Abstract

Mobile application (app) identification at per-flow granularity is vital for traffic engineering, network management, and security practices in cloud computing. However, the growing fraction of encrypted traffic, such as HTTPS, makes this challenging. To address this challenge, we analyzed mobile apps' traffic carefully and observed that: 1) mobile apps may query multiple hostnames simultaneously; 2) the sets of queried hostnames are distinguishable; 3) for mobile apps, the encrypted traffic is a small portion of the total traffic and correlates with some other network flows. This implies that for encrypted network flows, if the correlated DNS or HTTP(S) flows generated by the same app can be obtained, the encrypted flows will eventually be identified. Therefore, in this paper we propose a novel traffic correlation methodology for identifying mobile apps from their encrypted network traffic. Specifically, for encrypted network flows whose IP addresses are resolved by DNS queries, we use temporal and lexical similarity to cluster correlated DNS queries. Otherwise, for encrypted flows established directly via IP addresses, we retrieve correlated traffic by considering similar flow metadata, including IP address, flow starting time, packet sizes and intervals. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 93% and the false-positive rate is lower than 8%.
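The DNS-based case described in the abstract can be sketched as follows. This is an added illustration, not the paper's algorithm or code: the greedy clustering rule, the token-level Jaccard similarity, the thresholds `WINDOW_S` and `MIN_JACCARD`, and the sample log are all assumptions made for this example.

```python
# Constructed sample for one client: (query_time_s, hostname, resolved_ip).
DNS_LOG = [
    (0.00, "api.chatapp.example", "198.51.100.10"),
    (0.05, "cdn.chatapp.example", "198.51.100.11"),
    (0.12, "img-chatapp.cdnhost.example", "198.51.100.12"),
    (0.20, "ads.tracker.example", "203.0.113.5"),
    (9.00, "api.mapsapp.example", "198.51.100.20"),
    (9.08, "tiles.mapsapp.example", "198.51.100.21"),
]
WINDOW_S = 1.0     # assumed: max gap to a cluster's latest query (temporal similarity)
MIN_JACCARD = 0.2  # assumed: lexical-similarity threshold

def tokens(hostname):
    """Lexical tokens of a hostname: labels split on '.' and '-', TLD dropped."""
    return set(hostname.lower().replace("-", ".").split(".")[:-1])

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_queries(log, window=WINDOW_S, min_sim=MIN_JACCARD):
    """Greedy single pass: a query joins a cluster only if it is close in
    time to it AND lexically similar to at least one of its hostnames."""
    clusters = []
    for entry in sorted(log):
        t, host, _ip = entry
        for c in clusters:
            recent = t - c[-1][0] <= window
            similar = any(jaccard(tokens(host), tokens(h)) >= min_sim
                          for _, h, _ in c)
            if recent and similar:
                c.append(entry)
                break
        else:
            clusters.append([entry])
    return clusters

def correlate_flow(flow_start, dst_ip, clusters):
    """Hostnames of the cluster whose most recent DNS answer before the flow
    resolved to dst_ip; None if the flow was opened directly by IP address."""
    best = None
    for c in clusters:
        for t, _host, ip in c:
            if ip == dst_ip and t <= flow_start and (best is None or t > best[0]):
                best = (t, c)
    return sorted(h for _, h, _ in best[1]) if best else None
```

A `None` result corresponds to the abstract's second case, where the flow has no resolving DNS query and flow metadata has to be used instead.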
