File Download
There are no files associated with this item.
Links for fulltext
(May Require Subscription)
- Publisher Website: 10.1145/3133956.3134009
- Scopus: eid_2-s2.0-85041431168
- Find via
Supplementary
-
Citations:
- Scopus: 0
- Appears in Collections:
Conference Paper: Mass discovery of android tra‡ic imprints through instantiated partial execution
| Title | Mass discovery of android tra‡ic imprints through instantiated partial execution |
|---|---|
| Authors | |
| Keywords | ISP Large scale Partial execution Slicing Traffic signature |
| Issue Date | 2017 |
| Citation | Proceedings of the ACM Conference on Computer and Communications Security, 2017, p. 815-828 How to Cite? |
| Abstract | Monitoring network behaviors of mobile applications, controlling their resource access and detecting potentially harmful apps are becoming increasingly important for the security protection within todayffifs organizational, ISP and carriers. For this purpose, apps need to be identified from their communication, based upon their individual tra.c signatures (called imprints in our research). Creating imprints for a large number of apps is nontrivial, due to the challenges in comprehensively analyzing their network activities at a large scale, for millions of apps on todayffifs rapidly-growing app marketplaces. Prior research relies on automatic exploration of an appffifs user interfaces (UIs) to trigger its network activities, which is less likely to scale given the cost of the operation (at least 5 minutes per app) and its e.ectiveness (limited coverage of an appffifs behaviors). In this paper, we present Tiger (Tra.c Imprint Generator), a novel technique that makes comprehensive app imprint generation possible in a massive scale. At the center of Tiger is a unique instantiated slicing technique, which aggressively prunes the program slice extracted from the appffifs network-related code by evaluating each variableffifs impact on possible network invariants, and removing those unlikely to contribute through assigning them concrete values. In this way, Tiger avoids exploring a large number of program paths unrelated to the appffifs identifiable tra.c, thereby reducing the cost of the code analysis by more than one order of magnitude, in comparison with the conventional slicing and execution approach. Our experiments show that Tiger is capable of recovering an appffifs full network activities within 18 seconds, achieving over 98% coverage of its identifiable packets and 0.742% false detection rate on app identification. Further running the technique on over 200,000 real-world Android apps (including 78.23% potentially harmful apps) leads to the discovery of surprising new types of traffic invariants, including fake device information, hardcoded time values, session IDs and credentials, as well as complicated trigger conditions for an app's network activities, such as human involvement, Intent trigger and server-side instructions. Our .ndings demonstrate that many network activities cannot easily be invoked through automatic UI exploration and code-analysis based approaches present a promising alternative. |
| Persistent Identifier | http://hdl.handle.net/10722/350218 |
| ISSN | 2023 SCImago Journal Rankings: 1.430 |
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Chen, Yi | - |
| dc.contributor.author | You, Wei | - |
| dc.contributor.author | Lee, Yeonjoon | - |
| dc.contributor.author | Chen, Kai | - |
| dc.contributor.author | Wang, Xiao Feng | - |
| dc.contributor.author | Zou, Wei | - |
| dc.date.accessioned | 2024-10-21T04:35:08Z | - |
| dc.date.available | 2024-10-21T04:35:08Z | - |
| dc.date.issued | 2017 | - |
| dc.identifier.citation | Proceedings of the ACM Conference on Computer and Communications Security, 2017, p. 815-828 | - |
| dc.identifier.issn | 1543-7221 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/350218 | - |
| dc.description.abstract | Monitoring network behaviors of mobile applications, controlling their resource access and detecting potentially harmful apps are becoming increasingly important for the security protection within todayffifs organizational, ISP and carriers. For this purpose, apps need to be identified from their communication, based upon their individual tra.c signatures (called imprints in our research). Creating imprints for a large number of apps is nontrivial, due to the challenges in comprehensively analyzing their network activities at a large scale, for millions of apps on todayffifs rapidly-growing app marketplaces. Prior research relies on automatic exploration of an appffifs user interfaces (UIs) to trigger its network activities, which is less likely to scale given the cost of the operation (at least 5 minutes per app) and its e.ectiveness (limited coverage of an appffifs behaviors). In this paper, we present Tiger (Tra.c Imprint Generator), a novel technique that makes comprehensive app imprint generation possible in a massive scale. At the center of Tiger is a unique instantiated slicing technique, which aggressively prunes the program slice extracted from the appffifs network-related code by evaluating each variableffifs impact on possible network invariants, and removing those unlikely to contribute through assigning them concrete values. In this way, Tiger avoids exploring a large number of program paths unrelated to the appffifs identifiable tra.c, thereby reducing the cost of the code analysis by more than one order of magnitude, in comparison with the conventional slicing and execution approach. Our experiments show that Tiger is capable of recovering an appffifs full network activities within 18 seconds, achieving over 98% coverage of its identifiable packets and 0.742% false detection rate on app identification. Further running the technique on over 200,000 real-world Android apps (including 78.23% potentially harmful apps) leads to the discovery of surprising new types of traffic invariants, including fake device information, hardcoded time values, session IDs and credentials, as well as complicated trigger conditions for an app's network activities, such as human involvement, Intent trigger and server-side instructions. Our .ndings demonstrate that many network activities cannot easily be invoked through automatic UI exploration and code-analysis based approaches present a promising alternative. | - |
| dc.language | eng | - |
| dc.relation.ispartof | Proceedings of the ACM Conference on Computer and Communications Security | - |
| dc.subject | ISP | - |
| dc.subject | Large scale | - |
| dc.subject | Partial execution | - |
| dc.subject | Slicing | - |
| dc.subject | Traffic signature | - |
| dc.title | Mass discovery of android tra‡ic imprints through instantiated partial execution | - |
| dc.type | Conference_Paper | - |
| dc.description.nature | link_to_subscribed_fulltext | - |
| dc.identifier.doi | 10.1145/3133956.3134009 | - |
| dc.identifier.scopus | eid_2-s2.0-85041431168 | - |
| dc.identifier.spage | 815 | - |
| dc.identifier.epage | 828 | - |