App identification based on encrypted multi-smartphone sources traffic fingerprints

Abstract

The smartphone app identification technology based on traffic fingerprints has begun to play an important role in monitoring malware and assisting network management with the smartphone security issues getting more attention. Smartphones connected to the Internet are often produced by multiple manufacturers, belong to multiple models and use a variety of operating systems. But current researches cannot achieve high-accuracy app identification while using datasets collected from traffic sources of different smartphone. In this paper, we propose an app identification system which use frequency distribution fingerprints to identify apps from encrypted multi-smartphone source traffic. The key idea of our work is to convert the occurrence frequency of traffic stream attribute values (e.g. TCP stream length and SSL/TLS handshake message type) into the format of frequency distribution. We use the random forest algorithm to identify apps from the frequency distributions extracted from the encrypted traffic collected from different three smartphones. In addition, we explore the impact of the app browsing contents, app behaviors, individual differences between smartphones of the same model and brand differences on the performance of our identification system. Our work achieves 99.3% TPR and 0.2% FPR performance on the datasets collected from two different brands of smartphones. Additionally, we show that the variety of app behaviors has the most significant impact on our identification performance, even more than the brand differences.