ABSTRACT
Application-level network-traffic classification is important for many security-related tasks in network management. Knowing which application a given flow of network traffic belongs to, network managers can allow or block certain applications in the network (whitelisting/blacklisting), or locate known malicious applications in the network. To support application-level network-traffic classification, network managers require a network signature for each possible application in the network, so that they can match these signatures against the network traffic at runtime to identify which application owns the traffic. The traditional approaches to generating network signatures for applications require either manual inspection of the application or accumulated annotated network traffic of the application. These approaches are no longer efficient enough, given the recent emergence of mobile application markets, where hundreds to thousands of mobile apps are added every day. In this paper, we present a fully automatic tool called NTApps that generates network signatures for the mobile apps in the Android market. NTApps is based on string analysis, and generates network signatures by statically estimating the possible values of network API arguments.
Index Terms
- NTApps: A Network Traffic Analyzer of Android Applications