TW201710960A - Using normalized confidence values for classifying mobile device behaviors - Google Patents


Info

Publication number
TW201710960A
Authority
TW
Taiwan
Prior art keywords
behavior
classifier model
computing device
processor
reduced
Prior art date
Application number
TW105123791A
Other languages
Chinese (zh)
Inventor
卡斯安 法瓦茲
維那伊 斯瑞德哈拉
雷賈席 古塔
陳茵
Original Assignee
高通公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US14/826,430 (US10089582B2)
Application filed by 高通公司 (Qualcomm)
Publication of TW201710960A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models
    • G06N5/043 Distributed expert systems; Blackboards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/02 Knowledge representation; Symbolic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/02 Knowledge representation; Symbolic representation
    • G06N5/022 Knowledge engineering; Knowledge acquisition
    • G06N5/025 Extracting rules from data

Abstract

Methods and systems for classifying mobile device behavior include generating a full classifier model that includes a finite state machine suitable for conversion into boosted decision stumps and/or which describes all or many of the features relevant to determining whether a mobile device behavior is benign or contributing to the mobile device's degradation over time. A mobile device may receive the full classifier model along with sigmoid parameters and use the model to generate a full set of boosted decision stumps, from which a more focused or lean classifier model is generated by culling the full set to a subset suitable for efficiently determining whether mobile device behaviors are benign. Results of applying the focused or lean classifier model may be normalized using a sigmoid function, with the resulting normalized result used to determine whether the behavior is benign or non-benign.

Description

Using normalized confidence values for classifying mobile device behaviors

Related Applications

This application is a continuation-in-part of U.S. Patent Application No. 14/090,261, filed November 26, 2013, entitled "Methods and Systems of Using Boosted Decision Stumps and Joint Feature Selection and Pruning Algorithms for the Efficient Classification of Mobile Device Behaviors", which claims priority to U.S. Provisional Application No. 61/874,129, filed September 5, 2013, entitled "Methods and Systems of Using Boosted Decision Stumps and Joint Feature Selection and Pruning Algorithms for the Efficient Classification of Mobile Device Behaviors"; U.S. Provisional Patent Application No. 61/748,217, filed January 2, 2013, entitled "On-Device Real-Time Behavior Analyzer"; and U.S. Provisional Patent Application No. 61/748,220, filed January 2, 2013, entitled "Architecture for Client-Cloud Behavior Analyzer". The entire contents of all of these applications are hereby incorporated by reference.

Cellular and wireless communication technologies have grown explosively in recent years. Better communications, better hardware, larger networks and increasingly reliable protocols have driven this growth. As a result, wireless service providers can now offer their consumers unprecedented levels of access to information, resources and communications.

To keep pace with these service enhancements, mobile electronic devices (e.g., cellular phones, tablets, laptops, etc.) have become more powerful and more complex than ever. This complexity has created new opportunities for malware, software conflicts, hardware faults and other similar errors or phenomena to adversely affect a mobile device's long-term and continued performance and power utilization levels. Identifying and correcting the conditions and/or mobile device behaviors that may adversely affect those long-term and continued performance and power utilization levels is therefore beneficial to consumers.

Various aspects include methods of generating a lean behavior classifier model in a mobile device, which may include receiving, in a processor of the mobile device, a full classifier model that includes a finite state machine, and using the full classifier model to generate a lean classifier model in the mobile device. The finite state machine may include information suitable for conversion into, or expression as, a plurality of boosted decision stumps, each of which may include a test condition and a weight value. In an aspect, the method may further include using the lean classifier model in the mobile device to classify a behavior of the mobile device as benign or non-benign (i.e., malicious, performance-degrading, etc.).

In an aspect, generating the lean classifier model based on the full classifier model may include converting the finite state machine included in the full classifier model into a list of boosted decision stumps, and generating the lean classifier model based on the boosted decision stumps included in that list.

In an aspect, generating the lean classifier model based on the full classifier model may further include: determining the number of unique test conditions that should be evaluated to classify a mobile device behavior without consuming an excessive amount of the mobile device's processing, memory or energy resources; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model so that it includes only those boosted decision stumps that test one of the plurality of test conditions included in the generated list of test conditions.

In an aspect, the method may include using the lean classifier model in the mobile device to classify a behavior of the mobile device as benign or non-benign by: applying collected behavior information to each boosted decision stump in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the lean classifier model; and comparing the weighted average to a threshold value.

In an aspect, generating the lean classifier model based on the full classifier model may include: converting the finite state machine included in the full classifier model into a list of boosted decision stumps; and generating, based on the boosted decision stumps included in that list, a family of lean classifier models that includes the lean classifier model and a plurality of additional lean classifier models, each of which includes a different number of unique test conditions.

In an aspect, generating a lean classifier model may include generating a plurality of lean classifier models, each of which includes a decision stump that tests a first condition using a different weight value and a different threshold value. In an aspect, the method may include recalculating the threshold values associated with the boosted decision stumps in the plurality of lean classifier models generated in the mobile device based on the full classifier model. In an aspect, the method may include recalculating the weight values associated with the boosted decision stumps in the plurality of lean classifier models generated in the mobile device based on the full classifier model.

In an aspect, the method may include generating the full classifier model in a server by: receiving in the server a corpus of information on mobile device behaviors; generating the finite state machine based on that corpus so that it includes data suitable for conversion into the plurality of boosted decision stumps; and sending the finite state machine to the mobile device as the full classifier model. In an aspect, each of the plurality of test conditions is associated with a probability value that identifies the likelihood that its associated test condition will enable the mobile device to determine whether a mobile device behavior is benign, and the method further includes organizing the boosted decision stumps in the finite state machine based on the probability values before sending the finite state machine to the mobile device as the full classifier model.

In another aspect, the method may include computing a normalized confidence value using sigmoid parameters and using the normalized confidence value for improved behavior classification, which may include: receiving, in a processor of the computing device, a full classifier model and sigmoid parameters from a server; determining a normalized confidence value based on the sigmoid parameters; and classifying a device behavior of the computing device based on the normalized confidence value.

In an aspect, the method may include: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and generating a family of lean classifier models based on the boosted decision stumps included in that list, where classifying the device behavior of the computing device based on the normalized confidence value includes: applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

In another aspect, the method may include generating a lean classifier model based on the full classifier model, and classifying the device behavior of the computing device based on the normalized confidence value may include: applying a behavior vector information structure to the lean classifier model to generate analysis results; and using the analysis results together with the normalized confidence value to determine whether the device behavior is benign or non-benign. In another aspect, generating the lean classifier model based on the full classifier model may include: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining the number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list includes that number of unique test conditions; and generating the lean classifier model so that it includes only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions.

In another aspect, applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign may include: applying the collected behavior information included in the behavior vector information structure to each of the plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and comparing the weighted average to a threshold value.

In another aspect, the method may include: generating updated sigmoid parameters based on the normalized confidence value; and sending the updated sigmoid parameters to the server computing device. In another aspect, the method may include: receiving updated sigmoid parameters from the server computing device; determining a new normalized confidence value based on the updated sigmoid parameters received from the server computing device; and classifying the device behavior based on the new normalized confidence value. In another aspect, receiving the full classifier model and the sigmoid parameters may include receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each including a weight value and a test condition, where the test condition is associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior is one of benign and non-benign.
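As an added illustration of the procedure the aspects above describe (this is not Qualcomm's code or the patent's own implementation), the following Python builds a family of lean classifier models from a list of boosted decision stumps by culling to a fixed number of unique test conditions, scores a behavior vector by weighted average, normalizes the score with server-supplied sigmoid parameters, and cascades to the next larger model when the normalized confidence is not decisive. The stump list, weights, cutoffs, sigmoid parameters, the ±0.25 decision margin and the behavior vectors are all constructed sample values; the conversion from the finite state machine is assumed to have already produced the ordered stump list.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Qualcomm's code: boosted decision stumps, lean-model
# culling, weighted-average classification, sigmoid normalization and the
# confidence-driven cascade through a model family. Every value below is a
# constructed sample, not a value from the patent.


@dataclass(frozen=True)
class Stump:
    """One boosted decision stump: a test condition (feature > cutoff) and a weight."""
    feature: str      # the test condition's feature, e.g. "sms_per_hour"
    cutoff: float     # the stump votes +1 when the feature value exceeds this
    weight: float     # boosting weight of this stump

    def vote(self, behavior: Dict[str, float]) -> int:
        # A feature absent from the behavior vector is treated as 0 (not observed).
        return 1 if behavior.get(self.feature, 0.0) > self.cutoff else -1


# Constructed stand-in for the list obtained by converting the full classifier
# model's finite state machine. The order mimics the server-side ranking by
# probability value: the most informative test conditions come first.
FULL_STUMP_LIST: List[Stump] = [
    Stump("sms_per_hour", 20, 0.9),
    Stump("bg_cpu_pct", 40, 0.8),
    Stump("sms_per_hour", 5, 0.3),       # same condition, different cutoff and weight
    Stump("contacts_reads", 50, 0.7),
    Stump("net_bytes_out_mb", 100, 0.6),
    Stump("bg_cpu_pct", 80, 0.4),
    Stump("wakelocks_per_hour", 30, 0.5),
]


def build_lean_model(full: List[Stump], n_unique: int) -> List[Stump]:
    """Cull the full list to the stumps that test the first n_unique distinct conditions.

    Traverse the list sequentially, inserting each stump's test condition into the
    condition list until it holds n_unique unique conditions, then keep only the
    stumps whose condition is in that list (including later stumps that re-test
    an already listed condition with another cutoff).
    """
    conditions: List[str] = []
    for stump in full:
        if len(conditions) >= n_unique:
            break
        if stump.feature not in conditions:
            conditions.append(stump.feature)
    return [s for s in full if s.feature in conditions]


def build_model_family(full: List[Stump], sizes: Tuple[int, ...]) -> List[List[Stump]]:
    """Family of lean models, each with a different number of unique test conditions."""
    return [build_lean_model(full, n) for n in sizes]


def weighted_score(model: List[Stump], behavior: Dict[str, float]) -> float:
    """Weighted average of the stump votes, in the range [-1, 1]."""
    total = sum(s.weight for s in model)
    return sum(s.weight * s.vote(behavior) for s in model) / total


def normalized_confidence(score: float, sigmoid_params: Tuple[float, float]) -> float:
    """Map the raw score into (0, 1) with the server-supplied sigmoid parameters (a, b)."""
    a, b = sigmoid_params
    return 1.0 / (1.0 + math.exp(-(a * score + b)))


def classify(family: List[List[Stump]], behavior: Dict[str, float],
             sigmoid_params: Tuple[float, float],
             threshold: float = 0.5, margin: float = 0.25) -> Tuple[str, float, int]:
    """Cascade through the model family until the normalized confidence is decisive.

    Returns (label, confidence, number_of_models_applied). A confidence within
    `margin` of the threshold is not trusted, so the next larger (costlier) model
    is applied; the largest model's verdict is used if none is decisive.
    """
    conf, used = threshold, 0
    for used, model in enumerate(family, start=1):
        conf = normalized_confidence(weighted_score(model, behavior), sigmoid_params)
        if abs(conf - threshold) >= margin:
            break
    label = "non-benign" if conf > threshold else "benign"
    return label, conf, used


if __name__ == "__main__":
    family = build_model_family(FULL_STUMP_LIST, (2, 3, 5))
    params = (3.0, 0.0)  # constructed sigmoid parameters "received from the server"
    # Constructed behavior vectors: idle device, obvious SMS/CPU abuse, mixed signals.
    for name, vec in [("idle", {}),
                      ("sms+cpu", {"sms_per_hour": 60, "bg_cpu_pct": 90}),
                      ("mixed", {"sms_per_hour": 10, "bg_cpu_pct": 50, "contacts_reads": 80,
                                 "net_bytes_out_mb": 150, "wakelocks_per_hour": 40})]:
        print(name, classify(family, vec, params))
```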

Other aspects may include a computing device that includes: means for receiving a full classifier model and sigmoid parameters from a server computing device; means for determining a normalized confidence value based on the sigmoid parameters; and means for classifying a device behavior based on the normalized confidence value. In an aspect, the computing device may include: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and means for generating a family of lean classifier models based on the boosted decision stumps included in that list, where the means for classifying the device behavior based on the normalized confidence value includes: means for applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and means for determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

In another aspect, the computing device may include means for generating a lean classifier model based on the full classifier model, where the means for classifying the device behavior based on the normalized confidence value includes: means for applying a behavior vector information structure to the lean classifier model to generate analysis results; and means for using the analysis results together with the normalized confidence value to determine whether the device behavior is benign or non-benign. In another aspect, the means for generating the lean classifier model based on the full classifier model may include: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; means for determining the number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; means for generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list includes that number of unique test conditions; and means for generating the lean classifier model so that it includes only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions. In another aspect, the means for applying the behavior vector information structure to the lean classifier model to determine whether the device behavior is non-benign may include: means for applying the collected behavior information included in the behavior vector information structure to each of the plurality of boosted decision stumps included in the lean classifier model; means for computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and means for comparing the weighted average to a threshold value.

In another aspect, the computing device may include means for generating updated sigmoid parameters based on the normalized confidence value; and means for sending the updated sigmoid parameters to the server computing device. In another aspect, the computing device may include: means for receiving updated sigmoid parameters from the server computing device; means for determining a new normalized confidence value based on the updated sigmoid parameters; and means for classifying the device behavior based on the new normalized confidence value. In another aspect, the means for receiving the full classifier model and the sigmoid parameters may include means for receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each including a weight value and a test condition, where the test condition is associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior is one of benign and non-benign.

Other aspects may include a computing device that includes a processor configured with processor-executable instructions to perform operations including: receiving a full classifier model and sigmoid parameters from a server computing device; determining a normalized confidence value based on the sigmoid parameters; and classifying a device behavior based on the normalized confidence value. In an aspect, the processor may be configured with processor-executable instructions to perform operations further including: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and generating a family of lean classifier models based on the boosted decision stumps included in that list; and the processor may be configured with processor-executable instructions to perform operations such that classifying the device behavior based on the normalized confidence value includes: applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

In another aspect, the processor may be configured with processor-executable instructions to perform operations further including generating a lean classifier model based on the full classifier model, and the processor may be configured with processor-executable instructions to perform operations such that classifying the device behavior based on the normalized confidence value includes: applying a behavior vector information structure to the lean classifier model to generate analysis results; and using the analysis results together with the normalized confidence value to determine whether the device behavior is benign or non-benign.

In another aspect, the processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining the number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the computing device's processing, memory or energy resources; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list includes that number of unique test conditions; and generating the lean classifier model so that it includes only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions.

In another aspect, the processor may be configured with processor-executable instructions to perform operations such that applying the behavior vector information structure to the lean classifier model to determine whether the device behavior is non-benign includes: applying the collected behavior information included in the behavior vector information structure to each of the plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and comparing the weighted average to a threshold value. In another aspect, the processor may be configured with processor-executable instructions to perform operations further including: generating updated sigmoid parameters based on the normalized confidence value; and sending the updated sigmoid parameters to the server computing device.

In another aspect, the processor may be configured with processor-executable instructions to perform operations further including: receiving updated sigmoid parameters from the server computing device; determining a new normalized confidence value based on the updated sigmoid parameters; and classifying the device behavior based on the new normalized confidence value. In another aspect, the processor may be configured with processor-executable instructions to perform operations such that receiving the full classifier model and the sigmoid parameters includes receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps, each including a weight value and a test condition, where the test condition is associated with a probability value that identifies the likelihood that the test condition will enable the computing device to determine whether the device behavior is one of benign and non-benign.

Other aspects may include a non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations that may include: receiving a full classifier model and sigmoid parameters from a server computing device; determining a normalized confidence value based on the sigmoid parameters; and classifying a device behavior based on the normalized confidence value. In an aspect, the stored processor-executable instructions may be configured to cause the processor to perform operations further including: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and generating a family of lean classifier models based on the boosted decision stumps included in that list, where classifying the device behavior based on the normalized confidence value includes: applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

In another aspect, the stored processor-executable instructions may be configured to cause the processor to perform operations further including generating a lean classifier model based on the full classifier model, and the stored processor-executable instructions may be configured to cause the processor to perform operations such that classifying the device behavior based on the normalized confidence value includes: applying a behavior vector information structure to the lean classifier model to generate analysis results; and using the analysis results and the normalized confidence value to determine whether the device behavior is benign or non-benign.

In another aspect, the stored processor-executable instructions may be configured to cause the processor to perform operations such that generating the lean classifier model based on the full classifier model includes: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining the number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of the processing, memory, or energy resources of the computing device; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting a test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes that number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions.

In another aspect, the stored processor-executable instructions may be configured to cause the processor to perform operations further including: generating an updated sigmoid parameter based on the normalized confidence value; and sending the updated sigmoid parameter to the server computing device. In another aspect, the stored processor-executable instructions may be configured to cause the processor to perform operations further including: receiving an updated sigmoid parameter from the server computing device; determining a new normalized confidence value based on the updated sigmoid parameter; and classifying the device behavior based on the new normalized confidence value.

Other aspects include a mobile computing device having a processor configured with processor-executable instructions to perform the operations of the methods described above.

Other aspects include a non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor in a mobile device to perform the operations of the methods described above.

Other aspects include a system that includes a mobile device including a device processor and a server, the server being configured with server-executable instructions to perform operations including: receiving a corpus of information regarding mobile device behaviors; generating, based on the corpus of information, a finite state machine that includes data suitable for conversion into a plurality of boosted decision stumps each including a test condition and a weight value; and sending the finite state machine to the mobile device as a full classifier model. In an aspect, the device processor may be configured with processor-executable instructions to perform operations including: receiving the full classifier model; generating a lean classifier model in the mobile device based on the received full classifier model; and using the lean classifier model to classify a behavior of the mobile device as benign or non-benign.

In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: converting the finite state machine included in the full classifier model into a list of boosted decision stumps; determining the number of unique test conditions that should be evaluated to classify the behavior of the mobile device without consuming an excessive amount of the processing, memory, or energy resources of the mobile device; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the plurality of test conditions included in the generated list of test conditions.

In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that using the lean classifier model to classify the behavior of the mobile device includes: applying collected behavior information to each boosted decision stump in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the lean classifier model; and comparing the weighted average with a threshold value. In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes: converting the finite state machine included in the full classifier model into a list of boosted decision stumps; and generating, based on the boosted decision stumps included in the list of boosted decision stumps, a family of lean classifier models that includes the lean classifier model and a plurality of additional lean classifier models, each of which includes a different number of unique test conditions.

In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations such that generating the lean classifier model based on the full classifier model includes generating a plurality of lean classifier models, each of which includes a decision stump that tests a first condition using a different weight value and a different threshold value. In an aspect of the system, the device processor may be configured with processor-executable instructions to perform operations further including recomputing the threshold values and weight values associated with the boosted decision stumps in the plurality of lean classifier models.

In an aspect of the system, the server may be configured with server-executable instructions to perform operations such that each of the plurality of test conditions is associated with a probability value that identifies a likelihood that its associated test condition will enable the mobile device to determine whether a mobile device behavior is benign. In an aspect of the system, the server may be configured with server-executable instructions to perform operations further including organizing the boosted decision stumps in the finite state machine based on the probability values before sending the finite state machine to the mobile device as the full classifier model.

100 ‧‧‧ communication system
102 ‧‧‧ mobile device
104 ‧‧‧ telephone network
106 ‧‧‧ cell base station
108 ‧‧‧ network operations center
110 ‧‧‧ Internet
112 ‧‧‧ wireless communication link
114 ‧‧‧ server
116 ‧‧‧ network server
118 ‧‧‧ cloud service provider network
202 ‧‧‧ behavior observer module
204 ‧‧‧ behavior analyzer module
206 ‧‧‧ external context information module
208 ‧‧‧ classifier module
210 ‧‧‧ actuator module
300 ‧‧‧ system
302 ‧‧‧ cloud module
304 ‧‧‧ model generator module
306 ‧‧‧ training data module
402 ‧‧‧ lean model generator module
404 ‧‧‧ full model generator
500 ‧‧‧ method
502 ‧‧‧ block
504 ‧‧‧ block
506 ‧‧‧ block
508 ‧‧‧ block
510 ‧‧‧ block
511 ‧‧‧ method
512 ‧‧‧ block
514 ‧‧‧ block
516 ‧‧‧ block
518 ‧‧‧ block
520 ‧‧‧ block
522 ‧‧‧ block
524 ‧‧‧ method
526 ‧‧‧ block
528 ‧‧‧ block
529 ‧‧‧ block
530 ‧‧‧ block
532 ‧‧‧ block
534 ‧‧‧ block
535 ‧‧‧ block
536 ‧‧‧ block
540 ‧‧‧ method
542 ‧‧‧ block
544 ‧‧‧ block
546 ‧‧‧ block
548 ‧‧‧ block
550 ‧‧‧ block
552 ‧‧‧ block
554 ‧‧‧ block
556 ‧‧‧ block
558 ‧‧‧ block
560 ‧‧‧ block
562 ‧‧‧ block
600 ‧‧‧ method
602 ‧‧‧ block
604 ‧‧‧ block
606 ‧‧‧ block
608 ‧‧‧ block
610 ‧‧‧ block
620 ‧‧‧ example boosting method
622 ‧‧‧ operation
624 ‧‧‧ operation
626 ‧‧‧ operation
628 ‧‧‧ operation
700 ‧‧‧ method
800 ‧‧‧ boosted decision stump
802 ‧‧‧ method
902 ‧‧‧ adaptive filter module
904 ‧‧‧ throttling module
906 ‧‧‧ observer mode module
908 ‧‧‧ high-level behavior detection module
910 ‧‧‧ behavior vector generator
912 ‧‧‧ secure buffer
914 ‧‧‧ spatial correlation module
916 ‧‧‧ temporal correlation module
1000 ‧‧‧ computing system
1002 ‧‧‧ behavior detector
1004 ‧‧‧ database engine
1006 ‧‧‧ secure buffer manager
1008 ‧‧‧ rules manager
1010 ‧‧‧ system health monitor
1014 ‧‧‧ ring buffer
1016 ‧‧‧ filter rules
1018 ‧‧‧ throttling rules
1020 ‧‧‧ secure buffer
1100 ‧‧‧ method
1102 ‧‧‧ block
1103 ‧‧‧ block
1104 ‧‧‧ block
1106 ‧‧‧ block
1108 ‧‧‧ block
1109 ‧‧‧ block
1110 ‧‧‧ block
1112 ‧‧‧ block
1114 ‧‧‧ block
1118 ‧‧‧ block
1200 ‧‧‧ method
1202 ‧‧‧ block
1204 ‧‧‧ block
1206 ‧‧‧ block
1300 ‧‧‧ method
1302 ‧‧‧ block
1304 ‧‧‧ block
1306 ‧‧‧ block
1308 ‧‧‧ block
1310 ‧‧‧ block
1400 ‧‧‧ method
1402 ‧‧‧ block
1404 ‧‧‧ block
1406 ‧‧‧ block
1408 ‧‧‧ block
1410 ‧‧‧ block
1412 ‧‧‧ block
1500 ‧‧‧ method
1502 ‧‧‧ block
1504 ‧‧‧ block
1506 ‧‧‧ block
1508 ‧‧‧ block
1510 ‧‧‧ block
1600 ‧‧‧ method
1602 ‧‧‧ block
1604 ‧‧‧ block
1606 ‧‧‧ block
1608 ‧‧‧ block
1610 ‧‧‧ block
1612 ‧‧‧ block
1700 ‧‧‧ smartphone
1702 ‧‧‧ processor
1704 ‧‧‧ internal memory
1706 ‧‧‧ display
1708 ‧‧‧ speaker
1710 ‧‧‧ antenna
1712 ‧‧‧ wireless transceiver
1716 ‧‧‧ audio coding/decoding (CODEC) circuit
1800 ‧‧‧ server
1801 ‧‧‧ processor
1802 ‧‧‧ volatile memory
1803 ‧‧‧ disk drive
1804 ‧‧‧ compact disc (CD) or DVD drive
1805 ‧‧‧ network
1806 ‧‧‧ network access port

The accompanying drawings, which are incorporated herein and constitute part of this specification, illustrate exemplary aspects of the claims and, together with the general description given above and the detailed description given below, serve to explain the features of the claims.

FIG. 1 is a communication system block diagram illustrating the network components of an example telecommunication system suitable for use with the various aspects.

FIG. 2 is a block diagram illustrating example logical components and information flows in an aspect mobile device configured to determine whether a particular mobile device behavior is malicious, performance-degrading, suspicious, or benign.

FIG. 3 is a block diagram illustrating example components and information flows in an aspect system that includes a network server configured to work in conjunction with a mobile device to determine whether a particular mobile device behavior is malicious, performance-degrading, suspicious, or benign.

FIG. 4 is a block diagram illustrating example components and information flows in an aspect system that includes a mobile device configured to generate targeted and lean classifier models from a full classifier model without retraining the data, behavior vectors, or classifier models.

FIG. 5A is a process flow diagram illustrating an aspect mobile device method of generating, in the mobile device, a lean classifier model that includes a subset of the features and data points included in a full classifier model received from a network server.

FIG. 5B is a process flow diagram illustrating another aspect mobile device method of generating a lean classifier model locally in the mobile device.

FIG. 5C is a process flow diagram illustrating an aspect mobile device method of using a locally generated lean classifier model to classify a behavior of the mobile device.

FIG. 5D is a process flow diagram illustrating another aspect mobile device method of generating a lean classifier model in the mobile device.

FIG. 6A is a process flow diagram illustrating an aspect network server method of generating, in the network server, a full classifier model that includes boosted decision stumps suitable for use by a mobile device in generating more focused and lean classifier models.

FIG. 6B is a process flow diagram illustrating an example method suitable for generating a boosted decision stump classifier in accordance with the various aspects.

FIG. 7 is a process flow diagram of an example method of generating a classifier model that includes boosted decision stumps in accordance with an aspect.

FIG. 8 is an illustration of example boosted decision stumps that may be generated by an aspect server processor and used by a mobile device processor to generate a lean classifier model.

FIG. 9 is a block diagram illustrating example logical components and information flows in an observer module configured to perform dynamic and adaptive observations in accordance with an aspect.

FIG. 10 is a block diagram illustrating logical components and information flows in a computing system implementing observer daemons in accordance with another aspect.

FIG. 11 is a process flow diagram illustrating an aspect method for performing adaptive observations on a mobile device.

FIGS. 12 through 16 are process flow diagrams illustrating methods of computing normalized confidence values using sigmoid parameters and of using the normalized confidence values for improved behavior analysis and classification in accordance with the various aspects.

FIG. 17 is a component block diagram of a mobile device suitable for use in an aspect.

FIG. 18 is a component block diagram of a server device suitable for use in an aspect.

The various aspects will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. References made to particular examples and implementations are for illustrative purposes and are not intended to limit the scope of the claims.

The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any implementation described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other implementations.

In overview, the various aspects include network servers, mobile devices, systems, and methods for efficiently identifying, classifying, modeling, preventing, and/or correcting the conditions and/or mobile device behaviors that often degrade a mobile device's performance and/or power utilization levels over time. A network server may be configured to receive information on various conditions, features, behaviors, and corrective actions from a central database (e.g., the "cloud"), and to use this information to generate a full classifier model (i.e., a data or behavior model) that describes a large corpus of behavior information in a format or structure that a mobile device can quickly convert into one or more lean classifier models.

In an aspect, the full classifier model may be a finite state machine description or representation of the large corpus of behavior information. In an aspect, the finite state machine may include information that is suitable for expression as a plurality of boosted decision stumps. For example, the finite state machine may be an information structure that may be expressed as a family of boosted decision stumps that collectively identify, describe, test, or evaluate all or many of the features and data points that are relevant to determining whether a mobile device behavior is benign or is contributing to that mobile device's degradation in performance over time. The network server may then send the full classifier model (i.e., the information structure that includes the finite state machine and/or the family of boosted decision stumps, etc.) to the mobile device.
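The server-side step described above (a full classifier model built from a behavior corpus as an ordered set of weighted decision stumps, each carrying a test condition and a weight value), as an added example that is not the patent's or Qualcomm's code. The patent does not name a boosting algorithm, so discrete AdaBoost with one-feature threshold stumps is assumed; the feature names and corpus rows are constructed; and ordering the stumps by their boosting weight stands in for the patent's "organize the stumps by probability value" step. The finite state machine encoding itself is not modelled: the model is shipped as the plain stump list.

```python
"""Server-side generation of a "full classifier model" as a list of boosted
decision stumps. Added example, not code from the patent or from Qualcomm.
Assumptions: discrete AdaBoost with one-feature threshold stumps as weak
learners (the patent names no boosting algorithm); a stump votes
"non-benign" when its feature exceeds its threshold; the corpus below is
constructed sample data with hypothetical feature names.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Behavior = Dict[str, float]

FEATURES = ("sms_sent_per_hour", "bytes_uploaded_mb", "cpu_wakelocks")

# Constructed corpus: (behavior vector, label), +1 = non-benign, -1 = benign.
CORPUS: List[Tuple[Behavior, int]] = [
    ({"sms_sent_per_hour": 45, "bytes_uploaded_mb": 80, "cpu_wakelocks": 60}, +1),
    ({"sms_sent_per_hour": 30, "bytes_uploaded_mb": 5, "cpu_wakelocks": 90}, +1),
    ({"sms_sent_per_hour": 2, "bytes_uploaded_mb": 200, "cpu_wakelocks": 20}, +1),
    ({"sms_sent_per_hour": 25, "bytes_uploaded_mb": 60, "cpu_wakelocks": 10}, +1),
    ({"sms_sent_per_hour": 1, "bytes_uploaded_mb": 3, "cpu_wakelocks": 15}, -1),
    ({"sms_sent_per_hour": 4, "bytes_uploaded_mb": 12, "cpu_wakelocks": 8}, -1),
    ({"sms_sent_per_hour": 0, "bytes_uploaded_mb": 40, "cpu_wakelocks": 25}, -1),
    ({"sms_sent_per_hour": 6, "bytes_uploaded_mb": 1, "cpu_wakelocks": 70}, -1),
]


@dataclass(frozen=True)
class Stump:
    """One boosted decision stump: a test condition (feature > threshold)
    plus the weight value the boosting round assigned to it."""
    feature: str
    threshold: float
    weight: float

    def vote(self, behavior: Behavior) -> int:
        return 1 if behavior[self.feature] > self.threshold else -1


def _candidate_thresholds(values: List[float]) -> List[float]:
    """Midpoints between consecutive distinct feature values."""
    distinct = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]


def _best_stump(corpus, weights) -> Tuple[str, float, float]:
    """Exhaustive search for the stump with the lowest weighted error."""
    best = ("", 0.0, float("inf"))
    for feature in FEATURES:
        for thr in _candidate_thresholds([b[feature] for b, _ in corpus]):
            err = sum(w for (b, y), w in zip(corpus, weights)
                      if (1 if b[feature] > thr else -1) != y)
            if err < best[2]:
                best = (feature, thr, err)
    return best


def train_full_model(corpus, rounds: int) -> List[Stump]:
    """Discrete AdaBoost: each round adds one stump with weight
    alpha = 0.5 * ln((1 - eps) / eps) and reweights the corpus so the next
    round concentrates on the behaviors this stump got wrong."""
    n = len(corpus)
    weights = [1.0 / n] * n
    model: List[Stump] = []
    for _ in range(rounds):
        feature, thr, eps = _best_stump(corpus, weights)
        if eps >= 0.5:          # nothing better than chance: stop boosting
            break
        eps = max(eps, 1e-10)   # guard the log against a perfect stump
        alpha = 0.5 * math.log((1 - eps) / eps)
        stump = Stump(feature, thr, alpha)
        model.append(stump)
        weights = [w * math.exp(-alpha * y * stump.vote(b))
                   for (b, y), w in zip(corpus, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return model


def order_by_weight(model: List[Stump]) -> List[Stump]:
    """Stand-in for the patent's "organize the stumps by probability value"
    step before shipping the model: strongest test conditions first."""
    return sorted(model, key=lambda s: s.weight, reverse=True)


def predict(model: List[Stump], behavior: Behavior) -> int:
    """Sign of the weighted vote: +1 non-benign, -1 benign."""
    return 1 if sum(s.weight * s.vote(behavior) for s in model) > 0 else -1


def training_accuracy(model: List[Stump], corpus) -> float:
    return sum(predict(model, b) == y for b, y in corpus) / len(corpus)


if __name__ == "__main__":
    full = train_full_model(CORPUS, rounds=3)
    for s in order_by_weight(full):
        print(f"{s.feature} > {s.threshold}: weight {s.weight:.3f}")
    print("training accuracy:", training_accuracy(full, CORPUS))
```

On this corpus no single stump separates the two classes, but three boosting rounds do: the first two stumps leave one non-benign row misclassified and the third, which re-tests the SMS feature at a lower threshold, corrects it. That is the property the device side relies on when it later keeps several stumps that test the same feature.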

The mobile device may be configured to receive the full classifier model and use it to generate a lean classifier model, or a family of lean classifier models, of varying levels of complexity (or "leanness"). To accomplish this, the mobile device may cull the robust family of boosted decision stumps included in the full classifier model received from the network server (herein the "full boosted decision stump classifier model") to generate a lean classifier model that includes a reduced number of boosted decision stumps and/or evaluates a limited number of test conditions. This culling of the full boosted decision stump classifier model may be accomplished by: selecting a boosted decision stump; identifying all other boosted decision stumps that depend on the same mobile device state, feature, behavior, or condition as the selected decision stump (and that can therefore be applied based on a single determination result); including in the lean classifier model the selected decision stump and all the identified other boosted decision stumps that depend on the same mobile device state, feature, behavior, or condition; and repeating the process for a limited number of selected boosted decision stumps not yet included in the lean classifier model. In this manner, a lean classifier model may be generated that includes all the boosted decision stumps that depend on a limited number of different mobile device states, features, behaviors, or conditions. The mobile device may then use this locally generated lean classifier model to quickly classify mobile device behaviors without consuming an excessive amount of its processing, memory, or energy resources.

In an aspect, the mobile device may perform the operations of culling the full boosted decision stump classifier model several times, using different numbers of different mobile device states, features, behaviors, or conditions, in order to generate a family of lean classifier models of differing degrees of leanness. The greater the number of different mobile device states, features, behaviors, or conditions used to generate a lean classifier model, the more likely the model is to accurately identify malicious or suspicious behavior, but the more processing power it will consume. Thus, in an aspect, the mobile device may be configured to routinely apply the leanest model in the family of lean classifier models (i.e., the model based on the fewest number of different mobile device states, features, behaviors, or conditions). If the results produced by the leanest classifier model are suspicious, the mobile device processor may apply a more robust (i.e., less lean) classifier model that evaluates more device states, features, behaviors, or conditions to determine whether the behavior can be identified as malicious or benign. If the results produced by applying that less lean classifier model are still suspicious, an even more robust (even less lean) classifier model may be applied, and so on, until the behavior is definitively classified as malicious or benign.
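The device-side procedure from the claims above and from the two preceding paragraphs (converting the received model into a stump list, keeping only the stumps that test a limited number of unique conditions, building a family of lean models of increasing size, scoring a behavior vector by a weighted vote, mapping the score to a normalized confidence value with the sigmoid parameters, and escalating to a less lean model only while the confidence stays suspicious), as an added example that is not the patent's or Qualcomm's code. It assumes the full model arrives as a stump list already ordered by the server (the finite state machine is not modelled), that the sigmoid parameters are a Platt-style pair (a, b) giving confidence = 1 / (1 + exp(-(a * score + b))), and that the feature names, stump weights, thresholds, sigmoid values and sample behavior vectors are all constructed.

```python
"""Device-side use of a received full classifier model: culling it into a
family of lean models, scoring a behavior vector, normalizing the score with
sigmoid parameters, and escalating through the family. Added example, not
code from the patent or from Qualcomm. Assumptions: the model arrives as an
ordered stump list (no finite state machine); the sigmoid parameters are a
Platt-style pair (a, b); every name and number below is constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Behavior = Dict[str, float]


@dataclass(frozen=True)
class Stump:
    feature: str       # the test condition is "feature > threshold"
    threshold: float
    weight: float      # weight value assigned by the server's boosting

    def vote(self, behavior: Behavior) -> int:
        return 1 if behavior[self.feature] > self.threshold else -1


# Constructed full classifier model as received, strongest stump first.
FULL_MODEL: List[Stump] = [
    Stump("sms_sent_per_hour", 20, 1.2),
    Stump("bytes_uploaded_mb", 50, 0.9),
    Stump("sms_sent_per_hour", 5, 0.7),
    Stump("cpu_wakelocks", 30, 0.6),
    Stump("bytes_uploaded_mb", 10, 0.5),
    Stump("contacts_reads", 3, 0.4),
    Stump("cpu_wakelocks", 80, 0.3),
]

# Constructed sigmoid parameters (a, b) as received from the server.
SIGMOID: Tuple[float, float] = (4.0, 0.0)

# Constructed behavior vectors, as the behavior observer would collect them.
SAMPLES: Dict[str, Behavior] = {
    "spam_sender": {"sms_sent_per_hour": 40, "bytes_uploaded_mb": 120,
                    "cpu_wakelocks": 100, "contacts_reads": 10},
    "idle": {"sms_sent_per_hour": 0, "bytes_uploaded_mb": 1,
             "cpu_wakelocks": 5, "contacts_reads": 0},
    "quiet_uploader": {"sms_sent_per_hour": 10, "bytes_uploaded_mb": 120,
                       "cpu_wakelocks": 100, "contacts_reads": 10},
}


def reduced_model(full: Sequence[Stump], n_conditions: int) -> List[Stump]:
    """Walk the ordered stump list, collecting unique test conditions until
    n_conditions are gathered, then keep every stump that tests one of them
    (they all read the same observed features, so they cost nothing extra)."""
    conditions: List[str] = []
    for s in full:
        if len(conditions) == n_conditions:
            break
        if s.feature not in conditions:
            conditions.append(s.feature)
    return [s for s in full if s.feature in conditions]


def model_family(full: Sequence[Stump], sizes: Sequence[int]) -> List[List[Stump]]:
    """Leanest model first; each later model evaluates more conditions."""
    return [reduced_model(full, n) for n in sorted(sizes)]


def score(model: Sequence[Stump], behavior: Behavior) -> float:
    """Weighted average of the stump votes, in [-1, 1]."""
    total = sum(s.weight for s in model)
    return sum(s.weight * s.vote(behavior) for s in model) / total


def normalized_confidence(raw: float, sigmoid: Tuple[float, float]) -> float:
    """Map the raw weighted average to a value in (0, 1) with the
    server-supplied sigmoid parameters (Platt scaling, assumed here)."""
    a, b = sigmoid
    return 1.0 / (1.0 + math.exp(-(a * raw + b)))


def classify(family, behavior, sigmoid, band=(0.2, 0.8)):
    """Apply the leanest model first and escalate to the next model only
    while the normalized confidence stays inside the suspicious band.
    Returns (label, confidence, number_of_models_applied); if the family is
    exhausted the last (most complete) model decides at 0.5."""
    low, high = band
    applied, conf = 0, 0.5
    for model in family:
        applied += 1
        conf = normalized_confidence(score(model, behavior), sigmoid)
        if conf <= low or conf >= high:
            break
    return ("non-benign" if conf >= 0.5 else "benign", conf, applied)


if __name__ == "__main__":
    fam = model_family(FULL_MODEL, (1, 2, 4))
    print("family sizes (stumps):", [len(m) for m in fam])
    for name, beh in SAMPLES.items():
        print(name, classify(fam, beh, SIGMOID))
```

Of the three constructed vectors, the first two are settled by the two-stump leanest model alone, while the third sits in the suspicious band for the first and second models and is only resolved by the full seven-stump model; that escalation is what keeps the routine cost low without giving up accuracy on the ambiguous cases. The band limits and the escalation order are tuning choices; the patent's own thresholds and sigmoid values are not given on this page.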

By storing information on such behaviors and corrective actions in a central database (i.e., the "cloud"), and by configuring mobile devices and network servers to work in conjunction with one another, using the information stored in the central database to intelligently and efficiently identify the factors that contribute to the degradation of each mobile device's performance and power utilization levels over time, the various aspects enable mobile devices to identify and respond to the performance-limiting and undesirable operating conditions of the mobile device more accurately and efficiently.

In addition, by generating classifier models that include boosted decision stumps in the network server and sending these classifiers/models to the mobile device, the various aspects allow the mobile device to quickly and efficiently generate lean (or more focused) classifier models locally, by culling boosted decision stumps in the manner described above, without accessing training data or communicating further with the network server, the central database, or the cloud network/server. This significantly reduces the mobile device's dependence on the network and further improves the performance and power consumption characteristics of the mobile device.

A number of different cellular and mobile communication services and standards are available or contemplated in the future, all of which may implement and benefit from the various aspects. Such services and standards include, e.g., third generation partnership project (3GPP), long term evolution (LTE) systems, third generation wireless mobile communication technology (3G), fourth generation wireless mobile communication technology (4G), global system for mobile communications (GSM), universal mobile telecommunications system (UMTS), 3GSM, general packet radio service (GPRS), code division multiple access (CDMA) systems (e.g., cdmaOne, CDMA1020TM), enhanced data rates for GSM evolution (EDGE), advanced mobile phone system (AMPS), digital AMPS (IS-136/TDMA), evolution-data optimized (EV-DO), digital enhanced cordless telecommunications (DECT), worldwide interoperability for microwave access (WiMAX), wireless local area network (WLAN), Wi-Fi protected access I & II (WPA, WPA2), and integrated digital enhanced network (iden). Each of these technologies involves, for example, the transmission and reception of voice, data, signaling, and/or content messages. It should be understood that any references to terminology and/or technical details related to an individual telecommunication standard or technology are for illustrative purposes only, and are not intended to limit the scope of the claims to a particular communication system or technology unless specifically recited in the claim language.

The terms "mobile computing device" and "mobile device" are used interchangeably herein to refer to any one or all of cellular telephones, smartphones, personal or mobile multimedia players, personal data assistants (PDAs), laptop computers, tablet computers, smartbooks, ultrabooks, palm-top computers, wireless electronic mail receivers, multimedia Internet-enabled cellular telephones, wireless gaming controllers, and similar personal electronic devices that include a memory and a programmable processor for which performance is important, and that operate under battery power such that power conservation methods are of benefit. While the various aspects are particularly useful for mobile computing devices, such as smartphones, which have limited resources and run on battery, the aspects are generally useful in any electronic device that includes a processor and executes application programs.

Generally, the performance and power efficiency of a mobile device degrade over time. Recently, anti-virus companies (e.g., McAfee, Symantec, etc.) have begun marketing mobile anti-virus, firewall, and encryption products that aim to slow this degradation. However, many of these solutions rely on the periodic execution of a computationally intensive scanning engine on the mobile device, which may consume many of the mobile device's processing and battery resources, slow or render the mobile device useless for extended periods of time, and/or otherwise degrade the user experience. In addition, these solutions are typically limited to detecting known viruses and malware, and do not address the multiple complex factors and/or interactions that often combine to contribute to a mobile device's degradation over time (e.g., when the performance degradation is not caused by viruses or malware). For these and other reasons, existing anti-virus, firewall, and encryption products do not provide adequate solutions for identifying the numerous factors that may contribute to a mobile device's degradation over time, for preventing mobile device degradation, or for efficiently restoring an aging mobile device to its original condition.

Various other solutions exist for detecting malware by using machine learning techniques or by modeling the behavior of processes or application programs executing on a computing device. However, many of these solutions are not suitable for use on mobile devices because they require evaluating a very large corpus of data, are limited to evaluating an individual application program or process, or require the execution of computationally intensive processes on the mobile device. As such, implementing or executing these solutions in a mobile device may have a significant negative and/or user-perceivable impact on the responsiveness, performance or power consumption characteristics of the mobile device. For these and other reasons, existing modeling and machine learning solutions are not well suited for use in the complex yet resource-constrained systems of modern mobile devices.

For example, existing machine-learning-based solutions may include configuring a computing device to use a corpus of training data to derive a model that takes a feature vector as its input. However, such a solution does not generate a full classifier model (or family of classifier models) that includes a finite state machine (or other similar information structure) suitable for conversion into or expression as a plurality of boosted decision stumps that each include a test condition and a weight value. For at least this reason, such solutions cannot be used by a mobile device processor to quickly and efficiently generate a lean classifier model that includes a focused set of boosted decision stumps, which the mobile device can use to quickly and efficiently identify, analyze and/or classify mobile device behaviors without having a significant negative or user-perceivable impact on the responsiveness, performance or power consumption characteristics of the mobile device.

Mobile devices are resource-constrained systems that have relatively limited processing, memory and energy resources. Modern mobile devices are also complex systems, and it is often not feasible to evaluate all of the various data flows, data operations (reads, writes, data encoding, data transmissions, etc.), processes, components, behaviors or factors (or combinations thereof) that may be malicious or otherwise contribute to the performance degradation of the mobile device. For these and other reasons, it is increasingly difficult for users, operating systems and/or application programs (e.g., anti-virus software, etc.) to accurately and efficiently identify the sources of problems and/or provide adequate remedies for identified problems. As a result, mobile device users currently have few remedies for preventing the degradation of a mobile device's performance and power utilization levels over time.

The various aspects include network servers, mobile devices, systems and methods for efficiently identifying, classifying, modeling, preventing and/or correcting the conditions and/or mobile device behaviors that often degrade a mobile device's performance and/or power utilization levels over time.

In an aspect, an observer process, daemon, module or sub-system (herein collectively referred to as a "module") of the mobile device may instrument or coordinate various application programming interfaces (APIs), registers, counters or other components (herein collectively referred to as "instrumented components") at various levels of the mobile device system. The observer module may continuously (or near continuously) monitor mobile device behaviors by collecting behavior information from the instrumented components. The mobile device may also include an analyzer module, and the observer module may communicate the collected behavior information (e.g., via a memory write operation, function call, etc.) to the analyzer module of the mobile device. The analyzer module may receive and use the behavior information to generate behavior vectors, generate spatial and/or temporal correlations based on the behavior vectors, and use this information to determine whether a particular mobile device behavior, sub-system, software application or process is benign, suspicious, malicious or performance-degrading.

The analyzer module may be configured to perform real-time behavior analysis operations, which may include performing, executing and/or applying data, algorithms, classifiers or behavior models (herein collectively referred to as "classifier models") to the collected behavior information to determine whether a mobile device behavior is benign or not benign (e.g., malicious or performance-degrading). Each classifier model may be a behavior model that includes information that a mobile device processor may use to evaluate a specific aspect of a mobile device behavior. The classifier models may be preinstalled on the mobile device, downloaded to the mobile device, received from a network server, generated in the mobile device, or any combination thereof. The classifier models may be generated by using machine learning and other similar techniques.

Each classifier model may be categorized as a full classifier model or a lean classifier model. A full classifier model may be a robust data model that is generated as a function of a large training dataset, which may include thousands of features and billions of entries. A lean classifier model may be a more focused data model that is generated from a reduced dataset that includes only the features/entries that are most relevant for determining whether a particular mobile device behavior is benign or not benign (e.g., malicious or performance-degrading).

As mentioned above, there may be thousands of features/factors and billions of data points that require analysis to properly identify the cause or source of a mobile device's degradation. Therefore, each classifier model used by the analyzer module must be trained on a very large number of features, factors and data points in order for the mobile device to make accurate decisions regarding whether a particular mobile device behavior is benign or not benign (e.g., malicious or performance-degrading). Yet, because mobile devices are resource-constrained systems, it is often not feasible for the analyzer module to evaluate all of these features, factors and data points. Therefore, it is important for the analyzer module to apply lean classifier models that focus on evaluating a targeted subset of all the features, factors and data points that would otherwise require analysis when classifying a mobile device behavior.

The various aspects include mobile devices and network servers configured to work in conjunction with one another to intelligently and efficiently identify the features, factors and data points that are most relevant to determining whether a mobile device behavior is benign or not benign (e.g., malicious or performance-degrading). By generating classifier models that include boosted decision stumps in the network server and sending these classifiers/models to the mobile device, the various aspects allow the mobile device to quickly and efficiently generate lean classifier models in the mobile device.

In various aspects, the network server may be configured to receive from a cloud service/network a large amount of information regarding mobile device behaviors and the states, features and conditions that occur during, or characterize, those behaviors. This information may be in the form of a very large cloud corpus of mobile device behavior vectors. The network server may use this information to generate a full classifier model (i.e., a robust data/behavior model) that accurately describes the very large cloud corpus of behavior vectors. The network server may generate the full classifier model to include all or most of the features, data points and/or factors that could contribute to the degradation over time of any of a number of different mobile devices.

In an aspect, the network server may generate the full classifier model to include a finite state machine expression or representation, such as a boosted decision stump or a family of boosted decision stumps. This finite state machine expression or representation may be quickly and efficiently culled, modified or converted into lean classifier models suitable for use or execution in the mobile device by applying culling algorithms at the mobile device processor. The finite state machine expression or representation may be an information structure that includes test conditions, state information, state-transition rules and other similar information. In an aspect, the finite state machine expression or representation may be an information structure that includes a large or robust family of boosted decision stumps that each evaluate or test a condition, feature, factor or aspect of the behavior of the mobile device.

The mobile device may be configured to receive the full classifier model from the network server, and to use the received full classifier model to generate lean classifier models (i.e., data/behavior models) locally in the mobile device. The mobile device may generate these local lean classifier models by culling the set of boosted decision stumps included in the received full classifier model into a subset of boosted decision stumps that identify, test, evaluate and/or depend upon a reduced or limited number of different mobile device states, features, behaviors or conditions. This culling of the full set of boosted decision stumps may be accomplished by: selecting a boosted decision stump; identifying all other boosted decision stumps that depend upon the same mobile device state, feature, behavior or condition as the selected decision stump (and which therefore can be applied based on a single determination result); including the selected and all the identified other boosted decision stumps that depend upon the same mobile device state, feature, behavior or condition in the lean classifier model; and repeating the process for a reduced/limited number of selected boosted decision stumps not already included in the lean classifier model. By repeating the process using different numbers of mobile device states, features, behaviors or conditions under test, a family of lean classifier models of different degrees of leanness, determined by the number of states, features, behaviors or conditions evaluated, may be generated. In addition, each of these lean classifier models may test or evaluate some or all of the same features or conditions as another lean classifier model, but using different thresholds and/or different weights assigned to the importance of the evaluated test results, features or conditions. As such, the process of generating or regenerating the lean classifier models may include recalculating the thresholds and/or weights associated with the decision stumps.

Because these lean classifier models include a reduced subset of the states, features, behaviors or conditions that must be tested (compared to the full classifier model), the observer and/or analyzer modules may use them to quickly and accurately determine whether a mobile device behavior is benign or is contributing to the degradation of the mobile device's performance, without consuming an excessive amount of the mobile device's processing, memory or energy resources. As mentioned above, the leanest model of the family of lean classifier models (i.e., the lean classifier model based on the fewest test conditions) may be applied routinely until a behavior is encountered that the model cannot classify as either benign or malicious (and which that model therefore classifies as suspicious), at which point a more robust (i.e., less lean) lean classifier model may be applied in an attempt to classify the behavior as either benign or malicious. Even more robust lean classifier models in the generated family of lean classifier models may be applied until a definitive classification of the behavior is reached. In this manner, the observer and/or analyzer modules can strike a balance between efficiency and accuracy by limiting the use of the most complete, but resource-intensive, lean classifier models to those situations in which a robust classifier model is needed to definitively classify a behavior.

In various aspects, the mobile device may be configured to generate one or more lean classifier models by converting the finite state machine representation/expression into boosted decision stumps; culling the full set of boosted decision stumps included in the full classifier model into one or more subsets of boosted decision stumps that depend upon a limited number of different mobile device states, features, behaviors or conditions; and using the subset(s) of boosted decision stumps to intelligently monitor, analyze and/or classify mobile device behaviors. The use of boosted decision stumps allows the observer and/or analyzer modules to generate and apply lean data models without communicating with the cloud or a network to retrain on the data, which significantly reduces the mobile device's dependence upon the network server and the cloud. This eliminates the feedback communications between the mobile device and the network server, further improving the performance and power consumption characteristics of the mobile device.

A boosted decision stump is a one-level decision tree that has exactly one node (and therefore one test question or test condition) and a weight value, and is thus well suited for binary classification of data/behaviors. That is, applying a behavior vector to a boosted decision stump yields a binary answer (e.g., yes or no). For example, if the question/condition tested by a boosted decision stump is "is the frequency of short message service (SMS) transmissions less than x per minute", applying the value "3" to the boosted decision stump will yield either a "yes" answer (for "fewer than 3" SMS transmissions) or a "no" answer (for "3 or more" SMS transmissions).

Boosted decision stumps are efficient because they are very simple and primal (and therefore do not require significant processing resources). Boosted decision stumps are also highly parallelizable, so many stumps can be applied or tested in parallel/at the same time (e.g., by multiple cores or processors in the mobile device).

As described below, the network server (or another computing device) may generate a boosted decision stump-type full classifier model from another, more complex model of mobile device behaviors, such as a boosted decision tree model. Such complex models may correlate the full (or nearly full) set of interactions among the device states, operations and monitored nodes that characterize mobile device behavior in a sophisticated classification system. As mentioned above, the server or other computing device may generate the full, complex classifier model by applying machine learning techniques to generate models that describe a cloud corpus of behavior vectors collected from a large number of mobile devices. As an example, a boosted decision tree classifier model may trace hundreds of paths through decision nodes of testable conditions to arrive at a determination of whether a current mobile device behavior is malicious or benign. Such complex models may be generated in the server using a number of known learning and correlation modeling techniques. While such complex models can become quite effective at accurately recognizing malicious behaviors by learning from data from hundreds of mobile devices, applying them to the configuration and behaviors of a particular mobile device may require significant processing, particularly where the models involve complex, multi-level decision trees. Because mobile devices typically have limited resources, using such models may impact device performance and battery life.

To render a robust classifier model more conducive to use by mobile devices, a server (e.g., a cloud server or the network server) or another computing device (e.g., the mobile device, or a computer that will be coupled to the mobile device) may transform the complex classifier model into a large boosted decision stump model. The simpler determinations involved in decision stumps, and the ability to apply such classifier models in parallel processes, may enable mobile devices to benefit more fully from the analysis performed by the network server. Also, as discussed below, the boosted decision stump full classifier model may be used by the mobile device to generate lean classifier models using the aspect methods described below.

In an aspect, the server or other computing device that generates the boosted decision stump full classifier model may accomplish this by following the aspect process described in more detail below. In summary, the server or other computing device may select a node within the full, complex classifier model (e.g., a boosted decision tree model) and apply the model to determine the percentage of the time that the node predicts malicious behavior. In other words, the server or other computing device may select one branch of the node and follow all of the subsequent nodes and paths connected to that branch to determine the percentage of the time that the branch results in a determination of malicious behavior. In an aspect, this percentage of the time may be used to compute a "weight" factor for the node. For example, a decision node whose subsequent paths from one branch lead to a conclusion of malicious behavior 80% of the time may be associated with a weighting factor of 0.8, indicating that this single decision node is a reliable indicator of potentially malicious (and therefore suspicious) behavior. As another example, a decision node in the complex classifier model whose branches lead equally to a conclusion of malicious behavior will provide little help in identifying malicious behavior, and so may be given a very low weighting factor or priority.

In the process of tracing the results from each decision node, if the decision node is not binary (i.e., "yes" or "no"), the server or other computing device may apply a variety of test conditions to that node. For example, a complex classifier model may accommodate a range of values (e.g., the number of SMS messages transmitted per minute) in which the ultimate conclusion depends upon the value. However, a range of values does not fit the binary nature of decision stumps. Thus, the server or other computing device may develop a range of binary decisions or tests for such nodes that lend themselves to characterization as value conditions. For example, the server or other computing device may generate and test several threshold tests or conditions through the complex classifier model, such as "more than one", "more than ten" and "more than 100". Such threshold tests may be identified or selected by the server based on the conclusions it can reach from studying the complex model. Each such threshold-based test may then be treated as a single decision stump, which may be tested to determine its predictive value and therefore its boosting factor.

By following this process through all of the decision nodes in the complex classifier model, the server or other computing device may transform the complex, multi-level decision model into a single-level model with a large number of boosted decision stumps. The server or other computing device may then trim the model by removing decision stumps whose value is below a threshold, so as to remove test conditions that provide little predictive or classification benefit (e.g., "power on?").
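As an added illustration of the server-side conversion described above (example code, not code from the patent or from Qualcomm), the following Python turns a constructed multi-level decision tree into weighted decision stumps, generates the extra threshold tests ("more than 1/10/100") for a numeric feature, and trims the uninformative stumps. The tree, the feature names, the threshold ladder and the choice of the difference between the two branches' malicious percentages as the stump weight are all assumptions of this example.

```python
"""Added example (not the patent's or Qualcomm's code): complex decision tree -> boosted stumps."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Node:
    """Node of the constructed complex classifier model. A leaf carries a label;
    an inner node tests whether a feature value exceeds a threshold (boolean
    features are encoded as 0/1 and tested against 0.5)."""
    label: Optional[str] = None       # "malicious" or "benign" on leaves
    feature: Optional[str] = None     # feature tested by an inner node
    threshold: float = 0.0
    yes: Optional["Node"] = None      # branch taken when feature > threshold
    no: Optional["Node"] = None       # branch taken when feature <= threshold


# One constraint per node along a path: (feature, took_yes_branch, threshold)
Path = List[Tuple[str, bool, float]]


def enumerate_paths(node: Node, path: Optional[Path] = None) -> List[Tuple[Path, str]]:
    """Follow every branch down to its leaves, recording the constraints along
    the way (the 'follow all subsequent nodes and paths' step of the description)."""
    path = path or []
    if node.label is not None:
        return [(path, node.label)]
    yes_paths = enumerate_paths(node.yes, path + [(node.feature, True, node.threshold)])
    no_paths = enumerate_paths(node.no, path + [(node.feature, False, node.threshold)])
    return yes_paths + no_paths


def feasible(path: Path, feature: str, above: bool, t: float) -> bool:
    """True when some value of `feature` satisfies both the path's own constraints
    and the candidate stump test (feature > t if `above`, else feature <= t)."""
    lo, hi = float("-inf"), float("inf")   # the feature must lie in (lo, hi]
    for f, took_yes, thr in path:
        if f == feature:
            if took_yes:
                lo = max(lo, thr)
            else:
                hi = min(hi, thr)
    if above:
        lo = max(lo, t)
    else:
        hi = min(hi, t)
    return lo < hi


def malicious_share(paths, feature: str, above: bool, t: float) -> float:
    """Fraction of reachable leaves concluding 'malicious' when the candidate
    test holds (above=True) or fails (above=False): the page's 'percentage of the time'."""
    labels = [label for path, label in paths if feasible(path, feature, above, t)]
    if not labels:
        return 0.0
    return sum(1 for label in labels if label == "malicious") / len(labels)


@dataclass(frozen=True)
class Stump:
    feature: str
    threshold: float
    weight: float   # boosting weight: how strongly "test holds" indicates malicious


def tree_to_stumps(root: Node, numeric: Set[str], ladder, min_weight: float = 0.1) -> List[Stump]:
    """Turn the multi-level tree into weighted decision stumps.
    Candidates are every (feature, threshold) the tree tests plus the extra
    threshold ladder for each numeric feature. The weight used here is
    P(malicious | test holds) - P(malicious | test fails), an assumption of this
    example: a node whose two branches are equally malicious scores ~0 and is trimmed."""
    paths = enumerate_paths(root)
    candidates = set()
    for path, _ in paths:
        for f, _, thr in path:
            candidates.add((f, thr))
            if f in numeric:
                candidates.update((f, t) for t in ladder)
    stumps = []
    for f, t in sorted(candidates):
        w = malicious_share(paths, f, True, t) - malicious_share(paths, f, False, t)
        if abs(w) >= min_weight:                 # trim tests with little predictive value
            stumps.append(Stump(f, t, round(w, 3)))
    return stumps


def build_sample_tree() -> Node:
    """Constructed toy model. Both branches of 'power_on' carry the same sub-tree,
    so that test predicts nothing and should be trimmed (the page's "power on?")."""
    def sms_subtree() -> Node:
        return Node(feature="sms_per_min", threshold=10.0,
                    yes=Node(feature="premium_number", threshold=0.5,
                             yes=Node(label="malicious"), no=Node(label="malicious")),
                    no=Node(feature="premium_number", threshold=0.5,
                            yes=Node(label="malicious"), no=Node(label="benign")))
    return Node(feature="power_on", threshold=0.5, yes=sms_subtree(), no=sms_subtree())


if __name__ == "__main__":
    for stump in tree_to_stumps(build_sample_tree(), {"sms_per_min"}, [1.0, 10.0, 100.0]):
        print(stump)
```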

Although the resulting number of such decision stumps may be large in the full classifier model, the binary nature of decision stumps facilitates their application, particularly in resource-constrained processors. In an aspect, the server or other computing device may provide the boosted decision stump full classifier model to mobile devices for their use.

The large classifier model of boosted decision stumps may be generated by the cloud server that analyzes inputs from many mobile devices and generates the full, complex behavior classifier model, because such servers have the processing resources and processing time to complete the analysis. However, as mentioned above, the aspect method may also be performed by another computing device, including even the mobile device itself. In this aspect, the server (e.g., the cloud or network server) may deliver the full, complex behavior classifier model to another computing device, which may then process the model as summarized above and outlined in more detail below to transform it into a boosted decision stump model. For example, a personal computer that the user couples to his or her mobile device may download the full, complex behavior classifier model and then perform the aspect method to generate the large boosted decision stump model, which the personal computer makes available to the mobile device (e.g., via a wired or wireless data link). As another example, the mobile device may download the full, complex behavior classifier model and then perform the aspect method, such as at night while the device is charging and not in use, to generate the large boosted decision stump model, which it stores in memory. Because the process implemented by the server or by another computing device is very similar, the aspect method is described in more detail below as being performed by the server. However, that description is for purposes of example and is not intended to limit the aspect method to being performed on a server unless specifically so recited in the claims.

In another aspect, the mobile device may be configured to build a lean classifier model from the received or self-generated large classifier model of boosted decision stumps by selecting a limited number of factors to be tested in the decision stumps, without accessing the training data and without consuming an excessive amount of the mobile device's processing, memory or energy resources. The analyzer module may use the lean classifier model of selected boosted decision stumps to identify malware and to classify device behaviors as malicious or benign. As described more fully below, the mobile device may generate the lean classifier model by: determining the number of monitored features that will be tested (e.g., 15); selecting a first feature and merging into the lean classifier all of the boosted decision stumps whose tests include that feature (e.g., all of the stumps whose threshold tests are based on a value obtained from the monitored feature); and repeating this process until the number of features addressed in the lean classifier model reaches the determined number. That the number of boosted decision stumps in this lean classifier model may be significantly greater than the number of features is of no consequence.
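The client-side culling just described, the family of lean models of increasing size, and the escalation from the leanest model to more robust ones described earlier, as an added Python example (not code from the patent or from Qualcomm). The stump set, the feature names, the strongest-first selection order, the normalised confidence score, the feature budgets and the 0.3 decision margin are all constructed or assumed here.

```python
"""Added example (not the patent's or Qualcomm's code): lean models from a full stump set, then cascaded use."""
from typing import Dict, List, NamedTuple, Tuple


class Stump(NamedTuple):
    feature: str
    threshold: float
    weight: float     # boosting weight; "feature > threshold" votes malicious


# Constructed stand-in for a full boosted-stump classifier model received from the
# network server (a real one holds thousands of stumps). Names and weights are made up.
FULL_MODEL: List[Stump] = [
    Stump("premium_sms_count", 0.5, 0.9),
    Stump("sms_per_min", 10.0, 0.6),
    Stump("sms_per_min", 100.0, 0.3),
    Stump("contacts_read_per_min", 5.0, 0.5),
    Stump("camera_use_while_locked", 0.5, 0.4),
    Stump("screen_on", 0.5, 0.05),
    Stump("wifi_scan_per_hour", 20.0, 0.15),
]


def reduce_model(full: List[Stump], feature_budget: int) -> List[Stump]:
    """Client-side culling: pick the strongest stump whose feature is not yet
    covered, pull in every stump that tests the same feature (they all depend on
    the same monitored value), and stop once `feature_budget` distinct features
    are covered. Strongest-first is this example's choice; the page only says
    'select a first feature'. Weights are then renormalised (the page's
    'recalculating weights' step) so that the model's confidence lies in [-1, 1]."""
    chosen: List[str] = []
    for s in sorted(full, key=lambda s: -abs(s.weight)):
        if len(chosen) == feature_budget:
            break
        if s.feature not in chosen:
            chosen.append(s.feature)
    stumps = [s for s in full if s.feature in chosen]
    total = sum(abs(s.weight) for s in stumps)
    return [Stump(s.feature, s.threshold, s.weight / total) for s in stumps]


def build_family(full: List[Stump], budgets: List[int]) -> List[List[Stump]]:
    """Family of lean models, leanest (fewest features) first."""
    return [reduce_model(full, b) for b in sorted(budgets)]


def confidence(model: List[Stump], behavior: Dict[str, float]) -> float:
    """Normalised confidence in [-1, 1]: each stump answers its binary test and
    casts a weighted vote (+ malicious, - benign). A feature missing from the
    behavior vector is treated as 0, i.e. 'not observed'."""
    return sum(s.weight * (1.0 if behavior.get(s.feature, 0.0) > s.threshold else -1.0)
               for s in model)


def classify(model: List[Stump], behavior: Dict[str, float], margin: float) -> str:
    """'suspicious' means this model could not decide with enough confidence."""
    c = confidence(model, behavior)
    if c >= margin:
        return "malicious"
    if c <= -margin:
        return "benign"
    return "suspicious"


def cascade_classify(family: List[List[Stump]], behavior: Dict[str, float],
                     margin: float = 0.3) -> Tuple[str, int]:
    """Apply the leanest model routinely and escalate to a more robust one only
    while the verdict stays 'suspicious'. Returns the verdict and the index of
    the model that produced it, so the caller can see how much work was spent."""
    verdict = "suspicious"
    for i, model in enumerate(family):
        verdict = classify(model, behavior, margin)
        if verdict != "suspicious":
            return verdict, i
    return verdict, len(family) - 1


# Constructed behavior vectors (feature name -> observed value).
CLEARLY_MALICIOUS = {"premium_sms_count": 3, "sms_per_min": 150}
CLEARLY_BENIGN = {"sms_per_min": 1, "screen_on": 1}
AMBIGUOUS = {"premium_sms_count": 1, "sms_per_min": 2,
             "contacts_read_per_min": 30, "camera_use_while_locked": 1}


if __name__ == "__main__":
    family = build_family(FULL_MODEL, [2, 4, 6])   # the page's example budget is 15
    for name, vec in [("malicious", CLEARLY_MALICIOUS), ("benign", CLEARLY_BENIGN),
                      ("ambiguous", AMBIGUOUS)]:
        print(name, cascade_classify(family, vec))
```

The ambiguous vector is inconclusive for the two-feature model and is only resolved after escalating to the four-feature model, which is the behaviour the cascade is meant to produce.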

In an aspect, the mobile device may be configured to receive a full classifier model that includes a finite state machine suitable for conversion into a plurality of boosted decision stumps. The mobile device may generate a lean classifier model based on the full classifier model by converting the finite state machine of the full classifier model into boosted decision stumps and using these boosted decision stumps as the lean classifier model.

The various aspects may be implemented within a variety of communication systems, such as the example communication system 100 illustrated in FIG. 1. A typical cell telephone network 104 includes a plurality of cell base stations 106 coupled to a network operations center 108, which operates to connect voice calls and data between mobile devices 102 (e.g., cell phones, laptops, tablets, etc.) and other network destinations, such as via telephone land lines (e.g., a POTS network, not shown) and the Internet 110. Communications between the mobile devices 102 and the telephone network 104 may be accomplished via two-way wireless communication links 112, such as 4G, 3G, CDMA, TDMA, LTE and/or other cell telephone communication technologies. The telephone network 104 may also include one or more servers 114 coupled to or within the network operations center 108 that provide a connection to the Internet 110.

The communication system 100 may further include a network server 116 connected to the telephone network 104 and to the Internet 110. The connection between the network server 116 and the telephone network 104 may be through the Internet 110 or through a private network (as illustrated by the dashed arrows). The network server 116 may also be implemented as a server within the network infrastructure of a cloud service provider network 118. Communication between the network server 116 and the mobile devices 102 may be achieved through the telephone network 104, the Internet 110, a private network (not illustrated), or any combination thereof.

The network server 116 may send reduced data/behavior models to the mobile device 102, which may receive and use the reduced data/behavior models to identify suspicious or performance-degrading mobile device behaviors, software applications, processes, etc. The network server 116 may also send classification and modeling information to the mobile device 102 to replace, update, create and/or maintain the mobile device data/behavior models.

The mobile device 102 may collect behavior, state, classification, modeling, success rate and/or statistical information in the mobile device 102, and send the collected information to the network server 116 (e.g., via the telephone network 104) for analysis. The network server 116 may use the information received from the mobile device 102 to update or refine the reduced data/behavior models or the classification/modeling information so that they include a further targeted and/or reduced subset of features.

In an aspect, the mobile device 102 may be configured to use the collected behavior, state, classification, modeling, success rate and/or statistical information to generate, update or refine, in the mobile device 102 itself, a reduced classifier model (or data/behavior model) that includes a further targeted and/or reduced subset of features. This reduces the amount of feedback communication between the mobile device and the network server 116, and improves the performance and power consumption characteristics of the mobile device 102.

FIG. 2 illustrates example logical components and information flows in an aspect mobile device 102 configured to determine whether a particular mobile device behavior, software application or process is malicious/performance-degrading, suspicious or benign. In the example illustrated in FIG. 2, the mobile device 102 includes a behavior observer module 202, a behavior analyzer module 204, an external context information module 206, a classifier module 208 and an actuator module 210. In an aspect, the classifier module 208 may be implemented as part of the behavior analyzer module 204. In an aspect, the behavior analyzer module 204 may be configured to generate one or more classifier modules 208, each of which may include one or more classifiers.

Each of the modules 202-210 may be implemented in software, hardware, or any combination thereof. In various aspects, the modules 202-210 may be implemented within parts of the operating system (e.g., within the kernel, in kernel space, in user space, etc.), within separate programs or applications, in dedicated hardware buffers or processors, or any combination thereof. In an aspect, one or more of the modules 202-210 may be implemented as software instructions executing on one or more processors of the mobile device 102.

The behavior observer module 202 may be configured to instrument or coordinate application programming interfaces (APIs) at various levels/modules of the mobile device, and to monitor/observe mobile device operations and events (e.g., system events, state changes, etc.) at the various levels/modules via the instrumented APIs, collect information pertaining to the observed operations/events, intelligently filter the collected information, generate one or more observations based on the filtered information, store the generated observations in memory (e.g., in a log file, etc.), and/or send the generated observations to the behavior analyzer module 204 (e.g., via memory writes, function calls, etc.).

The behavior observer module 202 may monitor/observe mobile device operations and events by collecting information pertaining to library application programming interface (API) calls in an application framework or run-time libraries, system call APIs, file-system and networking subsystem operations, device (including sensor device) state changes, and other similar events. The behavior observer module 202 may also monitor file system activity, which may include searching for filenames, categories of file accesses (personal information or normal data files), creating or deleting files (e.g., of type exe, zip, etc.), file read/write/seek operations, changing file permissions, etc.

The behavior observer module 202 may also monitor data network activity, which may include types of connections, protocols, port numbers, the servers/clients the device is connected to, the number of connections, the volume or frequency of communications, etc. The behavior observer module 202 may monitor phone network activity, which may include monitoring the type and number of calls or messages (e.g., SMS, etc.) sent out, received or intercepted (e.g., the number of premium calls placed).

The behavior observer module 202 may also monitor system resource usage, which may include monitoring the number of forks, memory access operations, the number of open files, etc. The behavior observer module 202 may monitor the state of the mobile device, which may include monitoring various factors, such as whether the display is on or off, whether the device is locked or unlocked, the amount of battery remaining, the state of the camera, etc. The behavior observer module 202 may also monitor inter-process communications (IPC) by, for example, monitoring intents to crucial services (browser, contracts provider, etc.), the degree of inter-process communication, pop-up windows, etc.

The behavior observer module 202 may also monitor/observe driver statistics and/or the status of one or more hardware components, which may include cameras, sensors, electronic displays, WiFi communication components, data controllers, memory controllers, system controllers, access ports, timers, peripheral devices, wireless communication components, external memory chips, voltage regulators, oscillators, phase-locked loops, peripheral bridges, and other similar components used to support the processors and clients running on the mobile computing device.

The behavior observer module 202 may also monitor/observe one or more hardware counters that denote the state or status of the mobile computing device and/or its subsystems. A hardware counter may include a special-purpose register of the processors/cores that is configured to store a count or state of hardware-related activities or events occurring in the mobile computing device.

The behavior observer module 202 may also monitor/observe actions or operations of software applications, software downloaded from an application download server (e.g., an Apple® App Store server), mobile device information used by software applications, call information, text messaging information (e.g., SendSMS, BlockSMS, ReadSMS, etc.), media messaging information (e.g., ReceiveMMS), user account information, location information, camera information, accelerometer information, browser information, content of browser-based communications, content of voice-based communications, short-range radio communications (e.g., Bluetooth, WiFi, etc.), content of text-based communications, content of recorded audio files, phonebook or contact information, contact lists, etc.

The behavior observer module 202 may monitor/observe transmissions or communications of the mobile device, including communications that carry voicemail (VoiceMailComm), device identifiers (DeviceIDComm), user account information (UserAccountComm), calendar information (CalendarComm), location information (LocationComm), recorded audio information (RecordAudioComm), accelerometer information (AccelerometerComm), etc.

The behavior observer module 202 may monitor/observe the usage of, and updates/changes to, compass information, mobile device settings, battery life, gyroscope information, pressure sensors, magnet sensors, screen activity, etc. The behavior observer module 202 may monitor/observe notifications communicated to and from software applications (AppNotifications), application updates, etc. The behavior observer module 202 may monitor/observe conditions or events pertaining to a first software application requesting the download and/or installation of a second software application. The behavior observer module 202 may monitor/observe conditions or events pertaining to user verification, such as the entry of a password, etc.

The behavior observer module 202 may also monitor/observe conditions or events at multiple levels of the mobile device, including the application level, the radio level and the sensor level. Application-level observations may include observing the user via facial recognition software, observing social streams, observing notes entered by the user, observing events pertaining to the use of PassBook/Google Wallet/Paypal, etc. Application-level observations may also include observing events relating to the use of virtual private networks (VPNs) and events pertaining to synchronization, voice searches, voice control (e.g., locking/unlocking the phone by saying one word), language translators, the offloading of data for computation, video streaming, camera usage without user activity, microphone usage without user activity, etc.

Radio-level observations may include determining the presence, existence or amount of any one or more of the following: user interaction with the mobile device before establishing a radio communication link or transmitting information, dual/multiple subscriber identity module (SIM) cards, Internet radio, mobile phone tethering, offloading of data for computation, device state communications, use as a game controller or home controller, vehicle communications, mobile device synchronization, etc. Radio-level observations may also include monitoring the use of radios (WiFi, WiMax, Bluetooth, etc.) for positioning, peer-to-peer (p2p) communications, synchronization, vehicle-to-vehicle communications and/or machine-to-machine (m2m) communications. Radio-level observations may further include monitoring network traffic usage, statistics or profiles.

Sensor-level observations may include monitoring a magnet sensor or other sensors to determine the usage and/or external environment of the mobile device. For example, the mobile device processor may be configured to determine whether the phone is in a holster (e.g., via a magnet sensor configured to sense a magnet within the holster) or in the user's pocket (e.g., via the amount of light detected by a camera or light sensor). Detecting that the mobile device is in a holster may be relevant to recognizing suspicious behaviors because activities and functions associated with active use by the user (e.g., taking photographs or videos, sending messages, conducting a voice call, recording sound, etc.) that occur while the mobile device is holstered may be signs of a nefarious process executing on the device (e.g., to track or spy on the user).

Other examples of sensor-level observations related to usage or the external environment may include: detecting near-field communication (NFC); collecting information from a credit card scanner, barcode scanner or mobile tag reader; detecting the presence of a universal serial bus (USB) charging source; detecting that a keyboard or auxiliary device has been coupled to the mobile device; detecting that the mobile device has been coupled to a computing device (e.g., via USB, etc.); determining whether an LED, flash, flashlight or light source has been modified or disabled (e.g., maliciously disabling an emergency signaling application, etc.); detecting that a speaker or microphone has been turned on or powered; detecting charging or power events; detecting that the mobile device is being used as a game controller, etc. Sensor-level observations may also include collecting information from medical or healthcare sensors or from scanning the user's body, collecting information from an external sensor plugged into the USB/audio jack, collecting information from tactile or haptic sensors (e.g., via a vibrator interface, etc.), collecting information pertaining to the thermal state of the mobile device, etc.

To reduce the number of monitored factors to a manageable level, in an aspect, the behavior observer module 202 may perform coarse observations by monitoring/observing an initial set of behaviors or factors that is a small subset of all the factors that could contribute to the mobile device's degradation. In an aspect, the behavior observer module 202 may receive the initial set of behaviors and/or factors from the network server 116 and/or a component in the cloud service or network 118. In an aspect, the initial set of behaviors/factors may be specified in data/behavior models received from the network server 116 or the cloud service/network 118. In an aspect, the initial set of behaviors/factors may be specified in a reduced feature model (RFM).

The behavior analyzer module 204 and/or the classifier module 208 may receive the observations from the behavior observer module 202, compare the received information (i.e., the observations) with the context information received from the external context information module 206, and identify the subsystems, processes and/or applications associated with the received observations that are contributing to (or are likely to contribute to) the device's degradation over time.

In an aspect, the behavior analyzer module 204 and/or the classifier module 208 may include intelligence for using the limited set of information (i.e., the coarse observations) to identify behaviors, processes or programs that are contributing to (or are likely to contribute to) the device's degradation over time, or that may otherwise cause problems on the device. For example, the behavior analyzer module 204 may be configured to analyze the information (e.g., in the form of observations) collected from various modules (e.g., the behavior observer module 202, the external context information module 206, etc.), learn the normal operational behaviors of the mobile device, and generate one or more behavior vectors based on the results of the comparison. The behavior analyzer module 204 may send the generated behavior vectors to the classifier module 208 for further analysis.

The classifier module 208 may receive the behavior vectors and compare them with one or more behavior models to determine whether a particular mobile device behavior, software application or process is performance-degrading/malicious, benign or suspicious.

When the classifier module 208 determines that a behavior, software application or process is malicious or performance-degrading, the classifier module 208 may notify the actuator module 210, which may perform various actions or operations to correct the mobile device behavior determined to be malicious or performance-degrading and/or perform operations to heal, cure, isolate or otherwise fix the identified problem.

When the classifier module 208 determines that a behavior, software application or process is suspicious, the classifier module 208 may notify the behavior observer module 202, which may adjust the granularity of its observations (i.e., the level of detail at which mobile device behaviors are observed) and/or change the behaviors that are observed based on the information received from the classifier module 208 (e.g., the results of the real-time analysis operations), generate or collect new or additional behavior information, and send the new/additional information to the behavior analyzer module 204 and/or the classifier module 208 for further analysis/classification. Such feedback communication between the behavior observer module 202 and the classifier module 208 enables the mobile device 102 to recursively increase the granularity of the observations (i.e., make finer or more detailed observations) or change the features/behaviors that are observed until a source of the suspicious or performance-degrading mobile device behavior is identified, until a processing or battery consumption threshold is reached, or until the mobile device processor determines that the source of the suspicious or performance-degrading mobile device behavior cannot be identified by further increasing the observation granularity. Such feedback communication also enables the mobile device 102 to adjust or modify the data/behavior models locally in the mobile device without consuming an excessive amount of the mobile device's processing, memory or energy resources.

In an aspect, the behavior observer module 202 and the behavior analyzer module 204 may, individually or collectively, provide real-time behavior analysis of the computing system's behaviors to identify suspicious behaviors from limited and coarse observations, to dynamically determine which behaviors to observe in greater detail, and to dynamically determine the level of detail required for those observations. In this manner, the behavior observer module 202 enables the mobile device 102 to efficiently identify problems and prevent them from occurring on the mobile device without requiring a large amount of processor, memory or battery resources on the device.
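The coarse-to-fine loop described above (an initial reduced feature set, a verdict of "suspicious" triggering finer observation, and a processing budget that stops the escalation) can be made concrete in a few dozen lines. The following is an added example, not code from the patent or from Qualcomm: the event log, the two feature extractors and their relative costs, and the rule-based stand-in for the classifier model are all constructed for illustration. The point it shows is that the cheap, count-only level cannot decide a moderate SMS rate, while the next level, which correlates SMS sends with screen state, can, and that the budget decides whether that level is ever computed.

```python
# Coarse-to-fine behavior observation with a resource budget.
# Added example (not code from the patent or Qualcomm). The event log, the feature
# extractors, their relative costs and the rule-based stand-in classifier are constructed.
from collections import Counter
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, str, str]           # (seconds into window, kind, name)
Features = Dict[str, float]
WINDOW_S = 60                           # observation window (assumption)

# Constructed log, as an instrumented API/state layer might emit it: an app that
# sends most of its SMS while the screen is off.
EVENTS_SPY: List[Event] = [
    (0, "state", "screen_off"),
    (5, "api", "SendSMS"),
    (12, "api", "SendSMS"),
    (20, "api", "fork"),
    (30, "state", "screen_on"),
    (33, "api", "SendSMS"),
    (40, "state", "screen_off"),
    (50, "api", "SendSMS"),
]
# Constructed log of ordinary use: one SMS with the screen on.
EVENTS_USER: List[Event] = [(0, "state", "screen_on"), (10, "api", "SendSMS")]


def coarse_features(events: List[Event]) -> Features:
    """Level 0: the initial reduced feature set (RFM); plain counts, cheap to compute."""
    counts = Counter(name for _, kind, name in events if kind == "api")
    scale = 60 / WINDOW_S
    return {"sms_per_minute": counts["SendSMS"] * scale,
            "forks_per_minute": counts["fork"] * scale}


def fine_features(events: List[Event]) -> Features:
    """Level 1: coarse features plus a correlation with device state (screen on/off),
    which needs a pass over the ordered log rather than a count."""
    feats = coarse_features(events)
    screen_on = True                    # assumed initial state until a state event says otherwise
    sms_total = sms_screen_off = 0
    for _, kind, name in events:
        if kind == "state":
            screen_on = name == "screen_on"
        elif name == "SendSMS":
            sms_total += 1
            sms_screen_off += 0 if screen_on else 1
    feats["sms_screen_off_fraction"] = sms_screen_off / sms_total if sms_total else 0.0
    return feats


# (extractor, assumed relative processing cost) in order of increasing granularity.
LEVELS: List[Tuple[Callable[[List[Event]], Features], int]] = [
    (coarse_features, 1),
    (fine_features, 3),
]


def rule_classifier(feats: Features) -> str:
    """Stand-in for the classifier model: decisive on extreme SMS rates, otherwise
    decisive only once the finer screen-off feature is available."""
    rate = feats["sms_per_minute"]
    if rate >= 10:
        return "malicious"
    if rate < 2:
        return "benign"
    if "sms_screen_off_fraction" in feats:
        return "malicious" if feats["sms_screen_off_fraction"] > 0.5 else "benign"
    return "suspicious"


def analyze(events: List[Event], classify: Callable[[Features], str],
            levels=LEVELS, budget: int = 10) -> Tuple[str, int, Features]:
    """Observer/classifier feedback loop: start coarse; while the verdict is
    'suspicious', move to the next granularity level unless that would exceed the
    processing budget. Returns (verdict, deepest level computed, its features)."""
    spent, reached, verdict, feats = 0, -1, "suspicious", {}
    for level, (extract, cost) in enumerate(levels):
        if spent + cost > budget:
            break                       # budget threshold reached: stop escalating
        spent += cost
        feats = extract(events)
        reached = level
        verdict = classify(feats)
        if verdict != "suspicious":
            break                       # decisive verdict: hand off to the actuator
    return verdict, reached, feats


if __name__ == "__main__":
    print(analyze(EVENTS_SPY, rule_classifier))            # malicious at level 1
    print(analyze(EVENTS_SPY, rule_classifier, budget=1))  # still suspicious, level 0
    print(analyze(EVENTS_USER, rule_classifier))           # benign at level 0
```

With the default budget the spyware-like log is only "suspicious" at level 0 (four SMS per minute) and becomes "malicious" at level 1 (three of the four sends happened with the screen off). With a budget of 1 the finer level is never computed and the verdict stays "suspicious", which is exactly the state the text describes as the stopping condition when the battery or processing threshold is reached before a source is identified.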

FIGS. 3 and 4 illustrate example components and information flows in an aspect system 300 that includes a network server 116 configured to work in conjunction with a cloud service/network 118 to intelligently and efficiently identify actively malicious or poorly written software applications and/or suspicious or performance-degrading mobile device behaviors on the mobile device 102 without consuming an excessive amount of the mobile device's processing, memory or energy resources. In the example illustrated in FIG. 3, the network server 116 includes a cloud module 302, a model generator 304 module and a training data module 306. The mobile device 102 includes a behavior observer module 202, a classifier module 208 and an actuator module 210. In an aspect, the classifier module 208 may be included in, or form part of, the behavior analyzer module 204 (illustrated in FIG. 2). In an aspect, the model generator 304 module may be a real-time online classifier.

The cloud module 302 may be configured to receive a large amount of information from the cloud service/network 118 and generate a full or robust data/behavior model that includes all or most of the features, data points and/or factors that could contribute to the mobile device's degradation over time.

The model generator 304 module may be configured to generate reduced data/behavior models based on the full model generated in the cloud module 302. In an aspect, generating the reduced data/behavior models may include generating one or more reduced feature models (RFMs) that include a subset of the features and data points included in the full model generated by the cloud module 302. In an aspect, the model generator 304 may generate a reduced data/behavior model that includes an initial feature set (e.g., an initial reduced feature model) containing the information determined to have the highest probability of enabling the classifier module 208 to conclusively determine whether a particular mobile device behavior is benign or malicious/performance-degrading. The model generator 304 may send the generated reduced models to the behavior observer module 202.

The behavior observer module 202 may monitor/observe mobile device behaviors based on the received model, generate observations, and send the observations to the classifier module 208. The classifier module 208 may perform real-time analysis operations, which may include applying the data/behavior models to the behavior information collected by the behavior observer module 202 to determine whether a mobile device behavior is benign, suspicious or malicious/performance-degrading. The classifier module 208 may determine that a mobile device behavior is suspicious when it does not have sufficient information to classify, or conclusively determine, the behavior as either benign or malicious.

When the classifier module 208 determines that a device behavior is suspicious, the classifier module 208 may be configured to communicate the results of its real-time analysis operations to the behavior observer module 202. The behavior observer module 202 may adjust the granularity of its observations (i.e., the level of detail at which mobile device behaviors are observed) and/or change the behaviors that are observed based on the information received from the classifier module 208 (e.g., based on the results of the real-time analysis operations), generate or collect new or additional behavior information, and send the new/additional information to the classifier module for further analysis/classification (e.g., in the form of a new model). In this manner, the mobile device 102 may recursively increase the granularity of the observations (i.e., make finer or more detailed observations) or change the features/behaviors that are observed until a source of the suspicious or performance-degrading mobile device behavior is identified, until a processing or battery consumption threshold is reached, or until the mobile device processor determines that the source of the suspicious or performance-degrading mobile device behavior cannot be identified by further increasing the observation granularity.

The mobile device 102 may send the results of its operations and/or the success rates associated with applying the models to the network server 116. The network server 116 may generate training data based on the results/success rates (e.g., via the training data module 306) for use by the model generator 304. The model generator may generate updated models based on the training data and send the updated models to the mobile device 102.

In the example illustrated in FIG. 4, there is no feedback communication between the mobile device 102 and the network server 116. Instead, the mobile device 102 includes a reduced model generator module 402 configured to generate focused/targeted behavior models or classifiers based on a full or more robust model that is generated in a full model generator 404 and received from the network server 116. That is, the network server 116 may be configured to send a full classifier model to the mobile device 102, and the mobile device 102 may be configured to generate a reduced classifier model based on that full classifier model. This can be accomplished without consuming an excessive amount of the mobile device's processing or battery resources because the classifier models use (or include) boosted decision stumps. That is, by generating classifier models that include boosted decision stumps in the network server 116 and sending these classifiers/models to the mobile device 102, the various aspects allow the reduced model generator module 402 to quickly and efficiently generate a reduced (or more focused) classifier model in the mobile device 102 by culling a number of the boosted decision stumps included in the full classifier model, without accessing the training data and without further communication with the network server 116 or the cloud network/server 118. This significantly reduces the mobile device's dependence on network communications and further improves the performance and power consumption characteristics of the mobile device 102.

FIG. 5A illustrates an aspect method 500 of generating a reduced or focused classifier/behavior model in the mobile device (e.g., the models generated in the model generator module 402, etc.). Method 500 may be performed by a processing core in the mobile device.

In block 502 of method 500, the processing core may receive a full classifier model that is, or includes, a finite state machine, a list of boosted decision stumps, or another similar information structure. In an aspect, the full classifier model includes a finite state machine that contains information suitable for expressing a plurality of boosted decision stumps and/or information suitable for conversion by the mobile device into a plurality of boosted decision stumps. In an aspect, the finite state machine may be (or may include) an ordered or prioritized list of boosted decision stumps. Each of the boosted decision stumps may include a test condition and a weight value.

As discussed above, a boosted decision stump is a one-level decision tree that has exactly one node (and thus one test question or test condition) and one weight value, and is therefore well suited for binary classification of data/behaviors. This means that applying a feature vector or behavior vector to a boosted decision stump produces a binary answer (e.g., yes or no). For example, if the question/condition tested by the boosted decision stump is "is the frequency of SMS transmissions less than x per minute," applying the value "3" to the boosted decision stump will produce either a "yes" answer (for "fewer than 3" SMS transmissions) or a "no" answer ("3 or more" SMS transmissions).

Returning to FIG. 5A, in block 504 of method 500, the processing core may determine the number of unique test conditions that should be evaluated in order to accurately classify a mobile device behavior as malicious or benign without consuming an excessive amount of the mobile device's processing, memory, or energy resources. This may include determining the amount of processing, memory, and/or energy resources available in the mobile device and the amount of processing, memory, or energy resources that the test conditions require in the mobile device; determining a priority and/or complexity associated with the behaviors or conditions that are to be analyzed or evaluated in the mobile device by the test conditions; and selecting/determining the number of unique test conditions so as to strike a balance or trade-off between the consumption of the processing, memory, or energy resources available in the mobile device, the accuracy of the behavior classification to be achieved from the test conditions, and the importance or priority of the behaviors tested by the conditions.

In block 506, the processing core may traverse the list of boosted decision stumps from the beginning to populate a list of selected test conditions with the determined number of unique test conditions. In an aspect, the processing core may also determine an absolute or relative priority value for each of the selected test conditions, and store the absolute or relative priority values in association with their corresponding test conditions in the list of selected test conditions.

In block 508, the processing core may generate a lean classifier model that includes all the boosted decision stumps included in the full classifier model that test one of the selected test conditions. In an aspect, the processing core may generate the lean classifier model so that it includes or expresses the boosted decision stumps in order of importance or priority value.

In optional block 510, the number of unique test conditions may be increased in order to generate another, more robust (i.e., less lean) lean classifier model by repeating the operations of traversing the list of boosted decision stumps for the larger number of test conditions (in block 506) and generating another lean classifier model (in block 508). These operations may be repeated to generate a family of lean classifier models.

FIG. 5B illustrates another aspect method 511 of generating a data model in a mobile device. Method 511 may be performed by a processing core in a mobile device. In block 512 of method 511, the processing core may receive a full classifier model that includes a finite state machine. The finite state machine may be an information structure that includes information suitable for conversion into a plurality of boosted decision stumps. In block 514, the processing core may convert the finite state machine included in the full classifier model into boosted decision stumps that include test conditions and weight values.

In an aspect, the processing core may also compute or determine a priority value for each of the boosted decision stumps generated from the finite state machine in block 512. The processing core may determine the priorities of the boosted decision stumps so as to balance the trade-offs between the consumption of the mobile device's processing, memory, or energy resources, the accuracy of the behavior classification, and so on. The processing core may also determine the priorities of the boosted decision stumps based on their associated weight values, the relative or predicted importance of the test conditions, etc., so that behaviors are classified accurately.

Also in block 512, the processing core may generate a first list (or other information structure) that includes, references, identifies, and/or organizes the boosted decision stumps generated from the finite state machine according to their priorities and/or their order of importance. For example, the processing core may generate the first list as an ordered list whose first item is the stump with the highest priority, followed by the stump with the second highest priority value, and so on. This order of importance may also take into account information aggregated from the cloud corpus as well as information specific to the device on which the culling algorithm is executed.

In block 516, the processing core may compute or determine the number of unique test conditions (i.e., mobile device states, features, behaviors, or conditions that may be tested in the boosted decision stumps) that should be evaluated when applying the lean classifier model. Computing or determining this number of unique test conditions may involve striking a balance or trade-off between the consumption of the mobile device's processing, memory, or energy resources required to apply the model and the accuracy of the behavior classification that the lean classifier model is to achieve. This determination may include determining the amount of processing, memory, and/or energy resources available in the mobile device, determining a priority and/or complexity associated with the behavior to be analyzed, and balancing the available resources against the priority and/or complexity of the behavior.

In block 518, the processing core may generate a second list by sequentially traversing the first list of boosted decision stumps and inserting the test condition value associated with each traversed boosted decision stump into the second list. The processing core may continue traversing the first list and inserting values into the second list until the length of the second list equals the determined number of unique test conditions, or until the second list includes all of the determined number of unique test conditions.

In block 520, the processing core may generate a lean classifier model based on the boosted decision stumps included in the first list. In an aspect, the processing core may generate the lean classifier model so that it includes only the boosted decision stumps that test one of the test conditions included in the second list (i.e., the list of test conditions generated in block 518).

In optional block 522, the number of unique test conditions may be increased by repeating the operations of traversing the list of boosted decision stumps for the larger number of test conditions in block 518 and generating another lean classifier model in block 520, in order to generate another, more robust (i.e., less lean) lean classifier model. These operations may be repeated to generate a family of lean classifier models.

FIG. 5C illustrates an aspect method 524 of using a lean classifier model to classify a behavior of a mobile device. Method 524 may be performed by a processing core in a mobile device.

In block 526 of method 524, the processing core may perform observations to collect behavior information from various components that are instrumented at various levels of the mobile device system. In an aspect, this may be accomplished via the behavior observer module 202 described above with reference to FIG. 2. In block 528, the processing core may generate a behavior vector that characterizes the observations, the collected behavior information, and/or a mobile device behavior. Also in block 528, the processing core may use the full classifier model received from the network server to generate a lean classifier model, or a family of lean classifier models of varying levels of complexity (or "leanness"). To do this, the processing core may cull the family of boosted decision stumps included in the full classifier model to generate lean classifier models that include a reduced number of boosted decision stumps and/or evaluate a limited number of test conditions.

In block 529, the processing core may select, from the family of lean classifier models, the leanest classifier (i.e., the one based on the fewest different mobile device states, features, behaviors, or conditions) that has not yet been evaluated or applied by the mobile device. In an aspect, this may be accomplished by the processing core selecting the first classifier model in an ordered list of classifier models.

In block 530, the processing core may apply the collected behavior information or behavior vector to each boosted decision stump in the selected lean classifier model. Because the boosted decision stumps are binary decisions, and because the lean classifier model is generated by selecting many binary decisions that are based on the same test conditions, the process of applying the behavior vector to the boosted decision stumps in the lean classifier model may be performed in a parallel operation. Alternatively, the behavior vector applied in block 530 may be truncated or filtered to include only the limited number of test condition parameters that are included in the lean classifier model, thereby further reducing the computational effort of applying the model.

In block 532, the processing core may compute or determine a weighted average of the results of applying the collected behavior information to each boosted decision stump in the classifier model. In block 534, the processing core may compare the computed weighted average with a threshold value. In determination block 535, the processing core may determine whether the result of this comparison and/or the results generated by applying the selected lean classifier model are suspicious. For example, the processing core may determine whether these results can be used to classify the behavior as malicious or benign with a high degree of confidence, and whether or not to treat the behavior as suspicious.

If the processing core determines that the results are suspicious (e.g., determination block 535 = "Yes"), the processing core may repeat the operations in blocks 529 through 534 to select and apply a more robust (i.e., less lean) classifier model that evaluates more device states, features, behaviors, or conditions, until the behavior is classified as malicious or benign with a high degree of confidence. If the processing core determines that the results are not suspicious (e.g., determination block 535 = "No"), such as by determining that the behavior can be classified as malicious or benign with a high degree of confidence, then in block 536 the processing core may use the result of the comparison generated in block 534 to classify the behavior of the mobile device as benign or potentially malicious.

In the alternative aspect method 540 illustrated in FIG. 5D, the operations described above with reference to blocks 518 and 520 may be accomplished by: sequentially selecting a boosted decision stump that is not yet in the lean classifier model; identifying all other boosted decision stumps that depend on the same mobile device state, feature, behavior, or condition as the selected stump (and which can therefore be applied based on a single determination result); including the selected stump and all the identified other boosted decision stumps that depend on that same mobile device state, feature, behavior, or condition in the lean classifier model; and repeating the process a number of times equal to the determined number of test conditions. Because all the boosted decision stumps that depend on the same test condition as the selected boosted decision stump are added to the lean classifier model each time, limiting the number of times this process is performed limits the number of test conditions included in the lean classifier model.

Referring to FIG. 5D, in block 542, the processing core may compute or determine a number (N) of unique test conditions (i.e., mobile device states, features, behaviors, or conditions that may be tested in the boosted decision stumps) that should be evaluated when applying the lean classifier model. Computing or determining this number of unique test conditions may involve striking a balance or trade-off between the consumption of the mobile device's processing, memory, or energy resources required to apply the model and the accuracy of the behavior classification that the lean classifier model is to achieve. This determination may include determining the amount of processing, memory, and/or energy resources available in the mobile device, determining a priority and/or complexity associated with the behavior to be analyzed, and balancing the available resources against the priority and/or complexity of the behavior.

In block 544, the processing core may set the value of a loop count variable equal to zero (0), or otherwise initiate a loop that will be executed the determined number N of times. In block 546, the processing core may select a boosted decision stump that is included in, or generated from, the full set of boosted decision stumps and that is not included in the lean classifier model list. On the first pass through the loop there will be no boosted decision stumps in the lean classifier model list, so the first boosted decision stump will be selected. As mentioned herein, the full classifier model may be configured so that the first boosted decision stump in the full set has the highest probability of identifying malicious or benign behavior. In block 548, the processing core may determine the test condition associated with the selected decision stump. In block 550, the processing core may identify all decision stumps included in, or generated from, the full classifier model that depend on, include, or test the same test condition as the selected decision stump. In block 552, the processing core may add the selected boosted decision stump, and all the identified boosted decision stumps that depend on, include, or test the same test condition, to the lean classifier model list.

In block 554, the processing core may increment the value of the loop count variable. In determination block 556, the processing core may determine whether the value of the loop count variable is greater than or equal to the number N of unique test conditions determined in block 542. When the processing core determines that the value of the loop count variable is not greater than or equal to the number of unique test conditions (i.e., determination block 556 = "No"), the processing core may repeat the operations in blocks 546 through 554. When the processing core determines that the value of the loop count variable is greater than or equal to the number of unique test conditions (i.e., determination block 556 = "Yes"), in block 558 the processing core may generate a lean classifier model that includes all the boosted decision stumps in the lean classifier model list.

This method 540 may be used multiple times to generate a family of lean classifier models of varying degrees of robustness or leanness by varying the number N of unique test conditions in the lean classifier models. For example, in optional block 560, the mobile device processor may increase the number N of unique test conditions determined in block 542 in order to generate another lean classifier model that incorporates more test conditions. In optional determination block 562, the processor may determine whether the increased number N exceeds a maximum number of test conditions (max N). The maximum number of test conditions may be determined (e.g., by a developer, a service provider, a user, or via an algorithm) based on the maximum performance loss or resource investment that is acceptable for evaluating behaviors that are difficult to classify. If the increased number N is less than the maximum number max N (i.e., determination block 562 = "No"), the operations of blocks 544 through 560 may be repeated to generate another lean classifier model. Once the maximum number of unique test conditions has been included in a lean classifier model (i.e., determination block 562 = "Yes"), the process of generating lean classifier models may end.

Although FIGS. 5A, 5B, and 5D describe generating a family of lean classifier models by repeating the entire process of traversing the full set of boosted decision stumps, similar results may be achieved by starting from a lean classifier model that has already been generated (i.e., a model generated in any of blocks 508, 520, and 558) and traversing the full set of boosted decision stumps for a number of added test conditions, which adds to that model the boosted decision stumps that depend on test conditions not yet included in the already-generated lean classifier model.

Also, although FIGS. 5A, 5B, and 5D describe generating the family of lean classifier models from the leanest to the most robust, the lean classifier models may also be generated from the most robust to the leanest simply by starting with the maximum number of test conditions (e.g., N = max N) and reducing that number each time.
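The following Python is an added illustration, not code from the patent or from Qualcomm: it builds lean classifier models from a priority-ordered full model in the manner of method 540, generates the family of blocks 560 through 562, and classifies a behavior vector by escalating through that family as in method 524. The stump representation, the constructed full model, and the suspicion margin around the threshold are assumptions the patent does not specify.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Stump:
    """A boosted decision stump: one test condition (a behavior feature compared
    with a threshold) and one weight. Applying a behavior vector yields +1 when
    the condition holds (leaning malicious) and -1 when it does not."""
    feature: str
    threshold: float
    weight: float

    def apply(self, behavior: Dict[str, float]) -> int:
        return 1 if behavior[self.feature] > self.threshold else -1


# Constructed full classifier model, listed in priority order (most important
# stump first). Several stumps test the same feature at different thresholds,
# like the range-style questions in the text; all values are illustrative.
FULL_MODEL: List[Stump] = [
    Stump("sms_per_min", 3, 0.9),
    Stump("data_tx_5min", 100, 0.8),
    Stump("sms_per_min", 10, 0.7),
    Stump("cpu_pct", 80, 0.5),
    Stump("data_tx_5min", 10, 0.4),
    Stump("wakelocks_per_hour", 20, 0.3),
]


def lean_model(full: List[Stump], n_conditions: int) -> List[Stump]:
    """Blocks 544-558: loop N times; each pass takes the highest-priority stump
    not yet selected and pulls in every stump that tests the same condition,
    so the result tests at most N unique features."""
    selected: List[Stump] = []
    for _ in range(n_conditions):
        remaining = [s for s in full if s not in selected]
        if not remaining:            # full model already exhausted
            break
        condition = remaining[0].feature
        selected.extend(s for s in full if s.feature == condition)
    return selected


def lean_model_family(full: List[Stump], max_n: int) -> List[List[Stump]]:
    """Blocks 560-562: one model per N from 1 up to max N, leanest first."""
    return [lean_model(full, n) for n in range(1, max_n + 1)]


def required_features(model: List[Stump]) -> List[str]:
    """The unique test conditions a model needs; a behavior vector truncated
    to these keys is enough to apply it (the alternative noted for block 530)."""
    return sorted({s.feature for s in model})


def weighted_average(model: List[Stump], behavior: Dict[str, float]) -> float:
    """Block 532: weighted average of the stump answers, in [-1, +1]."""
    total = sum(s.weight for s in model)
    if total == 0:
        return 0.0
    return sum(s.weight * s.apply(behavior) for s in model) / total


def classify(family: List[List[Stump]], behavior: Dict[str, float],
             threshold: float = 0.0, margin: float = 0.3) -> Tuple[str, int]:
    """Blocks 529-536: apply the leanest unused model; a weighted average
    within `margin` of the threshold is treated as suspicious and the next,
    more robust model is tried. Returns (label, number of models applied).
    If the whole family is exhausted, the last comparison decides (block 536)."""
    score = 0.0
    for used, model in enumerate(family, start=1):
        score = weighted_average(model, behavior)
        if abs(score - threshold) >= margin:
            return ("malicious" if score > threshold else "benign"), used
    return ("malicious" if score > threshold else "benign"), len(family)


if __name__ == "__main__":
    family = lean_model_family(FULL_MODEL, len(required_features(FULL_MODEL)))
    observation = {"sms_per_min": 5, "data_tx_5min": 500, "cpu_pct": 30,
                   "wakelocks_per_hour": 4}   # constructed behavior vector
    print(classify(family, observation))
```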

FIG. 6A illustrates an aspect method 600 of generating a full classifier in a server or in the cloud. Method 600 may be performed by a processing core in a server computing device coupled to a cloud network.

In block 602, the processing core may aggregate a corpus of behavior data from many mobile devices, including a large number of device states, configurations, and behaviors, as well as information regarding whether malicious behavior was detected. In block 604, the processing core may identify specific binary questions/test conditions that can be tested within the device states, configurations, and behaviors from the behavior data corpus. To characterize all the device states, configurations, and behaviors, a large number of such binary questions/test conditions will typically be identified. Then, in block 606, for each identified binary question, the processing core may test the database to determine the fraction or percentage of the time that malicious behavior corresponds to one or the other of the answers to the binary question. In block 608, the processing core may select the binary question with the highest correspondence to malicious behavior as the first decision stump, with a weight value determined based on the correspondence percentage. In block 610, the processing core may boost the weights of the incorrectly classified samples/test conditions as described below with reference to FIG. 6B.

Assuming that the answer to the first question is the value not associated with malicious behavior (e.g., "no"), the server's processing core may then repeat the process of scanning the binary questions to identify the question that has the highest correspondence to malicious behavior under this condition. That question is then set as the second binary question in the model, with its weight value determined based on its correspondence percentage. The server then repeats the process of scanning the binary questions, assuming that the answers to the first and second questions/test conditions are the values not associated with malicious behavior (e.g., "no"), to identify the next question/test condition with the highest correspondence to malicious behavior under this condition. That question/test condition then becomes the third binary question/test condition in the model, with its weight value determined based on its correspondence percentage. This process continues through all the identified binary questions/test conditions to build the complete set.

In the process of generating the binary questions/test conditions, the server may evaluate data that has a range, such as the frequency of communications or the number of communications within a previous time interval, and formulate a series of binary questions/test conditions that span the range in a manner that helps classify behaviors. Thus, one binary question/test condition may be whether the device has sent more than zero data transmissions in the previous five minutes (which may have a low correlation), a second binary question/test condition may be whether the device has sent more than 10 data transmissions in the previous five minutes (which may have a medium correlation), and a third question/test condition may be whether the device has sent more than 100 data transmissions in the previous five minutes (which may have a high correlation).

Some culling of the final set of questions/test conditions may be performed by the server before the full classifier set is sent to the mobile device, in order to remove those questions/test conditions whose determined weight or correlation with malicious behavior is less than a threshold (e.g., those that are not statistically significant). For example, if the correlation with malicious behavior is about 50/50, there may be very little benefit in using that decision stump as a negative answer to help answer the question of whether the current behavior is malicious or benign.

FIG. 6B illustrates an example boosting method 620 suitable for generating boosted decision trees/classifiers that are suitable for use in accordance with the various aspects. In operation 622, the processor may generate and/or execute a decision tree/classifier, collect training samples from the execution of the decision tree/classifier, and generate a new classifier model (h1(x)) based on the training samples. The training samples may include information collected from observations or analysis of previous mobile device behaviors, software applications, or processes in the mobile device. The training samples and/or the new classifier model (h1(x)) may be generated based on the types of questions or test conditions included in previous classifiers, and/or based on accuracy or performance characteristics collected from the execution/application of previous data/behavior models or classifiers in the classifier module 208 of the behavior analyzer module 204. In operation 624, the processor may boost (or increase) the weights of the entries misclassified by the generated decision tree/classifier (h1(x)) to generate a second new tree/classifier (h2(x)). In an aspect, the training samples and/or the new classifier model (h2(x)) may be generated based on the error rate of the previous execution or use of the classifier (h1(x)). In an aspect, the training samples and/or the new classifier model (h2(x)) may be generated based on attributes determined to have contributed to the error rate or misclassification of data points in the previous execution or use of the classifier.

In an aspect, the misclassified entries may be weighted based on their relative accuracy or effectiveness. In operation 626, the processor may boost (or increase) the weights of the entries misclassified by the generated second tree/classifier (h2(x)) to generate a third new tree/classifier (h3(x)). In operation 628, the operations of 624 through 626 may be repeated to generate "t" new trees/classifiers (ht(x)).

By boosting or increasing the weights of the entries misclassified by the first decision tree/classifier (h1(x)), the second tree/classifier (h2(x)) may more accurately classify the entities that were misclassified by the first decision tree/classifier (h1(x)), but may also misclassify some of the entities that were correctly classified by the first decision tree/classifier (h1(x)). Similarly, the third tree/classifier (h3(x)) may more accurately classify the entities misclassified by the second decision tree/classifier (h2(x)), and may misclassify some of the entities correctly classified by the second decision tree/classifier (h2(x)). That is, generating the family of trees/classifiers h1(x)-ht(x) may not result in a system that converges as a whole, but it does result in a number of decision trees/classifiers that may be executed in parallel.
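As an added example of the boosting described in methods 600 and 620 (not code from the patent), the following Python selects, in each round, the binary question with the highest weighted correspondence to the malicious label, assigns it a weight, and boosts the weights of the samples it misclassified before the next round; it also shows the server-side culling of weak stumps. The corpus and candidate questions are constructed, and the weight formula 0.5*ln((1-err)/err) with exponential reweighting is the standard AdaBoost rule, assumed here because the patent does not state its weighting.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Behavior = Dict[str, float]
Sample = Tuple[Behavior, int]      # (behavior vector, label: +1 malicious, -1 benign)
Question = Tuple[str, float]       # binary question: is feature > threshold?


@dataclass(frozen=True)
class BoostedStump:
    """One binary question plus the weight the boosting process assigned it."""
    feature: str
    threshold: float
    weight: float

    def apply(self, behavior: Behavior) -> int:
        return 1 if behavior[self.feature] > self.threshold else -1


# Constructed behavior-data corpus (block 602): a handful of labelled
# observations standing in for data aggregated from many devices.
CORPUS: List[Sample] = [
    ({"sms_per_min": 0, "data_tx_5min": 1}, -1),
    ({"sms_per_min": 1, "data_tx_5min": 5}, -1),
    ({"sms_per_min": 8, "data_tx_5min": 2}, +1),
    ({"sms_per_min": 0, "data_tx_5min": 200}, +1),
    ({"sms_per_min": 6, "data_tx_5min": 300}, +1),
    ({"sms_per_min": 1, "data_tx_5min": 20}, -1),
]

# Candidate binary questions (block 604), including range-style thresholds
# over the same feature, as described for the data-transmission counts.
CANDIDATES: List[Question] = [
    ("sms_per_min", 3), ("data_tx_5min", 100),
    ("sms_per_min", 10), ("data_tx_5min", 10),
]


def answer(question: Question, behavior: Behavior) -> int:
    feature, threshold = question
    return 1 if behavior[feature] > threshold else -1


def weighted_error(question: Question, corpus: List[Sample],
                   weights: List[float]) -> float:
    """Block 606: weighted share of samples whose label disagrees with the
    question's answer (low error means high correspondence with the label)."""
    return sum(w for (b, y), w in zip(corpus, weights) if answer(question, b) != y)


def train_boosted_stumps(corpus: List[Sample], candidates: List[Question],
                         rounds: int) -> List[BoostedStump]:
    """Blocks 606-610 / operations 622-628, using AdaBoost's weighting rule
    (an assumption; the patent does not give its formula)."""
    n = len(corpus)
    weights = [1.0 / n] * n
    model: List[BoostedStump] = []
    for _ in range(rounds):
        best = min(candidates, key=lambda q: weighted_error(q, corpus, weights))
        err = weighted_error(best, corpus, weights)
        if err >= 0.5:                 # no question beats chance; stop
            break
        err = max(err, 1e-10)          # avoid division by zero on a perfect split
        alpha = 0.5 * math.log((1 - err) / err)
        stump = BoostedStump(best[0], best[1], alpha)
        model.append(stump)
        # Boost the misclassified samples (factor e^alpha), shrink the rest
        # (factor e^-alpha), then renormalise so the weights sum to 1.
        weights = [w * math.exp(-alpha * y * stump.apply(b))
                   for (b, y), w in zip(corpus, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return model


def prune(model: List[BoostedStump], min_weight: float) -> List[BoostedStump]:
    """Server-side culling before the full model is sent: drop stumps whose
    weight is below a threshold (a 50/50 question gets weight 0 here)."""
    return [s for s in model if s.weight >= min_weight]


def classify(model: List[BoostedStump], behavior: Behavior) -> str:
    score = sum(s.weight * s.apply(behavior) for s in model)
    return "malicious" if score > 0 else "benign"


if __name__ == "__main__":
    for stump in train_boosted_stumps(CORPUS, CANDIDATES, rounds=2):
        print(stump)
```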

FIG. 7 illustrates an example method 700 of generating a classifier model that includes boosted decision stumps (single-level decision trees), which may be used to intelligently and efficiently identify actively malicious or poorly written software applications and/or suspicious or performance-degrading mobile device behaviors on the mobile device 102 without consuming an excessive amount of the mobile device's processing, memory, or energy resources. In operation 1 of method 700, an offline classifier in a network server may generate a full or robust classifier model based on information received from a cloud service/network. For example, the full classifier may include 100 boosted decision stumps that test forty (40) unique conditions. In operation 2 of method 700, the full classifier model may be sent to the analyzer/classifier module 208 in the mobile device 102. In operation 3 of method 700, the analyzer/classifier module 208 may generate a set of reduced data/behavior model classifiers in the form of boosted decision stumps based on an analysis of the full classifier model. This may be accomplished by performing a "joint feature selection and culling" operation that allows the mobile device to: generate reduced models on the fly without needing access to the cloud training data; dynamically reconfigure the classifiers per application to enhance classification accuracy; and specify a deterministic complexity for each classifier (e.g., O(# of stumps)). The "joint feature selection and culling" operation may also include performing a feature selection operation.

FIG. 8 illustrates an example boosted decision stump 800 that may be generated by an aspect server processor and used by a device processor to generate a reduced classifier model in the mobile device. In the example illustrated in FIG. 8, the boosted decision stump 800 includes a plurality of decision nodes W1-W4 (e.g., F1, F3, F5) that each include a question or a test condition which, when executed or performed by a processor, may result in a definitive binary answer (e.g., true or false, malicious or benign, etc.), one or the other. Each decision node W1-W4 may also be associated with a weight value.

FIG. 8 also illustrates a method 802 of performing the "joint feature selection and culling" operation described above with reference to FIG. 7. Method 802 may include the analyzer module of the mobile device determining that it needs to generate a reduced classifier that tests two unique conditions, in which case the feature selection operation may include traversing the list of 100 boosted decision stumps until the first two unique conditions (e.g., F1 and F3 in FIG. 8) are found. The analyzer/classifier module 208 may then test only the conditions identified by the feature selection operation (e.g., F1 and F3), which may be accomplished by traversing the entire list of 100 boosted decision stumps and deleting any stump that tests a different condition (e.g., F5). The remaining boosted decision stumps (i.e., the stumps that test conditions "F1" and "F3") may be used as the reduced classifier without retraining on the data. The analyzer/classifier module 208 may apply behavior information to each of the remaining boosted decision stumps (i.e., the stumps that test conditions "F1" and "F3"), compute a weighted average of all the answers received from the remaining stumps, and use the weighted average to determine whether the mobile device behavior is malicious or benign.

Once the boosted decision stumps have been generated by the feature selection and culling process, the selected decision stumps may be used as a classifier or behavior model that can be compared against current device states, settings, and behaviors. Since the decision stumps are independent binary tests, the behavior analysis process that compares the observed behavior (which may be summarized in a behavior vector) against the model can be performed in parallel. Also, since the stumps are extremely simple (essentially binary), the process of executing each stump is extremely simple and can therefore be accomplished quickly with little processing overhead. Each decision stump yields an answer with a weight value, and the final decision as to whether the behavior is malicious or benign may be determined as the weighted sum of all the results, which is also a simple computation.

The weights associated with the nodes may be computed based on information collected from previous observations or analysis of mobile device behaviors, software applications, or processes in the mobile device. The weight associated with each node may also be computed based on how many units of the data corpus (e.g., a cloud corpus of data or behavior vectors) were used to build the boosted decision stumps.

FIG. 9 illustrates example logical components and information flows in a behavior observer module 202 of a computing system configured to perform dynamic and adaptive observations in accordance with an aspect. The behavior observer module 202 may include an adaptive filter module 902, a throttle module 904, an observer mode module 906, a high-level behavior detection module 908, a behavior vector generator 910, and a secure buffer 912. The high-level behavior detection module 908 may include a spatial correlation module 914 and a temporal correlation module 916.

The observer mode module 906 may receive control information from various sources, which may include an analyzer unit (e.g., the behavior analyzer module 204 described above with reference to FIG. 2) and/or an application API. The observer mode module 906 may send control information pertaining to the various observer modes to the adaptive filter module 902 and the high-level behavior detection module 908.

The adaptive filter module 902 may receive data/information from multiple sources and intelligently filter the received information to generate a smaller subset of information selected from the received information. This filter may be adapted based on information or control received from the analyzer module, or from a higher-level process communicating through an API. The filtered information may be sent to the throttle module 904, which may be responsible for controlling the amount of information flowing from the filter to ensure that the high-level behavior detection module 908 is not flooded or overloaded with requests or information.

The high-level behavior detection module 908 may receive data/information from the throttle module 904, control information from the observer mode module 906, and context information from other components of the mobile device. The high-level behavior detection module 908 may use the received information to perform spatial and temporal correlations to detect or identify high-level behaviors that may cause the device to perform at sub-optimal levels. The results of the spatial and temporal correlations may be sent to the behavior vector generator 910, which may receive the correlation information and generate a behavior vector that describes the behaviors of a particular process, application, or subsystem. In an aspect, the behavior vector generator 910 may generate the behavior vector such that each high-level behavior of a particular process, application, or subsystem is an element of the behavior vector. In an aspect, the generated behavior vector is stored in the secure buffer 912. Examples of high-level behavior detection may include the detection of the existence of a particular event, the amount or frequency of another event, the relationship between multiple events, the order in which events occur, the time difference between the occurrence of certain events, and so on.

In the various aspects, the behavior observer module 202 may perform adaptive observations and control the observation granularity. That is, the behavior observer module 202 may dynamically identify the relevant behaviors that are to be observed, and dynamically determine the level of detail at which the identified behaviors are to be observed. In this manner, the behavior observer module 202 enables the system to monitor the behaviors of the mobile device at various levels (e.g., multiple coarse and fine levels). The behavior observer module 202 may enable the system to adapt what is being observed. The behavior observer module 202 may enable the system to dynamically change the factors/behaviors being observed based on a focused subset of information that may be obtained from a wide variety of sources.

As discussed above, the behavior observer module 202 may perform adaptive observation techniques and control the observation granularity based on information received from a variety of sources. For example, the high-level behavior detection module 908 may receive information from the throttle module 904 and the observer mode module 906, as well as context information received from other components (e.g., sensors) of the mobile device. As an example, a high-level behavior detection module 908 performing temporal correlation might detect that a camera has been used and that the mobile device is attempting to upload the picture to a server. The high-level behavior detection module 908 may also perform spatial correlation to determine whether an application on the mobile device took the picture while the device was in a holster and attached to the user's belt. The high-level behavior detection module 908 may determine whether this detected high-level behavior (e.g., the use of the camera while in the holster) is an acceptable or common behavior, which may be achieved by comparing the current behavior with past behaviors of the mobile device and/or by accessing information collected from a plurality of devices (e.g., information received from a crowd-sourcing server). Since taking pictures while in the holster and uploading the pictures to a server is an unusual behavior (as may be determined from the normal behaviors observed in the context of being in a holster), in this situation the high-level behavior detection module 908 may recognize this as a potentially threatening behavior and initiate an appropriate response (e.g., shutting off the camera, sounding an alarm, etc.).

In an aspect, the behavior observer module 202 may be implemented in multiple parts.

FIG. 10 illustrates in more detail the logical components and information flows in a computing system 1000 implementing an aspect observer daemon. In the example illustrated in FIG. 10, the computing system 1000 includes a behavior detector 1002 module, a database engine 1004 module, and the behavior analyzer module 204 in the user space, and a ring buffer 1014, a filter rules 1016 module, a throttling rules 1018 module, and a secure buffer 1020 in the kernel space. The computing system 1000 may further include an observer daemon that includes the behavior detector 1002 and the database engine 1004 in the user space, and the secure buffer manager 1006, the rules manager 1008, and the system health monitor 1010 in the kernel space.

The various aspects may provide cross-layer observations on mobile devices encompassing webkit, SDK, NDK, kernel, drivers, and hardware in order to characterize system behavior. The behavior observations may be made in real time.

The observer module may perform adaptive observation techniques and control the observation granularity. As discussed above, there are a large number (i.e., thousands) of factors that could contribute to the degradation of the mobile device, and it may not be feasible to monitor/observe all of the different factors that may contribute to the degradation of the device's performance. To overcome this, the various aspects dynamically identify the relevant behaviors that are to be observed, and dynamically determine the level of detail at which the identified behaviors are to be observed.

FIG. 11 illustrates an example method 1100 for performing dynamic and adaptive observations in accordance with an aspect. In block 1102, the mobile device processor may perform coarse observations by monitoring/observing a subset of the large number of factors/behaviors that could contribute to the mobile device's degradation. In block 1103, the mobile device processor may generate a behavior vector characterizing the coarse observations and/or the mobile device behavior based on the coarse observations. In block 1104, the mobile device processor may identify subsystems, processes, and/or applications associated with the coarse observations that may potentially contribute to the mobile device's degradation. This may be achieved, for example, by comparing information received from multiple sources with context information received from sensors of the mobile device. In block 1106, the mobile device processor may perform behavioral analysis operations based on the coarse observations. In an aspect, as part of blocks 1103 and 1104, the mobile device processor may perform one or more of the operations described above with reference to FIGS. 2-10.

In determination block 1108, the mobile device processor may determine whether suspicious behaviors or potential problems can be identified and corrected based on the results of the behavioral analysis. When the mobile device processor determines that the suspicious behaviors or potential problems can be identified and corrected based on the results of the behavioral analysis (i.e., determination block 1108 = "Yes"), in block 1118 the processor may initiate a process to correct the behavior and return to block 1102 to perform additional coarse observations.

When the mobile device processor determines that the suspicious behaviors or potential problems cannot be identified and/or corrected based on the results of the behavioral analysis (i.e., determination block 1108 = "No"), in determination block 1109 the mobile device processor may determine whether there is a likelihood of a problem. In an aspect, the mobile device processor may determine that there is a likelihood of a problem by computing a probability of the mobile device encountering potential problems and/or engaging in suspicious behaviors, and determining whether the computed probability is greater than a predetermined threshold. When the mobile device processor determines that the computed probability is not greater than the predetermined threshold, and/or that there is no likelihood that suspicious behaviors or potential problems exist and/or are detectable (i.e., determination block 1109 = "No"), the processor may return to block 1102 to perform additional coarse observations.

When the mobile device processor determines that there is a likelihood that suspicious behaviors or potential problems exist and/or are detectable (i.e., determination block 1109 = "Yes"), in block 1110 the mobile device processor may perform deeper logging/observations or final logging on the identified subsystems, processes, or applications. In block 1112, the mobile device processor may perform deeper and more detailed observations on the identified subsystems, processes, or applications. In block 1114, the mobile device processor may perform further and/or deeper behavioral analysis based on the deeper and more detailed observations. In determination block 1108, the mobile device processor may again determine whether the suspicious behaviors or potential problems can be identified and corrected based on the results of the deeper behavioral analysis. When the mobile device processor determines that the suspicious behaviors or potential problems cannot be identified and corrected based on the results of the deeper behavioral analysis (i.e., determination block 1108 = "No"), the processor may repeat the operations in blocks 1110 through 1114 until the level of detail is fine enough to identify the problem, or until it is determined that the problem cannot be identified with additional detail or that no problem exists.

When the mobile device processor determines that the suspicious behaviors or potential problems can be identified and corrected based on the results of the deeper behavioral analysis (i.e., determination block 1108 = "Yes"), in block 1118 the mobile device processor may perform operations to correct the problem/behavior, and the processor may return to block 1102 to perform additional operations.

In an aspect, as part of blocks 1102 through 1118 of method 1100, the mobile device processor may perform real-time behavior analysis of the system's behaviors to identify suspicious behaviors from limited and coarse observations, to dynamically determine which behaviors to observe in greater detail, and to dynamically determine the precise level of detail required for the observations. This enables the mobile device processor to efficiently identify and prevent problems from occurring without requiring the use of a large amount of processor, memory, or battery resources on the device.

As discussed above, the various aspects include methods, and computing devices configured to implement the methods, that use behavior-based and machine learning techniques to efficiently identify, classify, model, prevent, and/or correct the conditions and behaviors that often degrade a computing device's performance, power utilization levels, network usage levels, security, and/or privacy over time. To accomplish this, the computing device may perform real-time behavior monitoring and analysis operations, which may include: monitoring the activities of one or more software applications operating on the computing device (e.g., by monitoring API calls at the hardware, driver, kernel, NDK, SDK, and/or webkit levels, etc.); generating a behavior vector information structure ("behavior vector") that characterizes all or a subset of the monitored activities of the one or more software applications; applying the generated behavior vector to a machine learning classifier model ("classifier model") to generate analysis results for the behavior vector information structure; and using the analysis results to classify the behavior vector (and thus the activities characterized by the vector and/or the software application associated with the monitored activities) as benign or non-benign.

As also described above, the various aspects include methods of generating classifier models in a computing device, which may include: receiving a full classifier model from a server computing device; using the full classifier model to generate a list of boosted decision stumps (e.g., by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps that each include a test condition and a weight value, etc.); and generating a reduced classifier model (or a family of reduced classifier models) based on the boosted decision stumps included in the list of boosted decision stumps. The computing device may use these locally generated and reduced classifier models to evaluate a targeted subset of the features included in the full classifier model, such as the features determined to be most relevant to classifying behaviors in that specific computing device. In some embodiments, the computing device may use the reduced classifier model by performing operations that include: applying the behavior information included in the behavior vector information structure to the boosted decision stumps included in the reduced classifier model; computing a weighted average of the results of applying the collected behavior information to each boosted decision stump in the reduced classifier model; and comparing the weighted average to a threshold value to determine whether the behavior of the mobile device is non-benign. In other words, applying the behavior vector to the classifier model may generate an analysis result in the form of a numerical value (P) between zero (0) and one (1). Depending on how the computing device is configured, a value close to zero (e.g., 0.1) may indicate that the behavior represented by the behavior vector is benign, and a value close to one (e.g., 0.9) may indicate that the behavior is non-benign (or vice versa).

The leanest classifier in the family of reduced classifier models (i.e., the reduced classifier model that includes the fewest decision nodes or evaluates the fewest test conditions) may be applied routinely until a behavior (or behavior vector) is encountered that the model cannot classify as benign or non-benign, at which point a more robust (i.e., less reduced) reduced classifier model may be selected and applied in an attempt to classify the behavior as benign or malicious. That is, to conserve resources, the computing device processor may first apply the behavior vector to a reduced classifier model (sometimes called a "reduced feature model" or "RFM") that evaluates a small subset of all the available features/factors (e.g., 20 features), and then progressively use larger classifier models until the processor determines with a high degree of confidence that the behavior is one of benign or non-benign (e.g., until the resulting value P is less than a lower threshold or greater than an upper threshold).

For example, the computing device may first apply the behavior vector to a classifier model that evaluates twenty features (i.e., to RFM-20). If the analysis result is less than a first threshold (e.g., P < 0.1), the computing device may classify the behavior as benign with a high degree of confidence and without further analysis. Similarly, if the analysis result is greater than a second threshold (e.g., P > 0.9), the computing device may classify that behavior as non-benign with a high degree of confidence and without further analysis. On the other hand, when the analysis result falls between the first and second thresholds (e.g., 0.1 <= P <= 0.9), the computing device may not be able to classify the behavior as benign or non-benign with (sufficiently) high confidence. In this situation, the computing device may apply the behavior vector to a larger classifier model (e.g., RFM-40, or a classifier model that evaluates 40 features) to generate new analysis results, and repeat the operations described above. The computing device may repeat these operations until the analysis results indicate that the behavior is benign or non-benign with a high degree of confidence (e.g., until P < 0.1 || P > 0.9).
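Joint feature selection and culling (method 802) followed by the RFM escalation loop just described, as an added example that is not Qualcomm's code. The stump list, the condition names F1-F5, the weights and the behavior vectors are constructed for the example (the toy list has only five unique conditions, so the models are RFM-2 through RFM-5 rather than RFM-20 and RFM-40), and the weighted average over stump weights is an assumed realisation of the "weighted average of all answers" step.

```python
"""Joint feature selection and culling, then progressive model escalation.

Added example, not Qualcomm's code. It builds reduced classifier models the way
method 802 describes (walk the boosted stump list until n unique test conditions
have been seen, drop every stump testing any other condition, no retraining) and
applies them in the RFM-20 / RFM-40 style loop with the 0.1 and 0.9 thresholds.
The stump list, condition names F1-F5, weights and behavior vectors are all
constructed for the example; the weighted average is taken over stump weights.
"""

# Constructed "full classifier model": boosted decision stumps in the order the
# server emitted them, each (test condition, threshold, weight). A stump fires
# (votes non-benign) when the behavior vector's value for its condition exceeds
# the threshold.
FULL_MODEL = [
    ("F1", 300.0, 0.3),   # KB uploaded in the background
    ("F3", 2.0, 0.8),     # SMS sent while the screen is off
    ("F1", 900.0, 0.2),
    ("F5", 1.0, 0.9),     # camera uses while holstered
    ("F2", 5.0, 0.5),     # location reads per minute
    ("F3", 20.0, 0.4),
    ("F4", 1.0, 0.7),     # privileged API calls
    ("F5", 3.0, 0.6),
]

LOWER, UPPER = 0.1, 0.9   # P < LOWER: benign, P > UPPER: non-benign


def select_features(full_model, n):
    """Feature selection: the first n unique test conditions in list order."""
    chosen = []
    for cond, _, _ in full_model:
        if cond not in chosen:
            chosen.append(cond)
            if len(chosen) == n:
                break
    return chosen


def cull(full_model, conditions):
    """Culling: keep only the stumps that test one of the selected conditions."""
    keep = set(conditions)
    return [stump for stump in full_model if stump[0] in keep]


def reduced_model(full_model, n):
    """An RFM-n: the stumps testing the first n unique conditions, unchanged."""
    return cull(full_model, select_features(full_model, n))


def apply_model(model, behavior_vector):
    """P in [0, 1]: weighted average of the stumps' binary answers."""
    total = sum(w for _, _, w in model)
    fired = sum(w for cond, thr, w in model if behavior_vector[cond] > thr)
    return fired / total


def classify_progressively(full_model, behavior_vector, sizes):
    """Apply the leanest model first and escalate while LOWER <= P <= UPPER.

    Returns the label and a (model size, P) trace of every model consulted.
    """
    trace = []
    for n in sizes:
        p = apply_model(reduced_model(full_model, n), behavior_vector)
        trace.append((n, round(p, 3)))
        if p < LOWER:
            return "benign", trace
        if p > UPPER:
            return "non-benign", trace
    # Even the largest model could not decide with high confidence.
    return "suspicious", trace


# Constructed behavior vectors (observed value for each test condition).
UPLOAD_ONLY = {"F1": 500, "F2": 0, "F3": 0, "F4": 0, "F5": 0}
UPLOAD_SMS_CAMERA = {"F1": 500, "F2": 0, "F3": 50, "F4": 0, "F5": 5}
UPLOAD_CAMERA = {"F1": 500, "F2": 0, "F3": 0, "F4": 0, "F5": 5}

if __name__ == "__main__":
    for name, vec in [("upload only", UPLOAD_ONLY),
                      ("upload+sms+camera", UPLOAD_SMS_CAMERA),
                      ("upload+camera", UPLOAD_CAMERA)]:
        print(name, classify_progressively(FULL_MODEL, vec, [2, 3, 4, 5]))
```

The first vector is undecided by RFM-2 and classified benign by RFM-3, the second is undecided by RFM-2 and classified non-benign by RFM-3, and the third stays in the 0.1 to 0.9 band through RFM-5 and is reported as suspicious.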

While the system described above is generally effective, the numerical value (P) is not always a true probability value. As a result, this numerical value (P) may not always accurately represent the likelihood that a behavior is benign or non-benign. This is because, in order to compute P, the system may first need to compute a confidence value (c) using a formula such as the following: . Owing to the unique behaviors of benign and non-benign applications, the confidence values (c) computed using this formula may cluster around one of two extremes, very close to 1 or very close to 0. Consequently, the use of the formula above may produce results that are highly clustered around the two extremes (i.e., the resulting P values may be very close to 1 or very close to 0).

In view of these facts, the computing device may be configured to use sigmoid parameters (α and β) to compute a normalized confidence value (ĉ), and to use the normalized confidence value (ĉ) to classify the behavior as benign or non-benign, so as to better determine whether to continue evaluating the behavior (e.g., whether to select a more robust classifier model, etc.).

In an aspect, the computing device may be configured to compute the normalized confidence value (ĉ) using the following formula:

As shown in the formula above, the normalized confidence value (ĉ) may be defined by the sigmoid parameters α and β and the original confidence value (c). The computing device may be configured to perform operations that implement the formula above in order to compute the normalized confidence value (ĉ). The computing device may use the normalized confidence value (ĉ) to determine whether to select a larger or more robust classifier model, or whether the current analysis results indicate that the behavior can be classified as benign or non-benign with a sufficiently high degree of confidence.

By using the normalized confidence value (ĉ), the computing device may reduce the number of misclassified vectors, reduce the number of false positives, reduce the number of false negatives, and reduce the number of times a behavior is classified as suspicious and requires further analysis with a more robust classifier model. The computing device may therefore classify device behaviors more accurately and efficiently, better determine whether a behavior is benign or non-benign, and more efficiently determine whether additional analysis (such as the selection and use of a larger or more robust classifier model) would result in a more accurate classification of the device behavior.

In some aspects, the computing device may be configured to receive updated or revised sigmoid parameters α and β together with a new classifier model received from the server computing device. In some aspects, the computing device may be configured to update or revise the sigmoid parameters α and β held locally on the computing device based on historical information (e.g., collected from previous executions, previous applications of behavior models, previously determined normalized confidence values, etc.), new information, machine learning, context modeling, and detected changes in available information, mobile device state, environmental conditions, network conditions, mobile device performance, battery consumption level, and so on.

In some aspects, the computing device may be configured to send the locally updated or revised sigmoid parameters α and β to the server computing device, which may receive and use them (e.g., by crowd-sourcing them with the sigmoid parameters received from many other devices) to update the classifier model and/or to generate new sigmoid parameters α and β for the classifier model in the server. This feedback communication allows the system to continuously refine and adjust its models and operations for improved (e.g., more accurate, more efficient, etc.) behavior classification.

FIG. 12 illustrates a method 1200 of using a normalized confidence value (ĉ) for improved behavior classification according to an aspect. In block 1202, the processor of the computing device may receive a full classifier model and sigmoid parameters (e.g., α and β) from the server computing device. In an embodiment, the full classifier model may include a finite state machine that includes information suitable for expression as a plurality of boosted decision stumps. Each boosted decision stump may include a test condition and a weight value, and each test condition may be associated with a probability value that identifies the likelihood that its associated test condition will enable the computing device to determine whether the behavior is one of benign or non-benign.

In block 1204, the processor may determine or compute the normalized confidence value based on the received sigmoid parameters, such as by using the following formula:

In block 1206, the computing device may use the normalized confidence value to classify a device behavior. For example, in an aspect, the computing device may generate a list of boosted decision stumps by converting the finite state machine included in the received full classifier model into a plurality of boosted decision stumps; generate a family of lean classifier models based on the boosted decision stumps included in the list; apply a behavior vector data/information structure to a first lean classifier model in the family to generate analysis results; determine, based on the normalized confidence value, whether to apply the behavior vector data/information structure to a second lean classifier model in the family to generate new analysis results; and, in response to determining based on the normalized confidence value that using a more robust classifier model would not increase the accuracy of the behavior classification, classify the behavior as one of benign or non-benign based on the analysis results already generated.

FIG. 13 illustrates a method 1300 of using a normalized confidence value (ĉ) for improved behavior classification according to another aspect. In block 1302, the processor of the computing device may receive a full classifier model and sigmoid parameters from the server computing device. In block 1304, the processor may generate a lean classifier model based on the received full classifier model. In block 1306, the processor may determine or compute a normalized confidence value based on the received sigmoid parameters. In block 1308, the processor may apply a behavior vector information structure to the lean classifier model to generate analysis results. In block 1310, the processor may use the analysis results and the normalized confidence value to determine whether the behavior of the computing device is benign or non-benign.

FIG. 14 illustrates a method 1400 of using a normalized confidence value (ĉ) for improved behavior classification according to yet another aspect. In block 1402, the processor of the computing device may receive a full classifier model and sigmoid parameters from the server computing device. In block 1404, the processor may generate a list of boosted decision stumps by converting the finite state machine included in the received full classifier model into a plurality of boosted decision stumps. In block 1406, the processor may generate a family of lean classifier models based on the boosted decision stumps included in the list. In block 1408, the processor may determine or compute one or more normalized confidence values for one or more of the lean classifier models based on the received sigmoid parameters. For example, in an aspect, the processor may compute a single normalized confidence value that applies to all of the lean classifier models in the family. In another aspect, the processor may compute a separate normalized confidence value for each of the lean classifier models in the family.

In block 1410, the processor may apply a behavior vector information structure to a first lean classifier model in the family to generate analysis results. In block 1412, the processor may determine, based on the normalized confidence value (e.g., the normalized confidence value associated with the first or the second lean classifier model, etc.), whether to apply the behavior vector information structure to a second lean classifier model in the family to generate new analysis results.
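The procedure of method 1400 (building the stump list, deriving a family of lean classifier models from it, then applying a behavior vector to the leanest model first and escalating only while the normalized confidence is too low), as an added Python example; it is not Qualcomm's code, and the patent does not publish an implementation. It also carries out the lean-model construction and the weighted-average evaluation that the claims later on this page restate. Assumptions: the full classifier model is represented as an ordered list of boosted decision stumps rather than as a finite state machine; each stump tests "feature >= threshold" and votes +1 (non-benign) or -1 (benign); the raw confidence is the distance of the weighted average from the decision threshold; the normalized confidence uses an assumed logistic form of α and β; feature names, stump weights, parameter values and behavior vectors are constructed.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Stump:
    """One boosted decision stump. The test condition is (feature, threshold),
    meaning 'feature >= threshold'; weight is its boosting weight. The
    per-condition probability value the patent mentions is not needed to
    evaluate the model and is omitted here."""
    feature: str
    threshold: float
    weight: float

    @property
    def condition(self):
        return (self.feature, self.threshold)

    def vote(self, behavior_vector):
        """+1 votes non-benign, -1 votes benign (assumed encoding)."""
        return 1.0 if behavior_vector.get(self.feature, 0.0) >= self.threshold else -1.0


# Constructed full classifier model, ordered by boosting importance. Two stumps
# repeat a condition of an earlier stump, which is what makes the lean models
# larger than their condition budget.
FULL_MODEL = [
    Stump("sms_premium_sends", 1, 0.9),
    Stump("net_bytes_out_per_min", 500_000, 0.7),
    Stump("sms_premium_sends", 3, 0.6),            # same feature, new threshold
    Stump("wakelocks_held_s", 600, 0.5),
    Stump("net_bytes_out_per_min", 500_000, 0.4),  # repeats stump 1's condition
    Stump("camera_use_while_screen_off", 1, 0.8),
    Stump("contacts_reads", 50, 0.3),
]
ALPHA, BETA, MIN_CONFIDENCE = 10.0, 0.3, 0.7   # assumed server-supplied values


def lean_model(full_model, max_conditions):
    """Walk the stump list in order, inserting each stump's test condition
    into a list until it holds max_conditions unique conditions, then keep
    only the stumps that test one of those conditions."""
    conditions = []
    for stump in full_model:
        if len(conditions) >= max_conditions:
            break
        if stump.condition not in conditions:
            conditions.append(stump.condition)
    return [s for s in full_model if s.condition in conditions]


def lean_family(full_model, budgets=(2, 4, 6)):
    """Leanest model first. The budgets stand in for the 'number of unique
    test conditions the device can afford' that the method determines."""
    return [lean_model(full_model, n) for n in budgets]


def weighted_vote(model, behavior_vector):
    """Weighted average of the stump votes, in [-1, 1]."""
    total = sum(s.weight for s in model)
    return sum(s.weight * s.vote(behavior_vector) for s in model) / total


def normalized_confidence(c, alpha, beta):
    """Assumed logistic form of the normalized confidence value."""
    return 1.0 / (1.0 + math.exp(-alpha * (c - beta)))


def classify(family, behavior_vector, alpha=ALPHA, beta=BETA,
             min_confidence=MIN_CONFIDENCE, decision_threshold=0.0):
    """Apply the behavior vector to the leanest model first and move to the
    next, larger model only while the normalized confidence stays below
    min_confidence. If even the largest model is not confident enough the
    behavior still gets a label from its score, but settled=False so the
    caller can treat it as suspicious rather than as a firm verdict."""
    last = len(family) - 1
    for level, model in enumerate(family):
        score = weighted_vote(model, behavior_vector)
        c_hat = normalized_confidence(abs(score - decision_threshold), alpha, beta)
        if c_hat >= min_confidence or level == last:
            return {
                "label": "non-benign" if score > decision_threshold else "benign",
                "level": level,
                "confidence": round(c_hat, 3),
                "settled": c_hat >= min_confidence,
            }


# Constructed behavior vectors (feature -> observed value), not real telemetry.
MALICIOUS = {"sms_premium_sends": 4, "net_bytes_out_per_min": 800_000,
             "wakelocks_held_s": 900, "camera_use_while_screen_off": 1,
             "contacts_reads": 120}
AMBIGUOUS = {"sms_premium_sends": 1, "net_bytes_out_per_min": 100_000,
             "wakelocks_held_s": 100, "camera_use_while_screen_off": 0,
             "contacts_reads": 10}
DEEP = {"sms_premium_sends": 3, "net_bytes_out_per_min": 100_000,
        "wakelocks_held_s": 900, "camera_use_while_screen_off": 0,
        "contacts_reads": 10}

if __name__ == "__main__":
    family = lean_family(FULL_MODEL)
    print("lean model sizes:", [len(m) for m in family])
    for name, bv in (("malicious", MALICIOUS), ("ambiguous", AMBIGUOUS), ("deep", DEEP)):
        print(name, classify(family, bv))
```

The malicious vector is decided by the two-condition model, the ambiguous one escalates once and settles at the second model, and the third walks through all three models and still ends below the confidence floor; a deployment should route that last case to further analysis rather than report its label as final, which is the "classified as suspicious" cost the normalized confidence is meant to keep small.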

FIG. 15 illustrates a method 1500 of using a normalized confidence value (ĉ) for improved behavior classification according to yet another aspect. In block 1502, the processor of the computing device may receive a full classifier model and sigmoid parameters from the server computing device. In block 1504, the processor may determine or compute a normalized confidence value based on the received sigmoid parameters. In block 1506, the processor may apply a behavior vector information structure to the classifier model to generate new analysis results. In block 1508, the processor may update or revise the received sigmoid parameters based on the analysis results and/or the determined normalized confidence value. In block 1510, the processor may send the updated sigmoid parameters to the server computing device. That is, in block 1510, the computing device may send the locally updated or revised sigmoid parameters α and β to the server computing device, which may receive and use them (e.g., by crowd-sourcing them with the sigmoid parameters received from many other devices) to update the classifier model and/or to generate new sigmoid parameters α and β for the classifier model in the server. This allows the system to continuously refine and adjust its models and operations for improved (e.g., more accurate, more efficient, etc.) behavior classification.

FIG. 16 illustrates a method 1600 of using a normalized confidence value (ĉ) for improved behavior classification according to yet another aspect. In block 1602, the processor of the computing device may receive a full classifier model and sigmoid parameters from the server computing device. In block 1604, the processor may determine or compute a normalized confidence value based on the received sigmoid parameters. In optional block 1606, the processor may apply a behavior vector information structure to the classifier model to generate new analysis results. In block 1608, the processor may receive updated sigmoid parameters from the server computing device. In block 1610, the processor may determine or compute a new normalized confidence value based on the received updated sigmoid parameters. In block 1612, the processor may classify the behavior of the computing device based on the new normalized confidence value, such as by applying a behavior vector information structure to the classifier model to generate analysis results; by using previously generated analysis results together with the new normalized confidence value; by applying another behavior vector information structure to the same or a different classifier model to generate new analysis results; and so on.

The various aspects may be implemented on a variety of computing devices, an example of which, in the form of a smartphone, is illustrated in FIG. 17. The smartphone 1700 may include a processor 1702 coupled to internal memory 1704, a display 1706, and a speaker 1708. In addition, the smartphone 1700 may include an antenna 1710 for sending and receiving electromagnetic radiation, which may be connected to a wireless data link and/or cellular telephone/wireless transceiver 1712 coupled to the processor 1702. The smartphone 1700 typically also includes menu selection buttons or a rocker switch XX20 for receiving user input.

A typical smartphone 1700 also includes a sound encoding/decoding (CODEC) circuit 1716, which digitizes sound received from a microphone into data packets suitable for wireless transmission and decodes received sound data packets to generate analog signals that are provided to the speaker to produce sound. Also, one or more of the processor 1702, the wireless transceiver 1712, and the CODEC 1716 may include digital signal processor (DSP) circuitry (not shown separately).

Portions of the aspect methods may be implemented in a client-server architecture, with some of the processing occurring in a server, such as maintaining databases of normal operational behaviors that a mobile device processor may access while executing the aspect methods. Such aspects may also be implemented on any of a variety of commercially available server devices, such as the server 1800 illustrated in FIG. 18. Such a server 1800 typically includes a processor 1801 coupled to volatile memory 1802 and a large-capacity non-volatile memory, such as a disk drive 1803. The server 1800 may also include a floppy disk drive, compact disc (CD) or DVD drive 1804 coupled to the processor 1801. The server 1800 may also include a network access port 1806 coupled to the processor 1801 for establishing data connections with a network 1805, such as a local area network coupled to other broadcast system computers and servers.

The processors 1702, 1801 may be any programmable microprocessor, microcomputer, or multiple processor chip or chips that can be configured by software instructions (applications) to perform a variety of functions, including the functions of the various aspects described herein. In some mobile devices, multiple processors 1702 may be provided, such as one processor dedicated to wireless communication functions and one processor dedicated to running other applications. Typically, software applications may be stored in the internal memory 1704, 1802, 1803 before they are accessed and loaded into the processors 1702, 1801. The processors 1702, 1801 may include internal memory sufficient to store the application software instructions.

The term "performance degradation" is used in this application to refer to a wide variety of undesirable mobile device operations and characteristics, such as longer processing times, slower real-time responsiveness, lower battery life, loss of private data, malicious economic activity (e.g., sending unauthorized premium SMS messages), denial of service (DoS), operations related to commandeering the mobile device or using the phone for spying or botnet activity, and so on.

Computer program code or "program code" for execution on a programmable processor to perform the operations of the various aspects may be written in a high-level programming language such as C, C++, C#, Smalltalk, Java, JavaScript, Visual Basic, a structured query language (e.g., Transact-SQL), Perl, or in various other programming languages. Program code or programs stored on a computer-readable storage medium, as the terms are used in this application, may refer to machine language code (such as object code) whose format is understandable by a processor.

Many mobile computing device operating system kernels are organized into a user space (where non-privileged code runs) and a kernel space (where privileged code runs). This separation is of particular importance in Android® and other General Public License (GPL) environments, where code that is part of the kernel space must be GPL licensed, while code running in the user space need not be GPL licensed. It should be understood that the various software components/modules discussed here may be implemented in either the kernel space or the user space, unless expressly stated otherwise.

The foregoing method descriptions and process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the steps of the various aspects must be performed in the order presented. As will be appreciated by one of skill in the art, the order of steps in the foregoing aspects may be performed in any order. Words such as "thereafter", "then", "next", and the like are not intended to limit the order of the steps; these words are simply used to guide the reader through the description of the methods. Further, any reference to claim elements in the singular (for example, using the articles "a", "an" or "the") is not to be construed as limiting the element to the singular.

As used in this application, the terms "component", "module", "system", "engine", "generator", "manager" and the like are intended to include a computer-related entity, such as, but not limited to, hardware, firmware, a combination of hardware and software, software, or software in execution, which is configured to perform particular operations or functions. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device may be referred to as a component. One or more components may reside within a process and/or thread of execution, and a component may be localized on one processor or core and/or distributed between two or more processors or cores. In addition, these components may execute from various non-transitory computer-readable media having various instructions and/or data structures stored thereon. Components may communicate by way of local and/or remote processes, function or procedure calls, electronic signals, data packets, memory read/writes, and other known network, computer, processor, and/or process related communication methodologies.

The various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the claims.

The hardware used to implement the various illustrative logics, logical blocks, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a multiprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a multiprocessor, a plurality of multiprocessors, one or more multiprocessors in conjunction with a DSP core, or any other such configuration. Alternatively, some steps or methods may be performed by circuitry that is specific to a given function.

In one or more exemplary aspects, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more processor-executable instructions or code on a non-transitory computer-readable storage medium or non-transitory processor-readable storage medium. The steps of a method or algorithm disclosed herein may be embodied in a processor-executable software module, which may reside on a non-transitory computer-readable or processor-readable storage medium. Non-transitory computer-readable or processor-readable storage media may be any storage media that may be accessed by a computer or a processor. By way of example but not limitation, such non-transitory computer-readable or processor-readable media may include RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to store desired program code in the form of instructions or data structures and that may be accessed by a computer. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.

The preceding description of the disclosed aspects is provided to enable any person skilled in the art to make or use the claimed subject matter. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the claims. Thus, the present invention is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.

Reference numerals for FIG. 14: 1400 method; 1402 block; 1404 block; 1406 block; 1408 block; 1410 block; 1412 block.

Claims (30)

1. A method of analyzing behaviors in a computing device, comprising: receiving, in a processor of the computing device, a full classifier model and sigmoid parameters from a server computing device; determining a normalized confidence value based on the sigmoid parameters; and classifying a device behavior of the computing device based on the normalized confidence value.

2. The method of claim 1, further comprising: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and generating a family of lean classifier models based on the boosted decision stumps included in the list of boosted decision stumps, wherein classifying the device behavior based on the normalized confidence value comprises: applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

3. The method of claim 1, further comprising generating a lean classifier model based on the full classifier model, wherein classifying the device behavior of the computing device based on the normalized confidence value comprises: applying a behavior vector information structure to the lean classifier model to generate analysis results; and using the analysis results and the normalized confidence value to determine whether the device behavior of the computing device is benign or non-benign.

4. The method of claim 3, wherein generating the lean classifier model based on the full classifier model comprises: generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device; generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and generating the lean classifier model to include only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions.

5. The method of claim 3, wherein applying the behavior vector information structure to the lean classifier model to determine whether the device behavior of the computing device is non-benign comprises: applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision stumps included in the lean classifier model; computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and comparing the weighted average to a threshold value.

6. The method of claim 1, further comprising: generating an updated sigmoid parameter based on the normalized confidence value; and sending the updated sigmoid parameter to the server computing device.

7. The method of claim 1, further comprising: receiving an updated sigmoid parameter from the server computing device; determining a new normalized confidence value based on the updated sigmoid parameter received from the server computing device; and classifying the device behavior of the computing device based on the new normalized confidence value.

8. The method of claim 1, wherein receiving the full classifier model and the sigmoid parameters comprises receiving a finite state machine that includes information suitable for expression as two or more boosted decision stumps that each include a weight value and a test condition, the test condition being associated with a probability value that identifies a likelihood that the test condition will enable the computing device to determine whether the device behavior of the computing device is one of benign and non-benign.

9. A computing device, comprising: means for receiving a full classifier model and sigmoid parameters from a server computing device; means for determining a normalized confidence value based on the sigmoid parameters; and means for classifying a device behavior of the computing device based on the normalized confidence value.

10. The computing device of claim 9, further comprising: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into boosted decision stumps; and means for generating a family of lean classifier models based on the boosted decision stumps included in the list of boosted decision stumps, wherein the means for classifying the device behavior of the computing device based on the normalized confidence value comprises: means for applying a behavior vector information structure to a first lean classifier model in the family of lean classifier models to generate analysis results; and means for determining, based on the normalized confidence value, whether to apply the behavior vector information structure to a second lean classifier model in the family of lean classifier models to generate new analysis results.

11. The computing device of claim 9, further comprising means for generating a lean classifier model based on the full classifier model, wherein the means for classifying the device behavior based on the normalized confidence value comprises: means for applying a behavior vector information structure to the lean classifier model to generate analysis results; and means for using the analysis results and the normalized confidence value to determine whether the device behavior of the computing device is benign or non-benign.

12. The computing device of claim 11, wherein the means for generating the lean classifier model based on the full classifier model comprises: means for generating a list of boosted decision stumps by converting a finite state machine included in the full classifier model into a plurality of boosted decision stumps; means for determining a number of unique test conditions that should be evaluated to classify the device behavior without consuming an excessive amount of processing, memory, or energy resources of the computing device; means for generating a list of test conditions by sequentially traversing the list of boosted decision stumps and inserting the test condition associated with each sequentially traversed boosted decision stump into the list of test conditions until the list of test conditions includes the determined number of unique test conditions; and means for generating the lean classifier model to include only those boosted decision stumps that test one of the plurality of test conditions included in the list of test conditions.

13. The computing device of claim 11, wherein the means for applying the behavior vector information structure to the lean classifier model to determine whether the device behavior is non-benign comprises: means for applying collected behavior information included in the behavior vector information structure to each of a plurality of boosted decision stumps included in the lean classifier model; means for computing a weighted average of the results of applying the collected behavior information to each of the plurality of boosted decision stumps included in the lean classifier model; and means for comparing the weighted average to a threshold value.

14. The computing device of claim 9, further comprising: means for generating an updated sigmoid parameter based on the normalized confidence value; and means for sending the updated sigmoid parameter to the server computing device.

15. The computing device of claim 9, further comprising: means for receiving an updated sigmoid parameter from the server computing device; means for determining a new normalized confidence value based on the updated sigmoid parameter; and means for classifying the device behavior of the computing device based on the new normalized confidence value.
如請求項11之計算裝置,其中用於將該行為向量資訊結構應用於 該精簡分類器模型以判定該裝置行為是否為非良性的構件包含:用於將包括於該行為向量資訊結構中的所收集之行為資訊應用於包括於該精簡分類器模型中之複數個強化單層決策樹中之每一者的構件;用於計算將該所收集之行為資訊應用於包括於該精簡分類器模型中之該複數個強化單層決策樹中之每一者的一結果之一加權平均值的構件;及用於將該加權平均值與一臨限值進行比較的構件。 The computing device of claim 11, wherein the behavior vector information structure is applied to The reduced classifier model to determine whether the device behavior is non-benign comprises: applying the collected behavior information included in the behavior vector information structure to a plurality of reinforcement sheets included in the reduced classifier model a component of each of the hierarchical decision trees; one of a result of calculating the applied behavior information to each of the plurality of enhanced single-level decision trees included in the reduced classifier model a component of the weighted average; and means for comparing the weighted average to a threshold. 如請求項9之計算裝置,其進一步包含:用於基於該標準化之信賴值產生一經更新之S型參數的構件;及用於將該經更新之S型參數發送至該伺服器計算裝置的構件。 The computing device of claim 9, further comprising: means for generating an updated S-type parameter based on the normalized confidence value; and means for transmitting the updated S-type parameter to the server computing device . 如請求項9之計算裝置,其進一步包含:用於自該伺服器計算裝置接收一經更新之S型參數的構件;用於基於該經更新之S型參數判定一新的標準化之信賴值的構件;及用於基於該新的標準化之信賴值為該計算裝置之該裝置行為分類的構件。 The computing device of claim 9, further comprising: means for receiving an updated S-type parameter from the server computing device; means for determining a new standardized trusted value based on the updated S-type parameter And means for classifying the behavior of the device based on the new standardized confidence value. 
如請求項9之計算裝置,其中用於接收該完全分類器模型及該等S型參數的構件包含用於接收一有限狀態機的構件,該有限狀態機包括適合於表達為各自包括一加權值及一測試條件之兩個或更多個強化單層決策樹的資訊,該測試條件相關聯於識別該測試條件將使得該計算裝置能夠判定該計算裝置之該裝置行為是否為良性及非良性中之一者的一似然性的一機率值。 The computing device of claim 9, wherein the means for receiving the full classifier model and the s-type parameters comprises means for receiving a finite state machine, the finite state machine comprising means adapted to express a weighting value each And information of two or more enhanced single-layer decision trees of a test condition associated with identifying the test condition to enable the computing device to determine whether the device behavior of the computing device is benign or non-benign One of the probability values of one likelihood. 一種計算裝置,其包含:一處理器,其經處理器可執行指令組態以執行包含以下項之 操作:自一伺服器計算裝置接收一完全分類器模型及S型參數;基於該等S型參數判定一標準化之信賴值;及基於該標準化之信賴值為該計算裝置之一裝置行為分類。 A computing device comprising: a processor configured by processor executable instructions to perform the Operation: receiving a full classifier model and S-type parameters from a server computing device; determining a standardized trust value based on the S-type parameters; and determining a device behavior classification based on the standardized trust value. 
如請求項17之計算裝置,其中該處理器經處理器可執行指令組態以執行進一步包含以下項之操作:藉由將包括於該完全分類器模型中之一有限狀態機轉換成強化單層決策樹而產生一強化單層決策樹清單;及基於包括於該強化單層決策樹清單中之該等強化單層決策樹而產生一精簡分類器模型家族,且其中該處理器經處理器可執行指令組態以執行操作,使得基於該標準化之信賴值為該裝置行為分類包含:將一行為向量資訊結構應用於該精簡分類器模型家族中之一第一精簡分類器模型以產生分析結果;及基於該標準化之信賴值來判定是否將該行為向量資訊結構應用於該精簡分類器模型家族中之一第二精簡分類器模型以產生新分析結果。 The computing device of claim 17, wherein the processor is configured via processor-executable instructions to perform operations further comprising: converting a finite state machine included in the full classifier model to an enhanced single layer Generating a list of enhanced single-level decision trees by the decision tree; and generating a family of reduced classifier models based on the enhanced single-layer decision trees included in the list of enhanced single-level decision trees, wherein the processor is Executing an instruction configuration to perform an operation such that the confidence value based on the normalization is a classification of the device behavior comprises: applying a behavior vector information structure to one of the first reduced classifier models in the reduced classifier model family to generate an analysis result; And determining whether to apply the behavior vector information structure to one of the second reduced classifier models in the reduced classifier model family to generate a new analysis result based on the normalized trust value. 
如請求項17之計算裝置,其中:該處理器經處理器可執行指令組態以執行進一步包含以下項之操作:基於該完全分類器模型產生一精簡分類器模型,且該處理器經處理器可執行指令組態以執行操作,使得基於該標準化之信賴值為該計算裝置之該裝置行為分類包含:將一行為向量資訊結構應用於該精簡分類器模型以產生分析結果;及使用該等分析結果及該標準化之信賴值以判定該計算裝置之該裝置行為係良性抑或非良性的。 The computing device of claim 17, wherein: the processor is configured via processor executable instructions to perform operations further comprising: generating a reduced classifier model based on the full classifier model, and the processor is processor Executable instructions are configured to perform operations such that the trusted behavior based on the normalization is a classification of the device behavior of the computing device comprising: applying a behavior vector information structure to the reduced classifier model to generate an analysis result; and using the analysis The result and the normalized confidence value are used to determine whether the device behavior of the computing device is benign or non-benign. 如請求項19之計算裝置,其中該處理器經處理器可執行指令組態以執行操作,使得基於該完全分類器模型產生該精簡分類器模型包含:藉由將包括於該完全分類器模型中之一有限狀態機轉換成複數個強化單層決策樹而產生一強化單層決策樹清單;判定應進行評估以在不消耗該計算裝置之一過度量之處理資源、記憶體資源或能量資源的情況下為該裝置行為分類的唯一測試條件之數目;產生一測試條件清單,該產生藉由依序遍歷該強化單層決策樹清單,且將與每一經依序遍歷之強化單層決策樹相關聯的一測試條件插入至該測試條件清單中,直至該測試條件清單包括該數目個唯一測試條件為止;及產生該精簡分類器模型,以僅包括測試包括於該測試條件清單中之複數個測試條件中之一者的彼等強化單層決策樹。 The computing device of claim 19, wherein the processor is configured by the processor executable instructions to perform an operation such that generating the reduced classifier model based on the full classifier model comprises: by being included in the full classifier model A finite state machine converts into a plurality of enhanced single-layer decision trees to generate a list of enhanced single-layer decision trees; the decision should be evaluated to consume processing resources, memory resources, or energy resources that do not consume an excessive amount of the computing device. 
The number of unique test conditions for classifying the behavior of the device; generating a list of test conditions that traverse the list of enhanced single-level decision trees in order, and associating with each enhanced hierarchical decision tree traversed sequentially a test condition is inserted into the test condition list until the test condition list includes the number of unique test conditions; and the reduced classifier model is generated to include only a plurality of test conditions included in the test condition list One of them enhances the single-layer decision tree. 如請求項19之計算裝置,其中該處理器經處理器可執行指令組態以執行操作,使得將該行為向量資訊結構應用於該精簡分類器模型以判定該計算裝置之該裝置行為是否為非良性的包含:將包括於該行為向量資訊結構中的所收集之行為資訊應用於包括於該精簡分類器模型中之複數個強化單層決策樹中之每一者;計算將該所收集之行為資訊應用於包括於該精簡分類器模型中之該複數個強化單層決策樹中之每一者的一結果之一加權平均值;及將該加權平均值與一臨限值進行比較。 The computing device of claim 19, wherein the processor is configured by the processor-executable instructions to perform an operation such that the behavior vector information structure is applied to the reduced classifier model to determine whether the device behavior of the computing device is non- Benign inclusion: applying the collected behavior information included in the behavior vector information structure to each of a plurality of enhanced single-level decision trees included in the reduced classifier model; calculating the collected behavior The information is applied to a weighted average of one of the results of each of the plurality of enhanced single layer decision trees included in the reduced classifier model; and the weighted average is compared to a threshold. 如請求項17之計算裝置,其中該處理器經處理器可執行指令組態以執行進一步包含以下項之操作: 基於該標準化之信賴值產生一經更新之S型參數;及將該經更新之S型參數發送至該伺服器計算裝置。 The computing device of claim 17, wherein the processor is configured via processor executable instructions to perform operations further comprising: Generating an updated S-type parameter based on the normalized confidence value; and transmitting the updated S-type parameter to the server computing device. 
如請求項17之計算裝置,其中該處理器經處理器可執行指令組態以執行進一步包含以下項之操作:自該伺服器計算裝置接收一經更新之S型參數;基於該經更新之S型參數判定一新的標準化之信賴值;及基於該新的標準化之信賴值為該計算裝置之該裝置行為分類。 The computing device of claim 17, wherein the processor is configured via processor executable instructions to perform operations further comprising: receiving an updated S-type parameter from the server computing device; based on the updated S-type The parameter determines a new standardized confidence value; and the confidence value based on the new standardization is the device behavior classification of the computing device. 如請求項17之計算裝置,其中該處理器經處理器可執行指令組態以執行操作,使得接收該完全分類器模型及該等S型參數包含接收一有限狀態機,該有限狀態機包括適合於表達為各自包括一加權值及一測試條件之兩個或更多個強化單層決策樹的資訊,該測試條件相關聯於識別該測試條件將使得該處理器能夠判定該裝置行為是否為良性及非良性中之一者的一似然性的一機率值。 The computing device of claim 17, wherein the processor is configured by the processor-executable instructions to perform operations such that receiving the full classifier model and the S-type parameters comprises receiving a finite state machine, the finite state machine including Expressed as information for two or more enhanced single-layer decision trees each including a weighted value and a test condition associated with identifying the test condition that will enable the processor to determine whether the device behavior is benign And a probability value of one of the non-benign ones. 一種非暫時性電腦可讀儲存媒體,其上儲存有經組態以使得一計算裝置之一處理器執行包含以下項之操作的處理器可執行軟體指令:自一伺服器計算裝置接收一完全分類器模型及S型參數;基於該等S型參數判定一標準化之信賴值;及基於該標準化之信賴值為該計算裝置之一裝置行為分類。 A non-transitory computer readable storage medium having stored thereon processor executable software instructions configured to cause a processor of a computing device to perform an operation comprising: receiving a complete classification from a server computing device And a s-type parameter; determining a standardized trust value based on the s-type parameters; and the reliance value based on the standardization is a device behavior classification of the computing device. 
如請求項25之非暫時性電腦可讀儲存媒體,其中該等儲存之處理器可執行指令經組態以使得該處理器執行進一步包含以下項之操作:藉由將包括於該完全分類器模型中之一有限狀態機轉換成強化單層決策樹而產生一強化單層決策樹清單;及 基於包括於該強化單層決策樹清單中之該等強化單層決策樹而產生一精簡分類器模型家族;其中基於該標準化之信賴值為該計算裝置之該裝置行為分類包含:將一行為向量資訊結構應用於該精簡分類器模型家族中之一第一精簡分類器模型以產生分析結果;及基於該標準化之信賴值來判定是否將該行為向量資訊結構應用於該精簡分類器模型家族中之一第二精簡分類器模型以產生新分析結果。 The non-transitory computer readable storage medium of claim 25, wherein the stored processor executable instructions are configured to cause the processor to perform operations further comprising: including by the full classifier model One of the finite state machines is transformed into an enhanced single layer decision tree to produce a list of enhanced single layer decision trees; Generating a reduced classifier model family based on the enhanced single layer decision trees included in the enhanced single layer decision tree list; wherein the device based on the standardized trust value comprises: a behavior vector An information structure is applied to one of the first reduced classifier models in the reduced classifier model family to generate an analysis result; and determining whether the behavior vector information structure is applied to the reduced classifier model family based on the normalized trust value A second streamlined classifier model to generate new analysis results. 
如請求項25之非暫時性電腦可讀儲存媒體,其中:該等儲存之處理器可執行指令經組態以使得該處理器執行進一步包含以下項之操作:基於該完全分類器模型產生一精簡分類器模型,及該等儲存之處理器可執行指令經組態以使得該處理器執行操作,使得基於該標準化之信賴值為該裝置行為分類包含:將一行為向量資訊結構應用於該精簡分類器模型以產生分析結果;及使用該等分析結果及該標準化之信賴值以判定該計算裝置之該裝置行為係良性抑或非良性的。 The non-transitory computer readable storage medium of claim 25, wherein: the stored processor executable instructions are configured to cause the processor to perform operations further comprising: generating a streamline based on the full classifier model The classifier model, and the stored processor-executable instructions are configured to cause the processor to perform operations such that the trusted value based on the normalization is a classification of the device behavior comprising: applying a behavior vector information structure to the reduced classification The model is used to generate an analysis result; and the analysis results and the normalized confidence value are used to determine whether the device behavior of the computing device is benign or non-benign. 如請求項27之非暫時性電腦可讀儲存媒體,其中該等儲存之處理器可執行指令經組態以使得該處理器執行操作,使得基於該完全分類器模型產生該精簡分類器模型包含:藉由將包括於該完全分類器模型中之一有限狀態機轉換成複數個強化單層決策樹而產生一強化單層決策樹清單;判定應進行評估以在不消耗該計算裝置之一過度量之處理資源、記憶體資源或能量資源的情況下為該裝置行為分類的唯一 測試條件之數目;產生一測試條件清單,該產生藉由依序遍歷該強化單層決策樹清單,且將與每一經依序遍歷之強化單層決策樹相關聯的一測試條件插入至該測試條件清單中,直至該測試條件清單包括該數目個唯一測試條件為止;及產生該精簡分類器模型,以僅包括測試包括於該測試條件清單中之複數個測試條件中之一者的彼等強化單層決策樹。 The non-transitory computer readable storage medium of claim 27, wherein the stored processor executable instructions are configured to cause the processor to perform an operation such that generating the reduced classifier model based on the full classifier model comprises: Generating a list of enhanced single-level decision trees by converting one of the finite state machines included in the full classifier model into a plurality of enhanced single-layer decision trees; the decision should be evaluated to avoid excessive consumption of the computing device The uniqueness of the device's behavior when processing resources, memory resources, or energy resources a 
number of test conditions; generating a list of test conditions by sequentially traversing the list of enhanced single-level decision trees, and inserting a test condition associated with each of the sequentially traversed enhanced single-level decision trees into the test condition In the list, until the list of test conditions includes the number of unique test conditions; and generating the reduced classifier model to include only those of the plurality of test conditions included in the test condition list Layer decision tree. 如請求項25之非暫時性電腦可讀儲存媒體,其中該等儲存之處理器可執行指令經組態以使得該處理器執行進一步包含以下項之操作:基於該標準化之信賴值產生一經更新之S型參數;及將該經更新之S型參數發送至該伺服器計算裝置。 The non-transitory computer readable storage medium of claim 25, wherein the stored processor executable instructions are configured to cause the processor to perform an operation further comprising: generating an updated based on the normalized confidence value An S-type parameter; and transmitting the updated S-type parameter to the server computing device. 如請求項25之非暫時性電腦可讀儲存媒體,其中該等儲存之處理器可執行指令經組態以使得該處理器執行進一步包含以下項之操作:自該伺服器計算裝置接收一經更新之S型參數;基於該經更新之S型參數判定一新的標準化之信賴值;及基於該新的標準化之信賴值為該計算裝置之該裝置行為分類。 The non-transitory computer readable storage medium of claim 25, wherein the stored processor executable instructions are configured to cause the processor to perform an operation further comprising: receiving an update from the server computing device S-type parameter; determining a new standardized trust value based on the updated S-type parameter; and determining the device behavior classification of the computing device based on the new standardized trust value.
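The pipeline that claims 9 through 13 describe (and that claims 17 through 30 restate in processor and storage-medium form), worked through end to end as an added Python example that is not part of the patent and is not Qualcomm code. It builds lean classifier models from a full model's boosted decision stumps by collecting a fixed number of unique test conditions, applies a behavior vector to each stump, takes the weighted average, maps it to a normalized confidence with server-supplied sigmoid parameters, and escalates to the next, larger model in the family only while that confidence is indecisive. Every concrete value is a constructed assumption: the feature names, stump thresholds and weights, the sample behavior vectors, the (scale, offset) form of the sigmoid parameters and the 0.2/0.8 decision bands; the patent fixes none of these.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Stump:
    """One boosted decision stump: a test condition (feature > threshold)
    together with its boosting weight."""
    feature: str
    threshold: float
    weight: float


# Constructed "full classifier model" as a server might send it, already in
# boosting order so the earliest stumps are the most informative ones.
FULL_MODEL: List[Stump] = [
    Stump("sms_sent_per_hour", 20, 0.9),
    Stump("network_bytes_out", 5e6, 0.7),
    Stump("sms_sent_per_hour", 50, 0.6),
    Stump("location_reads", 30, 0.5),
    Stump("background_cpu_pct", 40, 0.4),
    Stump("network_bytes_out", 50e6, 0.3),
]

# Constructed sigmoid parameters (scale, offset); the patent only says the
# device receives them from the server, not what shape they take.
SIGMOID_PARAMS: Tuple[float, float] = (4.0, 0.0)

# Constructed behavior vector information structures: feature -> observed value.
SAMPLES: Dict[str, Dict[str, float]] = {
    "spammer": {"sms_sent_per_hour": 80, "network_bytes_out": 60e6,
                "location_reads": 5, "background_cpu_pct": 10},
    "idle_app": {"sms_sent_per_hour": 2, "network_bytes_out": 1e6,
                 "location_reads": 3, "background_cpu_pct": 5},
    "borderline": {"sms_sent_per_hour": 30, "network_bytes_out": 6e6,
                   "location_reads": 50, "background_cpu_pct": 60},
}


def build_lean_model(full_model: List[Stump], num_conditions: int) -> List[Stump]:
    """Claims 12/20/28: walk the stump list in order, collecting test conditions
    until num_conditions unique ones are found, then keep every stump (not just
    the first) that tests one of those conditions."""
    conditions: List[str] = []
    for stump in full_model:
        if len(conditions) >= num_conditions:
            break
        if stump.feature not in conditions:
            conditions.append(stump.feature)
    return [s for s in full_model if s.feature in conditions]


def build_model_family(full_model: List[Stump], sizes: List[int]) -> List[List[Stump]]:
    """Claims 10/18/26: a family of lean models of increasing size."""
    return [build_lean_model(full_model, n) for n in sizes]


def weighted_average(model: List[Stump], behavior_vector: Dict[str, float]) -> float:
    """Claims 13/21: apply the collected behavior information to every stump
    (+1 if the test condition fires, -1 otherwise) and return the
    weight-normalized average, which lies in [-1, 1]."""
    if not model:
        raise ValueError("empty classifier model")
    votes = 0.0
    for stump in model:
        fired = behavior_vector.get(stump.feature, 0.0) > stump.threshold
        votes += stump.weight * (1.0 if fired else -1.0)
    return votes / sum(s.weight for s in model)


def normalized_confidence(score: float, sigmoid_params: Tuple[float, float]) -> float:
    """Map the raw weighted average into (0, 1) with the server-supplied sigmoid
    parameters; values near 1 mean confidently non-benign, near 0 benign."""
    scale, offset = sigmoid_params
    return 1.0 / (1.0 + math.exp(-(scale * score + offset)))


def classify(model_family: List[List[Stump]], behavior_vector: Dict[str, float],
             sigmoid_params: Tuple[float, float], low: float = 0.2,
             high: float = 0.8) -> Tuple[str, float, int]:
    """Start with the smallest lean model and only spend resources on a larger
    one while the normalized confidence stays between low and high.
    Returns (label, confidence, index of the model that decided)."""
    if not model_family:
        raise ValueError("empty model family")
    for index, model in enumerate(model_family):
        score = weighted_average(model, behavior_vector)
        confidence = normalized_confidence(score, sigmoid_params)
        if confidence >= high:
            return "non-benign", confidence, index
        if confidence <= low:
            return "benign", confidence, index
    # Every model was indecisive: fall back to the plain weighted-average
    # versus threshold comparison of claim 13 on the last (largest) model.
    return ("non-benign" if score > 0.0 else "benign"), confidence, index


if __name__ == "__main__":
    family = build_model_family(FULL_MODEL, [2, 4])
    for name, vector in SAMPLES.items():
        print(name, classify(family, vector, SIGMOID_PARAMS))
```

With two unique test conditions the first lean model keeps four of the six stumps (both sms and both network stumps), which is the point of the claim 12 selection rule: it prunes by test condition, not by stump count, so the device only has to collect two features. The "borderline" sample shows the escalation path of claim 10: the small model returns a confidence near 0.75, inside the indecisive band, so the behavior vector is applied to the larger model, which pushes the confidence above 0.8.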
TW105123791A 2015-08-14 2016-07-27 Using normalized confidence values for classifying mobile device behaviors TW201710960A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/826,430 US10089582B2 (en) 2013-01-02 2015-08-14 Using normalized confidence values for classifying mobile device behaviors

Publications (1)

Publication Number Publication Date
TW201710960A true TW201710960A (en) 2017-03-16

Family

ID=56511920

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105123791A TW201710960A (en) 2015-08-14 2016-07-27 Using normalized confidence values for classifying mobile device behaviors

Country Status (5)

Country Link
EP (1) EP3335160A1 (en)
JP (1) JP2018533105A (en)
CN (1) CN107924492A (en)
TW (1) TW201710960A (en)
WO (1) WO2017030672A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI658372B (en) * 2017-12-12 2019-05-01 財團法人資訊工業策進會 Abnormal behavior detection model building apparatus and abnormal behavior detection model building method thereof
TWI670677B (en) * 2017-06-13 2019-09-01 大陸商北京嘀嘀無限科技發展有限公司 Systems and methods for recommending an estimated time of arrival

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6795529B2 (en) * 2018-02-15 2020-12-02 Kddi株式会社 Communication analysis method and system
CN108491720B (en) * 2018-03-20 2023-07-14 腾讯科技(深圳)有限公司 Application identification method, system and related equipment
CN109582776B (en) * 2018-12-04 2021-07-09 北京羽扇智信息科技有限公司 Model generation method and device, electronic device and storage medium
CN110298402A (en) * 2019-07-01 2019-10-01 国网内蒙古东部电力有限公司 A kind of small target deteection performance optimization method
CN112131607B (en) * 2020-09-25 2022-07-08 腾讯科技(深圳)有限公司 Resource data processing method and device, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130066815A1 (en) * 2011-09-13 2013-03-14 Research In Motion Limited System and method for mobile context determination
US9491187B2 (en) * 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US9652362B2 (en) * 2013-12-06 2017-05-16 Qualcomm Incorporated Methods and systems of using application-specific and application-type-specific models for the efficient classification of mobile device behaviors

Also Published As

Publication number Publication date
EP3335160A1 (en) 2018-06-20
WO2017030672A1 (en) 2017-02-23
CN107924492A (en) 2018-04-17
JP2018533105A (en) 2018-11-08

Similar Documents

Publication Publication Date Title
US10089582B2 (en) Using normalized confidence values for classifying mobile device behaviors
KR101826865B1 (en) Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
KR101848576B1 (en) Methods and systems of using application-specific and application-type-specific models for the efficient classification of mobile device behaviors
US9609456B2 (en) Methods, devices, and systems for communicating behavioral analysis information
EP3191960B1 (en) Methods and systems for aggregated multi-application behavioral analysis of mobile device behaviors
US9324034B2 (en) On-device real-time behavior analyzer
US20170024660A1 (en) Methods and Systems for Using an Expectation-Maximization (EM) Machine Learning Framework for Behavior-Based Analysis of Device Behaviors
US20170046510A1 (en) Methods and Systems of Building Classifier Models in Computing Devices
US20160078362A1 (en) Methods and Systems of Dynamically Determining Feature Sets for the Efficient Classification of Mobile Device Behaviors
US20130304677A1 (en) Architecture for Client-Cloud Behavior Analyzer
US20160232353A1 (en) Determining Model Protection Level On-Device based on Malware Detection in Similar Devices
TW201710960A (en) Using normalized confidence values for classifying mobile device behaviors