FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

Thijs van Ede, Riccardo Bortolameotti, Andrea Continella, Jingjing Ren, Daniel J. Dubois, Martina Lindorfer, David Choffnes, Maarten van Steen and Andreas Peter


SLIDE 1

UNIVERSITY OF TWENTE

FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

Thijs van Ede, Riccardo Bortolameotti, Andrea Continella, Jingjing Ren, Daniel J. Dubois, Martina Lindorfer, David Choffnes, Maarten van Steen and Andreas Peter

Contact: t.s.vanede@utwente.nl

SLIDE 12

Monitoring network traffic

[Figure labels: Internet; Analytics, Advertisement, Authentication, CDN, Firebase, ...]

  • Apps communicate with the internet
  • Can we infer mobile app usage from network traffic?
  • Traffic is encrypted
  • Apps consist of modules
  • Modules are shared by apps, leading to homogeneous traffic
  • Generated traffic depends on dynamic user input
  • Apps on the device evolve over time
    ○ Removal
    ○ Installation
    ○ Update

Can we infer mobile app usage from network traffic without prior knowledge of installed apps?

SLIDE 20

Intuition

Apps are composed of a unique set of modules that each communicate with a relatively invariable set of network destinations

[Figure: App X (modules: Analytics, Advertisement, CDN, Core logic) and App Y (modules: Advertisement, Authentication, CDN, Firebase); network destinations: CDN, Ad network, Authentication, Firebase, CDN, Analytics, Server X]

How do we extract these patterns without prior knowledge of the apps?

SLIDE 21

FlowPrint - Overview

SLIDE 22

FlowPrint - Feature extraction

For each flow in the network, we extract

  • Originating device
  • Destination (IP, port)-tuple
  • TLS certificate
  • Timestamps

SLIDE 25

FlowPrint - Clustering

In 5-minute batches, we cluster flows by network destination:

  • Destination (IP, port)-tuple or
  • TLS certificate
  • Some of these clusters are shared
SLIDE 30

FlowPrint - Cross-correlation

  • Network destinations that are active together likely belong to the same app
  • Compute correlation based on activity
SLIDE 33

FlowPrint - Fingerprinting

  • Remove weak correlations in graph
  • Find cliques of strongly correlated clusters
  • Extract fingerprints as the set of destinations
    ○ Destination (IP, port)-tuple
    ○ TLS certificate

SLIDE 35

FlowPrint - Fingerprint matching

  • Fingerprints are a set of destinations
    ○ Destination (IP, port)-tuple
    ○ TLS certificate
  • Compare using the Jaccard similarity
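
The clustering, cross-correlation, fingerprinting and matching steps from the slides, as an added Python sketch (not the FlowPrint project's code or API). Only the 5-minute batch, the (IP, port)/TLS-certificate destinations, the cliques and the Jaccard comparison come from the slides; the 30-second activity slots, the correlation measure, both 0.5 thresholds and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

BATCH, SLOT, MIN_CORR, MIN_SIM = 300, 30, 0.5, 0.5  # only the 5-minute batch is from the slides

def clusters(flows):
    """Merge flows that share a destination (IP, port) tuple or a TLS certificate."""
    parent = {}
    def find(k):  # union-find root lookup
        while parent.setdefault(k, k) != k:
            k = parent[k]
        return k
    for _, ip, port, cert in flows:
        if cert:
            parent[find((ip, port))] = find(cert)
    dests, active = defaultdict(set), defaultdict(set)
    for ts, ip, port, cert in flows:
        root = find((ip, port))
        dests[root] |= {(ip, port)} | ({cert} if cert else set())
        active[root].add(ts // SLOT)  # time slots in which the cluster saw traffic
    return dests, active

def corr(a, b):  # assumed measure: normalised overlap of two clusters' active slots
    return len(a & b) / (len(a) * len(b)) ** 0.5

def cliques(adj, r=frozenset(), p=None, x=frozenset()):  # Bron-Kerbosch, maximal cliques
    p = frozenset(adj) if p is None else p
    if not p and not x:
        yield r
    for v in list(p):
        yield from cliques(adj, r | {v}, p & adj[v], x & adj[v])
        p, x = p - {v}, x | {v}

def fingerprints(flows):
    """Per (device, batch): destination set of each clique of clusters with corr >= MIN_CORR."""
    batches, out = defaultdict(list), {}
    for dev, ts, *dst in flows:
        batches[dev, ts // BATCH].append((ts, *dst))
    for key, batch in batches.items():
        dests, act = clusters(batch)
        adj = {a: {b for b in dests if b != a and corr(act[a], act[b]) >= MIN_CORR} for a in dests}
        out[key] = [frozenset().union(*(dests[c] for c in q)) for q in cliques(adj)]
    return out

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def match(fp, known):  # known: {app name: fingerprint}; None means previously unseen
    best = max(known, key=lambda n: jaccard(fp, known[n]), default=None)
    return best if best is not None and jaccard(fp, known[best]) >= MIN_SIM else None

# Constructed sample, one device: app X flows at t=0,30,60 s; app Y at t=180,210,240 s.
APP_X = [("203.0.113.10", 443, "cert:cdn"), ("198.51.100.5", 443, "cert:stats"), ("192.0.2.7", 8443, None)]
APP_Y = [("203.0.113.11", 443, "cert:cdn"), ("198.51.100.9", 443, "cert:ads"), ("192.0.2.20", 443, "cert:push")]
FLOWS = ([("phone", t, *d) for t in (0, 30, 60) for d in APP_X]
         + [("phone", t, *d) for t in (180, 210, 240) for d in APP_Y])
```

In the sample, the two CDN addresses merge into one cluster through their shared certificate, and that shared cluster ends up in both apps' fingerprints while the app-specific destinations keep the two fingerprints apart.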
SLIDE 39

Evaluation

  • How well does our approach work?
    ○ Recognizing known apps
    ○ Detecting previously unseen apps
  • Datasets

Dataset Encrypted Homogeneous Dynamic Evolving Malicious Cross Platform ✔ ✔ ✔ ReCon ✔ ✔ ✔ Andrubis ✔ ✔ ✔

SLIDE 41

Evaluation - Recognizing known apps

  • Stable performance if number of apps increases
  • Compared FlowPrint with supervised approach AppScanner
    ○ F1-score of 0.89 vs 0.58
    ○ Precision of 0.92 vs 0.88
    ○ Recall of 0.89 vs 0.50

[Figure label: Apps per device]

SLIDE 44

Evaluation - Detecting previously unknown apps

  • Good performance in detecting and isolating previously unseen apps
  • Low number of flows gives worse performance
    ○ Low code coverage
  • No observable difference between benign and malicious apps

[Figure label: Apps per device]

SLIDE 45

Conclusion

FlowPrint isolates apps within encrypted network traffic without requiring prior knowledge

  • Performs better than supervised detectors
  • Requires no training
  • Recognizes known apps
  • Isolates and detects previously unseen apps

https://github.com/Thijsvanede/FlowPrint

SLIDE 46

Questions?

Thijs van Ede
t.s.vanede@utwente.nl
@EdeThijs

SLIDE 47

FlowPrint - Browser Isolation

  • Browser shows fewer repeatable patterns
  • Each website has its own fingerprint
  • Isolate browser using Random Forest
    ○ Relative change in active clusters
    ○ Relative change in bytes uploaded
    ○ Relative change in bytes downloaded
    ○ Relative change in upload/download ratio

SLIDE 48

Different app versions

SLIDE 49

Changing features

SLIDE 50

Fingerprints per app

SLIDE 51

Execution time