Detecting Information Theft Based on Mobile Network Flows for Android Users

With the widespread use of smartphones, more and more malicious attacks involve information leakage from apps installed on users' devices. The adversary typically uses malware as a client to take remote control of the smartphone, and leverages operating-system vulnerabilities to send the collected information back without the user's permission. All of this information has to be transferred as network traffic. In this paper, we consider that different apps may generate different network flows through different operations, and that the "shapes" of benign flows and malicious ones will differ. We therefore propose a detection model based on an analysis of the relationships between behavior patterns and network flows, which uses the Random Forest machine learning algorithm to classify network flows as benign or malicious. To improve the controllability of the experiment, we design an app called Moledroid that simulates malware by uploading the user's private data without authorization; in addition, we can change the app's behavior pattern to complete our evaluation. Finally, we run this app and several benign apps to generate traffic and detect the malicious network flows. The results show that our detection model achieves precision and accuracy higher than 95%, which demonstrates that the model is suitable for detecting the network flows of information theft.
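The flow-shape classification the abstract describes, as an added example that is not the paper's code: per-flow shape features (packet count, bytes in each direction, upload ratio, mean upstream packet size, mean inter-packet gap) are extracted from constructed synthetic flows, and a small pure-Python random forest of decision stumps is trained to label flows as benign or malicious. The feature set, the synthetic exfiltration/fetch flow generator and every name here are assumptions, not the paper's.

```python
import random
# Packet = (timestamp_s, direction, size_bytes); direction +1 = device -> server, -1 = reverse.
# Feature set and synthetic flows below are assumptions for this example, not the paper's.
def flow_features(pkts):
    """Summarise a flow's shape: volume, direction balance, upstream packet size, timing."""
    up = [s for _, d, s in pkts if d > 0]
    down = [s for _, d, s in pkts if d < 0]
    ts = [t for t, _, _ in pkts]
    gaps = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    total = sum(up) + sum(down)
    return [len(pkts), sum(up), sum(down), sum(up) / total if total else 0.0,
            sum(up) / len(up) if up else 0.0, sum(gaps) / len(gaps)]

def make_flow(rng, malicious):
    """Constructed flow: exfiltration = large uploads with tiny acks; benign = small requests, large downloads."""
    pkts, t = [], 0.0
    for _ in range(rng.randint(20, 40) if malicious else rng.randint(4, 8)):
        t += rng.uniform(0.01, 0.05)
        pkts.append((t, +1, rng.randint(900, 1400) if malicious else rng.randint(60, 300)))
        t += rng.uniform(0.01, 0.05)
        pkts.append((t, -1, rng.randint(40, 60) if malicious else rng.randint(800, 1400)))
    return pkts

def train_forest(X, y, n_trees=25, seed=1):
    """Random forest of decision stumps: each tree gets a bootstrap sample and one random feature."""
    rng, forest = random.Random(seed), []
    for _ in range(n_trees):
        rows = [rng.randrange(len(X)) for _ in X]
        f = rng.randrange(len(X[0]))
        vals = sorted({X[i][f] for i in rows})
        best = (-1.0, f, 0.0, True)  # (accuracy, feature, threshold, malicious_if_above)
        for thr in [(a + b) / 2 for a, b in zip(vals, vals[1:])]:
            acc = sum((X[i][f] > thr) == y[i] for i in rows) / len(rows)
            for a, above in ((acc, True), (1 - acc, False)):  # try both split orientations
                if a > best[0]:
                    best = (a, f, thr, above)
        forest.append(best[1:])
    return forest

def predict(forest, x):
    """Majority vote of the stumps; 1 = malicious."""
    votes = sum((x[f] > thr) == above for f, thr, above in forest)
    return int(2 * votes > len(forest))

def evaluate(seed=7, n_train=40, n_test=20):
    """Train on constructed flows; return (accuracy on fresh constructed flows, forest)."""
    rng = random.Random(seed)
    data = [(flow_features(make_flow(rng, i % 2)), i % 2) for i in range(n_train + n_test)]
    forest = train_forest([d[0] for d in data[:n_train]], [d[1] for d in data[:n_train]])
    hits = sum(predict(forest, fx) == lab for fx, lab in data[n_train:])
    return hits / n_test, forest
```

The inter-packet gap feature is deliberately identical in both synthetic classes, so it shows how the vote across trees tolerates an uninformative feature.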
