Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

Abstract: A computing device may use machine learning techniques to determine whether a side channel attack is underway and perform obfuscation operations (e.g., operations to raise the noise floor) or other similar operations to stop or prevent a detected side channel attack. The computing device may determine that a side channel attack is underway in response to determining that the computing device is in airplane mode, that the battery of the computing device the battery has been replaced with a stable DC power supply, that the touch-screen display of the computing device has been disconnected, that there are continuous calls to a cipher application programming interface (API) using the same cipher key, that there has been tampering with a behavioral analysis engine of the computing device, or any combination thereof.

Abstract: Various aspects provide methods implemented by at least one processor executing on a mobile communication device to efficiently identify, classify, model, prevent, and/or correct the non-benign (e.g., performance degrading) conditions and/or behaviors that are related to an application operating on the device. Specifically, in various aspects, the mobile computing device may derive or extract application-specific features by performing a binary analysis of an application and may determine the application's category (e.g., a “games,” “entertainment,” or “news” category) based on the application-specific features. The mobile computing device may also obtain a classifier model associated with the application's category that includes various conditions, features, behaviors and corrective actions that may be used to quickly identify and correct non-benign behaviors (e.g., undesirable, malicious, and/or performance-degrading behaviors) occurring on the mobile computing device that are related to the application.

Abstract: A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, and/or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may perform multifactor authentication operations that include determining one or more of a transaction type criticality value, a user confidence value, a software integrity confidence value, and a historical behavior value, using the one or more of these values to determine a number of authentication factors that are be evaluated when authenticating a user of the computing device, and authenticating the user by evaluating the determined number of authentication factors.

Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.

Abstract: Systems, methods, and devices of the various aspects enable method of cross-module behavioral validation. A plurality of observer modules of a system may observe behavior or behaviors of a observed module of the system. Each of the observer modules may generate a behavior representation based on the behavior or behaviors of the observed module. Each observer module may apply the behavior representation to a behavior classifier model suitable for each observer module. The observer modules may aggregate classifications of behaviors of the observed module determined by each of the observer modules. The observer modules may determine, based on the aggregated classification, whether the observed module is behaving anomalously.

Abstract: A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.

Abstract: Aspects include computing devices, systems, and methods for implementing detecting return oriented programming (ROP) attacks on a computing device. A memory traversal map for a program called to run on the computing device may be loaded. A memory access request of the program to a memory of the computing device may be monitored and a memory address of the memory from the memory access request may be retrieved. The retrieved memory address may be compared to the memory traversal map and a determination of whether the memory access request indicates a ROP attack may be made. The memory traversal map may include a next memory address adjacent to a previous memory address in the memory traversal map. A cumulative anomaly score based on mismatches between the retrieved memory address and the memory traversal map may be calculated and used to determine whether to load a finer grain memory traversal map.

Abstract: Mobile computing devices may be equipped with hardware components configured to monitor key assets of the mobile device at a low level (e.g., firmware level, hardware level, etc.). The hardware component may also be configured to dynamically determine the key assets that are to be monitored in the mobile device, monitor the access or use of these key assets by monitoring data flows, transactions, or operations in a system data bus of the mobile device, and report suspicious activities to a comprehensive behavioral monitoring and analysis system of the mobile device. The comprehensive behavioral monitoring and analysis system may then use this information to quickly identify and respond to malicious or performance degrading activities of the mobile device.

Abstract: A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, and/or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may perform multifactor authentication operations that include determining one or more of a transaction type criticality value, a user confidence value, a software integrity confidence value, and a historical behavior value, using the one or more of these values to determine a number of authentication factors that are be evaluated when authenticating a user of the computing device, and authenticating the user by evaluating the determined number of authentication factors.

Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

Abstract: A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.

Abstract: A computing device may use machine learning techniques to determine whether a side channel attack is underway and perform obfuscation operations (e.g., operations to raise the noise floor) or other similar operations to stop or prevent a detected side channel attack. The computing device may determine that a side channel attack is underway in response to determining that the computing device is in airplane mode, that the battery of the computing device the battery has been replaced with a stable DC power supply, that the touch-screen display of the computing device has been disconnected, that there are continuous calls to a cipher application programming interface (API) using the same cipher key, that there has been tampering with a behavioral analysis engine of the computing device, or any combination thereof.

Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

Abstract: Various aspects provide methods implemented by at least one processor executing on a mobile communication device to efficiently identify, classify, model, prevent, and/or correct the non-benign (e.g., performance degrading) conditions and/or behaviors that are related to an application operating on the device. Specifically, in various aspects, the mobile computing device may derive or extract application-specific features by performing a binary analysis of an application and may determine the application's category (e.g., a “games,” “entertainment,” or “news” category) based on the application-specific features. The mobile computing device may also obtain a classifier model associated with the application's category that includes various conditions, features, behaviors and corrective actions that may be used to quickly identify and correct non-benign behaviors (e.g., undesirable, malicious, and/or performance-degrading behaviors) occurring on the mobile computing device that are related to the application.

Abstract: Mobile computing devices may be equipped with hardware components configured to monitor key assets of the mobile device at a low level (e.g., firmware level, hardware level, etc.). The hardware component may also be configured to dynamically determine the key assets that are to be monitored in the mobile device, monitor the access or use of these key assets by monitoring data flows, transactions, or operations in a system data bus of the mobile device, and report suspicious activities to a comprehensive behavioral monitoring and analysis system of the mobile device. The comprehensive behavioral monitoring and analysis system may then use this information to quickly identify and respond to malicious or performance degrading activities of the mobile device.

Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.