block 1510, the computing device may send the locally updated or modified sigmoid parameters α and β to the server computing device, which may receive and use these parameters (e.g., by crowd-sourcing the parameters using other sigmoid parameters received from many other devices) to update the classifier model and/or to generate new sigmoid parameters α and β for the classifier model in the server. This allows the system to continually refine and adjust its models and operations to improve (e.g., more accurate, more efficient, etc.) behavior classification.
Fig. 16 shows a method 1600 of using a normalized confidence value (c^) to improve behavior classification according to another aspect. In block 1602, the processor of the computing device may receive a full classifier model and sigmoid parameters from a server computing device. In block 1604, the processor may determine/compute a normalized confidence value based on the received sigmoid parameters. In optional block 1606, the processor may apply a behavior vector information structure to a classifier model to generate new analysis results. In block 1608, the processor may receive updated sigmoid parameters from the server computing device. In block 1610, the processor may determine/compute a new normalized confidence value based on the received updated sigmoid parameters. In block 1612, the processor may classify a behavior of the computing device based on the new normalized confidence value, such as by applying the behavior vector information structure to a classifier model in conjunction with the new normalized confidence value to generate analysis results, by using previously generated analysis results, by applying another behavior vector information structure to the same or a different classifier model to generate new analysis results, etc.
The various aspects may be implemented on a variety of computing devices, an example of which is illustrated in FIG. 17 in the form of a smartphone. A smartphone 1700 may include a processor 1702 coupled to internal memory 1704, a display 1706, and a speaker 1708. Additionally, the smartphone 1700 may include an antenna 1710 for sending and receiving electromagnetic radiation, which may be connected to a wireless data link and/or to a cellular telephone transceiver 1712 coupled to the processor 1702. Smartphones 1700 typically also include menu selection buttons or rocker switches XX20 for receiving user inputs.
A typical smartphone 1700 also includes a sound encoding/decoding (CODEC) circuit 1716, which digitizes sound received from a microphone into data packets suitable for wireless transmission and decodes received sound data packets to generate analog signals that are provided to the speaker to generate sound. In addition, one or more of the processor 1702, the transceiver 1712, and the CODEC 1716 may include a digital signal processor (DSP) circuit (not shown separately).
Portions of the aspect methods may be accomplished in a client-server architecture, with some of the processing occurring in a server, such as maintaining databases of normal operational behaviors, which may be accessed by a mobile device processor while executing the aspect methods. Such aspects may be implemented on any of a variety of commercially available server devices, such as the server 1800 illustrated in FIG. 18. Such a server 1800 typically includes a processor 1801 coupled to volatile memory 1802 and to a large-capacity nonvolatile memory, such as a disk drive 1803. The server 1800 may also include a floppy disc drive, compact disc (CD), or DVD disc drive 1804 coupled to the processor 1801. The server 1800 may also include network access ports 1806 coupled to the processor 1801 for establishing data connections with a network 1805, such as a local area network coupled to other broadcast system computers and servers.
The processors 1702, 1801 may be any programmable microprocessor, microcomputer, or multiple processor chip or chips that can be configured by software instructions (applications) to perform a variety of functions, including the functions of the various aspects described below. In some mobile devices, multiple processors 1702 may be provided, such as one processor dedicated to wireless communication functions and one processor dedicated to running other applications. Typically, software applications may be stored in the internal memory 1704, 1802, 1803 before they are accessed and loaded into the processor 1702, 1801. The processor 1702, 1801 may include internal memory sufficient to store the application software instructions.
The term "performance degradation" is used in this application to refer to a wide variety of undesirable mobile device operations and characteristics, such as longer processing times, slower real-time responsiveness, lower battery life, loss of private data, malicious economic activity (e.g., sending unauthorized premium SMS messages), denial of service (DoS), and operations relating to commandeering the mobile device or using the phone for spying or botnet activities, etc.
Computer program code or "program code" for execution on a programmable processor for carrying out the operations of the various aspects may be written in a high-level programming language such as C, C++, C#, Smalltalk, Java, JavaScript, Visual Basic, a Structured Query Language (e.g., Transact-SQL), Perl, or in various other programming languages. Program code or programs stored on a computer-readable storage medium, as used in this application, may refer to machine language code (such as object code) whose format is understandable by a processor.
Many mobile computing device operating system kernels are organized into a user space (where non-privileged code runs) and a kernel space (where privileged code runs). This separation is of particular importance in Android and other General Public License (GPL) environments, where code that is part of the kernel space must be GPL licensed, while code running in the user space may not be GPL licensed. It should be understood that the various software components/modules discussed here may be implemented in either the kernel space or the user space, unless expressly stated otherwise herein.
The foregoing method descriptions and the process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the steps of the various aspects must be performed in the order presented. As will be appreciated by one of skill in the art, the steps in the foregoing aspects may be performed in any order. Words such as "thereafter," "then," "next," etc. are not intended to limit the order of the steps; these words are simply used to guide the reader through the description of the methods. Further, any reference to claim elements in the singular, for example using the articles "a," "an," or "the," is not to be construed as limiting the element to the singular.
As used in this application, the terms "component," "module," "system," "engine," "generator," "manager," and the like are intended to include a computer-related entity, such as, but not limited to, hardware, firmware, a combination of hardware and software, software, or software in execution, which is configured to perform particular operations or functions. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be referred to as a component. One or more components may reside within a process and/or thread of execution, and a component may be localized on one processor or core and/or distributed between two or more processors or cores. In addition, these components may execute from various non-transitory computer-readable media having various instructions and/or data structures stored thereon. Components may communicate by way of local and/or remote processes, function or procedure calls, electronic signals, data packets, memory reads/writes, and other known network, computer, processor, and/or process-related communication methodologies.
The various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the claims.
The hardware used to implement the various illustrative logics, logical blocks, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components designed to perform the functions described herein. A general-purpose processor may be a multiprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, for example a combination of a DSP and a multiprocessor, a plurality of multiprocessors, one or more multiprocessors in conjunction with a DSP core, or any other such configuration. Alternatively, some steps or methods may be performed by circuitry that is specific to a given function.
In one or more exemplary aspects, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more processor-executable instructions or code on a non-transitory computer-readable storage medium or non-transitory processor-readable storage medium. The steps of a method or algorithm disclosed herein may be embodied in a processor-executable software module, which may reside on a non-transitory computer-readable or processor-readable storage medium. Non-transitory computer-readable or processor-readable storage media may be any storage media that can be accessed by a computer or a processor. By way of example, and not limitation, such non-transitory computer-readable or processor-readable media may include RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to store desired program code in the form of instructions or data structures and that may be accessed by a computer. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.
The preceding description of the disclosed aspects is provided to enable any person skilled in the art to make or use the claims. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the claims. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.

Claims (30)

1. A method of analyzing behaviors in a computing device, comprising:
receiving, in a processor of the computing device, a full classifier model and sigmoid parameters from a server computing device;
determining normalized confidence values based on the sigmoid parameters; and
classifying a device behavior of the computing device based on the normalized confidence values.
2. The method of claim 1, further comprising:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into boosted decision trees; and
generating a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees,
wherein classifying the device behavior based on the normalized confidence values comprises:
applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and
determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results based on the normalized confidence values.
3. The method of claim 1, further comprising generating a lean classifier model based on the full classifier model, wherein classifying the device behavior of the computing device based on the normalized confidence values comprises:
applying a behavior vector information structure to the lean classifier model to generate analysis results; and
using the analysis results and the normalized confidence values to determine whether the device behavior of the computing device is benign or non-benign.
4. The method of claim 3, wherein generating the lean classifier model based on the full classifier model comprises:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into a plurality of boosted decision trees;
determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device;
generating a list of test conditions by sequentially traversing the list of boosted decision trees and inserting the test condition associated with each sequentially traversed boosted decision tree into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
generating the lean classifier model to include only those boosted decision trees that test one of the plurality of test conditions included in the list of test conditions.
5. The method of claim 3, wherein applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign comprises:
applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision trees included in the lean classifier model;
computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision trees included in the lean classifier model; and
comparing the weighted average to a threshold value.
6. The method of claim 1, further comprising:
generating updated sigmoid parameters based on the normalized confidence values; and
sending the updated sigmoid parameters to the server computing device.
7. The method of claim 1, further comprising:
receiving updated sigmoid parameters from the server computing device;
determining new normalized confidence values based on the updated sigmoid parameters received from the server computing device; and
classifying the device behavior of the computing device based on the new normalized confidence values.
8. The method of claim 1, wherein receiving the full classifier model and the sigmoid parameters comprises receiving a finite state machine that includes information suitable for expression as two or more boosted decision trees, each boosted decision tree including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior of the computing device is one of benign and non-benign.
9. A computing device, comprising:
means for receiving a full classifier model and sigmoid parameters from a server computing device;
means for determining normalized confidence values based on the sigmoid parameters; and
means for classifying a device behavior of the computing device based on the normalized confidence values.
10. The computing device of claim 9, further comprising:
means for generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into boosted decision trees; and
means for generating a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees,
wherein the means for classifying the device behavior of the computing device based on the normalized confidence values comprises:
means for applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and
means for determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results based on the normalized confidence values.
11. The computing device of claim 9, further comprising means for generating a lean classifier model based on the full classifier model, and wherein the means for classifying the device behavior based on the normalized confidence values comprises:
means for applying a behavior vector information structure to the lean classifier model to generate analysis results; and
means for using the analysis results and the normalized confidence values to determine whether the device behavior of the computing device is benign or non-benign.
12. The computing device of claim 11, wherein the means for generating the lean classifier model based on the full classifier model comprises:
means for generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into a plurality of boosted decision trees;
means for determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device;
means for generating a list of test conditions by sequentially traversing the list of boosted decision trees and inserting the test condition associated with each sequentially traversed boosted decision tree into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
means for generating the lean classifier model to include only those boosted decision trees that test one of the plurality of test conditions included in the list of test conditions.
13. The computing device of claim 11, wherein the means for applying the behavior vector information structure to the lean classifier model to determine whether the device behavior is non-benign comprises:
means for applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision trees included in the lean classifier model;
means for computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision trees included in the lean classifier model; and
means for comparing the weighted average to a threshold value.
14. The computing device of claim 9, further comprising:
means for generating updated sigmoid parameters based on the normalized confidence values; and
means for sending the updated sigmoid parameters to the server computing device.
15. The computing device of claim 9, further comprising:
means for receiving updated sigmoid parameters from the server computing device;
means for determining new normalized confidence values based on the updated sigmoid parameters; and
means for classifying the device behavior of the computing device based on the new normalized confidence values.
16. The computing device of claim 9, wherein the means for receiving the full classifier model and the sigmoid parameters comprises means for receiving a finite state machine that includes information suitable for expression as two or more boosted decision trees, each boosted decision tree including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior of the computing device is one of benign and non-benign.
17. A computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
receiving a full classifier model and sigmoid parameters from a server computing device;
determining normalized confidence values based on the sigmoid parameters; and
classifying a device behavior of the computing device based on the normalized confidence values.
18. The computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into boosted decision trees; and
generating a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees, and wherein the processor is configured with processor-executable instructions to perform operations such that classifying the device behavior based on the normalized confidence values comprises:
applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and
determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results based on the normalized confidence values.
19. The computing device of claim 17, wherein:
the processor is configured with processor-executable instructions to perform operations further comprising generating a lean classifier model based on the full classifier model, and
the processor is configured with processor-executable instructions to perform operations such that classifying the device behavior of the computing device based on the normalized confidence values comprises:
applying a behavior vector information structure to the lean classifier model to generate analysis results; and
using the analysis results and the normalized confidence values to determine whether the device behavior of the computing device is benign or non-benign.
20. The computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model comprises:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into a plurality of boosted decision trees;
determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device;
generating a list of test conditions by sequentially traversing the list of boosted decision trees and inserting the test condition associated with each sequentially traversed boosted decision tree into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
generating the lean classifier model to include only those boosted decision trees that test one of the plurality of test conditions included in the list of test conditions.
21. The computing device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations such that applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign comprises:
applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision trees included in the lean classifier model;
computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision trees included in the lean classifier model; and
comparing the weighted average to a threshold value.
22. The computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
generating updated sigmoid parameters based on the normalized confidence values; and
sending the updated sigmoid parameters to the server computing device.
23. The computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
receiving updated sigmoid parameters from the server computing device;
determining new normalized confidence values based on the updated sigmoid parameters; and
classifying the device behavior of the computing device based on the new normalized confidence values.
24. The computing device of claim 17, wherein the processor is configured with processor-executable instructions to perform operations such that receiving the full classifier model and the sigmoid parameters comprises receiving a finite state machine that includes information suitable for expression as two or more boosted decision trees, each boosted decision tree including a weight value and a test condition, the test condition being associated with a probability value that identifies the likelihood that the test condition will enable the processor to determine whether the device behavior of the computing device is one of benign and non-benign.
25. A non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations comprising:
receiving a full classifier model and sigmoid parameters from a server computing device;
determining normalized confidence values based on the sigmoid parameters; and
classifying a device behavior of the computing device based on the normalized confidence values.
26. The non-transitory computer-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into boosted decision trees; and
generating a family of lean classifier models based on the boosted decision trees included in the list of boosted decision trees,
wherein classifying the device behavior of the computing device based on the normalized confidence values comprises:
applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and
determining whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results based on the normalized confidence values.
27. The non-transitory computer-readable storage medium of claim 25, wherein:
the stored processor-executable instructions are configured to cause the processor to perform operations further comprising generating a lean classifier model based on the full classifier model, and
the stored processor-executable instructions are configured to cause the processor to perform operations such that classifying the device behavior based on the normalized confidence values comprises:
applying a behavior vector information structure to the lean classifier model to generate analysis results; and
using the analysis results and the normalized confidence values to determine whether the device behavior of the computing device is benign or non-benign.
28. The non-transitory computer-readable storage medium of claim 27, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that generating the lean classifier model based on the full classifier model comprises:
generating a list of boosted decision trees by converting a finite state machine included in the full classifier model into a plurality of boosted decision trees;
determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device;
generating a list of test conditions by sequentially traversing the list of boosted decision trees and inserting the test condition associated with each sequentially traversed boosted decision tree into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and
generating the lean classifier model to include only those boosted decision trees that test one of the plurality of test conditions included in the list of test conditions.
29. The non-transitory computer-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
generating updated sigmoid parameters based on the normalized confidence values; and
sending the updated sigmoid parameters to the server computing device.
30. The non-transitory computer-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
receiving updated sigmoid parameters from the server computing device;
determining new normalized confidence values based on the updated sigmoid parameters; and
classifying the device behavior of the computing device based on the new normalized confidence values.
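The lean classifier construction of claims 4 and 5 and the escalation across a family of lean classifier models of claim 2, as an added Python example that is not part of the patent. It starts from the list of boosted decision trees, modelled as one-condition stumps each carrying a boosting weight (the finite-state-machine conversion step is not shown), and assumes a ±1 encoding of each tree's result, a logistic normalized confidence computed from assumed α and β, and a confidence gate for deciding whether to apply the next, larger lean model; the feature names, thresholds, weights, and behavior vectors are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class TestCondition:
    """One test condition: holds when the named feature exceeds the threshold."""
    feature: str
    threshold: float

@dataclass(frozen=True)
class BoostedStump:
    """A boosted decision tree reduced to a single test condition plus its boosting weight."""
    condition: TestCondition
    weight: float
    vote_if_true: int   # +1 = non-benign, -1 = benign when the condition holds (assumed encoding)

def build_test_condition_list(trees: Sequence[BoostedStump], n_unique: int) -> List[TestCondition]:
    """Claim 4: traverse the trees in order, collecting unique test conditions until n_unique are found."""
    conditions: List[TestCondition] = []
    for tree in trees:
        if len(conditions) >= n_unique:
            break
        if tree.condition not in conditions:
            conditions.append(tree.condition)
    return conditions

def generate_lean_model(trees: Sequence[BoostedStump],
                        conditions: Sequence[TestCondition]) -> List[BoostedStump]:
    """Claim 4: keep only the trees whose test condition is in the list."""
    keep = set(conditions)
    return [t for t in trees if t.condition in keep]

def generate_lean_family(trees: Sequence[BoostedStump], sizes: Sequence[int]) -> List[List[BoostedStump]]:
    """Claim 2: a family of lean models of increasing size (number of unique test conditions)."""
    return [generate_lean_model(trees, build_test_condition_list(trees, n)) for n in sizes]

def weighted_average(model: Sequence[BoostedStump], behavior: Dict[str, float]) -> float:
    """Claim 5: weighted average of the per-tree results, in [-1, +1]."""
    total = sum(t.weight for t in model)
    if total == 0.0:
        return 0.0
    acc = 0.0
    for t in model:
        holds = behavior.get(t.condition.feature, 0.0) > t.condition.threshold
        acc += t.weight * (t.vote_if_true if holds else -t.vote_if_true)
    return acc / total

def normalized_confidence(score: float, alpha: float, beta: float) -> float:
    """Assumed logistic form of the normalized confidence value (probability of non-benign)."""
    return 1.0 / (1.0 + math.exp(-(alpha * score + beta)))

def classify_with_family(family: Sequence[Sequence[BoostedStump]], behavior: Dict[str, float],
                         alpha: float, beta: float, avg_threshold: float = 0.0,
                         confidence_gate: float = 0.8) -> Tuple[str, int]:
    """Apply lean models from smallest to largest; stop once the verdict is confident enough.

    Returns (verdict, index of the last model applied).
    """
    verdict, used = "benign", -1
    for used, model in enumerate(family):
        avg = weighted_average(model, behavior)
        verdict = "non-benign" if avg > avg_threshold else "benign"     # claim 5 threshold test
        c = normalized_confidence(avg, alpha, beta)
        if max(c, 1.0 - c) >= confidence_gate:                           # claim 2 escalation decision
            break
    return verdict, used

# Constructed full model: six boosted stumps over five unique test conditions.
FULL_MODEL = [
    BoostedStump(TestCondition("sms_sent_per_min", 5.0), 0.9, +1),
    BoostedStump(TestCondition("cpu_util", 0.9), 0.6, +1),
    BoostedStump(TestCondition("sms_sent_per_min", 5.0), 0.4, +1),   # repeated condition
    BoostedStump(TestCondition("bytes_uploaded_mb", 50.0), 0.7, +1),
    BoostedStump(TestCondition("screen_on", 0.5), 0.3, -1),          # screen on argues benign
    BoostedStump(TestCondition("wakelocks_per_hour", 20.0), 0.5, +1),
]
FAMILY = generate_lean_family(FULL_MODEL, sizes=[2, 5])
ALPHA, BETA = 3.0, 0.0   # constructed sigmoid parameters

# Constructed behavior vectors.
BEHAVIOR_A = {"sms_sent_per_min": 12, "cpu_util": 0.95, "bytes_uploaded_mb": 80,
              "screen_on": 0, "wakelocks_per_hour": 40}
BEHAVIOR_B = {"sms_sent_per_min": 1, "cpu_util": 0.95, "bytes_uploaded_mb": 2,
              "screen_on": 1, "wakelocks_per_hour": 3}

if __name__ == "__main__":
    for name, b in (("A", BEHAVIOR_A), ("B", BEHAVIOR_B)):
        print(name, classify_with_family(FAMILY, b, ALPHA, BETA))
```

Behavior A is settled by the two-condition model alone, while behavior B's first verdict is not confident enough and the six-tree model is applied; that is the resource trade-off the claims describe, since the small model costs two feature lookups and the large one five.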

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/826,430 2015-08-14
US14/826,430 US10089582B2 (en) 2013-01-02 2015-08-14 Using normalized confidence values for classifying mobile device behaviors
PCT/US2016/041470 WO2017030672A1 (en) 2015-08-14 2016-07-08 Using normalized confidence values for classifying mobile device behaviors

Publications (1)

Publication Number Publication Date
CN107924492A true CN107924492A (en) 2018-04-17

Family

ID=56511920

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680047561.4A Pending CN107924492A (en) 2015-08-14 2016-07-08 Classified using normalization the value of the confidence to mobile equipment behavior

Country Status (5)

Country Link
EP (1) EP3335160A1 (en)
JP (1) JP2018533105A (en)
CN (1) CN107924492A (en)
TW (1) TW201710960A (en)
WO (1) WO2017030672A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109416878B (en) * 2017-06-13 2022-04-12 北京嘀嘀无限科技发展有限公司 System and method for recommending estimated time of arrival
TWI658372B (en) * 2017-12-12 2019-05-01 財團法人資訊工業策進會 Abnormal behavior detection model building apparatus and abnormal behavior detection model building method thereof
JP6795529B2 (en) * 2018-02-15 2020-12-02 Kddi株式会社 Communication analysis method and system
CN108491720B (en) * 2018-03-20 2023-07-14 腾讯科技(深圳)有限公司 Application identification method, system and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130066815A1 (en) * 2011-09-13 2013-03-14 Research In Motion Limited System and method for mobile context determination
US20140237595A1 (en) * 2013-02-15 2014-08-21 Qualcomm Incorporated APIs for Obtaining Device-Specific Behavior Classifier Models from the Cloud
WO2015085265A1 (en) * 2013-12-06 2015-06-11 Qualcomm Incorporated Methods and systems of using application-specific and application -type-specific models for the efficient classification of mobile device behaviors

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ALEXANDRU NICULESCU-MIZIL et al.: "Predicting Good Probabilities With Supervised Learning", Proceedings of the 22nd International Conference on Machine Learning *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109582776A (en) * 2018-12-04 2019-04-05 北京羽扇智信息科技有限公司 Model generation method and device, electronic device and storage medium
CN109582776B (en) * 2018-12-04 2021-07-09 北京羽扇智信息科技有限公司 Model generation method and device, electronic device and storage medium
CN110298402A (en) * 2019-07-01 2019-10-01 国网内蒙古东部电力有限公司 A kind of small target deteection performance optimization method
CN112131607A (en) * 2020-09-25 2020-12-25 腾讯科技(深圳)有限公司 Resource data processing method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
JP2018533105A (en) 2018-11-08
TW201710960A (en) 2017-03-16
WO2017030672A1 (en) 2017-02-23
EP3335160A1 (en) 2018-06-20

Similar Documents

Publication Publication Date Title
CN104885099B (en) Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
CN105830080B (en) Methods and systems of using application-specific and application-type-specific models for the efficient classification of mobile device behaviors
CN106133642B (en) Methods and systems for inferring application states by performing behavioral analysis operations in a mobile device
CN106716382B (en) Methods and systems for aggregated multi-application behavioral analysis of mobile device behaviors
CN104541293B (en) Framework for client-cloud behavior analyzer
CN107567628B (en) Methods and systems for identifying and responding to non-benign behaviors using causal analysis for enhanced decision stumps
US10089582B2 (en) Using normalized confidence values for classifying mobile device behaviors
CN107077547B (en) Methods and systems of using behavioral analysis for efficient continuous authentication
CN107924492A (en) Classified using normalization the value of the confidence to mobile equipment behavior
CN107580699A (en) Methods and systems for behavior-specific actuation with real-time whitelisting
CN104272788B (en) Communicating behavior information in a mobile computing device
US9324034B2 (en) On-device real-time behavior analyzer
CN107209832A (en) Determining the model protection level on a device based on malware detection in similar devices
CN107209818A (en) Methods and systems for detecting fake user interactions with a mobile device for improved malware protection
CN107408178A (en) Methods and systems for identifying malware through differences in cloud and client behavior
CN106796627A (en) Methods and systems for behavioral analysis of mobile device behaviors based on user persona information
CN106663172A (en) Methods and systems for detecting malware and attacks that target behavioral security mechanisms of a mobile device
CN106104555A (en) Behavioral analysis for securing peripheral devices
CN107209825A (en) Data flow tracking via memory monitoring
CN106415580A (en) Methods and systems for thwarting side channel attacks
CN107710687A (en) Customized network traffic models for detecting application anomalies

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180417