
DeviceWatch: A Data-Driven Network Analysis Approach to Identifying Compromised Mobile Devices with Graph-Inference

Published: 07 November 2022

Abstract

We propose to identify compromised mobile devices from a network administrator's point of view. Intuitively, inadvertent users (and thus their devices) who download apps through untrustworthy markets are often lured into installing malicious apps through in-app advertisements or phishing. We thus hypothesize that devices sharing similar apps have a similar likelihood of being compromised, resulting in an association between a compromised device and its apps. We propose to leverage such associations to identify unknown compromised devices using the guilt-by-association principle. Admittedly, such associations can be relatively weak, since it is hard, if not impossible, for an app to automatically download and install other apps without explicit user initiation. We describe how such associations can be magnified by carefully choosing parameters when applying graph-based inference. We empirically evaluate the effectiveness of our approach on real datasets provided by a major mobile service provider. Specifically, we show that our approach achieves nearly 98% AUC (area under the ROC curve) and further detects 6 to 7 times as many new compromised devices not covered by the ground truth, by expanding the limited knowledge of known devices. We show that the newly detected devices indeed exhibit undesirable behavior in terms of leaking private information and accessing risky IPs and domains. We further conduct an in-depth analysis of the effectiveness of graph inference to understand the unique structure of the associations between mobile devices and their apps and its impact on graph inference, based on which we propose how to choose the key parameters.
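The guilt-by-association idea in the abstract, as an added illustration that is not the paper's code: the abstract does not specify the exact inference method, so a plain label-propagation pass over a device-app bipartite graph is assumed here, and the device/app data, the seed labels and the `alpha` parameter are constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not the paper's dataset):
# the set of apps observed on each device, e.g. from network fingerprints.
INSTALLS = {
    "dev1": {"appA", "appB"},
    "dev2": {"appA", "appC"},
    "dev3": {"appC", "appD"},
    "dev4": {"appE"},
    "dev5": {"appB", "appC"},
}
KNOWN_COMPROMISED = {"dev1"}  # ground-truth seed (constructed)
KNOWN_CLEAN = {"dev4"}        # ground-truth negative (constructed)


def propagate(installs, compromised, clean, alpha=0.85, iters=50):
    """Label propagation over the device-app bipartite graph (assumed method).

    Scores flow device -> app -> device each round. `alpha` weights the
    neighbourhood signal against the device's own prior; raising it
    magnifies weak device/app associations, which is the kind of
    parameter choice the abstract refers to. Labelled devices are
    clamped to their known value after every round.
    """
    devices_of = defaultdict(set)
    for dev, apps in installs.items():
        for app in apps:
            devices_of[app].add(dev)
    prior = {d: 1.0 if d in compromised else 0.0 for d in installs}
    score = dict(prior)
    for _ in range(iters):
        # an app's score is the mean score of the devices carrying it
        app_score = {app: sum(score[d] for d in devs) / len(devs)
                     for app, devs in devices_of.items()}
        new = {}
        for dev, apps in installs.items():
            from_apps = sum(app_score[a] for a in apps) / len(apps)
            new[dev] = alpha * from_apps + (1 - alpha) * prior[dev]
        new.update({d: 1.0 for d in compromised})
        new.update({d: 0.0 for d in clean})
        score = new
    return score


def rank_unknown(score, compromised, clean):
    """Unlabelled devices, most suspicious first."""
    unknown = [d for d in score if d not in compromised | clean]
    return sorted(unknown, key=lambda d: score[d], reverse=True)


def newly_flagged(score, compromised, clean, threshold=0.2):
    """Devices outside the ground truth whose score crosses the threshold."""
    return {d for d in rank_unknown(score, compromised, clean)
            if score[d] >= threshold}
```

Devices that share an app with the seed (dev2, dev5) rank above one that only shares an app with them (dev3), and the threshold decides how far beyond the ground truth the flagged set is expanded.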


Published In

ACM Transactions on Privacy and Security, Volume 26, Issue 1, February 2023, 342 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3561959

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 07 November 2022
Online AM: 25 August 2022
Accepted: 17 August 2022
Revised: 21 June 2022
Received: 19 January 2021
Published in TOPS Volume 26, Issue 1

Author Tags

1. Compromised device
2. mobile traffic analysis
3. graph inference

Qualifiers

• Research-article
• Refereed
