Mosaic: Quantifying Privacy Leakage in Mobile Networks

Transcription

1 Mosaic: Quantifying Privacy Leakage in Mobile Networks Ning Xia (Northwestern University) Han Hee Song (Narus Inc.) Yong Liao (Narus Inc.) Marios Iliofotou (Narus Inc.) Antonio Nucci (Narus Inc.) Zhi-Li Zhang (University of Minnesota) Aleksandar Kuzmanovic (Northwestern University)

2 Scenario Different footprints Different services IP 1 IP K IP 1 IP K ISP A CSP B Dynamic IP, CSP/ISP Different devices 2

3 Problem Other research work IP1 IPK ISP A IP1 IPK CSP B Input packet traces Tessellation Mosaic We are here! How much private information can be obtained and expanded about end users by monitoring network traffic? 3

4 Motivation I will know everything about everyone! IP1 IPK ISP A IP1 IPK CSP B Agencies Bad guys Mobile Traffic: Relevant: more personal information Challenging: frequent IP changes 4

5 Challenges How to track users when they hop over different IPs? Sessions: Flows(5-tuple) are grouped into sessions IP1" IP2" time" time" Traffic Markers: Identifiers in the traffic that can be used to differentiate users IP3" time" With Traffic Markers, it is possible to connect the users true identities to their sessions. 5

6 Datasets Dataset Source Description 3h-Dataset CSP-A Complete payload 9h-Dataset CSP-A Only HTTP headers Ground Truth Dataset CSP-B Payload & RADUIS info. 3h-Dataset: main dataset for most experiments 9h-Dataset: for quantifying privacy leakage Ground Truth Dataset: for evaluation of session attribution RADIUS: provide session owners 6

7 Methodology Overview IP 1 ISP A IP K Tessellation IP 1 CSP B IP K Traffic attribution Mapping from sessions to users Mosaic construction Via traffic markers Via activity fingerprinting Network data analysis Public web crawling Combine information from both network data and OSN profiles to infer the user mosaic. 7

8 Traffic Attribution via Traffic Markers Traffic Markers: Identifiers in the traffic to differentiate users Key/value pairs from HTTP header User IDs, device IDs or sessions IDs Domain Keywords Category Source osn1.com c_user=<osn1_id> OSN User ID Cookies osn2.com oauth_token=<osn2_id>-## OSN User ID HTTP header admob.com X-Admob-ISU Advertising HTTP header pandora.com user_id User ID Cookies google.com sid Session ID Cookies How can we select and evaluate traffic markers from network data? 8

9 Traffic Attribution via Traffic Markers OSN IDs as Anchors: The most popular user identifiers among all services Linked to user public profiles OSN Source Session Coverage OSN1 ID HTTP URL and cookies 1.3% OSN2 ID HTTP header 1.0% Top 2 OSN providers from North America Only 2.3% sessions contain OSN IDs OSN IDs can be used as anchors, but their coverage on sessions is too small 9

10 Traffic Attribution via Traffic Markers Block Generation: Group Sessions into Blocks IP" 1" IP" IP 1" OSN ID Block Other sessions? δ time" time" Session interval δ Depends on the CSP δ=60 seconds in our study Block Session group on the same IP from the same user Traffic markers shared by the same block 99K session blocks generated from the 12M sessions 10

11 Traffic Attribution via Traffic Markers Culling the Traffic Markers: OSN IDs are not enough Uniqueness: Can the traffic marker differentiate between users? Persistency: How long does a traffic marker remain the same? Score Uniqueness Persistency Uniqueness = 1 No two users will share the same google.com#sid value 0.9 admob.com #isu OSN1 ID mobclix.com mobclix.com #uid #uid pandora.com #user_id pandora.com #user_id mobclix.com #u #u mobclix.com mydas.mobi #mac-id mydas.mobi #mac-id Traffic markers Traffic markers google.com #sid google.com #sid craigslist.org #cl_b #cl_b craigslist.org Persistency ~= 1 The value of Google.com#sid remains the same for the same user nearly all the observation duration We pick 625 traffic markers with uniqueness = 1, persistency >

12 Traffic Attribution via Traffic Markers Traffic Attribution: Connecting the Dots Tessellation User T i ( ) IP 1" Same OSN ID IP 2" Same traffic marker IP 3" Traffic markers are the key in attributing sessions to the same user over different IP addresses 12

13 Traffic Attribution via Activity Fingerprinting What if a session block has no traffic markers? Assumption (Activity Fingerprinting): Users can be identified from the DNS names of their favorite services DNS names: Extracted 54,000 distinct DNS names Classified into 21 classes Activity Fingerprinting: Favorite (top-k) DNS names as the user s fingerprint Service classes Search Chat Dating E-commerce News Picture Service providers bing, google, yahoo skype, mtalk.googl.com plentyoffish, date amazon, ebay google, hotmail, yahoo msnbc, ew, cnn Flickr, picasa 13

14 Traffic Attribution via Activity Fingerprinting Fi : Top k DNS names from user as activity fingerprint : Uniqueness of the fingerprint (F i ) k = 4 k = 5 k = 6 k = 7 k = Normalized fingerprint DNS names IDs Y-axis: closer to 1, more distinct the fingerprint is X-axis: normalized by the total number of DNS names Mobile users can be identified by the DNS names from their preferred services 14

15 Traffic Attribution Evaluation Session Correct (Not complete) Not correct R i RADIUS user (Ground Truth) T i T j T i Tessellation user (Correct?) R i R j identified sessions/users Coverage = total sessions/users Accuracy on Covered Set correctly identified sessions/users = total identified sessions/users 15

16 Traffic Attribution Evaluation Evaluation Results Coverage User 15.70% 43.20% 69.00% Session 2.40% 49.80% 78.60% OSN ID extraction Via traffic markers Via activity fingerprinting Accuracy on Covered Set User Session 100% 99.30% 96.40% 100% 94.50% 92.50% OSN ID extraction Via traffic markers Via activity fingerprinting 16

17 Construction of User Mosaic Mosaic of Real-World User Alice Sub-classes: Residence, coordinates, city, state, and etc. Least gain Most gain Example MOSAIC with 12 information classes(tesserae): Information (Education, affiliation and etc.) from OSN profiles Information (Locations, devices and etc.) from user sessions 17

18 Quantifying Privacy Leakage Leakage from OSN profiles vs. from Network Data Both public OSN profiles & activity analysis Public OSN profiles only Activity analysis only OSN profiles provide static user information (education, interests) # of Users Analysis on network data provides real-time activities and locations 0 Device_info. Demographics Association Social_actvty Location Art_culture Education E-commerce Affiliation Entertainment Content_exch. News_info. Information from both sides can corroborate to each other Information from OSN profiles and network data complement and corroborate each other 18

19 Preventing User Privacy Leakage Protect traffic markers Traffic markers (OSN IDs and etc.) should be limited and encrypted Restrict 3 rd parties Third party applications/developers should be strongly regulated Protect user profiles OSN public profiles should be carefully obfuscated 19

20 Conclusions Prevalence in the use of OSNs leaves users true identities available in the network Tracking techniques used by mobile apps and services make traffic attribution easier Flows/sessions can be labeled with network users true identities, even without any identity leaks Various types of information can be gleaned to paint rich digital Mosaic about users 20

21 Mosaic: Quantifying Privacy Leakage in Mobile Network Thanks! 21