Office of Technology Transfer – University of Michigan

Method of Classifying the Program Behavior for Behavioral Detection of Malicious Programs on Mobile Handsets

Technology #3859

Researchers: Kang G. Shin
Managed By: Drew Bennett, Associate Director - Software Licensing, 734-615-4004
Patent Protection: US Patent Pending

The rapidly growing capability and worldwide proliferation of smartphones and mobile handhelds have begun to attract the attention of virus writers in recent years. The past three years alone have witnessed an exponential rise in the number of distinct mobile malware families to over 30, and their variants to more than 170. Such malware can spread via Bluetooth and SMS/MMS messages, enable remote control of a device, modify critical system files, damage existing applications including anti-virus programs, and block MMC memory cards, to name a few capabilities. Current-generation mobile anti-virus solutions are primitive compared to their desktop counterparts, and may not be scalable, given the small footprint of mobile devices, as new families of cross-platform malware continue to appear.

This invention focuses on a novel behavioral detection technique tailored to mobile handsets that captures mobile worms, viruses and Trojans, replacing the signature-based solutions currently available for mobile devices. Specifically, this invention presents a method of classifying the behavior of programs for mobile handsets, which yields a compact database of program behavior patterns that is used to detect the existence of malicious programs at run-time. This is achieved by first generating a collection of malicious and non-malicious behavior signatures from known mobile malware and chosen handset applications, and then training an optimal classifier (comprising an equation and associated parameters adaptively chosen from the training data of behavior signatures) using a machine learning algorithm such as Support Vector Machines (SVMs). The resulting classifier allows us to discriminate the malicious behavior of malware from the normal behavior of applications. Our evaluation results indicate that behavioral detection can identify current mobile viruses and worms with over 96% accuracy. Most mobile device manufacturers and mobile service providers can implement our proposed method without any major modification of the handset operating environment.