DOI: 10.1145/3078861.3084175
research-article

NTApps: A Network Traffic Analyzer of Android Applications

Published: 07 June 2017

ABSTRACT

Application-level network-traffic classification is important for many security-related tasks in network management. Knowing which application a given piece of network traffic belongs to lets network managers allow or block certain applications in the network (whitelisting/blacklisting), or locate known malicious applications in the network. To support application-level network-traffic classification, network managers require a network signature for each possible application in the network, so that they can match these signatures against the network traffic at runtime to identify the ownership of the traffic. The traditional approaches to generating network signatures for applications require either manual inspection of the application or accumulated annotated network traffic of the application. These approaches are no longer efficient enough, given the recent emergence of mobile application markets, where hundreds to thousands of mobile apps are added every day. In this paper, we present a fully automatic tool called NTApps to generate network signatures for the mobile apps in the Android market. NTApps is based on string analysis, and generates network signatures by statically estimating the possible values of network API arguments.


Published in

SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies
June 2017
276 pages
ISBN: 9781450347020
DOI: 10.1145/3078861

Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

SACMAT '17 Abstracts paper acceptance rate: 14 of 50 submissions, 28%. Overall acceptance rate: 177 of 597 submissions, 30%.
