MUI-defender: CNN-Driven, Network Flow-Based Information Theft Detection for Mobile Users

  • Zhenyu Cheng
  • Xunxun ChenEmail author
  • Yongzheng Zhang
  • Shuhao Li
  • Jian Xu
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 268)


Nowadays people save a lot of privacy information in mobile devices. These information can be theft by adversaries through suspicious apps installed in smartphones, and protecting users’ privacy has become a great challenge. So developing a method to identify if there are apps thieving users’ personal information in smartphones is important and necessary. Through the analysis of apps’ network traffic data, we observe that general apps generate regular network flows with the users’ normal operations. But information theft apps’ network flows have no relationship with users’ operations. In this paper we propose a model MUI-defender (Mobile Users’ Information defender), which is based on analyzing the relationship between users’ operation patterns and network flows with CNN (Convolutional Neural Network), can efficiently detect information theft. Because of C&C (Command-and-Control) server invalidation [33] and system version incompatibility [25], etc., most of the collected information theft apps can’t run properly in reality. So we extract information theft code modules from some of these apps, and then recode and compile them into the ITM-capsule (Information Theft Modules capsule) for verification. Finally, we run the ITM-capsule and several normal apps to detect the network flows, which shows our detection model can achieve an accuracy higher than 94%. Therefore, MUI-defender is suitable for detecting the network flows of information theft.


Information theft Network flow Operation pattern CNN 



This work was supported by the National Key Research and Development Program of China (No. 2016YFB0801502), and the National Natural Science Foundation of China (Grant No. U1736218). We are grateful for the assistance from the volunteers. Thanks to their valuable contribution to the experiments in this paper. We also want to thank the reviewers for the thorough comments and helpful suggestions.


  1. 1.
    Cisco visual networking index: Global mobile data traffic forecast update, 2016–2021 white paper. Accessed 28 Mar 2017
  2. 2.
    Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. ACM Sigplan Not. 49(6), 259–269 (2014)CrossRefGoogle Scholar
  3. 3.
    Atkins, J.B., Dobson, R.W.A.: Monitoring system for a mobile communication network for traffic analysis using a hierarchical approach. US Patent 7,830,812, 9 Nov 2010Google Scholar
  4. 4.
    Barford, P., Kline, J., Plonka, D., Ron, A.: A signal analysis of network traffic anomalies. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement, pp. 71–82. ACM (2002)Google Scholar
  5. 5.
    Barford, P., Plonka, D.: Characteristics of network traffic flow anomalies. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, pp. 69–73. ACM (2001)Google Scholar
  6. 6.
    Benson, T., Akella, A., Maltz, D.A.: Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 267–280. ACM (2010)Google Scholar
  7. 7.
    Beresford, A.R., Rice, A., Skehin, N., Sohan, R.: Mockdroid: trading privacy for application functionality on smartphones. In: Proceedings of the 12th Workshop on Mobile Computing Systems and Applications, pp. 49–54. ACM (2011)Google Scholar
  8. 8.
    Chandra, R.: Network traffic monitoring for search popularity analysis. US Patent 7,594,011, 22 Sept 2009Google Scholar
  9. 9.
    Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Can’t you hear me knocking: identification of user actions on Android apps via traffic analysis. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 297–304. ACM (2015)Google Scholar
  10. 10.
    Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Analyzing Android encrypted network traffic to identify user actions. IEEE Trans. Inf. Forensics Secur. 11(1), 114–125 (2016)CrossRefGoogle Scholar
  11. 11.
    Deng, J., Han, R., Mishra, S.: Decorrelating wireless sensor network traffic to inhibit traffic analysis attacks. Perv. Mob. Comput. 2(2), 159–186 (2006)CrossRefGoogle Scholar
  12. 12.
    Desnos, A., et al.: Androguard: Reverse engineering, malware and goodware analysis of android applications (2013).
  13. 13.
    Enck, W., et al.: Taintdroid: an information flow tracking system for real-time privacy monitoring on smartphones. Commun. ACM 57(3), 99–106 (2014)CrossRefGoogle Scholar
  14. 14.
    Falaki, H., Lymberopoulos, D., Mahajan, R., Kandula, S., Estrin, D.: A first look at traffic on smartphones. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 281–287. ACM (2010)Google Scholar
  15. 15.
    Fusco, F., Deri, L.: High speed network traffic analysis with commodity multi-core systems. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 218–224. ACM (2010)Google Scholar
  16. 16.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: RiskRanker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, pp. 281–294. ACM (2012)Google Scholar
  17. 17.
    Hintz, A.: Fingerprinting websites using traffic analysis. In: Dingledine, R., Syverson, P. (eds.) PET 2002. LNCS, vol. 2482, pp. 171–178. Springer, Heidelberg (2003). Scholar
  18. 18.
    Lakhina, A., Papagiannaki, K., Crovella, M., Diot, C., Kolaczyk, E.D., Taft, N.: Structural analysis of network traffic flows. In: ACM SIGMETRICS Performance Evaluation Review, vol. 32, pp. 61–72. ACM (2004)Google Scholar
  19. 19.
    LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998)CrossRefGoogle Scholar
  20. 20.
    Liberatore, M., Levine, B.N.: Inferring the source of encrypted HTTP connections. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 255–263. ACM (2006)Google Scholar
  21. 21.
    Mah, B.A.: An empirical model of HTTP network traffic. In: Proceedings of Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Driving the Information Revolution, INFOCOM 1997, vol. 2, pp. 592–600. IEEE (1997)Google Scholar
  22. 22.
    Müller, M.: Information Retrieval for Music and Motion, vol. 2. Springer, Heidelberg (2007). Scholar
  23. 23.
    Neasbitt, C., Perdisci, R., Li, K., Nelms, T.: ClickMiner: towards forensic reconstruction of user-browser interactions from network traces. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1244–1255. ACM (2014)Google Scholar
  24. 24.
    Qadeer, M.A., Iqbal, A., Zahid, M., Siddiqui, M.R.: Network traffic analysis and intrusion detection using packet sniffer. In: Second International Conference on Communication Software and Networks, ICCSN 2010, pp. 313–317. IEEE (2010)Google Scholar
  25. 25.
    Schmidt, A.D., et al.: Enhancing security of Linux-based Android devices. In: Proceedings of 15th International Linux Kongress. Lehmann (2008)Google Scholar
  26. 26.
    Shabtai, A., Tenenboim-Chekina, L., Mimran, D., Rokach, L., Shapira, B., Elovici, Y.: Mobile malware detection through analysis of deviations in application network behavior. Comput. Secur. 43, 1–18 (2014)CrossRefGoogle Scholar
  27. 27.
    Sommer, C., German, R., Dressler, F.: Bidirectionally coupled network and road traffic simulation for improved IVC analysis. IEEE Trans. Mob. Comput. 10(1), 3–15 (2011)CrossRefGoogle Scholar
  28. 28.
    Stöber, T., Frank, M., Schmitt, J., Martinovic, I.: Who do you sync you are?: smartphone fingerprinting via application behaviour. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 7–12. ACM (2013)Google Scholar
  29. 29.
    Tan, D.J., Chua, T.W., Thing, V.L., et al.: Securing Android: a survey, taxonomy, and challenges. ACM Comput. Surv. (CSUR) 47(4), 58 (2015)Google Scholar
  30. 30.
    Tang, D., Baker, M.: Analysis of a local-area wireless network. In: Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pp. 1–10. ACM (2000)Google Scholar
  31. 31.
    Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: Profiledroid: multi-layer profiling of android applications. In: Proceedings of the 18th Annual International Conference on Mobile Computing and Networking, pp. 137–148. ACM (2012)Google Scholar
  32. 32.
    Yu, S., Zhao, G., Dou, W., James, S.: Predicted packet padding for anonymous web browsing against traffic analysis attacks. IEEE Trans. Inf. Forensics Secur. 7(4), 1381–1393 (2012)CrossRefGoogle Scholar
  33. 33.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE (2012)Google Scholar
  34. 34.
    Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011). Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Zhenyu Cheng
    • 1
    • 2
  • Xunxun Chen
    • 1
    • 2
    Email author
  • Yongzheng Zhang
    • 1
    • 2
  • Shuhao Li
    • 1
    • 2
  • Jian Xu
    • 1
    • 2
  1. 1.Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations