DATA PROTECTION USING VIRTUAL RESOURCE VIEWS
    1.
    Invention application
    Status: under examination (published)

    Publication No.: WO2017165073A1

    Publication date: 2017-09-28

    Application No.: PCT/US2017/019396

    Filing date: 2017-02-24

    Abstract: Embodiments include computing devices, systems, and methods for protecting data using virtual views of resource contents. A virtualization interface monitor may monitor a request to access a computing device resource by a first requesting entity and determine whether the first requesting entity is an owner of the computing device resource. A data protection system may provide, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource. A resource content cryptographic device may obscure a virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource. The data protection system may provide, to the first requesting entity, the obscured virtual view of resource contents of the computing device resource.

    MEMORY HIERARCHY MONITORING SYSTEMS AND METHODS
    2.
    Invention application
    Status: under examination (published)

    Publication No.: WO2017014896A1

    Publication date: 2017-01-26

    Application No.: PCT/US2016/038664

    Filing date: 2016-06-22

    CPC classification number: G06F3/0604 G06F3/0653 G06F3/0683 G06F21/552

    Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

    ADAPTIVE OBSERVATION OF BEHAVIORAL FEATURES ON A MOBILE DEVICE
    3.
    Invention application
    Status: under examination (published)

    Publication No.: WO2014116977A2

    Publication date: 2014-07-31

    Application No.: PCT/US2014/012990

    Filing date: 2014-01-24

    CPC classification number: H04W24/04 G06F21/55 G06N5/043 H04L63/1408 H04W12/12

    Abstract: Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources.

    METHODS AND SYSTEMS FOR ANOMALY DETECTION USING FUNCTION SPECIFICATIONS DERIVED FROM SERVER INPUT/OUTPUT (I/O) BEHAVIOR
    4.
    Invention application
    Status: under examination (published)

    Publication No.: WO2018084912A1

    Publication date: 2018-05-11

    Application No.: PCT/US2017/047732

    Filing date: 2017-08-21

    Abstract: Various embodiments include methods of protecting a computing device within a network from malware or other non-benign behaviors. A computing device may monitor inputs and outputs to a server, derive a functional specification from the monitored inputs and outputs, and use the functional specification for anomaly detection. Use of the derived functional specification for anomaly detection may include determining whether a behavior, activity, web application, process or software application program is non-benign. The computing device may be the server, and the functional specification may be used to determine whether the server is under attack. In some embodiments, the computing device may constrain the functional specification with a generic constraint, detect a new input-output pair, determine whether the detected input-output pair satisfies the constrained functional specification, and determine that the detected input-output pair is anomalous upon determining that the detected input-output pair (or request-response pair) satisfies the constrained functional specification.

    DYNAMIC HONEYPOT SYSTEM
    5.
    Invention application
    Status: under examination (published)

    Publication No.: WO2017083043A1

    Publication date: 2017-05-18

    Application No.: PCT/US2016/056438

    Filing date: 2016-10-11

    Abstract: Various embodiments include a honeypot system configured to trigger malicious activities by malicious applications using a behavioral analysis algorithm and dynamic resource provisioning. A method performed by a processor of a computing device, which may be a mobile computing device, may include determining whether or not a target application currently executing on the computing device is potentially malicious based, at least in part, on the analysis, predicting a triggering condition of the target application in response to determining the target application is potentially malicious, provisioning one or more resources based, at least in part, on the predicted triggering condition, monitoring activities of the target application corresponding to the provisioned one or more resources, and determining whether or not the target application is a malicious application based, at least in part, on the monitored activities. The resources may be device components (e.g., network interface(s), sensor(s), etc.) and/or data (e.g., files, etc.).

    ON-DEVICE BEHAVIORAL ANALYSIS TO DETECT MALFUNCTION DUE TO RF INTERFERENCE
    6.
    Invention application
    Status: under examination (published)

    Publication No.: WO2016130262A1

    Publication date: 2016-08-18

    Application No.: PCT/US2016/013168

    Filing date: 2016-01-13

    Abstract: Systems, methods, and devices of the various aspects enable detecting a malfunction caused by radio frequency (RF) interference. A computing device processor may identify a location of the computing device based on a plurality of real-time data inputs received by the computing device. The processor may characterize an RF environment of the computing device based on the identified location and the plurality of real-time data inputs. The processor may determine at least one RF emissions threshold based on the characterization of the RF environment. The processor may compare the characterization of the RF environment to the at least one RF emissions threshold, and may perform an action in response to determining that the characterization of the RF environment exceeds the at least one RF emissions threshold.

    CONTEXT-BASED DETECTION OF ANOMALOUS BEHAVIOR IN NETWORK TRAFFIC PATTERNS

    Publication No.: WO2018132178A1

    Publication date: 2018-07-19

    Application No.: PCT/US2017/062223

    Filing date: 2017-11-17

    CPC classification number: H04L63/1425 G06F21/552 H04L41/145

    Abstract: Various embodiments provide methods, devices, and non-transitory processor-readable storage media for detecting anomalies in network traffic patterns with a network device by analyzing patterns in network traffic packets traversing the network. Various embodiments include clustering received network traffic packets into groups. The network device receives data packets originating from an endpoint device and analyzes the packets for patterns. The network device may apply a traffic analysis model to the clusters to obtain context classes. The network device may select a behavior classifier model based, at least in part, on the determined context class, and may apply the selected behavior classifier model to determine whether the packet behavior is benign or non-benign.

    COORDINATED APPLICATION FIREWALL
    8.
    Invention application
    Status: under examination (published)

    Publication No.: WO2018085008A1

    Publication date: 2018-05-11

    Application No.: PCT/US2017/055925

    Filing date: 2017-10-10

    Abstract: Aspects may relate to a server comprising: an interface to receive a service request; and a processor coupled to the interface to receive the service request, the processor configured to: implement a firewall appliance for the service request; operate a first micro-security application to generate an anomaly alert for the service request; and operate a second micro-security application to receive the anomaly alert from the first micro-security application or from another server's micro-security application and to determine whether the service request corresponds to a non-benign behavior.

    METHODS AND SYSTEMS FOR AUTOMATIC EXTRACTION OF BEHAVIORAL FEATURES FROM MOBILE APPLICATIONS
    9.
    Invention application
    Status: under examination (published)

    Publication No.: WO2016209528A1

    Publication date: 2016-12-29

    Application No.: PCT/US2016/034342

    Filing date: 2016-05-26

    CPC classification number: G06N99/005 G06F21/552 G06F21/566

    Abstract: An aspect computing device may be configured to perform program analysis operation in response to classifying a behavior as non-benign. The program analysis operation may identify new sequences of API calls or activity patterns that are associated with the identified non-benign behaviors. The computing device may learn new behavior features based on the program analysis operation or update existing behavior features based on the program analysis operation. For example, API sequences observed to occur when a non-benign behavior is recognized may be added to behavior features observed during program analysis operation.

    BEHAVIORAL ANALYSIS TO DETECT ANOMALOUS ELECTROMAGNETIC EMISSIONS
    10.
    Invention application
    Status: under examination (published)

    Publication No.: WO2016178776A1

    Publication date: 2016-11-10

    Application No.: PCT/US2016/026151

    Filing date: 2016-04-06

    CPC classification number: G01R29/0814 G01R29/0892 G01R31/001 G01R31/002

    Abstract: Systems, methods, and devices of the various aspects enable detecting anomalous electromagnetic (EM) emissions from among a plurality of electronic devices. A device processor may receive EM emissions of a plurality of electronic devices, wherein the receiving device has no previous information about any of the plurality of electronic devices. The device processor may cross-correlate the EM emissions of the plurality of electronic devices over time. The device processor may identify a difference of the cross-correlated EM emissions from earlier cross-correlated EM emissions. The device processor may determine that the difference of the cross-correlated EM emissions from the earlier cross-correlated EM emissions indicates an anomaly in one or more of the plurality of electronic devices.
