DOI: 10.1145/3308558.3313738
research-article

Exploiting Diversity in Android TLS Implementations for Mobile App Traffic Classification

Published: 13 May 2019

Abstract

Network traffic classification is an important tool for network administrators, enabling monitoring and service provisioning. Traditional classification techniques do not work well for mobile app traffic because it lacks unique signatures. Encryption makes the task even harder, since packet content is no longer available to parse. More recent techniques based on statistical analysis of parameters such as packet size and packet arrival time have shown promise; they have been shown to classify traffic from a small number of applications with a high degree of accuracy. However, we show that when applied to a large number of applications, their performance falls short of satisfactory. In this paper, we propose a novel set of bit-sequence-based features which exploit differences in the randomness of data generated by different applications. These differences, which originate from dissimilarities in the encryption implementations used by different applications, leave footprints on the data those applications generate. We validate that these features can differentiate data encrypted with various ciphers (89% accuracy) and key sizes (83% accuracy). Our evaluation shows that such features can not only differentiate traffic originating from different categories of mobile apps (90% accuracy), but can also classify 175 individual applications with 95% accuracy.

Published In

WWW '19: The World Wide Web Conference
May 2019
3620 pages
ISBN:9781450366748
DOI:10.1145/3308558

In-Cooperation

  • IW3C2: International World Wide Web Conference Committee

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. bit-sequence
  2. randomness
  3. traffic classification

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '19: The Web Conference
May 13 - 17, 2019
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%


Cited By

  • (2025) BCBA: An IIoT encrypted traffic classifier based on a serial network model. Future Generation Computer Systems 164 (107603). DOI: 10.1016/j.future.2024.107603. Online publication date: Mar-2025
  • (2025) A graph representation framework for encrypted network traffic classification. Computers & Security 148 (104134). DOI: 10.1016/j.cose.2024.104134. Online publication date: Jan-2025
  • (2025) EAPT: An encrypted traffic classification model via adversarial pre-trained transformers. Computer Networks 257 (110973). DOI: 10.1016/j.comnet.2024.110973. Online publication date: Feb-2025
  • (2024) LAMBERT: Leveraging Attention Mechanisms to Improve the BERT Fine-Tuning Model for Encrypted Traffic Classification. Mathematics 12:11 (1624). DOI: 10.3390/math12111624. Online publication date: 22-May-2024
  • (2024) Can We Create a TLS Lie Detector? Journal of Information Processing 32 (1114-1124). DOI: 10.2197/ipsjjip.32.1114. Online publication date: 2024
  • (2024) Towards a Graph-based Foundation Model for Network Traffic Analysis. Proceedings of the 3rd GNNet Workshop on Graph Neural Networking Workshop (41-45). DOI: 10.1145/3694811.3697817. Online publication date: 9-Dec-2024
  • (2024) A Multi-Scenario Traffic Classification Method Based on Pretrained Encoder and Text Convolutional Neural Network. 2024 IEEE 7th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC) (936-944). DOI: 10.1109/IAEAC59436.2024.10503735. Online publication date: 15-Mar-2024
  • (2024) PETNet: Plaintext-aware encrypted traffic detection network for identifying Cobalt Strike HTTPS traffics. Computer Networks 238 (110120). DOI: 10.1016/j.comnet.2023.110120. Online publication date: Jan-2024
  • (2024) Block Cipher Algorithms Identification Scheme Based on KFDA. Advanced Intelligent Computing Technology and Applications (13-24). DOI: 10.1007/978-981-97-5606-3_2. Online publication date: 5-Aug-2024
  • (2023) BFCN: A Novel Classification Method of Encrypted Traffic Based on BERT and CNN. Electronics 12:3 (516). DOI: 10.3390/electronics12030516. Online publication date: 19-Jan-2023
