DOI: 10.1145/3078861.3084175

NTApps: A Network Traffic Analyzer of Android Applications

Published: 07 June 2017

Abstract

Application-level network-traffic classification is important for many security-related tasks in network management. Knowing which application certain network traffic belongs to, network managers can allow or block certain applications in the network (whitelisting/blacklisting), or locate known malicious applications in the network. To support application-level network-traffic classification, network managers require a network signature for each possible application in the network, so that they can match these signatures against the network traffic at runtime to identify which application the traffic belongs to. The traditional approaches to generating network signatures for applications require either manual inspection of the application or accumulated annotated network traffic of the application. These approaches are no longer efficient enough, given the recent emergence of mobile application markets, where hundreds to thousands of mobile apps are added every day. In this paper, we present a fully automatic tool called NTApps that generates network signatures for the mobile apps in the Android market. NTApps is based on string analysis, and generates network signatures by statically estimating the possible values of network API arguments.
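A simplified illustration of the idea in the abstract, added here and not taken from the paper or the NTApps tool: a statically estimated URL argument is turned into a regular-expression signature and matched against observed request URLs, and signatures with too little literal text are discarded because they would match almost any traffic. The expression format, app names, URLs and the `min_const` threshold are assumptions constructed for this example.

```python
import re

# Constructed toy string expressions for the URL argument of a network API call:
# ("const", s) literal text, ("any",) statically unknown value,
# ("cat", e1, ...) concatenation, ("alt", e1, ...) values from different branches.
APPS = {
    "com.example.weather": ("cat", ("const", "http://api.weather.example/v1/forecast?city="),
                            ("any",), ("const", "&key="), ("any",)),
    "com.example.news": ("cat", ("const", "http://news.example/"),
                         ("alt", ("const", "top"), ("const", "sports")), ("const", ".json")),
    "com.example.opaque": ("cat", ("any",), ("const", "/x")),  # almost nothing known statically
}

def to_regex(expr):
    """Over-approximate the set of strings an expression can evaluate to."""
    kind, args = expr[0], expr[1:]
    if kind == "const":
        return re.escape(args[0])
    if kind == "any":
        return r"\S*"
    if kind == "cat":
        return "".join(to_regex(e) for e in args)
    if kind == "alt":
        return "(?:" + "|".join(to_regex(e) for e in args) + ")"
    raise ValueError(f"unknown node: {kind}")

def const_len(expr):
    """Minimum number of literal characters guaranteed in every possible value."""
    kind, args = expr[0], expr[1:]
    if kind == "const":
        return len(args[0])
    if kind == "any":
        return 0
    if kind == "cat":
        return sum(const_len(e) for e in args)
    if kind == "alt":
        return min(const_len(e) for e in args)
    raise ValueError(f"unknown node: {kind}")

def build_signatures(apps, min_const=8):
    """Keep only signatures with enough literal text to be discriminating."""
    return {app: re.compile(to_regex(e)) for app, e in apps.items()
            if const_len(e) >= min_const}

def classify(url, signatures):
    """Return the apps whose signature matches the whole observed URL."""
    return sorted(app for app, rx in signatures.items() if rx.fullmatch(url))

SIGNATURES = build_signatures(APPS)
```

Without the `min_const` filter, the `com.example.opaque` signature would claim any URL ending in `/x`, which is the false-positive risk of signatures derived from mostly unknown strings.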


Cited By

  • (2021) Understanding Execution Environment of File-Manipulation Scripts by Extracting Pre-Conditions. 2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC), pp. 406-410. DOI: 10.1109/ICPC52881.2021.00048. Online publication date: May-2021
  • (2018) Protecting remote controlling apps of smart-home-oriented IOT devices. Proceedings of the 40th International Conference on Software Engineering: Companion Proceedings, pp. 212-213. DOI: 10.1145/3183440.3195101. Online publication date: 27-May-2018
  • (2017) Keeping the android user aware of past and present network traffic. 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 729-735. DOI: 10.1109/ICACCI.2017.8125928. Online publication date: Sep-2017


Published In

SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies
June 2017
276 pages
ISBN: 9781450347020
DOI: 10.1145/3078861

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. mobile apps
  2. network traffic
  3. string analysis

Qualifiers

  • Research-article

Conference

SACMAT'17

Acceptance Rates

SACMAT '17 Abstracts Paper Acceptance Rate: 14 of 50 submissions, 28%
Overall Acceptance Rate: 177 of 597 submissions, 30%
