1111111111111111 IIIIII IIIII 1111111111 11111 1111111111 lllll 111111111111111 1111111111 11111111
`US 20130254880Al
`
`c19) United States
`c12) Patent Application Publication
`Alperovitch et al.
`
`c10) Pub. No.: US 2013/0254880 Al
`Sep. 26, 2013
`(43) Pub. Date:
`
`(54) SYSTEM AND METHOD FOR
`CROWDSOURCING OF MOBILE
`APPLICATION REPUTATIONS
`
`(75)
`
`Inventors: Dmitri Alperovitch, Gaithersburg, MD
`(US); Sven Krasser, Pasadena, CA
`(US); Matthew Brinkley, Portland, OR
`(US)
`
`(73) Assignee: MCAFEE, INC., Santa Clara, CA (US)
`
`(21) Appl. No.: 13/426,363
`
`(22) Filed:
`
`Mar. 21, 2012
`
`Publication Classification
`
`(51)
`
`Int. Cl.
`G06F 21100
`
`(2006.01)
`
`(52) U.S. Cl.
`USPC .. .. ... ... ... ... ... .. ... ... ... ... .. ... ... ... ... ... .. ... ... .. 726/22
`
`(57)
`
`ABSTRACT
`
`A system and method in one embodiment includes modules
`forobtaining a collection of attributes of a mobile application,
`comparing one or more of the attributes with crowdsourced
`data associated with other mobile applications to determine
`one or more trustworthiness indicators, and calculating a
`reputation score based on the one or more trustworthiness
`indicators. More specific embodiments include a collection
`ofattributes comprising a manifest, and an application behav(cid:173)
`ior. Other embodiments include determining a suitable action
`based on the reputation score, such as changing a configura(cid:173)
`tion of the mobile application, deleting the mobile application
`from a mobile device, generating a security alert on a display
`of the mobile device, etc.
`
`10
`~
`
`CLOUD
`
`18~ APPLICATION STORE I
`I REPUTATION ENGINE
`
`/
`16
`25a
`\
`
`SERVER
`
`25b
`/
`
`APPLICATION
`FINGERPRINTS
`DATABASE
`
`POLICIES
`DATABASE
`
`12
`
`APPLICATION
`
`24a ;
`
`22a
`AGENT
`
`APPLICATION
`
`24b ;
`
`22b
`AGENT
`
`APPLICATION
`
`24c ;
`
`22c
`AGENT
`
`MOBILE DEVICE
`
`MOBILE DEVICE
`
`MOBILE DEVICE
`
`14a
`
`14b
`
`14c
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 1 of 14
`
`

`

`Patent Application Publication
`
`Sep. 26, 2013 Sheet 1 of 3
`
`US 2013/0254880 Al
`
`FIG. 1
`
`10
`✓
`
`CLOUD
`
`18 -,1 APPLICATION STORE I
`1 REPUTATION ENGINE r 20
`
`25a
`
`SERVER
`
`25b
`
`APPLICATION
`FINGERPRINTS
`DATABASE
`
`POLICIES
`DATABASE
`
`12
`
`APPLICATION
`
`APPLICATION
`
`APPLICATION
`
`22a
`
`24a ;
`
`AGENT
`
`I
`
`22b
`
`24b ;
`
`AGENT
`
`I
`
`22c
`
`24c ;
`
`AGENT
`
`I
`
`MOBILE DEVICE
`
`MOBILE DEVICE
`
`MOBILE DEVICE
`
`14a
`
`14b
`
`14c
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 2 of 14
`
`

`

`Patent Application Publication
`
`Sep. 26, 2013 Sheet 2 of 3
`
`US 2013/0254880 Al
`
`10
`✓
`
`14
`
`MOBILE DEVICE
`
`APPLICATION
`
`MANIFEST
`\
`26
`
`25
`24
`22
`I A~ENT I IPou~Esl
`
`10
`✓
`
`20
`
`FIG. 2
`
`REPUTATION ENGINE
`
`DATA MINING
`MODULE
`I
`34
`PROCESSOR
`
`36
`MEMORY
`?
`38
`
`APPLICATION
`MANIFEST
`DATABASE
`
`32
`
`40
`)
`REAL-TIME
`DATA CAPTURE
`MODULE
`
`FIG. 3
`
`CLOUD
`20d "- REPUTATION
`ENGINE
`
`REPUTATION
`ENGINE
`I
`20a
`APPLICATION
`24a
`22a
`~
`AGENT
`
`MOBILE DEVICE
`
`I
`
`REPUTATION
`ENGINE
`\
`20b
`APPLICATION
`24b
`22b
`~
`AGENT
`
`MOBILE DEVICE
`
`I
`
`REPUTATION
`ENGINE
`\
`20c
`I APPLICATION I
`I
`24c
`22c
`~
`AGENT
`
`I
`
`MOBILE DEVICE
`
`14a
`
`14b
`
`14c
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 3 of 14
`
`

`

`Patent Application Publication
`
`Sep. 26, 2013 Sheet 3 of 3
`
`US 2013/0254880 Al
`
`50
`\
`
`FIG. 4
`START
`
`52
`
`54
`
`56
`
`58
`
`60
`
`62
`
`64
`
`DOWNLOAD APPLICATION
`
`OBTAIN MANIFEST
`
`COMMUNICATE MANIFEST
`TO REPUTATION ENGINE
`
`ANALYZE MANIFEST WITH
`OTHER STORED DATA
`
`CALCULATE
`REPUTATION SCORE
`
`DETERMINE ACTION BASED
`ON REPUTATION SCORE
`
`66
`
`END
`
`FIG. 5
`START
`
`70
`i
`
`72
`
`DOWNLOAD APPLICATION
`
`RUN APPLICATION
`
`MONITOR APPLICATION
`BEHAVIOR
`
`COMMUNICATE APPLICATION
`BEHAVIOR TO REPUTATION
`ENGINE
`
`ANALYZE APPLICATION
`BEHAVIOR WITH OTHER
`STORED DATA
`
`CALCULATE
`REPUTATION SCORE
`
`DETERMINE ACTION BASED
`ON REPUTATION SCORE
`
`END
`
`86
`
`74
`
`76
`
`77
`
`78
`
`80
`
`82
`
`84
`
`FIG. 6
`
`92
`
`'===I""==''=.;==' '===I""==''===,,,,=~
`GREEN
`YELLOW
`ORANGE
`RED
`(HIGH RISK)
`(LOW RISK)
`(UNVERIFIED)
`(MEDIUM RISK)
`REPUTATION SCORE
`
`90
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 4 of 14
`
`

`

`US 2013/0254880 Al
`
`Sep. 26, 2013
`
`1
`
`SYSTEM AND METHOD FOR
`CROWDSOURCING OF MOBILE
`APPLICATION REPUTATIONS
`
`TECHNICAL FIELD
`
`[0001] This disclosure relates in general to the field of
`computer networks and, more particularly, to a system and a
`method for crowdsourcing of mobile application reputations.
`
`BACKGROUND
`
`[0002] The field of computer network security has become
`increasingly important and complicated in today's society.
`Computer network environments are configured for virtually
`every enterprise or organization, typically with multiple inter(cid:173)
`connected computers ( e.g., end user computers, laptops, serv(cid:173)
`ers, printing devices, etc.). In many such enterprises, Infor(cid:173)
`mation Technology (IT) administrators may be tasked with
`maintenance and control of the network environment, includ(cid:173)
`ing executable software files ( e.g., web application files) on
`hosts, servers, and other network computers. As the number
`of executable software files in a network environment
`increases, the ability to control, maintain, and remediate these
`files efficiently can become more difficult. Furthermore, com(cid:173)
`puter and communications networks today encompass
`mobile devices such as smartphones, tablet computers and the
`like, which allow users to download and install applications
`on these devices quickly and with minimal oversight. How(cid:173)
`ever, unrestricted access to mobile resources and application
`programming interfaces by applications of an unknown or
`untrusted origin could result in damage to the user, the device,
`and the network, if not managed by suitable security archi(cid:173)
`tectures and network precautions. Thus, innovative tools are
`needed to assist IT administrators in the effective control and
`management of applications on mobile devices within com(cid:173)
`puter and communication network environments.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0003] To provide a more complete understanding of the
`present disclosure and features and advantages thereof, ref(cid:173)
`erence is made to the following description, taken in conjunc(cid:173)
`tion with the accompanying figures, wherein like reference
`numerals represent like parts, in which:
`[0004] FIG. 1 is a simplified block diagram illustrating
`components of a system for crowdsourcing mobile applica(cid:173)
`tion reputations according to an example embodiment;
`[0005] FIG. 2 is a simplified block diagram illustrating
`additional details of the system for crowdsourcing mobile
`application reputations according to an example embodi(cid:173)
`ment;
`[0006] FIG. 3 is a simplified block diagram illustrating a
`system for crowdsourcing mobile application reputations
`according to another example embodiment;
`[0007] FIG. 4 is a simplified flow-chart illustrating example
`operational steps that may be associated with an embodiment
`of the present disclosure;
`[0008] FIG. 5 is a simplified flow-chart illustrating example
`operational steps that may be associated with embodiments of
`the present disclosure; and
`[0009] FIG. 6 is a bar chart showing an example scenario of
`a number of applications against reputation score in accor(cid:173)
`dance with this specification.
`
`DETAILED DESCRIPTION OF EXAMPLE
`EMBODIMENTS
`
`Overview
`
`[0010] A system and method in example embodiments
`include modules for obtaining a collection of attributes of a
`mobile application, comparing one or more of the attributes
`with crowdsourced data associated with other mobile appli(cid:173)
`cations to determine one or more trustworthiness indicators,
`and calculating a reputation score based on the one or more
`trustworthiness
`indicators. More specific embodiments
`include a collection of attributes comprising a manifest, and
`an application behavior. Other embodiments include deter(cid:173)
`mining a suitable action based on the reputation score, such as
`changing a configuration of the mobile application, deleting
`the mobile application from a mobile device, generating a
`security alert on a display of the mobile device, etc.
`
`Example Embodiments
`
`[0011] FIG. 1 is a simplified block diagram illustrating an
`example implementation of a system 10 for crowdsourcing of
`mobile application reputations. The exemplary environment
`illustrates a network 12 connecting one or more mobile
`devices 14a, 14b, and 14c with a cloud 16. In one example
`embodiment, mobile devices 14a-c may communicate with
`cloud 16 through server 17. Mobile devices (e.g., 14a-c), are
`inclusive of mobile phones, smart mobile phones (smart(cid:173)
`phones ), e-book readers, tablets, iPads, personal digital assis(cid:173)
`tants (PD As), laptops or electronic notebooks, portable navi(cid:173)
`gation systems, multimedia gadgets (e.g., cameras, video
`and/or audio players, etc.), gaming systems, other handheld
`electronic devices, and any other device, component, ele(cid:173)
`ment, or object capable of initiating voice, audio, video,
`media, or data exchanges within system 10.
`[0012] Mobile devices 14a-c may access mobile applica(cid:173)
`tions from one or more application stores 18 located in cloud
`16. As used herein, "mobile applications" encompass appli(cid:173)
`cation software that runs on (or is capable of running on)
`mobile devices and performs specific tasks for the mobile
`device's user. Mobile applications may include native appli(cid:173)
`cations pre-installed on the mobile device, such as address
`books, calendars, calculators, games, maps and Web brows(cid:173)
`ers. Mobile applications may also be downloaded from vari(cid:173)
`ous application stores 18. Application stores 18 encompass
`mobile application software distribution platforms such as
`Google® Android Market, Apple® App Store, Palm® Soft(cid:173)
`ware Store and App Catalog, RIM® App World, etc.
`[0013] Cloud 16 may comprise a reputation engine 20 for
`collecting and assessing mobile application reputations, also
`called herein as "reputation scores" (both terms may be inter(cid:173)
`changeably used throughout the Specification). A reputation
`score is a value (e.g., numeric, textual, pictorial, etc.) that
`denotes a relative level of trustworthiness of the mobile appli(cid:173)
`cation on a spectrum ( e.g., continuous or discrete) from
`benign (e.g., reputable) to malicious (e.g., non-reputable).
`Reputation score may indicate a probability that a mobile
`application is a malicious software. For example, mobile
`applications that have a high probability of being malicious
`may have a low reputation score. In one example scenario, a
`mobile application that automatically, and without authoriza(cid:173)
`tion, turns on a camera and a microphone ( or other recording
`device) of a mobile device may be deemed to be malicious.
`On the other hand, a mobile application that merely accesses
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 5 of 14
`
`

`

`US 2013/0254880 Al
`
`Sep. 26, 2013
`
`2
`
`the mobile device's processor and memory to facilitate a
`game of cards may be deemed to be benign.
`[0014] Each mobile device 14a, 14b and 14c may be pro(cid:173)
`visioned with one or more mobile applications (e.g., one or
`more respective applications 22a, 22b and 22c) and respec(cid:173)
`tive agents 24a, 24b and 24c. Agents 24a-c may monitor
`behavior and activities of any one or more mobile applica(cid:173)
`tions ( e.g., 22a-c) on respective mobile devices 14a-c. Agents
`24a-c may also access policies stored on respective mobile
`devices 14a-c to determine if mobile applications 22a-c vio(cid:173)
`late any policy. Agents 24a-c may also manage activities of
`mobile applications 22a-c, for example, by preventing execu(cid:173)
`tion of one or more applications based on the respective
`reputation scores.
`[0015] Reputation engine 20 may collect and aggregate an
`inventory of application fingerprints of substantially all
`mobile applications from a plurality of sources ( e.g., mobile
`devices 14a-c, application store 18, etc.). As used herein,
`"application fingerprint" encompasses a collection of
`attributes of the application ( e.g., obtained from the mobile
`application's manifest) and/or the application's behavior
`(e.g., application requests or actions, network activity, etc.)
`that uniquely identifies the application.
`[0016] As used herein, an application manifest includes
`one or more files that contain details about a mobile applica(cid:173)
`tion, such as unique application identification (ID) tag (e.g.,
`iPhone® App ID number, Android Marketplace ID number,
`or other series of characters that can uniquely identify a
`mobile application); application certificate; application
`name; application capabilities such as camera activation, net(cid:173)
`work connectivity, phone activation, geolocation, etc.; infor(cid:173)
`mation about the application store from which the application
`was downloaded/installed (e.g., URL/IP and other identify(cid:173)
`ing information); ports and protocols usable by the mobile
`application; application life span; a geographical origination
`of the mobile application; a day and/or time of a first and/or
`latest appearance of the mobile application on a mobile
`device; files and file hashes associated with the mobile appli(cid:173)
`cation; other static analysis information ( e.g., file size, unique
`or distinguishing human-readable strings from binary files
`associated with the application, interesting file header infor(cid:173)
`mation, etc.) from the application's executable and configu(cid:173)
`ration files; country/region where the mobile device is cur(cid:173)
`rently located; and geographical locations of subsequent
`appearances of the mobile application. The examples pro(cid:173)
`vided herein are merely for illustrative purposes and are not
`intended as limitations. Various other details relevant to the
`mobile application, the application store, and the application
`signer, may be included in the manifest within the broad
`scope of the present disclosure.
`[0017] The application's behavior may include network
`activity; attack history; ports and protocols actually used by
`the mobile application; association with other known Internet
`Protocol (IP) addresses; application requests for resources;
`and application actions. It will be understood that these types
`of details are set forth herein for example purposes, and are
`not intended to be limiting in any manner.
`[0018] According to the embodiment illustrated in FIG. 1,
`server 17 may be provisioned with an application fingerprints
`database 25a and policies database 25b. In an example
`embodiment, server 17 may be an enterprise server. In
`another embodiment, server 17 may be one or more interme(cid:173)
`diate servers. FIG. 1 showing mobile devices 14a-c commu(cid:173)
`nicating with cloud 16 through server 17 is merely represen-
`
`tative. One or more servers may be used for one group of
`associated mobile devices (e.g., mobile devices on an enter(cid:173)
`prise, or having a common local communications carrier,
`etc.); and multiple enterprises or groups of associated mobile
`devices may connect to the cloud through their own one or
`more servers. Reputation engine 20 may access application
`fingerprints database 25a to determine a reputation score for
`a mobile application. Reputation engine 20 may access poli(cid:173)
`cies database 25b to identify a suitable action that may be
`taken with respect to the mobile application based on its
`reputation score.
`[0019]
`In an example embodiment, the inventory may be
`collected through an enterprise mobility manager (EMM) of
`an enterprise network (e.g., McAfee® EMM). For example,
`an EMM could provide software applications installed on
`each mobile device to collect the mobile device's inventory
`and push it to a centralized or distributed repository. In
`another example embodiment, the inventory may be collected
`directly from mobile devices and other appropriate sources.
`Sources may include mobile devices, application stores, serv(cid:173)
`ers, web sites, etc. Reputation engine 20 in cloud 16 may
`crowdsource (e.g., obtain from an undefined plurality of
`sources rather than specific/identified sources) intelligence
`on proliferation of mobile applications and their capabilities
`and derive reputation scores for them based on the application
`fingerprint data in the inventory. As more information is col(cid:173)
`lected in the inventory (e.g., from more mobile devices),
`application fingerprint data in the inventory may be more
`accurate leading to higher confidence in the calculated repu(cid:173)
`tation score. In an example embodiment, each installed appli(cid:173)
`cation on a mobile device (e.g., 14a-c) may be queried in
`cloud 16 by reputation engine 20, which can return respective
`mobile application reputations calculated based on prolifera(cid:173)
`tion of the application, its capabilities and longevity, and
`potentially augmented by manual research analysis.
`[0020] According to embodiments of the present disclo(cid:173)
`sure, crowdsourcing (e.g., from mobile devices) can enable
`data collection more efficiently and effectively than by other
`methods (e.g., crawling application stores, analyzing indi(cid:173)
`vidual malware samples in isolation). For example, in some
`embodiments, data may be collected directly from user
`devices, rather than from other sources ( e.g., application
`stores). In scenarios where the application store does not
`permit retrieving a copy of the application without purchase,
`or where numerous application stores quickly appear and
`disappear in a marketplace, crowdsourcing ( e.g., from mobile
`devices) may enable efficient data collection for applications
`that have been downloaded and/or installed from such appli(cid:173)
`cation stores.
`[0021] Crowdsourced data from mobile devices can be
`used to calculate a reputation score of a mobile application. In
`example embodiments, crowdsourced data may be used to
`analyze various attributes of the mobile application to deter(cid:173)
`mine trustworthiness indicators, and reputation scores may
`be calculated based on the trustworthiness indicators. Trust(cid:173)
`worthiness indicators may include prevalence of the applica(cid:173)
`tion, reputation of the application store from which the appli(cid:173)
`cation was downloaded, reputation of the vendor signing the
`application (i.e., signer), predefined combination of capabili(cid:173)
`ties of the application ( e.g., capabilities of the application
`being analyzed and other similar applications), propagation
`factor of the application, origination of application, etc.
`Crowdsourced data could include attributes of other mobile
`applications that may be identical to the mobile application
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 6 of 14
`
`

`

`US 2013/0254880 Al
`
`Sep. 26, 2013
`
`3
`
`being analyzed, or may be similar with some significant dif(cid:173)
`ferences that potentially indicate a malicious component.
`Thus, crowdsourcing can also help identify mobile applica(cid:173)
`tions that have been repackaged to include malware.
`[0022]
`In instances where legitimate applications are
`repackaged (e.g., in subsequent versions) with malware,
`crowdsourcing may enable a determination that a particular
`application has been repackaged with malware and, accord(cid:173)
`ingly, a determination of an appropriate reputation score for
`the repackaged application. A repackaged application can
`may have similar measurements to a legitimate application,
`while exhibiting other critical differences ( e.g., different
`capabilities). For instance, the repackaged application may
`have a lower prevalence, leading to lower reputation score;
`comparisons of at least some of the data in the application's
`manifest to crowdsourced data may indicate red flags ( e.g., an
`application with the same name but different capabilities as
`another application may raise a red flag). Further, crowd(cid:173)
`sourcing may indicate that an application's store and signer
`have reputations that are low, and the application's reputation
`score can be reduced accordingly.
`[0023]
`In example embodiments, the reputation score may
`be calculated based on trustworthiness indicators of the
`mobile application, either alone or in combination. For
`example, reputation score may be calculated based on a
`prevalence of the application. A more widely used application
`and an application that has been in use for a longer time may
`be more likely to be non-malicious. Also, the fact that a user
`chose to download and install an application could be a tacit
`assertion by the user that the application is trustworthy and
`desirable. Conversely, a new application may be given a
`reduced reputation score, particularly if other factors ( e.g.,
`combinations of data indicating an application has been
`repackaged) indicate the application may be malicious.
`[0024] An application store's reputation may also be con(cid:173)
`sidered in the calculation of a reputation score for an appli(cid:173)
`cation associated with the application store. For example,
`reputations of various application stores may be determined
`by tracking externally available data (such as newspaper
`reports, financial filings, etc.), or deduced through detected
`malware ( e.g., application stores that have historically hosted
`malware may be assigned a reduced reputation). Crowd(cid:173)
`sourcing can provide information indicating the application
`stores from which particular applications have been down(cid:173)
`loaded. Accordingly, the reputations of the indicated applica(cid:173)
`tion stores can be considered when calculating reputation
`scores for the particular applications ( e.g., an application
`downloaded from an application store with a poor reputation
`may be assigned a reduced reputation score).
`[0025]
`In yet other example embodiments, the reputation
`score may be calculated based on capabilities of the mobile
`application. For example, an application may be assigned a
`lower reputation score if it asks for a large number of poten(cid:173)
`tially abusable behavior permissions. Crowdsourcing in such
`scenarios may be used to help identify unusual combinations
`of permissions, or unexpected permissions ( e.g., a purported
`game application sending unauthorized SMS messages). In
`yet other example embodiments, a reputation score may be
`calculated based on reputations of other applications from a
`signer (e.g., a vendor who digitally signs the application). For
`instance, if a signer has previously signed applications with
`low reputation scores, then any new applications with the
`same signer may be assigned a low reputation score. In yet
`other example embodiments, a combination of trustworthi-
`
`ness indicators and attributes may be used to calculate the
`reputation score. For example, prevalence and application
`behavior together with data from the manifest can be used to
`determine the reputation score of the mobile application.
`[0026] Reputation engine 20 may forward the respective
`reputation scores to agents 24a-c, which may determine fur(cid:173)
`ther action ( e.g., changing configuration of applications 22a(cid:173)
`c; deleting applications 22a-c from mobile devices 14a-c;
`generating security alerts on displays of mobile devices 14a(cid:173)
`c; generating security beeps on speakers of mobile devices
`14a-c; preventing execution of applications 22a-c; prevent(cid:173)
`ing download of the mo bile application from application store
`18; preventing access to resources in mobile device 14a;
`quarantining applications 22a-c; quarantining mobile device
`14a; not taking any security action, etc.) based on the mobile
`application reputation.
`[0027] The network environment illustrated in FIG. 1 may
`be generally configured or arranged to represent any commu(cid:173)
`nication architecture capable of electronically exchanging
`packets. In addition, the network may also be configured to
`exchange packets with other networks such as, for example,
`the Internet, or other LAN s. Other common network elements
`(e.g., email gateways, web gateways, routers, switches, load(cid:173)
`balancers, firewalls, etc.), may also be provisioned in the
`network.
`[0028] For purposes of illustrating the techniques of system
`10, it is important to understand the activities and security
`concerns that may be present in a given network such as the
`network shown in FIG. 1. The following foundational infor(cid:173)
`mation may be viewed as a basis from which the present
`disclosure may be properly explained. Such information is
`offered earnestly for purposes of explanation only and,
`accordingly, should not be construed in any way to limit the
`broad scope of the present disclosure and its potential appli(cid:173)
`cations.
`[0029] Typical network environments, both in organiza(cid:173)
`tions ( e.g., businesses, schools, government organizations,
`etc.) and in homes include a plurality of devices such as end
`user desktops, laptops, servers, network appliances, and the
`like, with each device having an installed set of executable
`software. Users in organizations and homes may also use
`mobile devices to connect to various wired and/or wireless
`networks. One difficulty users face when managing their
`devices in a network environment is ensuring that only trusted
`and approved executable software files are present on the
`devices. Although devices in a network may initially be con(cid:173)
`figured with trusted and approved executable software, con(cid:173)
`tinuous efforts (both electronic and manual) are usually nec(cid:173)
`essary to protect against unknown and/or malicious software.
`In particular, users may connect to a network using mobile
`devices, which may have vulnerabilities that hackers may use
`to spy on the users, or compromise secure information stored
`on servers and related networked devices.
`[0030] Certain mobile applications may be unwanted, or
`even malicious, to a user or a network. Malicious software
`(malware) includes hostile, intrusive, or annoying program(cid:173)
`ming ( e.g., code, script, active content, etc.) that can disrupt or
`deny operation, gather information that leads to loss of pri(cid:173)
`vacy or exploitation, gain unauthorized access to system
`resources, and exhibit other abusive behavior. For example, a
`mobile application on a mobile phone could be remotely
`controlled, and configured to turn on the phone's camera and
`microphone, permitting spying. In another example, a mobile
`application may track a user's location and convey that infor-
`
`Palo Alto Networks - Exhibit 1004
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 7 of 14
`
`

`

`US 2013/0254880 Al
`
`Sep. 26, 2013
`
`4
`
`mation to unauthorized persons. In yet another example,
`malicious mobile applications may provide a pathway for
`unauthorized access to critical and proprietary information,
`inappropriate use of resources, business interruptions, fraud,
`and security breaches. Research indicates that rogue mobile
`applications ( e.g., malware and spyware) are about to become
`a tremendous problem for the mobile security space.
`[0031] Currently, solutions for identifying such rogue
`mobile applications generally exist in an enterprise space.
`Some existing solutions for malware detection use blacklist(cid:173)
`ing. However, blacklisting solutions fail to detect and block
`day-zero and never-before-seen malware. Moreover, black(cid:173)
`listing is reactive and is not an effective solution to combat
`new and/or slightly modified malware. Other enterprise solu(cid:173)
`tions employ a reputation system to identify malicious appli(cid:173)
`cations. For example, McAfee® Enterprise Mobility Man(cid:173)
`agement (EMM) software configures mobile devices to
`match corporate security policies and enforces compliance
`prior to network access. The enterprise solutions may manage
`a few or thousands of mobile devices over a geographically
`dispersed enterprise network, safeguarding against threats
`(i.e., malware and spyware) that originate via email, instant
`messaging, and Internet downloads. However, such current
`enterprise solutions are limited in scope. For example, repu(cid:173)
`tation scores of applications may be based only on informa(cid:173)
`tion obtained form mobile devices within the enterprise net(cid:173)
`work. Malicious applications existing on mobile devices
`outside the enterprise network may be unknown, or may be
`characterized as benign inside the enterprise network ( due to
`lack of historical information), until an attack occurs.
`[0032] A system for crowdsourcing of mobile application
`reputations outlined by FIG. 1 can resolve these issues,
`among others. Embodiments of the present disclosure seek to
`vastly improve capabilities of existing technologies to allow
`for a more robust solution. Collection and analysis of repu(cid:173)
`tation information may happen in the cloud (e.g., cloud 16)
`for scale, efficiency, and pervasiveness. Mobile devices may
`be configured to permit access from the cloud to their agents
`and applications for purposes of aggregating information for
`calculating mobile application reputations.
`[0033] Knowledge gained from monitoring mobile appli(cid:173)
`cation activity on any one mobile device may be aggregated
`and analyzed against information about similar activity
`obtained from other mobile devices (e.g., through crowd(cid:173)
`sourcing), and correlated with data from other vectors ( e.g.,
`file, web, message, network connections, and manual efforts)
`for substantially comprehensive information about the
`mobile application. Additionally, any threat or vulnerability
`may be temporal in nature ( e.g., if a mobile application is
`interacting with an IP address that is temporarily compro(cid:173)
`mised), and components of system 10 may modify the appli(cid:173)
`cation's reputation score appropriately in real time to reme(cid:173)
`diate the threat to the host mobile device. For example,
`reputation engine 20 may incorporate and adjust mobile
`application reputations with each additional data point. Thus,
`rogue/malicious mobile applications that attempt to test mal(cid:173)
`ware or do a "dry run" of an attack/spying activity may
`inadvertently alert system 10 of such activities.
`[0034] Reputation engine 20 may determine a reputation
`score of mobile application 22a by evaluating one or more
`application fingerprints of mobile application 22a uploaded
`to reputation engine 20 by one or more sources. In an example
`embodiment, the aggregated application fingerprints may
`include information from various application manifests that
`
`can be evaluated to determine a reputation score. In another
`embodiment, the aggregated application fingerprints may
`include aggregated behaviors of the application that may also
`be evaluated to determine a reputation score of the mobile
`application. As more information about an application is
`reported or otherwise made available to reputation engine 20,
`a statistical confidence level of the reputation score may be
`higher.
`[0035] An overall reputation score may be determined
`based upon the calculated probabilities and provided to agent
`24a on mobile device 14a. Agent 24a may examine the
`mobile application reputation to determine what action
`should be taken based on the reputation score. Any suitable
`action could be taken, for example, changing configuration of
`application 22a; deleting application 22a from mobile device
`14a; generating a security alert on a display of mobile device
`14a; generating a security beep on a speaker of mobile device
`14a; preventing execution of application 22a; preventing
`download of application 22a from application store 18; trans(cid:173)
`mitting a security alert to application store 18; preventing
`access to resources in mobile device 14a; quarantining
`mobile application 22a; quarantining mobile device 14a; not
`taking any security action, etc.
`[0036] Not shown in system 10 of FIG. 1 is hardware that
`may be suitably coupled to reputation engine 20 in the form of
`consoles, user
`interfaces, memory management units
`(MMU), additional symmetric multiprocessing (SMP) ele(cid:173)
`ments, peripheral component interconnect (PCI) bus and cor(cid:173)
`responding bridges, small computer system interface (SCSI)/
`integrated drive electronics (IDE) elements, etc. In addition,
`suitable modems, routers, base stations, wireless access