Abstract: Various embodiments include methods for dynamically modifying shared libraries on a client computing device. Various embodiment methods may include receiving a first set of code segments and a first set of code sites associated with a first application. Each code in the first set of code sites may include an address within a compiled shared library stored on the client computing device. The compiled shared library may include one or more dummy instructions inserted at each code site in the first set of code sites, and each code segment in the first set of code segments may be associated with a code site in the first set of code sites. The client computing device may insert each code segment in the first set of code segments at its associated code site in the compiled shared library.

Abstract: Embodiments include computing devices, systems, and methods for protecting data using virtual views of resource contents. A virtualization interface monitor may monitor a request to access a computing device resource by a first requesting entity and determine whether the first requesting entity is an owner of the computing device resource. A data protection system may provide, to the first requesting entity, an unobscured virtual view of resource contents of the computing device resource in response to determining that the first requesting entity is the owner of the computing device resource. A resource content cryptographic device may obscure a virtual view of the resource contents of the computing device resource in response to determining that the first requesting entity is a non-owner of the computing device resource. The data protection system may provide, to the first requesting entity, the obscured virtual view of resource contents of the computing device resource.

Abstract: Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading behavior the user and/or a client module may be alerted in a secure, tamper-proof manner.

Abstract: Various aspects provide methods implemented by at least one processor executing on a mobile communication device to efficiently identify, classify, model, prevent, and/or correct the non-benign (e.g., performance degrading) conditions and/or behaviors that are related to an application operating on the device. Specifically, in various aspects, the mobile computing device may derive or extract application-specific features by performing a binary analysis of an application and may determine the application's category (e.g., a “games,” “entertainment,” or “news” category) based on the application-specific features. The mobile computing device may also obtain a classifier model associated with the application's category that includes various conditions, features, behaviors and corrective actions that may be used to quickly identify and correct non-benign behaviors (e.g., undesirable, malicious, and/or performance-degrading behaviors) occurring on the mobile computing device that are related to the application.

Abstract: Various embodiments may include methods, devices, and non-transitory processor-readable media for performing information flow tracking during execution of a software application. A hybrid static/dynamic analysis may be used to track information flow during execution of a software application. In various embodiments, the method may predict a multiple paths of execution, and may utilize these predictions to analyze only actually executing software code. By analyzing only actually executed software code, the method may provide a lightweight and resource-efficient way of detecting actual data leaks as they occur during execution of a software application.

Abstract: Various aspects provide systems and methods for optimizing hardware monitoring on a computing device. A computing device may receive a monitoring request to monitor a portion of code or data within a process executing on the computing device. The computing device may generate from the monitoring request a first monitoring configuration parameter for a first hardware monitoring component in the computing device and may identify a non-optimal event pattern that occurs while the first hardware monitoring component monitors the portion of code or data according to the first monitoring configuration parameter. The computing device may apply a transformation to the portion of code or data and reconfigure the first hardware monitoring component by modifying the first monitoring configuration parameter in response to the transformation of the portion of code or data.

Abstract: Various embodiments include a honeypot system configured to trigger malicious activities by malicious applications using a behavioral analysis algorithm and dynamic resource provisioning. A method performed by a processor of a computing device, which may be a mobile computing device, may include determining whether or not a target application currently executing on the computing device is potentially malicious based, at least in part, on the analysis, predicting a triggering condition of the target application in response to determining the target application is potentially malicious, provisioning one or more resources based, at least in part, on the predicted triggering condition, monitoring activities of the target application corresponding to the provisioned one or more resources, and determining whether or not the target application is a malicious application based, at least in part, on the monitored activities. The resources may be device components (e.g., network interface(s), sensor(s), etc.

Abstract: Methods, systems and devices for communicating behavior analysis information using an application programming interface (API) may include receiving via the API a request to register the second module to access an operation of a behavioral monitoring system of the mobile computing device, and exchanging authentication information between the first module and the second module to accomplish mutual authentication. Aspects may include receiving via the API a request for version identification information that may be used by the server to determine how to interpret, evaluate, or crowd-source information, and exchanging version identification information between the first module and the second module to cause the second module to send the information to the server. Aspects may further include receiving via the API a provision malware model request including a command causing the first module to send a malware or classifier model to a behavioral monitoring system of the mobile computing device.

Abstract: Systems and methods for protection from buffer overflow vulnerability due to placement new constructs in C++ are provided. A system for protecting from buffer overflow vulnerability due to placement new constructs, comprises a compiler which is capable of receiving a program including a placement new instruction, and runtime which is capable of receiving binary code from the compiler and determining whether the program includes the placement new instruction and whether the placement new instruction would lead to buffer overflow, wherein the runtime is linked to a library including methods for preventing the buffer overflow, and selects a method for preventing the buffer overflow if the runtime determines that the placement new instruction would lead to the buffer overflow.

Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

Abstract: An aspect computing device may be configured to perform program analysis operation in response to classifying a behavior as non-benign. The program analysis operation may identify new sequences of API calls or activity patterns that are associated with the identified non-benign behaviors. The computing device may learn new behavior features based on the program analysis operation or update existing behavior features based on the program analysis operation. For example, API sequences observed to occur when a non-benign behavior is recognized may be added to behavior features observed during program analysis operation.

Abstract: Methods and devices for tracking data flows in a computing device include monitoring memory in a hardware component of the computing device to identify a read operation that reads information from a tainted memory address, using heuristics to identify a first, second, and third number of operations performed after the identified read operation, marking memory addresses of write operations performed after first number of operations and before the second number of operations as tainted, and marking memory addresses of write operations performed after the third number of operations and before the second number of operations as untainted.

Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.

Abstract: A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.

Abstract: Systems, methods, and devices of the various aspects enable detecting anomalous electromagnetic (EM) emissions from among a plurality of electronic devices. A device processor may receive EM emissions of a plurality of electronic devices, wherein the receiving device has no previous information about any of the plurality of electronic devices. The device processor may cross-correlate the EM emissions of the plurality of electronic devices over time. The device processor may identify a difference of the cross-correlated EM emissions from earlier cross-correlated EM emissions. The device processor may determine that the difference of the cross-correlated EM emissions from the earlier cross-correlated EM emissions indicates an anomaly in one or more of the plurality of electronic devices.

Abstract: A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs.

Abstract: The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.

Abstract: Methods, and devices implementing the methods, use device-specific classifiers in a privacy-preserving behavioral monitoring and analysis system for crowd-sourcing of device behaviors. Diverse devices having varying degrees of “smart” capabilities may monitor operational behaviors. Gathered operational behavior information may be transmitted to a nearby device having greater processing capabilities than a respective collecting device, or may be transmitted directly to an “always on” device. The behavior information may be used to generate behavior vectors, which may be analyzed for anomalies. Vectors containing anomaly flags may be anonymized to remove any user-identifying information and subsequently transmitted to a remote recipient such as a service provider or device manufacture.

Abstract: Various aspects provide systems and methods for optimizing hardware monitoring on a computing device. A computing device may receive a monitoring request to monitor a portion of code or data within a process executing on the computing device. The computing device may generate from the monitoring request a first monitoring configuration parameter for a first hardware monitoring component in the computing device and may identify a non-optimal event pattern that occurs while the first hardware monitoring component monitors the portion of code or data according to the first monitoring configuration parameter. The computing device may apply a transformation to the portion of code or data and reconfigure the first hardware monitoring component by modifying the first monitoring configuration parameter in response to the transformation of the portion of code or data.

Abstract: The disclosure generally relates to behavioral analysis to automate monitoring Internet of Things (IoT) device health in a direct and/or indirect manner. In particular, normal behavior associated with an IoT device in a local IoT network may be modeled such that behaviors observed at the IoT device may be compared to the modeled normal behavior to determine whether the behaviors observed at the IoT device are normal or anomalous. Accordingly, in a distributed IoT environment, more powerful “analyzer” devices can collect behaviors locally observed at other (e.g., simpler) “observer” devices and conduct behavioral analysis across the distributed IoT environment to detect anomalies potentially indicating malicious attacks, malfunctions, or other issues that require customer service and/or further attention.