
Hui Xu, Yangfan Zhou, Cuiyun Gao, Yu Kang, Michael R. Lyu


1 SpyAware: Investigating the Privacy Leakage Signatures in App Execution Traces
Hui Xu, Yangfan Zhou, Cuiyun Gao, Yu Kang, Michael R. Lyu

2 Private Data Is Valuable
Big Data, Machine Learning, Recommendation

3 Is a Leakage Legitimate?
Whether a leakage is legitimate depends on: user preference; software functionality.

4 How to Handle the Leakage?
Principle: privacy awareness. Users should be informed when the leakage happens; treating the app as malware to be disposed of is inappropriate. (Cartoon: "Your SMS has been leaked!!!" / "Maybe I should remove the app.")

5 Privacy Leakage Definition
Source: a read behavior on privacy-sensitive data. Sink: a send behavior. A privacy leakage is a flow of the sensitive data from the source to the sink.

6 Industrial Solutions
They only control read behaviors!

7 Research Solutions: Taint Analysis
With taint analysis: the read instruction marks the sensitive data as tainted, the taint propagates through Variable1 and Variable2, and when the send instruction consumes tainted data the leakage is identified.
Without taint analysis: only the read and send instructions are observed; whether the data that is sent (Variable1, Variable2) derives from the sensitive data is unknown, so the leakage cannot be confirmed (???).

8 TaintDroid
Approach: dynamic taint analysis (tracks the data flow at runtime).
Usability issues: portability (it is a modified Android OS), overhead.
W. Enck et al., TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, ACM Transactions on Computer Systems (TOCS), 2014.

9 Our Inspiration & Hypothesis
Hypothesis: some correlation exists between privacy leakage behaviors and app execution traces.
Approach (data analytics): transform data into insight. The observable phenomenon is the app execution trace; the hidden incident is the spyware behavior.
S1 (spyware): Pre I1, Pre I2, Read, Pos I1, Pos I2, Send
S2 (spyware): Pre I1, Read, Pos I3, Pos I2, Send
S3 (benign): Pre I2, Read, Pos I1
S4 (benign): Pre I3, Read, Pos I1

10 What Instructions Are Helpful?
System call (widely used on Linux platforms). Pros: contains all the information about the program's execution. Cons: low level, and interpretation is difficult.
Binder call (specific to the Android OS). Pros: semantic, and easily interpreted. Cons: only captures inter-process communication.

11 Trace the Instructions with a Profiler
To trace system calls: strace.
To trace binder calls: inject a payload into the target app process with ptrace; the homemade payload decodes the binder calls.

12 Overall Framework (statistical pattern recognition)
Training phase: spyware samples and benign samples (apps) -> profiler (binder calls, system calls) -> feature extractor -> trainer -> models. The leakage indicator that labels the training samples is TaintDroid.
Detection phase: app -> profiler (binder calls, system calls) -> profile sample -> feature extractor -> classifier (with the trained models) -> result.

13 Android Binder Call: Binder Instance Details (Access Contacts)
# / Type / Data
1 BC_TRANSACTION ****android.app.IActivityManager**********%*com.sec.multiwindow.MW_TOUCH_DETECTED***********************`*********mw_x****e*****mw_action*********mw_y*********
2 BR_REPLY ****
3 ****android.content.IContentProvider****GET_system****sound_effects_enabled***
4
5 **"*android.gui.DisplayEventConnection**
6 **$*********value*****0*
7 ****android.app.IActivityManager************com.android.contacts****
8
9 ****android.content.IContentProvider****'*content://com.android.contacts/contacts*****_id***********************
10 ****0*com.android.providers.contacts.ContactsProvider2****com.android.providers.contacts******************com.android.providers.contacts****************com.android.providers.contacts******android.process.acore*************#*/system/app/SecContactsProvider.apk*#*/system/app/SecContactsProvider.apk*-*/data/data/com.android.providers.contacts/lib*****!*/system/ framework/sec_feature.jar*+*/data/user/0/com.android.providers.contacts*********************android.process.acore*********contacts;com.android.contacts***android.permission.READ_CONTACTS**!*android.permission.WRITE_CONTACTS*********.***********
11 ****************_id*********B***************************************f***
(Each "*" stands for a non-printable byte. The strings are UTF-16, so every character is followed by a zero byte, and each string is preceded by a 32-bit length: the "%" before com.sec.multiwindow.MW_TOUCH_DETECTED is 0x25 = 37, its length in characters, and the "'" before content://com.android.contacts/contacts is 0x27 = 39.)

14 Detect Read Behaviors
Signature -> Data Type
android.os.IServiceManager + iphonesubinfo -> IMEI, ICCID
android.content.IContentProvider + content://com.android.contacts/ (the com.android.contacts provider) -> Contact List
android.content.IContentProvider + content://sms/ -> SMS
android.content.IContentProvider + content://call_log/ -> Call History
android.content.IContentProvider + content://browser/bookmarks -> Browser History
android.accounts.IAccountManager -> Account
android.os.IServiceManager + location -> Location
android.location.ILocationManager + gps / network / passive -> Location
android.media.IMediaRecorder -> Mic
android.gui.Sensor -> Accelerometer
android.hardware.Camera -> Camera

15 Binder Call-based Features
Approach: use the transaction records (BC_TRANSACTION/BR_TRANSACTION) and discard BR_REPLY; strip the details and retain the destination instance name; choose discriminative instances:
android.app.IActivityManager: leakage happens automatically when a new activity is started.
android.app.IApplicationThread: network communication is generally performed in a standalone thread.
android.net.IConnectivityManager, android.net.wifi.IWifiManager: apps may check the current network connection status before communicating.
android.os.IMessenger: Messenger is a common way to pass events or values between threads.
com.android...view.IInputMethodManager: leakages may happen while an app is querying the server.

16 System Call-based Features
Approach: strip the parameters and retain the system call name; calculate the document frequency (DF) of each system call across the samples. Low DF: the call rarely occurs. High DF: the call is not discriminative. Features: 13 system calls whose DF ranges from 0.06 to 0.22.

17 Extract Features for Each Sample
Terms: a sample is one segment of the instruction sequence, which is separated into samples according to touch operations. A sample is a suspicious sample if it includes at least one read behavior according to the binder calls.
Steps: judge whether a sample is suspicious; discard it if it is not; extract features only for the suspicious ones.
Reason: Android apps are UI oriented.
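As an added example (not the SpyAware tool's code), the following Python implements the pipeline of slides 15 to 17 end to end: it cuts a trace at touch operations, keeps only samples in which a Binder transaction matches a read signature, strips strace lines down to system call names, selects system calls by document frequency, and emits one feature vector per suspicious sample. The trace format is constructed for this example (an ordered list of events that are either a touch, a decoded Binder record, or an strace output line); the Binder instance list and the default DF bounds come from the slides, the read-signature list is a subset of the slide 14 table, and the full descriptor com.android.internal.view.IInputMethodManager is used for the interface the slide abbreviates.

```python
"""Cut a profiler trace into touch-delimited samples, keep the suspicious ones
and turn each into Binder-instance counts plus DF-filtered syscall counts.

Added example, not the SpyAware tool. Constructed trace format: a list of
(kind, payload) where kind is "touch", "binder" (payload: (command,
destination instance, string args)) or "syscall" (payload: an strace line).
"""
import re
from collections import Counter

# Discriminative Binder destination instances from the slide.
BINDER_FEATURES = [
    "android.app.IActivityManager",
    "android.app.IApplicationThread",
    "android.net.IConnectivityManager",
    "android.net.wifi.IWifiManager",
    "android.os.IMessenger",
    "com.android.internal.view.IInputMethodManager",  # full name of the abbreviated descriptor
]

# Read-behaviour signatures, a subset of the slide-14 table: (instance, argument substring).
READ_SIGNATURES = [
    ("android.content.IContentProvider", "content://com.android.contacts/"),
    ("android.content.IContentProvider", "content://sms/"),
    ("android.os.IServiceManager", "iphonesubinfo"),
]

# strace line: optional "[pid N]" or "N" prefix (-f), optional timestamp (-t), then "name(".
SYSCALL_NAME = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d\d:\d\d:\d\d(?:\.\d+)?\s+)?(\w+)\(")


def syscall_name(line):
    """Strip the parameters and return the syscall name (None for resumed/exit lines)."""
    m = SYSCALL_NAME.match(line)
    return m.group(1) if m else None


def split_samples(trace):
    """Cut the ordered profile into samples at touch operations."""
    samples, current = [], []
    for kind, payload in trace:
        if kind == "touch":
            if current:
                samples.append(current)
            current = []
        else:
            current.append((kind, payload))
    if current:
        samples.append(current)
    return samples


def is_suspicious(sample):
    """A sample is suspicious if some Binder transaction matches a read signature."""
    for kind, payload in sample:
        if kind != "binder" or payload[0] != "BC_TRANSACTION":
            continue
        _, instance, args = payload
        if any(instance == sig and any(key in a for a in args) for sig, key in READ_SIGNATURES):
            return True
    return False


def select_syscalls(samples, low=0.06, high=0.22):
    """Keep syscalls whose document frequency lies in [low, high] (slide bounds by default)."""
    df = Counter()
    for s in samples:
        df.update({syscall_name(p) for k, p in s if k == "syscall"} - {None})
    return sorted(name for name, c in df.items() if low <= c / len(samples) <= high)


def extract_features(sample, syscall_features):
    """Counts of the discriminative Binder destinations, then of the selected syscalls."""
    binder = Counter(p[1] for k, p in sample if k == "binder" and p[0] == "BC_TRANSACTION")
    calls = Counter(syscall_name(p) for k, p in sample if k == "syscall")
    return [binder[i] for i in BINDER_FEATURES] + [calls[n] for n in syscall_features]


def build_dataset(trace, low=0.06, high=0.22):
    """Return (selected syscall names, feature vectors) for the suspicious samples only."""
    suspicious = [s for s in split_samples(trace) if is_suspicious(s)]
    names = select_syscalls(suspicious, low, high)
    return names, [extract_features(s, names) for s in suspicious]


TRACE = [  # constructed four-touch profile
    ("touch", ""),
    ("binder", ("BC_TRANSACTION", "android.app.IActivityManager", ["com.example.app/.Main"])),
    ("binder", ("BR_REPLY", "", [])),
    ("syscall", "ioctl(9, BINDER_WRITE_READ, 0xbeb3a1c8) = 0"),
    ("touch", ""),
    ("binder", ("BC_TRANSACTION", "android.content.IContentProvider",
                ["com.example.app", "content://com.android.contacts/contacts"])),
    ("binder", ("BR_REPLY", "", [])),
    ("binder", ("BC_TRANSACTION", "android.net.IConnectivityManager", [])),
    ("syscall", "ioctl(9, BINDER_WRITE_READ, 0xbeb3a1c8) = 0"),
    ("syscall", "socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 12"),
    ("syscall", "sendto(12, \"POST /c HTTP/1.1\\r\\n\"..., 512, 0, NULL, 0) = 512"),
    ("touch", ""),
    ("binder", ("BC_TRANSACTION", "android.os.IServiceManager", ["iphonesubinfo"])),
    ("binder", ("BC_TRANSACTION", "android.os.IMessenger", [])),
    ("syscall", "[pid  1234] ioctl(9, BINDER_WRITE_READ, 0xbeb3a1c8) = 0"),
    ("syscall", "[pid  1234] write(3, \"id\", 2) = 2"),
    ("touch", ""),
    ("binder", ("BC_TRANSACTION", "android.content.IContentProvider", ["com.example.app", "content://sms/"])),
    ("syscall", "ioctl(9, BINDER_WRITE_READ, 0xbeb3a1c8) = 0"),
    ("syscall", "<... futex resumed> ) = 0"),
    ("syscall", "sendto(12, \"...\", 64, 0, NULL, 0) = 64"),
]

if __name__ == "__main__":
    # Bounds 0.5/0.75 fit this three-sample toy: they drop ioctl (DF 1.0, not
    # discriminative) and socket/write (DF 0.33, rare) and keep sendto (DF 0.67).
    names, vectors = build_dataset(TRACE, low=0.5, high=0.75)
    print(names, vectors)
```

The first touch segment reads nothing sensitive and is discarded before feature extraction, which is the point of the suspicious-sample filter: the classifier of slide 12 only ever sees segments in which a read behavior occurred, and has to decide whether the surrounding trace looks like a send.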

18 Experimental Settings
Goal: discriminate whether a suspicious sample indicates a privacy leakage.
Baseline (leakage indicator): TaintDroid.
App set: 100 top-ranking apps from Google Play.
Method: we manually run each app for a few minutes; we do not use Monkey because of registration issues.
(Figure: suspicious profiles -> Leak? -> Leak / No Leak)

19 Experimental Apps
(Table columns: App, DevID, Location; cells marked Leak or Read. The per-app marks are not preserved in the transcript.)
com.wochacha, com.starbucks.hk, com.trello, jp.naver.line.android, org.coursera.android, sg.bigo, cn.com.fetion, com.wonder, com.axonlabs.hkbus, com.chinamobile.contacts.im, com.babytree.apps.lama, com.tranzmate, com.tencent.pb, com.skyscape.android.ui, org.wikipedia, com.sina.weibo, com.epocrates, com.ijinshan.kbatterydoctor_en, com.airbnb.android, com.ebay.mobile, com.groupon, com.booking, com.sirma.mobile.bible.android, com.coupons.ciapp, com.tripadvisor.tripadvisor, com.sinyee.babybus.feeling, com.nextmedia, com.musixmatch.android.lyrify, com.etermax.preguntados.lite, com.Qunar, com.soundcloud.android, com.ss.android.article.news, cn.kuwo.kwmusichd, de.motain.iliga, com.dianping.v1, com.banjo.android, com.sankuai.meituan, com.yahoo...im, com.kayak.android, com.easygame.marblelegend, com.dolphin.browser.express.web, net.skyscanner.android.main, com.zillow.android.zillowmap, org.mozilla.firefox, com.ik.flightherofree, com.evernote, com.ksmobile.cb, com.flightview.flightview_free, com.eico.weico, com.droidware.uninstallmaster, cn.bluesky.chinesechess, com.netease.newsreader, com.lingualeo.android, com.happiplay.baccarat, com.zhaopin.social, com.baidu.news, me.soundwave.soundwave, com.sohu.newsclient, com.tencent.news, com.thefancy.app, com.cubic.autohome, com.ifeng.news2, com.wanelo.android, com.soufun.app, com.wumo, com.mobilesrepublic.appy, com.yahoo...weather, com.quanleimu.activity, com.nytimes.android, com.moji.mjweather, com.pccw.finance, com.bigduckgames.flowbridges
DevID leakage: 347 suspicious profiles from 56 apps, 139 spyware behaviors.
Location leakage: 171 suspicious profiles from 51 apps, 51 spyware behaviors.

20 Experimental Results
Using a support vector machine (SVM) with cross-validation. Rows: True = correctly classified, False = misclassified; columns: Positive = classified as leak, Negative = classified as no leak.
Dev ID (347 samples): True: 59 positive, 175 negative, 234 total; False: 33 positive, 80 negative, 113 total; accuracy 67.4%.
Location (171 samples): True: 21 positive, 113 negative, 134 total; False: 7 positive, 30 negative, 37 total; accuracy 78.4%.
Comparison with a naive guesser that knows the prior distribution (it always predicts the majority, no-leak class, so it never finds a leak):
Dev ID: naive guesser accuracy 59.6%, F1 0%; SVM accuracy 67.4%, F1 50.6%.
Location: naive guesser accuracy 70.2%, F1 0%; SVM accuracy 78.4%, F1 53.1%.
The results justify the existence of a correlation between spyware behaviors and app execution traces.
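The comparison against the naive guesser, as an added example that is not the authors' evaluation script: the Python below computes accuracy and F1 from the confusion matrices above and builds the prior-knowledge guesser that always predicts the majority class, which is why its F1 is zero even though its accuracy is not far below the SVM's. The matrices are read from the table (rows True/False = correctly/incorrectly classified, columns Positive/Negative = predicted class, so the cells are TP, TN, FP, FN).

```python
"""Accuracy and F1 from the slide's confusion matrices, against a naive
guesser that knows only the prior class distribution.

Added example, not the authors' evaluation script.
"""


def metrics(tp, tn, fp, fn):
    """Accuracy, precision, recall and F1 of the positive (leak) class."""
    n = tp + tn + fp + fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / n, "precision": precision, "recall": recall, "f1": f1}


def majority_guesser(tp, tn, fp, fn):
    """Metrics of a guesser that always predicts the more frequent class of the
    same data set. Its accuracy is the class prior; when the majority class is
    'no leak' it never produces a true positive, so its F1 is 0."""
    positives, negatives = tp + fn, tn + fp
    if negatives >= positives:
        return metrics(0, negatives, 0, positives)
    return metrics(positives, 0, negatives, 0)


# Confusion matrices from the slide (SVM with cross-validation).
DEV_ID = {"tp": 59, "tn": 175, "fp": 33, "fn": 80}    # 347 profiles, 139 leaks
LOCATION = {"tp": 21, "tn": 113, "fp": 7, "fn": 30}   # 171 profiles, 51 leaks


def compare(cm):
    """Return the SVM's and the naive guesser's scores for one leakage type."""
    return {"svm": metrics(**cm), "naive": majority_guesser(**cm)}


if __name__ == "__main__":
    for name, cm in (("Dev ID", DEV_ID), ("Location", LOCATION)):
        r = compare(cm)
        print(f"{name}: naive acc {r['naive']['accuracy']:.1%} F1 {r['naive']['f1']:.1%}; "
              f"SVM acc {r['svm']['accuracy']:.1%} F1 {r['svm']['f1']:.1%}")
```

The accuracies reproduce the slide exactly; the F1 values computed from the pooled matrices (51.1% and 53.2%) land within half a point of the slide's 50.6% and 53.1%, the kind of gap that arises when a metric is averaged over cross-validation folds rather than computed on the pooled counts. The guesser's accuracy is simply the share of no-leak samples, which is why accuracy alone cannot show the correlation and the F1 comparison is needed.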

21 Summary
Spyware awareness is an appropriate way of combating privacy leakage.
Detecting privacy leakage precisely is difficult: it requires a dynamic taint analysis approach, which has portability and overhead problems.
We propose to discriminate privacy leakage events through app execution traces, which include binder calls and system calls.
We designed a set of tools and justified the correlation between privacy leakage events and app execution traces through real-world experiments.

22 Future Work
Improve the performance by investigating in-app signatures and trying more complex features.
Analyze the insights from the results: understand more about the traces.
Improve the profiler and the method by considering multi-process apps and cross-app leakage.
Develop and deploy such a tool for real-world usage.

