
Characterizing the Security of Endogenous and Exogenous Desktop Application Network Flows

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 12671)

Abstract

Most desktop applications use the network, and insecure communications can have a significant impact on the application, the system, the user, and the enterprise. Understanding at scale whether desktop applications use the network securely is a challenge because the application provenance of a given network packet is rarely available at centralized collection points. In this paper, we collect flow data from 39,758 MacOS devices on an enterprise network to study the network behaviors of individual applications. We collect flows locally on-device and can definitively identify the application responsible for every flow. We also develop techniques to distinguish “endogenous” flows common to most executions of a program from “exogenous” flows likely caused by unique inputs. We find that popular MacOS applications are in fact using the network securely, with 95.62% of the applications we study using HTTPS. Notably, we observe that security-sensitive services (including certificate management and mobile device management) do not use ports associated with secure communications. Our study provides important insights for users, device and network administrators, and researchers interested in secure communication.


Notes

  1. This is fewer hosts than are in the flows dataset, but certainly large enough to be a representative sample. OSQuery data was not available for every host that NVM was installed on.

  2. This overapproximates possible domains, risking misclassifying an IP as disreputable in our analysis. Because our results do not identify any endogenous domain as disreputable, this concern is moot.

References

  1. https://transparencyreport.google.com/https/overview

  2. https://spark.apache.org/

  3. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7/nvm.html

  4. https://osquery.io/

  5. https://parquet.apache.org/

  6. https://snort.org/downloads/ip-block-list

  7. https://umbrella.cisco.com/blog/cisco-umbrella-1-million

  8. https://docs.umbrella.com/investigate-api/docs/security-information-for-a-domain-1

  9. https://github.com/osquery/osquery/blob/master/packs/incident-response.conf#L211

  10. https://tools.ietf.org/html/rfc1918

  11. https://github.com/georg-un/kneebow

  12. https://blog.jacopo.io/en/post/apple-ocsp/

  13. https://nvd.nist.gov/vuln/detail/CVE-2019-13450

  14. https://nvd.nist.gov/vuln/detail/CVE-2019-13449

  15. https://nvd.nist.gov/vuln/detail/CVE-2019-15006

  16. Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, AISec 2016, pp. 35–46. ACM, New York (2016)

  17. Anderson, B., McGrew, D.: TLS beyond the browser: combining end host and network data to understand application behavior. In: Proceedings of the Internet Measurement Conference, IMC 2019, pp. 379–392. Association for Computing Machinery, New York (2019)

  18. Bellissimo, A., Burgess, J., Fu, K.: Secure software updates: disappointments and new challenges. In: HotSec, pp. 37–43 (2006)

  19. Chen, Y., Antonakakis, M., Perdisci, R., Nadji, Y., Dagon, D., Lee, W.: DNS Noise: measuring the pervasiveness of disposable domains in modern DNS traffic. In: Proceedings of the 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2014, pp. 598–609 (2014)

  20. Cisco Systems Inc: Cisco Security Analytics White Paper (2018). https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch/white-paper-c11-740605.pdf

  21. Cisco Systems Inc: Cisco Encrypted Traffic Analytics White Paper (2019). https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf

  22. Denning, D.E.: An intrusion-detection model. In: 1986 IEEE Symposium on Security and Privacy, pp. 118–118 (1986)

  23. Dormann, W.: The Consequences of Insecure Software Updates (2017). https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html

  24. Durumeric, Z., et al.: The Security Impact of HTTPS Interception (2017)

  25. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: 22nd USENIX Security Symposium (USENIX Security 2013), pp. 605–620. USENIX Association, Washington, D.C. (2013)

  26. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for Unix processes, pp. 120–128. Institute of Electrical and Electronics Engineers (IEEE) (2002)

  27. Frolov, S., Wustrow, E.: The use of TLS in censorship circumvention. In: Proceedings of the Network and Distributed System Security Symposium (2019)

  28. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: ACM Conference on Computer and Communications Security, pp. 38–49 (2012)

  29. Hofstede, R., Bartoš, V., Sperotto, A., Pras, A.: Towards real-time intrusion detection for NetFlow and IPFIX. In: 2013 9th International Conference on Network and Service Management, pp. 227–234 (2013)

  30. Houmansadr, A., Brubaker, C., Shmatikov, V.: The parrot is dead: observing unobservable network communications. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 65–79 (2013)

  31. Kleopa, C., Judge, C.: Snort - OpenAppID (2015). https://www.snort.org/documents/openappid-detection-webinar

  32. Kountouras, A., et al.: Enabling network security through active DNS datasets. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 188–208. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_9

  33. Leonhard, W.: Microsoft is distributing security patches through insecure HTTP links. Computerworld (2018). https://www.computerworld.com/article/3256304/microsoft-is-distributing-security-patches-through-insecure-http-links.html

  34. Lyon, G.F.: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, USA (2009)

  35. Nemec, M., Klinec, D., Svenda, P., Sekan, P., Matyas, V.: Measuring popularity of cryptographic libraries in internet-wide scans, pp. 162–175 (2017)

  36. Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, LISA 1999, pp. 229–238. USENIX Association, USA (1999)

  37. Shamsi, Z., Cline, D.B.H., Loguinov, D.: Faulds: a non-parametric iterative classifier for internet-wide OS fingerprinting. In: ACM Conference on Computer and Communications Security, pp. 971–982 (2017)

  38. Shamsi, Z., Nandwani, A., Leonard, D., Loguinov, D.: Hershel: single-packet OS fingerprinting. IEEE/ACM Trans. Netw. 24(4), 2196–2209 (2016)

  39. Springall, D., Durumeric, Z., Halderman, J.A.: Measuring the security harm of TLS crypto shortcuts, pp. 33–47 (2016)

  40. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 255–264. Association for Computing Machinery, New York (2002)

  41. Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. Pattern Recogn. 36(1), 229–243 (2003)

  42. Zalewski, M.: p0f v3: Passive Fingerprinter (2012). http://lcamtuf.coredump.cx/p0f3/README

  43. Zhenqi, W., Xinyu, W.: NetFlow based intrusion detection system. In: Proceedings of the 2008 International Conference on MultiMedia and Information Technology, MMIT 2008, pp. 825–828 (2008)


Author information

Correspondence to Bradley Reaves.

Appendices

A Data Ethics

While working on this project, we followed all institutional procedures from all affiliated institutions. Our IRB reviewed our proposal and datasets and determined that this was not human subjects research. All human and machine identifiers in our dataset have been removed and replaced with encrypted versions, encrypted with a key that the research team does not have access to. All telemetry was collected through existing monitoring infrastructure that has strict ACLs. Furthermore, all telemetry was collected from corporate managed and owned devices, where users are made aware that the devices are monitored for security and compliance. Throughout our analysis we focus on the network behavior of applications, not individual users. Any individual user’s data could be excluded from our dataset without impact to our findings. We made no attempt to find evidence of sensitive actions or non-work-related activity (video games, streaming video, social media, etc.). The focus of our research is on the network behavior of applications, not of the individuals using the applications.

B RFC 1918

RFC 1918 [10] describes and reserves three IP ranges for private use only. We used these ranges to label each source IP and destination IP as “private” or “public”. If an IP is “private” then it is not on the Internet, and is instead on some internal/private network. After labeling each flow, there are four possible combinations:

  • Private Source to Private Destination (Internal) - Neither end is an Internet-facing IP; this is communication to internal services

  • Private Source to Public Destination (Outbound) - Destination is an Internet-facing IP, likely an outbound connection

  • Public Source to Private Destination (Inbound) - Destination is not an Internet-facing IP, so this is either a connection from a NAT device to an internal service, or an inbound connection from a public service to a device

  • Public Source to Public Destination (NAT) - Both ends have an Internet-facing IP, but one must be a local device behind a NAT IP, though we can’t tell which.
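The labeling procedure in this appendix, written out as an added example (this is not code from the paper or its authors). It checks each address against the three RFC 1918 blocks explicitly rather than relying on a library's broader notion of "private", so that the labels match the appendix. The flow records, the `SAMPLE_FLOWS` table and the function names are constructed for illustration and are not the paper's dataset or tooling.

```python
import ipaddress
from collections import Counter

# The three IPv4 blocks RFC 1918 reserves for private internets.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True if the address lies in one of the RFC 1918 blocks.

    Only IPv4 is covered by RFC 1918; any IPv6 address is labeled public
    here so the caller sees the limitation rather than a silent guess.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return any(addr in net for net in RFC1918_RANGES)


def classify_flow(src: str, dst: str) -> str:
    """Map a (source, destination) pair to the four labels of the appendix."""
    src_priv, dst_priv = is_rfc1918(src), is_rfc1918(dst)
    if src_priv and dst_priv:
        return "Internal"   # both ends on the internal network
    if src_priv and not dst_priv:
        return "Outbound"   # local host talking to an Internet-facing IP
    if not src_priv and dst_priv:
        return "Inbound"    # NAT device or public service reaching inside
    return "NAT"            # both public; one end is really a NATed local host


# Constructed sample flows: (source IP, destination IP, destination port, app).
# These are illustrative records, not data from the study.
SAMPLE_FLOWS = [
    ("10.20.30.40", "10.20.30.1", 53, "mDNSResponder"),
    ("10.20.30.40", "93.184.216.34", 443, "Safari"),
    ("10.20.30.40", "172.32.0.1", 80, "Updater"),      # 172.32/16 is NOT in 172.16/12
    ("203.0.113.7", "192.168.1.10", 22, "sshd"),
    ("203.0.113.7", "198.51.100.9", 443, "Unknown"),
]


def summarize(flows) -> Counter:
    """Count flows per label; the edge case 172.32.0.1 lands in Outbound."""
    return Counter(classify_flow(src, dst) for src, dst, *_ in flows)


if __name__ == "__main__":
    for src, dst, port, app in SAMPLE_FLOWS:
        print(f"{app:14s} {src:>15s} -> {dst:<15s}:{port:<5d} {classify_flow(src, dst)}")
    print(summarize(SAMPLE_FLOWS))
```

The `172.32.0.1` record is included deliberately: the 172 block is a /12 (172.16.0.0 through 172.31.255.255), and a string prefix check such as `startswith("172.")` would mislabel it as private, which is why the example uses network membership tests.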


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

McNiece, M.R., Li, R., Reaves, B. (2021). Characterizing the Security of Endogenous and Exogenous Desktop Application Network Flows. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_31


  • DOI: https://doi.org/10.1007/978-3-030-72582-2_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2

  • eBook Packages: Computer Science (R0)
