FIELD OF INVENTION
[001] The present invention generally relates to electronic devices, and more particularly to a mechanism for controlling malware spreading across electronic devices by alerting the vulnerable electronic devices about the malware.

BACKGROUND OF INVENTION
[002] Generally, malware is a collective term used to refer to any malicious software which enters a system without authorization of user of the system. The malware is commonly designed, for example, to sneak confidential information, control remote systems for malicious purposes, disrupt mission-critical services, and the like. Malware can include the ability to infect other executable code, data/system files, boot partitions of drives, create excessive traffic on network leading to denial of service, and the like. Due to the pervasive multitude of various electronic devices (such as for example, but not limited to, smart phones, tablets, computers, and the like), the electronic devices have become an easy means for spreading the malware. The electronic devices connect (directly or indirectly) with many other electronic devices, such as for example, through Wi-Fi, Bluetooth, Infrared (IR), Near-Field communication (NFC), in the form of message (for example: emails, SMS, MMS, Instant Message (IM)) exchange, and the like.
[003] Different methods and systems are proposed to detect malware in electronic devices. Conventional systems and methods allow the network operators to blacklist IP (Internet Protocol) addresses, domain names and Uniform Resource Locators (URLs) to control the spread of malware. Based on the blacklist information, policy engines and web filtering applications can be used to identify such malware sources and block communication with the known malware sources. However, malware-spreading-agents found ways to spread malware from reputable sites and domains, which creates significant challenges for the policy engines and the web filtering applications to detect and control the spread of malware. Also, blocking user communication with potentially vulnerable websites can inadvertently impact authentic traffic, much to the dismay of subscribers looking to perform legitimate communication with websites and portals that have malware affecting only a portion of the site. Further, anti-malware software is used to detect and control the spread of malware. Most of the anti-malware solutions for the electronic devices rely on malware signature (for example, binary pattern characteristic of malicious code). Such a malware solution includes maintaining a repository of the malware signatures and checking suspected files for presence of any such malware signatures. Furthermore, behavior-based monitoring approach, mass mailers, and the like techniques are used to monitor actions of programs to determine whether it is malicious or not. Using this approach, profiles are created that outline normal program behavior and any deviations from that profile can be flagged as suspicious. Such approach may be complicated and may include significant challenges in the profile construction process. Furthermore, basic detection, rate-limiting, blocking, and quarantine mechanisms can be used to detect and control the spread of the malware. While detection based mechanism protect an enterprise from incoming infections, rate-liming and quarantine mechanisms seek to contain outbound infected messages.
[004] Thus, there remains a need of a robust system and method to detect and proactively control malware spreading across the electronic devices.

OBJECT OF INVENTION
[005] The principal object of the embodiments herein is to provide a method and system for controlling malware spreading across electronic devices.

SUMMARY
[006] Accordingly the invention provides a method for controlling malware spreading across electronic devices over a communication network. In an embodiment, the method includes replicating a running image of the electronic devices on virtual machines in the communication network. Further, the method includes clustering the virtual machines into cluster(s) based on one or more parameters associated with the electronic devices. Furthermore, the method includes detecting a malware associated with the electronic device. Furthermore, the method includes identifying the cluster(s) vulnerable to the malware based on the one or more parameters associated with the electronic device. Furthermore, the method includes notifying each virtual machine associated with the identified cluster about the malware.
[007] In an embodiment, each virtual machine is associated with a corresponding electronic device. In an embodiment, each virtual machine is a clone of a corresponding electronic device. In an embodiment, the virtual machines are connected to each other in the network creating a Clone2Clone network. In an embodiment, the network is a cloud network.
[008] In an embodiment, the running image includes the one or more parameters, such as for example, but not limited to, electronic device configuration parameter, electronic device interaction parameter, and the like. In an embodiment, the configuration parameter includes for example but, but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software’s, and the like. In an embodiment, the interaction parameter includes for example, but not limited to, call data, contact list data, SMS data, MMS data, email data, NFC communication logs, Wi-Fi communication logs, Bluetooth paired devices, and the like.
[009] Furthermore, the method includes computing a feature vector using the one or more parameters associated with the electronic device. Furthermore, the method includes computing an interaction vector using the one or more parameters associated with the electronic device. Furthermore, the method includes computing a profile vector using the feature vector and the interaction vector.
[0010] Furthermore, the method includes sharing the profile vector with the virtual machine in the network. Furthermore, the method includes computing a similarity metric using the profile vector. Furthermore, the method includes clustering the virtual machines using the similarity metric. In an embodiment, the cluster(s) includes the virtual machine with similar and/or substantially similar parameters. Furthermore, the method includes replicating the malware information associated with the electronic device on the virtual machine and generating a notification message about the malware.
[0011] Accordingly the invention provides a system for controlling malware spreading across electronic devices. The system includes one or more clouds including virtual machines associated with the electronic devices and a controller. In an embodiment, the controller is configured to replicate a running image of the electronic devices on virtual machines in the communication network. Further, the controller is configured to cluster the virtual machines into cluster(s) based on one or more parameters associated with the electronic devices. Furthermore, the controller is configured to detect a malware associated with the electronic device. Furthermore, the controller is configured to identify the cluster(s) vulnerable to the malware based on the one or more parameters associated with the electronic device. Furthermore, the controller is configured to notify each virtual machine associated with the identified cluster about the malware.
[0012] Furthermore, the controller is configured to compute a feature vector using the one or more parameters associated with the electronic device. Furthermore, the controller is configured to compute an interaction vector using the one or more parameters associated with the electronic device. Furthermore, the controller is configured to compute a profile vector using the feature vector and the interaction vector.
[0013] Furthermore, the controller is to share the profile vector with the virtual machine in the network, and compute a similarity metric using the profile vector. Furthermore, the controller is configured to cluster the virtual machines using the similarity metric. In an embodiment, the cluster(s) includes the virtual machine with similar and/or substantially similar parameters. Furthermore, the controller is configured to replicate the malware information associated with the electronic device on the virtual machine and generate a notification message about the malware.
[0014] Accordingly the invention provides a computer program product for controlling malware spreading across electronic devices. The computer program product includes an integrated circuit. The integrated circuit includes a processor, a memory including a computer program code within the circuit. Further, the memory and the computer program code with the processor cause the product to replicate a running image of the electronic devices on virtual machines in the communication network. Furthermore, the memory and the computer program code with the processor cause the product to cluster the virtual machines into cluster(s) based on one or more parameters associated with the electronic devices. Furthermore, the memory and the computer program code with the processor cause the product to detect a malware associated with the electronic device. Furthermore, the memory and the computer program code with the processor cause the product to identify the cluster(s) vulnerable to the malware based on the one or more parameters associated with the electronic device. Furthermore, the memory and the computer program code with the processor cause the product to notify each virtual machine associated with the identified cluster about the malware.
[0015] These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments herein without departing from the spirit thereof, and the embodiments herein include all such modifications.

BRIEF DESCRIPTION OF FIGURES
[0016] This invention is illustrated in the accompanying drawings, throughout which like reference letters indicate corresponding parts in the various figures. The embodiments herein will be better understood from the following description with reference to the drawings, in which:
[0017] FIG. 1 is a diagram illustrating, among other things, a high level overview of a system, according to embodiments as disclosed herein;
[0018] FIG. 2 is a diagram illustrating, among other things, another way of implementing the system as shown in the FIG. 1, according to embodiments as disclosed herein;
[0019] FIG. 3 is a diagram illustrating, among other things, yet another way of implementing the system as shown in the FIG. 1, according to embodiments as disclosed herein;
[0020] FIG. 4 is a diagram showing an exemplary illustration of a C2C network allowing electronic devices and clones to exchange information among each other, according to embodiments disclosed herein;
[0021] FIG. 5 is a sequence diagram illustrating various operations performed by the system as described in the FIGS. 1 through 4, according to embodiments disclosed herein;
[0022] FIG. 6 is a diagram showing an exemplary illustration for computation of profile vector, according to embodiments disclosed herein;
[0023] FIG. 7a is a diagram showing an exemplary illustration of a similarity graph used to cluster the clones in the communication network, according to embodiments disclosed herein;
[0024] FIG. 7b is a diagram showing an exemplary cluster created by the controller using the similarity metrics, according to embodiments described herein;
[0025] FIG. 8 is a diagram showing an exemplary illustration for detection of malware in an electronic device, according to embodiments disclosed herein;
[0026] FIG. 9 is a diagram showing an exemplary illustration for detection of vulnerable cluster(s), according to embodiments disclosed herein;
[0027] FIG. 10 is a flow chart illustrating a method for controlling malware spreading across electronic devices, according to embodiments disclosed herein; and
[0028] FIG. 11 depicts a computing environment implementing the system and method, in accordance with various embodiments of the present invention.

DETAILED DESCRIPTION OF INVENTION
[0029] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein can be practiced and to further enable those skilled in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0030] The embodiments herein achieve a method and system for controlling malware spreading across electronic devices over a communication network. In an embodiment, a cloud including a plurality of interconnected virtual machines is provided, wherein each virtual machine is associated with an electronic device. The method includes replicating a running image of the electronic devices on the respective virtual machines. In an embodiment, the running image described herein can include one or more parameters such as for example, but not limited to, configuration parameters, interaction parameters, and the like, associated with the electronic device. In an embodiment, the configuration parameters can include for example, but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software’s, and the like. Each virtual machine associated with respective electronic devices can be configured to compute a feature vector using the configuration parameter. In an embodiment, the interaction parameters can include information related to the electronic device data transfer and connection with other electronic devices, such as for example, but not limited to, call detail, contact list, SMS details, MMS details, Email details, list of paired devices over NFC, Wi-Fi, Bluetooth, and the like. Each virtual machine associated with respective electronic devices can be configured to compute an interaction vector using the interaction parameters.
[0031] In an embodiment, each virtual machine can compute a profile vector using the feature vector and the interaction vector. In an embodiment, whenever the electronic devices communicate with each other, links between the electronic devices are established. The virtual machines can be configured to compute a similarity metric using the profile vectors. Further, the system includes a controller configured to receive similarity metric associated with each virtual machine in the network. The controller can then be configured to cluster the virtual machines into a single group or cluster based on the similarity metric. For example, the controller can be configured to cluster a set of virtual machines having similar or substantially similar configuration parameters and which often interacts with each other as a one group or cluster. Furthermore, in an embodiment, the controller can be configured to detect any malware associated with the electronic devices. In response to detecting any malware, the controller can be configured to generate a notification including information about the malware. The controller can then identify the clusters including the electronic devices vulnerable to the malware and notify each electronic device associated with the cluster about the malware.
[0032] The method and system disclosed herein is dynamic, robust, and reliable to detect and control malware spreading across the electronic devices. The method and system can be used to identify potentially vulnerable electronic devices and send them an alert notification in advance so that users may become aware of the possible manipulation by malware well in advance. In response to the notification, the vulnerable devices can restrict themselves from downloading applications or perform any other action shared by any means from the infected electronic device. Furthermore, the proposed system and method can be implemented using the existing infrastructure, components, and modules, and may not require extensive set-up or instrumentation.
[0033] Referring now to the drawings, and more particularly to FIGS. 1 through 11, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments.
[0034] Throughout the description, terms “virtual machine” and “clone” are used interchangeably.
[0035] Throughout the description, terms “network” and “cloud” are used interchangeably.
[0036] FIG. 1 is a diagram illustrating, among other things, a high level overview of a system 100, according to embodiments as disclosed herein. The system 100 includes one or more electronic devices 1021-N (hereafter referred as electronic device(s) 102), one or more clones/virtual machines 1041-N (hereafter referred as clone(s) 104), and a controller 106 communicating among each other over a communication network 108.
[0037] In an embodiment, the electronic device 102 described herein can include for example, but not limited to, smartphones, tablets, laptop, computers, communicators, portable electronic devices, and the like. Each electronic device 102 can be configured to collaborate with its own clone 104 in running an application together. The network 108 of clones 104 associated with respective electronic device 102 can collaborate with each other by sharing their resources and generating collective intelligence. In an embodiment, the communication network 108 described herein can include for example, a cloud, wire line network, wireless network, cellular network, global system for mobile communication, local area network, wide area network, a combination thereof, or any other communication network. In an embodiment, the electronic device 102 may use the local or remote network to communicate with the clones 104 over the communication network 108, such as shown at 110, 112, and 114. The local or remote network, such as 110, 112, and 114, used by the electronic device 102 can be the different or same communication network as 108.
[0038] In an embodiment, the clones 104 described can be a running image of an electronic device 102 such as a Smartphone. In practice, the clone 104 can be a mobile OS or a phone emulator, hosted in the cloud 108. In an embodiment, each electronic device 102 can be configured to replicate its running image on the respective clone 104 over the communication network 108. In an embodiment, the running image described herein can include one or more parameters such as for example, but not limited to, configuration parameters, interaction parameters, and the like. In an embodiment, the configuration parameters can include for example but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software, and the like. In an embodiment, the interaction parameters can include information related to the electronic device data transfer and connection with other electronic devices, such as for example, but not limited to, call detail, contact list, SMS details, MMS details, email details, and the like. Further, in an embodiment, each clone can communicate with each other forming an inter-cloud network, called clone2clone (C2C) network, such as described in conjunction with the FIG. 2. The C2C network runs on top of the cloud infrastructure and provides a platform for service providers to deploy their services on top of clones, such as for example, but not limited to, content search, malware detection, malware control, and the like.
[0039] In an embodiment, the controller 106 can be configured to communicate with the clones 104 over the communication network 108, such as to receive information about the electronic devices 102. The controller 106 can then be configured to cluster the clones 104 into a single group or cluster based on the parameters associated with the electronic devices 102. For example, the controller 106 can cluster a set of clones 104 having similar or substantially similar configuration parameters and which often interacts with each other as a one group or cluster. In an embodiment, the controller 106 can be configured to detect any malware associated with the electronic devices 102. In response to detecting any malware, the controller 106 can be configured to generate a notification including information about the malware. The controller 106 can then identify the clusters including the electronic devices 102 vulnerable to the malware and notify each electronic device 102 associated with the cluster about the malware. Furthermore, various operations performed by the system 100 are described in conjunction with the FIG.3.
[0040] Though the FIG. 1 shows few electronic devices associated with their clones and one controller communicating among each other over the cloud but, it is to be understood that another embodiment is not limited thereto. Furthermore, the system 100 can include any number of electronic devices, clones, controller along with other hardware or software components communicating among each other over the communication network. For example, the component can be, but not limited to, a process running in the controller/processor, an object, an executable process, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on an electronic device and the electronic device can be the component.
[0041] FIG. 2 is a diagram 200 illustrating, among other things, another way of implementing the system 100 as shown in the FIG. 1, according to embodiments as disclosed herein. In an embodiment, the controller 106 can be implemented as a part of the cloud 108. In an embodiment, the controller 106 may be a separate component residing locally or remotely apart from the cloud 108. Further, in an embodiment, the controller 106 be may implement or communicate with different modules to perform the different operations. Furthermore, the implementation shown with respect to the FIG. 2 is only for illustrative purpose and it is to be understood that another exemplary embodiment is not limited to thereto.
[0042] FIG. 3 is a diagram 300 illustrating, among other things, yet another way of implementing the system 100 as shown in the FIG. 1, according to embodiments as disclosed herein. In an embodiment, the controller 106 can reside on the electronic device 102 to perform the different operations. Furthermore, the implementation shown with respect to the FIG. 3 is only for illustrative purpose and does not limit the scope of the invention.
[0043] FIG. 4 is a diagram showing an exemplary illustration 400 of a clone2clone (C2C) network allowing electronic devices and clones to exchange information among each other, according to embodiments as disclosed herein. In an embodiment, each clone 104 can communicate with each other forming an inter-cloud network, called C2C network. As shown in the FIG. 4, whenever an electronic device 102 communicates/calls other electronic devices, a link between the clones 104 associated with the electronic devices can be created to exchange the configuration and interaction parameters among each other, such as shown at 402. In an embodiment, each clone 104 can include a routable network name. It can be a public IP address or a private, which can be routable in the cloud 108. Each clone 104 can communicate with respective electronic device 102 that it belongs. Further, the system 100 allows clones 104 to communicate with other clones, or other internet clients in the cloud, such as shown at 404. In an embodiment, in the C2C network, each clone 104 can be associated with a unique owner. To protect the data and information stored in each clone 104 from unauthenticated access, the system 100 can be configured to provide a security and identity management service, such as to control what to share and who to share in the clone network.
[0044] FIG. 5 is a sequence diagram illustrating various operations 300 performed by the system 100 as described in the FIGS. 1 through 4, according to embodiments as disclosed herein. In an embodiment, at 502, the electronic device 102 can be configured to replicate the running image on the respective clone 104 in the cloud network 108. In an embodiment, the running image can be configured to include the one or more parameters such as for example, but not limited to, configuration parameters, interaction parameters, and the like, associated with the electronic device 102. In an embodiment, the configuration parameters can include for example, but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software, and the like. In an embodiment, the interaction parameters can include information related to the electronic device data transfer and connection with other electronic devices, such as for example, but not limited to, call detail, contact list, SMS details, MMS details, Email details, list of paired devices over NFC, Wi-Fi, Bluetooth, and the like.
[0045] In an embodiment, at 504, each clone 104 associated with the respective electronic devices 102 can be configured to compute a feature vector using the configuration parameter. In an embodiment, the feature vector can be used to represent each device configuration parameter in a binary bit pattern. For example, if an electronic device includes configuration parameters as Android platform, Android browser, device driver, middleware, and transmission control software then the clone, associated with that electronic device, represents the parameters in the form of codes such as Android platform coded as a code 0110, Android browser coded as a code 0011, device driver coded as a code 0011, middleware coded as a code 0101, transmission control software coded as, 1110, respectively. The feature vector of the electronic device (C1) at time (t1) can then be represented as Feature vector (C1, t1) = bit pattern (0110 0011 0011 0101 1110). An exemplary representation of the feature vector in the form of a metric is shown below:

Operating system version Browser version Device driver Middleware Transmission control software
0110 0011 0011 0101 1110
[0046] In an embodiment, at 506, each clone 104 associated with respective electronic devices 102 can be configured to compute an interaction vector using the interaction parameter. For example, if a contact list of an electronic device C1 consists of N users represented as U1, U2…UN respectively, then frequency of interactions of device C1 with other users in the contact list can be represented in the interaction vector. In an embodiment, each entry of the interaction vector can represent the user identifier and the frequency of recurrent interactions. The frequency of recurrent interactions may be defined as the frequency of calls made, SMS/MMS sent to a specific user, and the like. An exemplary representation of the interaction vector (C1, t1) in the form of a metric is shown below:
U1 U2 U3 U4 U5
29 21 15 7 3
[0047] In an embodiment, each entry in the interaction vector can specify the number of calls/interactions made by the device (C1) with each user. For example, as shown in the metric, the number of interactions made with the user U1 is 29, with user U2 is 21, and the like.
[0048] In an embodiment, at 508, each clone 104 associated with the respective electronic device 102 can be configured to compute a profile vector using the feature vector and the interaction vector. The clone 104 of each electronic device 102 can store the profile vector of the corresponding device. An exemplary representation of the profile vector is shown below:
[0049] Profile vector (C1, P) = Feature vector (C1, t1) + interaction vector (C1, t1).
[0050] In an embodiment, at 510, the system 100 allows the clones 104 to share the profile vector among each other. The device clones 104 can periodically exchange the profile vectors with each other. For example, whenever two electronic devices say C1 and C2 communicate with each other (through call, SMS, MMS, or the like) the system 100 creates a link between clones C1 and C2 and they exchange profile vectors with each other. Similarly, the clone of each device will obtain the profile information of the other electronic devices with which it communicated in over a period of time. Further, an exemplary illustration showing computation of the profile vector is described in conjunction with the FIG. 6.
[0051] In an embodiment, at 512, each clone 104 can be configured to compute a similarity metric using the profile vectors received from the clones 104 associated with the electronic device 102 over the communication network 108. As the clone 104 includes profile vectors from other devices, each clone device (Ci) can compute the profile similarity metric between the clone device Ci and other clone devices. The profile similarity between two devices can be computed with using a Cosine function. For example, consider that a clone device (Ci) includes two profile vectors A and B of size n. So the similarity between two vectors A and B can be calculated using the following expression:

[0052] In an embodiment, the similarity between two vectors A and B can be in between -1 and+1. The positive similarity index between two devices C1 and C2 indicates that these two devices have similar device configuration and they frequently interact with each other. In an embodiment, the negative similarity index indicates the dissimilar configuration and rare interaction between two devices. An exemplary representation of a similarity metric between a clone (C) with other clone devices (Ci, Ck, Cl, Cm, Cn, and Cp) is shown below:
Cj Ck Cl Cm Cn Cp
-0.6 +0.9 0.03 0.44 0.12 -0.6
[0053] In an embodiment, at 514, each clone 104 can be configured to share the similarity metric with the controller 106. In an embodiment, at 516, the controller 106 can be configured to cluster the clones 104 into a single group or cluster based on the similarity metric. For example, the controller 106 can be configured to cluster a set of clones 104 having similar or substantially similar configuration parameters and often interacts with each other as a one group or cluster. Further, an exemplary illustration showing clusters of the clones 104 is described in conjunction with the FIG. 7b.
[0054] In an embodiment, at 518, the controller 106 can be configured to detect any malware associated with the electronic devices 102. In an embodiment, the controller 106 can be configured to communicate with third-party sources, such as for example anti-malware software, and the like, to detect the malware associated with the electronic device 102. Further, an exemplary illustration showing detection of malware in an electronic device is described in conjunction with the FIG. 8.
[0055] In response to detecting any malware, the controller 106 can be configured to generate a notification including information about the malware, such as shown at the 520. For example, if at time (t) a malware has been detected in a device C then the malware information can be automatically conveyed to the controller 106 through the corresponding clone 104 in the network 108. In response to detecting the malware, the controller can generate notification message about the malware. In an embodiment, the notification message described herein can include for example, but not limited to, audio message, video message, text message, alert window/pop-ups, or the like.
[0056] In an embodiment, at 522, the controller 106 can be configured to identify the clusters including the electronic devices vulnerable to the malware and notify each electronic device associated with the cluster about the malware. The controller 106 can identify the potentially vulnerable electronic devices 104 and send them an alert notification in advance so that users may become aware of the possible infection well in advance. Further, an exemplary illustration showing detection of vulnerable cluster(s) is described in conjunction with the FIG. 9. In an embodiment, the controller 106 can be configured to detect the vulnerable cluster(s) associated with malware infected device X, based on the similarity metric. In an embodiment, the controller 106 can send the notifications to the electronic device 102 through their respective clones 104. In an embodiment, the controller 106 can be configured to communicate with third-party sources, such as for example social networking sites, to send the notifications to the electronic device 102. In response to the notification, the vulnerable devices can restrict themselves from downloading applications or perform any other action shared by any means from the infected electronic device.
[0057] FIG. 6 is a diagram 600 showing an exemplary illustration for computation of profile vector, according to embodiments disclosed herein. In an embodiment, each clone 104 associated with the respective electronic device 102 can be configured to compute the feature vector 602 using the configuration parameter. In an embodiment, the configuration parameters can include for example, but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software, and the like. In an embodiment, each clone 104 associated with respective electronic device 102 can be configured to compute an interaction vector 604 using the interaction parameter. In an embodiment, the interaction parameters can include information related to the electronic device data transfer and connection with other electronic devices, such as for example, but not limited to, call detail, contact list, SMS details, MMS details, Email details, list of paired devices over NFC, Wi-Fi, Bluetooth, and the like. In an embodiment, each entry of the interaction vector 604 can represent the user identifier and the frequency of recurrent interactions. In an embodiment, each clone 104 associated with the respective electronic device 102 can be configured to compute a profile vector 606 using a feature vector 602 and an interaction vector 604.
[0058] FIG. 7A is a diagram showing an exemplary illustration 700 of a similarity graph used to cluster the clones in the communication network, according to embodiments disclosed herein. In an embodiment, each clone 104 can be configured to share the similarity metric with the controller 106. The controller 106 can be configured to cluster the clones 104 into a single group or cluster based on the similarity metric. The controller 106 can be configured to construct a similarity graph based on the similarity tables sent by all the clones 104, such as to cluster the clones104 having similar or substantially similar configuration parameters and often interacts with each other as a one group or cluster.
[0059] The FIG. 7a shows an exemplary representation of an undirected weighted graph 702 in which each node 704 is an electronic device 102 and the controller 106 can connect two nodes for example (u, v). In an embodiment, if the similarity between two nodes is more than a threshold then the weight assigned to a link (u, v) can be maximum (similarity (u, v), similarity (v, u)).
[0060] In an embodiment, the controller 106 can be configured to use one or more clustering techniques such as for example, but not limited to, partitioning technique, hierarchical technique, single-link technique, grid-based clustering technique, distance-based clustering technique, locality-based technique, similarity-based clustering technique, and the like techniques known in the art to cluster the clones 104. The controller 106 can be configured to partition the clones 104 such that each cluster can include clones 104 having similar configuration and who frequently interact with each other can be clustered as one group.
[0061] FIG. 7b shows exemplary cluster created by the controller using the similarity metrics, according to embodiments described herein. In an embodiment, as shown in the FIG. 7b, the set of devices which share common device configurations and interact with each other quite frequently is placed in the same cluster. For example, if the nodes C3, C9, C15, C14 include similar or substantially similar configuration parameters and frequently interact with each other then the controller can be configured to create a cluster. The controller can be configured to designate these nodes C3, C9, C15, and C14 as vulnerable, in an event of detection of malware at any of these nodes.
[0062] FIG. 8 is a diagram 800 showing an exemplary illustration for detection of malware in an electronic device 102, according to embodiments disclosed herein. In an embodiment, the system 100 allows the controller 106 or any other third-party sources to identify the malware associated with an electronic device. As shown in the FIG. 8, the system 100 identifies that the central electronic device X includes a malware or effected by the malware.
[0063] FIG. 9 is a diagram 900 showing an exemplary illustration for detection of vulnerable cluster(s), according to embodiments disclosed herein. In an embodiment, the controller 106 can be configured to identify the clusters including the electronic devices vulnerable to the malware and notify each electronic device associated with the cluster about the malware. For example, as shown in the FIG. 9, if the electronic device X includes malware or has been affected by the malware then X may share this application shortly with the electronic devices A, B, and C,. Unlike existing systems, the present invention allows the controller 106 to identify those vulnerable set of devices (such as A, B, and C) and send them alert notifications. FIG. 10 is a flow chart illustrating a method 1000 for controlling malware spreading across electronic devices, according to embodiments as disclosed herein. In an embodiment, at step 1002, the method 1000 includes replicating the running image on the respective clone 104 in the cloud network 108. In an embodiment, the running image can include the one or more parameters such as for example, but not limited to, configuration parameters, interaction parameters, and the like, associated with the electronic device 102. In an embodiment, the configuration parameters can include for example but not limited to, operating system version, browser version, device drivers information, middleware information, transmission control software, and the like. In an embodiment, the interaction parameters can include information related to the electronic device data transfer and connection with other electronic devices such as for example, but not limited to, call detail, contact list, SMS details, MMS details, Email details, NFC, Wi-Fi, Bluetooth, and the like.
[0064] In an embodiment, at step 1004, the method 1000 includes computing a feature vector using the configuration parameters associated with the electronic device 102. In an example, for each clone 104, the method 1000 allows the controller 106 to compute the feature vector using the configuration parameter associated with the respective electronic device 102. The method 1000 allows the controller 106 to represent each device configuration parameter in the feature vector using a binary bit pattern.
[0065] In an embodiment, at step 1006, the method 1000 includes computing an interaction vector using the interaction parameters associated with the electronic device 102. In an example, for each clone 104, the method 1000 allows the controller 106 to compute the interaction vector using the configuration parameter associated with the respective electronic device 102. In an embodiment, each entry of the interaction vector can store the user identifier and the frequency of recurrent interactions. The frequency of recurrent interactions may be defined as the frequency of calls made, SMS/MMS sent to a specific user, and the like.
[0066] In an embodiment, at step 1008, the method 1000 includes computing a profile vector using the feature vector and the interaction vector. In an example, for each clone 104, the method 1000 allows the controller 106 to compute the profile vector using the feature vector and the interaction vector. The clone 104 of each electronic device 102 can represent the profile vector of the corresponding device. An exemplary representation of the profile vector is shown below: Profile vector = Feature vector + interaction vector
[0067] In an embodiment, at step 1010, the method 1000 includes computing a similarity metric using the profile vector. In an example, the method 1000 allows the clones 104 to share the profile vector among each other. The device clones 104 can periodically exchange the profile vectors with each other. For example, whenever two electronic devices say C1 and C2 communicate with each other (through call, SMS, MMS, or the like) the controller 106 creates a link between clones C1 and C2 and they exchange profile vectors with each other. Similarly, the clone of each device will obtain the profile information of the other electronic devices with which it communicated over a period of time. As the clones 104 include profile vectors from other devices, each clone device (Ci) can compute the profile similarity metric between the clone device Ci and other clone devices. The method 1000 allows the controller 106 to use Cosine functions to compute the similarity between the profile vectors. For example, consider that a clone device (Ci) includes two profile vectors A and B of size n. So the similarity between two vectors A and B can be calculated using the following expression:

[0068] In an embodiment, the similarity between two vectors A and B can be in between -1 and+1. The positive similarity index between two devices C1 and C2 indicates that these two devices have similar device configuration and they frequently interact with each other. In an embodiment, the negative similarity index indicates the dissimilar configuration and rare interaction between two devices.
[0069] In an embodiment, at step 1012, the method 1000 includes clustering the clones 104 associated with electronic device 106 into one or more cluster based on the similarities between the clones 104. In an example, the method 1000 allows each clone 104 to share the similarity metric with the controller 106. The method 1000 allows the controller 106 to cluster the clones 104 into a single group or cluster based on the similarity metric. For example, the controller 106 can cluster a set of clones 104 having similar or substantially similar configuration parameters and often interacts with each other as a one group or cluster.
[0070] In an embodiment, at step 1014, the method 1000 includes detecting any malware associated with the electronic devices 102. In an example, the method 1000 allows the controller 106 to detect any malware associated with the electronic devices 102. In an embodiment, the method 700 allows third-party sources, such as for example anti-malware software, to detect the malware associated with the electronic device 102. In an embodiment, at step 1016, the method 1000 includes generating a notification including information about the malware. In an example, in response to detecting any malware, the method 1000 allows the controller 106 to generate a notification including information about the malware. For example if at time t a malware has been detected in a device C then the malware information can automatically be conveyed to the controller 106 through the corresponding clone 104 in the network 108 and generate notification message about the malware. In an embodiment, the notification message described herein can include for example, but not limited to, audio message, video message, text message, alert window/pop-ups, or the like.
[0071] In an embodiment, at step 1018, the method 1000 includes identifying and notifying the identified cluster about the malware. In an example, the method 1000 allows the controller 106 to identify the clusters including the electronic devices 102 vulnerable to the malware and notify each electronic device 102 associated with the cluster about the malware. The controller 106 can identify the potentially vulnerable electronic devices 104 and send them an alert notification in advance so that users may become aware of the possible infection well in advance. In an embodiment, the method 1000 allows the controller 106 to send the notifications to the electronic device 102 through their respective clones 104. In an embodiment, the method 700 allows third-party sources, such as for example social networking sites, to send the notifications to the electronic device 102. In response to the notification, the vulnerable devices can restrict themselves from downloading applications or perform any other action shared by any means from the infected electronic device.
[0072] The various steps, blocks, operations, and acts described with respect to the FIGS. 1 through 10 can be performed in sequential order, in random order, simultaneously, parallel, or a combination thereof. Further, in some embodiments, some of the steps, blocks, operations, and acts can be omitted, skipped, modified, or added without departing from scope of the invention. Although the above description is described using stereoscopic technique but, it is understood that the use of other techniques are not limited thereto.
[0073] FIG. 11 depicts a computing environment 1102 implementing the application, in accordance with various embodiments of the present invention. As depicted, the computing environment 1102 comprises at least one processing unit 1104 that is equipped with a control unit 1106 and an Arithmetic Logic Unit (ALU) 1108, a memory 1110, a storage unit 1112, a clock chip 1114, plurality of networking devices 1116, and a plurality of Input/output (I/O) devices 1118. The processing unit 1104 is responsible for processing the instructions of the algorithm. The processing unit 1104 receives commands from the control unit 1106 in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 1108.
[0074] The overall computing environment 1102 can be composed of multiple homogeneous and/or heterogeneous cores, multiple CPUs of different kinds, special media and other accelerators. The processing unit 1104 is responsible for processing the instructions of the algorithm. The processing unit 1104 receives commands from the control unit 1106 in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 1108. Further, the plurality of process units may be located on a single chip or over multiple chips.
[0075] The algorithm comprising of instructions and codes required for the implementation are stored in either the memory unit 1110 or the storage 1112 or both. At the time of execution, the instructions may be fetched from the corresponding memory 1110 and/or storage 1112, and executed by the processing unit 1104. The processing unit 1104 synchronizes the operations and executes the instructions based on the timing signals generated by the clock chip 1114. The embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the elements. The elements shown in the FIGS. 1-11 include various units, blocks, modules, or steps described in relation with methods, processes, algorithms, or systems of the present invention, which can be implemented using any general purpose processor and any combination of programming language, application, and embedded processor.
[0076] The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the spirit and scope of the embodiments as described herein.

STATEMENT OF CLAIMS
We claim:
1. A method for controlling malware spreading across electronic devices over a communication network, the method comprising:
replicating a running image of at least one electronic device on at least one virtual machine in said communication network;
clustering said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device;
detecting a malware associated with said at least one electronic device;
identifying said at least one cluster vulnerable to said malware based on said at least one parameter associated with said at least one electronic device; and
notifying each virtual machine associated with said at least one identified cluster about said malware.
2. The method of claim 1, wherein said at least one virtual machine is associated with said at least one electronic device.
3. The method of claim 1, wherein said virtual machines are clones of said electronic devices.
4. The method of claim 1, wherein said virtual machines is connected to each other in said network creating a Clone2Clone network.
5. The method of claim 1, wherein said network is a cloud network.
6. The method of claim 1, wherein said running image comprises said at least one parameter associated with said at least one electronic device.
7. The method of claim 1, wherein said at least one parameter comprises at least one of said electronic device configuration parameter and interaction parameter.
8. The method of claim 7, wherein said configuration parameter comprises at least one of operating system version, browser version, device driver information, middleware information, and transmission control software.
9. The method of claim 7, wherein said interaction parameter comprises at least one of call data, contact list data, SMS data, MMS data, email data, NFC communication, Bluetooth, and Wi-Fi.
10. The method of claim 1, wherein said method further comprises computing a profile vector using at least one of a feature vector and an interaction vector.
11. The method of claim 10, wherein said method further comprises computing said feature vector using said at least one parameter associated with at least one electronic device;
12. The method of claim 10, wherein said method further comprises computing said interaction vector using said at least one parameter associated with at least one electronic device.
13. The method of claim 1, wherein said method further comprises sharing said profile vector with said at least one virtual machine in said network.
14. The method of claim 1, wherein said method further comprises computing a similarity metric using said profile vector.
15. The method of claim 1, wherein said at least one virtual machine is clustered based on said similarity metric.
16. The method of claim 1, wherein said cluster comprises said at least one virtual machine with similar said at least one parameter.
17. The method of claim 1, wherein said cluster comprises said at least one virtual machine with substantially similar said at least one parameter.
18. The method of claim 1, wherein said method further comprises replicating said malware information associated with said at least one electronic device on said at least one virtual machine.
19. The method of claim 1, wherein said method further comprises generating a notification message about said malware.
20. A system for controlling malware spreading across electronic devices, the system comprising:
at least one cloud including at least one virtual machine replicating a running image of at least one electronic device;
a controller configured to:
cluster said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device,
detect a malware associated with said at least one electronic device,
identify said at least one cluster vulnerable to said malware based on said at least one parameter associated with said at least one electronic device, and
notify each virtual machine associated with said at least one identified cluster about said malware.
21. The system of claim 20, wherein said at least one virtual machine is associated with said at least one electronic device.
22. The system of claim 208, wherein said virtual machines are clones of said electronic devices.
23. The system of claim 20, wherein said virtual machines is connected to each other in said at least one cloud creating a Clone2Clone network.
24. The system of claim 20, wherein said running image comprises said at least one parameter associated with said at least one electronic device.
25. The system of claim 20, wherein said at least one parameter comprises at least one of said electronic device configuration parameter and interaction parameter.
26. The system of claim 25, wherein said configuration parameter comprises at least one of operating system version, browser version, device driver information, middleware information, and transmission control software.
27. The system of claim 20, wherein said interaction parameter comprises at least one of call data, contact list data, SMS data, MMS data, email data, NFC communication, Bluetooth, and Wi-Fi.
28. The system of claim 20, wherein said controller is further configured to compute a profile vector using at least one of a feature vector and an interaction vector.
29. The system of claim 28, wherein said controller is further configured to compute said feature vector using said at least one parameter associated with at least one electronic device,
30. The system of claim 28, wherein said controller is further configured to compute said interaction vector using said at least one parameter associated with at least one electronic device.
31. The system of claim 20, wherein said controller is further configured to share said profile vector with said at least one virtual machine in said network.
32. The system of claim 20, wherein said controller is further configured to compute a similarity metric using said profile vector.
33. The system of claim 20, wherein said at least one virtual machine is clustered based on said similarity metric.
34. The system of claim 20, wherein said cluster comprises said at least one virtual machine with similar said at least one parameter.
35. The system of claim 20, wherein said cluster comprises said at least one virtual machine with substantially similar said at least one parameter.
36. The system of claim 20, wherein said controller is further configured to replicate said malware information associated with said at least one electronic device on said at least one virtual machine.
37. The system of claim 20, wherein said controller is further configured to generate a notification message about said malware.
38. A computer program product for controlling malware spreading across electronic devices over a communication network, the product comprising:
an integrated circuit comprising at least one processor;
at least one memory having a computer program code within said circuit, wherein said at least one memory and said computer program code with said at least one processor cause said product to:
replicate a running image of at least one electronic device on at least one virtual machine in said communication network,
cluster said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device,
detect a malware associated with said at least one electronic device,
notify each virtual machine associated with said at least one cluster vulnerable to said malware about said malware.

CLIAMS:We claim:
1. A method for controlling malware spreading across electronic devices over a communication network, the method comprising:
replicating a running image of at least one electronic device on at least one virtual machine in said communication network;
clustering said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device;
detecting a malware associated with said at least one electronic device;
identifying said at least one cluster vulnerable to said malware based on said at least one parameter associated with said at least one electronic device; and
notifying each virtual machine associated with said at least one identified cluster about said malware.
2. The method of claim 1, wherein said at least one virtual machine is associated with said at least one electronic device.
3. The method of claim 1, wherein said virtual machines are clones of said electronic devices.
4. The method of claim 1, wherein said virtual machines is connected to each other in said network creating a Clone2Clone network.
5. The method of claim 1, wherein said network is a cloud network.
6. The method of claim 1, wherein said running image comprises said at least one parameter associated with said at least one electronic device.
7. The method of claim 1, wherein said at least one parameter comprises at least one of said electronic device configuration parameter and interaction parameter.
8. The method of claim 7, wherein said configuration parameter comprises at least one of operating system version, browser version, device driver information, middleware information, and transmission control software.
9. The method of claim 7, wherein said interaction parameter comprises at least one of call data, contact list data, SMS data, MMS data, email data, NFC communication, Bluetooth, and Wi-Fi.
10. The method of claim 1, wherein said method further comprises computing a profile vector using at least one of a feature vector and an interaction vector.
11. The method of claim 10, wherein said method further comprises computing said feature vector using said at least one parameter associated with at least one electronic device;
12. The method of claim 10, wherein said method further comprises computing said interaction vector using said at least one parameter associated with at least one electronic device.
13. The method of claim 1, wherein said method further comprises sharing said profile vector with said at least one virtual machine in said network.
14. The method of claim 1, wherein said method further comprises computing a similarity metric using said profile vector.
15. The method of claim 1, wherein said at least one virtual machine is clustered based on said similarity metric.
16. The method of claim 1, wherein said cluster comprises said at least one virtual machine with similar said at least one parameter.
17. The method of claim 1, wherein said cluster comprises said at least one virtual machine with substantially similar said at least one parameter.
18. The method of claim 1, wherein said method further comprises replicating said malware information associated with said at least one electronic device on said at least one virtual machine.
19. The method of claim 1, wherein said method further comprises generating a notification message about said malware.
20. A system for controlling malware spreading across electronic devices, the system comprising:
at least one cloud including at least one virtual machine replicating a running image of at least one electronic device;
a controller configured to:
cluster said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device,
detect a malware associated with said at least one electronic device,
identify said at least one cluster vulnerable to said malware based on said at least one parameter associated with said at least one electronic device, and
notify each virtual machine associated with said at least one identified cluster about said malware.
21. The system of claim 20, wherein said at least one virtual machine is associated with said at least one electronic device.
22. The system of claim 208, wherein said virtual machines are clones of said electronic devices.
23. The system of claim 20, wherein said virtual machines is connected to each other in said at least one cloud creating a Clone2Clone network.
24. The system of claim 20, wherein said running image comprises said at least one parameter associated with said at least one electronic device.
25. The system of claim 20, wherein said at least one parameter comprises at least one of said electronic device configuration parameter and interaction parameter.
26. The system of claim 25, wherein said configuration parameter comprises at least one of operating system version, browser version, device driver information, middleware information, and transmission control software.
27. The system of claim 20, wherein said interaction parameter comprises at least one of call data, contact list data, SMS data, MMS data, email data, NFC communication, Bluetooth, and Wi-Fi.
28. The system of claim 20, wherein said controller is further configured to compute a profile vector using at least one of a feature vector and an interaction vector.
29. The system of claim 28, wherein said controller is further configured to compute said feature vector using said at least one parameter associated with at least one electronic device,
30. The system of claim 28, wherein said controller is further configured to compute said interaction vector using said at least one parameter associated with at least one electronic device.
31. The system of claim 20, wherein said controller is further configured to share said profile vector with said at least one virtual machine in said network.
32. The system of claim 20, wherein said controller is further configured to compute a similarity metric using said profile vector.
33. The system of claim 20, wherein said at least one virtual machine is clustered based on said similarity metric.
34. The system of claim 20, wherein said cluster comprises said at least one virtual machine with similar said at least one parameter.
35. The system of claim 20, wherein said cluster comprises said at least one virtual machine with substantially similar said at least one parameter.
36. The system of claim 20, wherein said controller is further configured to replicate said malware information associated with said at least one electronic device on said at least one virtual machine.
37. The system of claim 20, wherein said controller is further configured to generate a notification message about said malware.
38. A computer program product for controlling malware spreading across electronic devices over a communication network, the product comprising:
an integrated circuit comprising at least one processor;
at least one memory having a computer program code within said circuit, wherein said at least one memory and said computer program code with said at least one processor cause said product to:
replicate a running image of at least one electronic device on at least one virtual machine in said communication network,
cluster said at least one virtual machine into at least one cluster based on at least one parameter associated with said at least one electronic device,
detect a malware associated with said at least one electronic device,
notify each virtual machine associated with said at least one cluster vulnerable to said malware about said malware.