Cong Wang,Yanru Xiao,Xing Gao,Li,Jun Wang

DOI: https://doi.org/10.1145/3343031.3350904

2019-01-01

Abstract:Pre-trained deep learning models can be deployed on mobile devices to conduct inference. However, they are usually not updated thereafter. In this paper, we take a step further to incorporate training deep neural networks on battery-powered mobile devices and overcome the difficulties from the lack of labeled data. We design and implement a new framework to enlarge sample space via data paring and learn a deep metric under the privacy, memory and computational constraints. A case study of deep behavioral authentication is conducted. Our experiments demonstrate accuracy over 95% on three public datasets, a sheer 15% gain from traditional multi-class classification with less data and robustness against brute-force attacks with 99% success. We demonstrate the training performance on various smartphone models, where training 100 epochs takes less than 10 mins and can be boosted 3-5 times with feature transfer. We also profile memory, energy and computational overhead. Our results indicate that training consumes lower energy than watching videos so can be scheduled intermittently on mobile devices.

Hao Pan,Lanqing Yang,Honglu Li,Chuang-Wen You,Xiaoyu Ji,Yi-Chao Chen,Zhenxian Hu,Guangtao Xue

DOI: https://doi.org/10.1109/secon52354.2021.9491601

2021-01-01

Abstract:Various characteristics of mobile applications (apps) and associated in-app services have been used reveal potentially-sensitive user information; however, privacy concerns have prompted third-party apps to rigorously restrict access to data related to mobile app usage. This paper outlines a novel approach to the extraction of detailed app usage information based on analysis of the electromagnetic (EM) signals emitted from mobile devices when executing app-related tasks. Note that this type of EM leakage becomes high-complex when multiple apps are used simultaneously and is subject to interference from geomagnetic signals generated by device movement. This paper proposes a deep learning-based multi-label classification system to identify apps and in-app services based on magnetometer readings. The proposed MAGTHIEF system uses accelerometer and gyroscope data to cancel out the offset in geomagnetic signals followed by an elaborate deep region convolution neural network (DRCNN) to differentiate among multiple apps and the corresponding inapp services. Experiments on 50 apps demonstrated the efficacy of MAGTHIEF in identifying multiple apps and in-app services, achieving high average macro F1 scores of 0.87 and 0.95, respectively. MAGTHIEF also achieved time duration accuracy of 89.5% in recognizing app trajectory in the real-world scene.

Wang Cong,Xiao Yanru,Gao Xing,Li Li,Wang Jun

2020-01-01

Abstract: The fast-growing smart applications on mobile devices leverage pre-trained deep learning models for inference. However, the models are usually not updated thereafter. This leaves a big gap to adapt the new data distributions. In this paper, we take a step further to incorporate training deep neural networks on battery-powered mobile devices. We identify several challenges from performance and privacy that hinder effective learning in a dynamic mobile environment. We re-formulate the problem as metric learning to tackle overfitting and enlarge sample space via data paring under the memory constraints. We also make the scheme robust against side-channel attacks and run-time fluctuations. A case study based on deep behavioral authentication is conducted. The experiments demonstrate accuracy over 95% on three public datasets, a sheer 15% gain from multi-class classification with less data and robustness against brute-force and side-channel attacks with 99% and 90% success, respectively. We show the feasibility of training with mobile CPUs, where training 100 epochs takes less than 10 mins and can be boosted 3-5 times with feature transfer. Finally, we profile memory, energy and computational overhead. Our results indicate that training consumes lower energy than watching videos and slightly higher energy than playing games.

Mao Tian,Peng Chang,Yafei Sang,Yongzheng Zhang,Shuhao Li

DOI: https://doi.org/10.1109/ict.2019.8798799

2019-04-01

Abstract:The expanding volume of HTTPS traffic (both legitimate and malicious) creates even more challenges for mobile network security and management. In this work, we propose AIBMF(Application Identification Based on Multi-view Features), a fine-grained approach to classify HTTPS traffic by their application type. The key idea of AIBMF is to combine three kinds of features—payload convolution features, packet size sequence and packet content type sequence. Based on these different view features, a deep learning model (using CNN, embedding and RNN) is constructed for HTTPS traffic identification task. To evaluate the effectiveness of AIBMF, we run a comprehensive set of experiments on a real-world dataset (about 100,000+ flows), which shows that our approach achieves 96.06% accuracy and outperforms the state-of-the-art method (3.6% on F1 score).

Haonan Peng,Chunming Wu,Yanfeng Xiao

DOI: https://doi.org/10.3390/app132111629

2023-01-01

Applied Sciences

Abstract:The importance of network security has become increasingly prominent due to the rapid development of network technology. Network intrusion detection systems (NIDSs) play a crucial role in safeguarding networks from malicious attacks and intrusions. However, the issue of class imbalance in the dataset presents a significant challenge to NIDSs. In order to address this concern, this paper proposes a new NIDS called CBF-IDS, which combines convolutional neural networks (CNNs) and bidirectional long short-term memory networks (BiLSTMs) while employing the focal loss function. By utilizing CBF-IDS, spatial and temporal features can be extracted from network traffic. Moreover, during model training, CBF-IDS applies the focal loss function to give more weight to minority class samples, thereby mitigating the impact of class imbalance on model performance. In order to evaluate the effectiveness of CBF-IDS, experiments were conducted on three benchmark datasets: NSL-KDD, UNSW-NB15, and CIC-IDS2017. The experimental results demonstrate that CBF-IDS outperforms other classification models, achieving superior detection performance.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Minghao Jiang,Mingxin Cui,Chang Liu,Gaopeng Gou,Gang Xiong,Zhen Li

DOI: https://doi.org/10.1016/j.comnet.2023.109728

IF: 5.493

2023-03-30

Computer Networks

Abstract:Mobile-app identification over encrypted network traffic plays a vital role in network management, cyberspace security, and advertising analysis. Combining machine learning algorithms and traffic features is the mainstream approach, which assumes the training and test traffic is independent and identically distributed ( i.i.d ). However, the distribution of test flows could drift due to the updating app, diverse mobile platforms, and regions, resulting in low accuracy. Existing methods relabel the non- i.i.d traffic manually and retrain the model from scratch, which takes lots of human effort and thus limits deployment. In this paper, we propose a Flow Domain Adaptation Neural Network (FDAN) to improve the accuracy in identifying mobile apps over non- i.i.d traffic under zero-relabeling. FDAN transforms the drifted test flows into approximate i.i.d samples by reducing the differences between traffic distributions in a trainable feature space. Specifically, we adopt two domain discriminators and a feature generator to strengthen the feature's invariance under an adversarial loss. An app predictor is used to enhance the discrimination with supervised data from the source domain. We conduct extensive experiments on public and private datasets, including changing app versions, platforms, and regions. With theoretical guarantees, our FDAN achieves a remarkable improvement (7.8% ∼47%↑ in F1 ) with zero-relabeling and outperforms other comparisons.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1109/access.2020.3029190

IF: 3.9

2020-01-01

IEEE Access

Abstract:The proliferation of handheld devices has led to an explosive growth of mobile traffic volumes on the Internet. Identifying mobile apps from network traffic has become a crucial task for mobile network management and security. Traditionally, the design of accurate identifiers relies on the deep packet inspection (DPI) techniques. However, such approaches have become less effective with the raising adoption of encrypted protocols in mobile applications (mostly TLS). To address the problem, various machine learning methods have been studied and used. Most of them use linear classifiers on top of hand-engineered features, which are unreliable due to the complexity of mobile traffic. In this article we propose App-Net, an end-to-end hybrid neural network for mobile app identification from encrypted TLS traffic. App-Net is designed by combining RNN and CNN in a parallel way and can automatically learn effective features from raw TLS flows. With coordinated fusion and optimized training, the hybrid and multimodal architecture is able to characterize both flow sequence patterns and app signatures to learn a joint flow-app embedding. We evaluate App-Net on a real-world dataset covering 80 apps. The results show that our method can achieve an excellent performance and outperform the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shahbaz Rezaei,Bryce Kroencke,Xin Liu

DOI: https://doi.org/10.1109/access.2019.2962018

IF: 3.9

2020-01-01

IEEE Access

Abstract:Many network services and tools (e.g. network monitors, malware-detection systems, routing and billing policy enforcement modules in ISPs) depend on identifying the type of traffic that passes through the network. With the widespread use of mobile devices, the vast diversity of mobile apps, and the massive adoption of encryption protocols (such as TLS), large-scale encrypted traffic classification becomes increasingly difficult. In this paper, we propose a deep learning model for mobile app identification that works even with encrypted traffic. The proposed model only needs the payload of the first few packets for classification, and, hence, it is suitable even for applications that rely on early prediction, such as routing and QoS provisioning. The deep model achieves between 84% to 98% accuracy for the identification of 80 popular apps. We also perform occlusion analysis to bring insight into what data is leaked from SSL/TLS protocol that allows accurate app identification. Moreover, our traffic analysis shows that many apps generate not only app-specific traffic, but also numerous ambiguous flows. Ambiguous flows are flows generated by common functionality modules, such as advertisement and traffic analytics. Because such flows are common among many different apps, identifying the source app that generates ambiguous flows is challenging. To address this challenge, we propose a CNN+LSTM model that uses adjacent flows to learn the order and pattern of multiple flows, to better identify the app that generates them. We show that such flow association considerably improves the accuracy, particularly for ambiguous flows. Furthermore, we show that our approach is robust to mixed traffic scenarios where some unrelated flows may appear in adjacent flows. To the best of our knowledge, this is the first work that identifies the source app for ambiguous flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Gang Zhang,Hao Li,Zhenxiang Chen,Lizhi Peng,Yuhui Zhu,Chuan Zhao

DOI: https://doi.org/10.1109/trustcom53373.2021.00097

2021-01-01

Abstract:Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase on the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of datareduce more than 3x to obtain better detection performance, which effectively solves the temporal bias.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1155/2020/4707909

2020-02-19

Wireless Communications and Mobile Computing

Abstract:The proliferation of mobile devices over recent years has led to a dramatic increase in mobile traffic. Demand for enabling accurate mobile app identification is coming as it is an essential step to improve a multitude of network services: accounting, security monitoring, traffic forecasting, and quality-of-service. However, traditional traffic classification techniques do not work well for mobile traffic. Besides, multiple machine learning solutions developed in this field are severely restricted by their handcrafted features as well as unreliable datasets. In this paper, we propose a framework for real network traffic collection and labeling in a scalable way. A dedicated Android traffic capture tool is developed to build datasets with perfect ground truth. Using our established dataset, we make an empirical exploration on deep learning methods for the task of mobile app identification, which can automate the feature engineering process in an end-to-end fashion. We introduce three of the most representative deep learning models and design and evaluate our dedicated classifiers, namely, a SDAE, a 1D CNN, and a bidirectional LSTM network, respectively. In comparison with two other baseline solutions, our CNN and RNN models with raw traffic inputs are capable of achieving state-of-the-art results regardless of TLS encryption. Specifically, the 1D CNN classifier obtains the best performance with an accuracy of 91.8% and macroaverage F -measure of 90.1%. To further understand the trained model, sample-specific interpretations are performed, showing how it can automatically learn important and advanced features from the uppermost bytes of an app’s raw flows.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Ding Li,Wenzhong Li,Xiaoliang Wang,Cam-Tu Nguyen,Sanglu Lu

DOI: https://doi.org/10.1016/j.comnet.2020.107372

IF: 5.493

2020-01-01

Computer Networks

Abstract:Despite the increasing popularity of mobile applications and the widespread adoption of encryption techniques, mobile devices are still susceptible to security and privacy risks. In this paper, we propose ActiveTracker, a new type of sniffing attack that can reveal the fine-grained trajectory of userâs mobile app usage from a sniffed encrypted Internet traffic stream. It firstly adopts a sliding window based approach to divide the encrypted traffic stream into a sequence of segments corresponding to different app activities. Then each traffic segment is represented by a normalized temporal-spacial traffic matrix and a traffic spectrum vector. Based on the normalized representation, a deep neural network (DNN) model which consists of an app filter and an activity classifier is developed to extract comprehensive features from the input and uncover the crucial app usage trajectory conducted by the user. By extensive experiments on real-world app usage traffic collected from volunteers and on our synthetic traffic data, we show that the proposed approach achieves up to 79.65% accuracy in recognizing app trajectory over encrypted traffic streams.

Gaofeng He,Bingfeng Xu,Lu Zhang,Haiting Zhu

DOI: https://doi.org/10.1177/1550147718817292

IF: 1.938

2018-12-01

International Journal of Distributed Sensor Networks

Abstract:Mobile application (simply “app”) identification at a per-flow granularity is vital for traffic engineering, network management, and security practices. However, uncertainty is caused by a growing fraction of encrypted traffic such as Hypertext Transfer Protocol Secure. To address this challenge, we have carefully analyzed mobile app traffic (mainly including Domain Name System, Hypertext Transfer Protocol, and encrypted traffic such as Secure Sockets Layer and Transport Layer Security) and observed that (1) the sets of server hostnames queried by different apps are distinguishable; (2) mobile apps may query multiple server hostnames simultaneously, that is, apps may send several Domain Name System lookups within a short time interval; and (3) the encrypted traffic may be similar to various other network flows generated by the same app. Based on these three observations, in this article, we propose a novel app identification methodology for encrypted network flows. To be specific, temporal, lexical, and metadata similarity are investigated to select correlated traffic and information retrieving techniques are adopted to identify apps. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 95%, and the proposed methods have low storage requirements as well as fast training speeds.

computer science, information systems,telecommunications

Madushi H Pathmaperuma,Yogachandran Rahulamathavan,Safak Dogan,Ahmet M Kondoz

DOI: https://doi.org/10.3390/s22197643

2022-10-09

Abstract:Despite the widespread use of encryption techniques to provide confidentiality over Internet communications, mobile device users are still susceptible to privacy and security risks. In this paper, a novel Deep Neural Network (DNN) based on a user activity detection framework is proposed to identify fine-grained user activities performed on mobile applications (known as in-app activities) from a sniffed encrypted Internet traffic stream. One of the challenges is that there are countless applications, and it is practically impossible to collect and train a DNN model using all possible data from them. Therefore, in this work, we exploit the probability distribution of a DNN output layer to filter the data from applications that are not considered during the model training (i.e., unknown data). The proposed framework uses a time window-based approach to divide the traffic flow of activity into segments so that in-app activities can be identified just by observing only a fraction of the activity-related traffic. Our tests have shown that the DNN-based framework has demonstrated an accuracy of 90% or above in identifying previously trained in-app activities and an average accuracy of 79% in identifying previously untrained in-app activity traffic as unknown data when this framework is employed.

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhouz,Yipeng Wang,Yuan Zhou

DOI: https://doi.org/10.1109/icnp.2019.8888043

2019-10-01

Abstract:With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

TianYue Liu,HongQi Zhang,HaiXia Long,Jinmei Shi,YuHua Yao

DOI: https://doi.org/10.1038/s41598-022-18402-6

2022-08-17

Abstract:Deep learning technology is changing the landscape of cybersecurity research, especially the study of large amounts of data. With the rapid growth in the number of malware, developing of an efficient and reliable method for classifying malware has become one of the research priorities. In this paper, a new method, BIR-CNN, is proposed to classify of Android malware. It combines convolution neural network (CNN) with batch normalization and inception-residual (BIR) network modules by using 347-dim network traffic features. CNN combines inception-residual modules with a convolution layer that can enhance the learning ability of the model. Batch Normalization can speed up the training process and avoid over-fitting of the model. Finally, experiments are conducted on the publicly available network traffic dataset CICAndMal2017 and compared with three traditional machine learning algorithms and CNN. The accuracy of BIR-CNN is 99.73% in binary classification (2-classifier). Moreover, the BIR-CNN can classify malware by its category (4-classifier) and malicious family (35-classifier), with a classification accuracy of 99.53% and 94.38%, respectively. The experimental results show that the proposed model is an effective method for Android malware classification, especially in malware category and family classifier.

Yanfang Ye,Shifu Hou,Lingwei Chen,Jingwei Lei,Wenqiang Wan,Jiabin Wang,Qi Xiong,Fudong Shao

DOI: https://doi.org/10.48550/arXiv.1811.01027

2019-05-21

Abstract:The explosive growth and increasing sophistication of Android malware call for new defensive techniques that are capable of protecting mobile users against novel threats. In this paper, we first extract the runtime Application Programming Interface (API) call sequences from Android apps, and then analyze higher-level semantic relations within the ecosystem to comprehensively characterize the apps. To model different types of entities (i.e., app, API, IMEI, signature, affiliation) and the rich semantic relations among them, we then construct a structural heterogeneous information network (HIN) and present meta-path based approach to depict the relatedness over apps. To efficiently classify nodes (e.g., apps) in the constructed HIN, we propose the HinLearning method to first obtain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings at the first attempt. Afterwards, we design a deep neural network (DNN) classifier taking the learned HIN representations as inputs for Android malware detection. A comprehensive experimental study on the large-scale real sample collections from Tencent Security Lab is performed to compare various baselines. Promising experimental results demonstrate that our developed system AiDroid which integrates our proposed method outperforms others in real-time Android malware detection. AiDroid has already been incorporated into Tencent Mobile Security product that serves millions of users worldwide.

Cryptography and Security,Machine Learning