US 12,445,459 B2
Detecting malicious mobile applications using machine learning in a cloud-based system
Rohit Goyal, Mohali (IN)
Assigned to Zscaler, Inc., San Jose, CA (US)
Filed by Zscaler, Inc., San Jose, CA (US)
Filed on Oct. 7, 2020, as Appl. No. 17/064,634.
Claims priority of application No. 202011036631 (IN), filed on Aug. 25, 2020.
Prior Publication US 2022/0070183 A1, Mar. 3, 2022
Int. Cl. H04L 9/40 (2022.01); G06N 20/00 (2019.01)
CPC H04L 63/1416 (2013.01) [G06N 20/00 (2019.01)] 14 Claims
OG exemplary drawing
 
1. A non-transitory computer-readable medium storing computer-executable instructions, and in response to execution by a node and a user device in a cloud-based system, the computer-executable instructions cause the node to perform steps of:
establishing a cloud tunnel between the node and a connector application executing on the user device, the tunnel defining a first tunnel and a second tunnel, wherein the cloud tunnel comprises one or more data channels for transmitting and receiving user Internet Protocol (IP) packets and a TLS encrypted control channel for mobile device and user authentication and control messages, the one or more data channels being bound to the control channel, and wherein the one or more data channels are bound to the control channel by a session identifier in a device authentication acknowledgement;
obtaining network traffic associated with mobile applications operating on the user device via the one or more data channels of the cloud tunnel, wherein the cloud tunnel provides the network traffic for various ports and protocols via the one or more data channels, and wherein the connector application executing on the user device provides data associated with the network traffic to the node, wherein the data includes destination Internet Protocol (IP) addresses, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, extra header fields, and mobile application identifiers, and wherein the connector application executing on the user device is adapted to derive mobile application names associated with established connections and tag a mobile application identifier on every packet over the data channel to support per-application awareness;
extracting the data from the network traffic for each transaction;
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of a mobile application associated with the transaction;
communicating the score to the application executing on the user device via the control channel of the tunnel, wherein the control channel of the tunnel is encrypted; and
responsive to communicating the score to the application executing on the user device via the control channel of the tunnel, and responsive to the score indicating that the mobile application executing on the user device is a malicious mobile application, causing the application executing on the user device to delete the mobile application from the user device based on the score communicated to the application executing on the user device by the node, thereby deleting the malicious mobile application from the user device.
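The node-side steps of claim 1 (feature extraction per transaction, a scoring model, and a verdict returned over the control channel bound to the session identifier), as an added illustration that is not the patent's or Zscaler's code. The feature set, model weights, threshold and the two sample transactions are constructed assumptions, not a trained model or real traffic.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Transaction:
    # Per-transaction data the connector application supplies (claim 1).
    dst_ip: str
    dst_port: int
    protocol: str
    user_agent: str
    http_method: str
    content_length: int
    sni_host: str
    extra_headers: dict = field(default_factory=dict)
    app_id: str = ""   # mobile application identifier tagged on every packet

def extract_features(tx: Transaction) -> dict:
    """Map one transaction to numeric features (constructed feature set)."""
    return {
        "nonstd_port": 1.0 if tx.dst_port not in (80, 443) else 0.0,
        "no_sni": 1.0 if tx.protocol == "tls" and not tx.sni_host else 0.0,
        "blank_ua": 1.0 if not tx.user_agent else 0.0,
        "is_post": 1.0 if tx.http_method == "POST" else 0.0,
        "log_len": math.log10(1 + max(tx.content_length, 0)),
        "extra_hdrs": float(len(tx.extra_headers)),
    }

# Constructed logistic-regression weights standing in for a trained model.
WEIGHTS = {"nonstd_port": 1.5, "no_sni": 2.0, "blank_ua": 1.5,
           "is_post": 0.5, "log_len": 0.3, "extra_hdrs": 0.2}
BIAS = -4.0
THRESHOLD = 0.8   # assumed cut-off above which the app is treated as malicious

def score(features: dict) -> float:
    """Maliciousness score in (0, 1) for one transaction."""
    z = BIAS + sum(WEIGHTS[k] * v for k, v in features.items())
    return 1.0 / (1.0 + math.exp(-z))

def control_message(session_id: str, tx: Transaction) -> dict:
    """Verdict for the control channel, bound to the session identifier
    from the device authentication acknowledgement (claim 1)."""
    s = score(extract_features(tx))
    return {"session_id": session_id, "app_id": tx.app_id,
            "score": round(s, 3),
            "action": "delete" if s >= THRESHOLD else "allow"}

# Constructed sample transactions (not real traffic).
BENIGN = Transaction("192.0.2.10", 443, "tls", "Mozilla/5.0", "GET", 0,
                     "example.com", {}, "com.example.mail")
SUSPECT = Transaction("192.0.2.20", 8443, "tls", "", "POST", 100000,
                      "", {"x-a": "1", "x-b": "2"}, "com.example.flashlight")
```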