Stanislav Miskovic

The Online Tracking Horde: A View from Passive Measurements

During the visit to any website, the average internaut may face scripts that upload personal information to so called online trackers, invisible third party services that collect information about users and profile them. This is no news, and many works in the past tried to measure the extensiveness of this phenomenon. All of them ran active measurement campaigns via crawlers. In this paper, we observe the phenomenon from a passive angle, to naturally factor the diversity of the Internet and of its users. We analyze a large dataset of passively collected traffic summaries to observe how pervasive online tracking is. We see more than 400 tracking services being contacted by unaware users, of which the top 100 are regularly reached by more than 50 % of Internauts, with top three that are practically impossible to escape. Worse, more than 80 % of users gets in touch the first tracker within 1 second after starting navigating. And we see a lot of websites that hosts hundreds of tracking services. Conversely, those popular web extensions that may improve personal protection, e.g., DoNotTrackMe, are actually installed by a handful of users (3.5 %). The resulting picture witnesses how pervasive the phenomenon is, and calls for an increase of the sensibility of people, researchers and regulators toward privacy in the Internet.

AppPrint: Automatic Fingerprinting of Mobile Applications in Network Traffic

Increased adoption of mobile devices introduces a new spin to Internet: mobile apps are becoming a key source of user traffic. Surprisingly, service providers and enterprises are largely unprepared for this change as they increasingly lose understanding of their traffic and fail to persistently identify individual apps. App traffic simply appears no different than any other HTTP data exchange. This raises a number of concerns for security and network management. In this paper, we propose AppPrint, a system that learns fingerprints of mobile apps via comprehensive traffic observations. We show that these fingerprints identify apps even in small traffic samples where app identity cannot be explicitly revealed in any individual traffic flows. This unique AppPrint feature is crucial because explicit app identifiers are extremely scarce, leading to a very limited characterization coverage of the existing approaches. In fact, our experiments on a nation-wide dataset from a major cellular provider show that AppPrint significantly outperforms any existing app identification. Moreover, the proposed system is robust to the lack of key app-identification sources, i.e., the traffic related to ads and analytic services commonly leveraged by the state-of-the-art identification methods.

FLOWR: a self-learning system for classifying mobileapplication traffic

We aim to devise a method that can identify mobile apps related to each individual traffic flow in the wild. Mobile apps are becoming preferred means of Internet access for a growing user population. Such departure from browser based Internet poses a unique challenge to traffic management tools, still largely incapable of handling mobile apps. Consequently, enterprises and service providers become hindered by being unable to deploy effective mobile policies and security solutions. Traditionally, desktop applications and networking protocols were identified by signatures derived from transport-layer ports, ip addresses, or domain names [2, 5]. It is not suitable for mobile apps any more. The main reason is that most mobile apps communicate via generic HTTP/HTTPS traffic, thus being a priori indistinguishable from Internet browsing. State-of-the-art solutions attempted to develop signatures via user studies or app emulations [6, 4, 1]. Neither of the two approaches scales due to a number of key challenges: • Similarity. Besides using similar protocols (HTTP/HTTPS), mobiles apps communicate with largely similar IP-/domainlevel destinations, Content Delivery Networks (CDNs), and cloud services, which makes them difficult to distinguish. • Scalability. With hundreds of thousands of apps, the identification has to devise very efficient matching algorithms at line speeds. Moreover, the references for matching have to be obtained efficiently. One cannot assume running all

MAGMA network behavior classifier for malware traffic

Malware is a major threat to security and privacy of network users. A large variety of malware is typically spread over the Internet, hiding in benign traffic. New types of malware appear every day, challenging both the research community and security companies to improve malware identification techniques. In this paper we present MAGMA, MultilAyer Graphs for MAlware detection, a novel malware behavioral classifier. Our system is based on a Big Data methodology, driven by real-world data obtained from traffic traces collected in an operational network. The methodology we propose automatically extracts patterns related to a specific input event, i.e., a seed, from the enormous amount of events the network carries. By correlating such activities over (i) time, (ii) space, and (iii) network protocols, we build a Network Connectivity Graph that captures the overall network behavior of the seed. We next extract features from the Connectivity Graph and design a supervised classifier. We run MAGMA on a large dataset collected from a commercial Internet Provider where 20,000 Internet users generated more than 330 million events. Only 42,000 are flagged as malicious by a commercial IDS, which we consider as an oracle. Using this dataset, we experimentally evaluate MAGMA accuracy and robustness to parameter settings. Results indicate that MAGMA reaches 95% accuracy, with limited false positives. Furthermore, MAGMA proves able to identify suspicious network events that the IDS ignored.

GeoEcho: Inferring User Interests from Geotag Reports in Network Traffic

Being transmitted as part of numerous Internet services, geo location data is increasingly bringing hints of peoples real-world activities into Internet traffic. This paper focuses on the discovery of key properties that motivate personal activities - locational interests. We propose and design GeoEcho, a mobile traffic analysis system that extracts and analyses a wealth of latitude-longitude geotag reports with the purpose of identifying the points of interest (PoI) which people actually visit. The key challenge in such identification is that geotag reports are commonly sent arbitrarily, sparsely and without a sufficient accuracy to uniquely identify any PoI. In our analysis of a two-week trace from a large North-American cell phone operator, we show that 22% of geo reports do not even represent actual peoples positions, while another 45% of the reports have low accuracy, such that they ambiguously indicate a number of potential PoIs. We devise methods that effectively identify and prune irrelevant geo information and infer personal interests of individuals. Thereby creating representative profiles of personal interests, our key results reveal that users show interest in a limited number of topics, and their interests are largely unique and stable over time. Our analysis shows a significant GeoEcho usability in various contexts ranging from generic user profile and user group analysis, to advertising and security applications.