Field of the Invention
The disclosure relates to methods for monitoring and maintaining mobile device health, including malware detection and protection. These methods take a signature-based approach built on device activity and data traffic signatures to detect and protect against undesirable execution of applications on mobile communication devices, and to correct other conditions that reflect suboptimal device performance.
Description of Related Art
Applications executing on a mobile device provide a continuous source of information that can be used to monitor and characterize overall “device health,” which in turn affects the device's ability to execute applications with maximum efficiency and user quality of experience (QoE). Information that can characterize device health includes most aspects of the wireless traffic to and from the device, the state and quality of the device's wireless radios, status codes and error messages from the operating system and from specific applications, CPU state, battery usage, and user-driven activity such as turning the screen on or typing. Once a model of expected device activity has been developed, deviations from that model can be used to alert the user to possible threats (e.g. malware) or, where appropriate, to initiate automatic corrective actions.
One example of an application that can impact device health is malware. Malware is malicious software designed to damage or disrupt a computing system, such as a mobile phone. Malware can include a virus, a worm, a Trojan horse, spyware, or a misbehaving application.
Traditional malware detectors develop code signatures for specific malware and match these signatures against code that has been, or is about to be, downloaded onto a device. Signature-based malware detectors, however, depend on receiving regular signature updates in order to protect against new malware. Code signature-based protection is only as effective as its database of stored signatures.
Another type of malware detector is an anomaly-based detection system, which detects computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules rather than on patterns or signatures, and it attempts to detect any type of misuse that falls outside normal system operation. This contrasts with a code signature-based system, which can only detect attacks for which a code signature has previously been created.
Anomaly-based intrusion detection also has shortcomings, namely a high false positive rate and the ability to be fooled by a correctly delivered attack.
Accordingly, a need exists for malware protection that is both dynamic and accurate: malware protection that does not rely on determining, updating, or matching code signatures, and that avoids a high false positive rate. At the same time, there is a need for methods that automatically detect and correct suboptimal conditions on devices that cannot be attributed to a specific piece of malware.
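As an added illustration of the device-activity approach described above (a model of expected activity, with deviations raised as alerts) and of the false-positive concern raised for anomaly-based detection, the following Python example learns a per-app baseline from traffic, CPU and screen-state telemetry and flags only persistent deviations. It is example code written for this discussion, not the disclosure's own method; the feature set, thresholds and all telemetry values are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# One observation window of a single app's device activity.
# All telemetry below is constructed for illustration, not taken from any real device.
@dataclass(frozen=True)
class ActivityWindow:
    app: str
    tx_kb: float      # data sent over the radio during the window, in KB
    rx_kb: float      # data received during the window, in KB
    cpu_pct: float    # share of CPU time used by the app
    screen_on: bool   # whether user-driven activity (screen on, typing) was present

FEATURES = ("tx_kb", "rx_kb", "cpu_pct")

def build_baseline(windows):
    """Model expected activity as a per-feature mean and standard deviation."""
    baseline = {}
    for f in FEATURES:
        values = [getattr(w, f) for w in windows]
        baseline[f] = (mean(values), pstdev(values) or 1.0)  # avoid division by zero
    return baseline

def window_score(baseline, w):
    """Largest z-score over the features: how far this window is from the model."""
    return max(abs(getattr(w, f) - mu) / sd for f, (mu, sd) in baseline.items())

def deviating_features(baseline, w, threshold=3.0):
    """Names of the features driving the deviation, for an alert or a log line."""
    out = [f for f, (mu, sd) in baseline.items() if abs(getattr(w, f) - mu) / sd > threshold]
    if out and not w.screen_on:
        out.append("screen_off")  # heavy activity with no user present is worth calling out
    return out

def is_anomalous(baseline, recent, threshold=3.0, min_consecutive=2):
    """Alert only when the last `min_consecutive` windows all exceed the threshold.
    A single burst (e.g. the user sending a large attachment) is then tolerated,
    trading a little detection latency for fewer false positives."""
    if len(recent) < min_consecutive:
        return False
    return all(window_score(baseline, w) > threshold for w in recent[-min_consecutive:])

# Constructed normal windows for a mail app while the user is active.
NORMAL = [ActivityWindow("mail", tx, rx, cpu, True) for tx, rx, cpu in
          [(20, 100, 2), (30, 150, 3), (25, 120, 4), (35, 180, 5), (40, 200, 3), (30, 150, 4)]]
BASELINE = build_baseline(NORMAL)
# One large upload with the screen on: deviates, but is not persistent.
BURST = [NORMAL[1], ActivityWindow("mail", 800, 150, 6, True)]   # is_anomalous -> False
# Sustained uploading with high CPU while the screen is off: persistent deviation.
SUSPECT = [ActivityWindow("mail", 900, 50, 40, False), ActivityWindow("mail", 950, 40, 45, False)]  # -> True
```

Calling `is_anomalous(BASELINE, BURST)` returns False while `is_anomalous(BASELINE, SUSPECT)` returns True, and `deviating_features(BASELINE, SUSPECT[-1])` names the traffic, CPU and screen-off conditions behind the alert.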