Effective and Real-time In-App Activity Analysis in Encrypted - - PowerPoint PPT Presentation

effective and real time in app activity analysis in
SMART_READER_LITE
LIVE PREVIEW

Effective and Real-time In-App Activity Analysis in Encrypted - - PowerPoint PPT Presentation

Feb 16, 2023 37 likes •301 views

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming Liu Yanjie Fu, Jingci Ming, Yong Ren Leilei Sun, Hui Xiong Rutgers University, USA Futurewei Technology. Inc,. USA Background 2/27 Explosive

slide-1
SLIDE 1

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming Liu

Yanjie Fu, Jingci Ming, Yong Ren Leilei Sun, Hui Xiong

Rutgers University, USA Futurewei Technology. Inc,. USA

slide-2
SLIDE 2

Explosive Growth in Mobile Apps

Background

Ref: ARK INVEST. https://ark-invest.com/research/social-messaging-apps

2/27

slide-3
SLIDE 3

User’s perspective:

 Communicate with each other in a

social network, like multi-media messaging, moment post.

 Engage in commercial activities, like

conference calls, paying bills, etc.

ISP’s perspective:

 Understand users’ preferences.  Provide personized services or

advertisements.

 Improve mobile users’ satisfaction.

Business in Mobile Apps

3/27

slide-4
SLIDE 4

Challenges

 Goal: to discover mobile users’ In-app activities  Problem: Classify mobile Internet traffic into

different usage categories in a real-time manner.

 Challenges:

  • Encrypted Internet traffic with very limited

information from traffic packets (packet timestamp, packet length and packet protocol).

  • Need to handle large traffic flows from millions of

users simultaneously as an online analyzer.

4/27

slide-5
SLIDE 5

Preliminaries

Definition 1: Internet Traffic Flow

An internet traffic flow 𝑈𝐺 consists of a sequence of encrypted internet packets denoted by 𝑼𝑮 = (𝒖𝒋, 𝑸𝒋)𝒋=𝟐

𝑱

where 𝑱 is the total number of packets and 𝑸𝒋 represents the packet received at time 𝒖𝒋

Definition 2: Traffic Segment

A traffic segment 𝑇 =< 𝑡0, 𝑡𝑢 > is a subsequence of an internet traffic flow from time 𝑡0 to 𝑡𝑢.

Definition 3: Time Window Representation

A time window 𝑋

𝑜 records a small portion of traffic sequence

starting from 𝑢0

𝑜 to 𝑢𝑥𝑜 𝑜 . The size of a time window 𝜐 is fixed:

𝑢𝑥𝑜

𝑜 − 𝑢0 𝑜 ≤ 𝜐. There is a time gap ∆ between adjacent time

windows: 𝑢0

𝑜+1 − 𝑢𝑥𝑜 𝑜

≤ ∆.

5/27

slide-6
SLIDE 6

Data Collection

Data resources: daily usage of volunteers from Rutgers University and employees from major ISP

6/27

slide-7
SLIDE 7

Traffic flow example

Example of Collect Internet Traffic Flow

7/27

slide-8
SLIDE 8

Problem Statement

Given an incoming traffic flow 𝑈𝐺 = (𝑢𝑗, 𝑄𝑗)𝑗=1

𝐽

, we need to classify a sequence of in-App usage activities denoted by { 𝑐𝑜, 𝑓𝑜, 𝑣𝑜 }𝑜=1

𝑂

, where 𝑐𝑜, 𝑓𝑜, and 𝑣𝑜 respectively represent the begin time, the end time, and the activity class. 1. Traffic flow segmentation 2. Traffic segment in-app usage classification

8/27

slide-9
SLIDE 9

Framework Overview

Core algorithms

Offline Analysis: MIMD feature selection. Online Analysis: rCKC traffic flow segmentation.

9/27

slide-10
SLIDE 10

Framework Overview

  • 1. Time window feature vector representation

: Feature of traffic window

  • f feature vector

Input: Raw traffic flow Output: Activity class and its start-end time Time window sequence

  • 2. Recursive connectivity constrained clustering (rCKC) for segmentation

HRF

  • 3. Segmented traffic usage activity classification

Text HRF Picture

  • 4. Output: labeled traffic

10/27

slide-11
SLIDE 11

Offline Analysis

𝜐 ∆

𝑮𝟏

Time series feature extraction

Feature Vector

𝑮𝟐 ,…

Full feature set dim 𝑊 = 30

11/27

slide-12
SLIDE 12

Offline Analysis

Full feature set

  • Packet length related features: basic statistics of packet lengths,

hopping count, length of longest monotone subsequences, size percentiles, forward variances and backward variances.

  • Packet time related features: basic statistics of adjacent packet time

intervals, kurtosis, skewness.

  • Traffic packet density (average number of packet second).
  • Traffic speed (average packet size per second).

Advantages:  High in-app usage activity classification accuracy.

Disadvantages:

  • Not completely independent feature elements.
  • High latency due to complex feature extraction.
  • Large memory requirement for high dimension feature vectors.
  • Low impact on segmentation.

12/27

slide-13
SLIDE 13

Offline Analysis

Maximizing Inner activity similarity and Minimizing Different activity similarity measurement (MIMD feature selection).  Similarity of normalized feature vector of dimension N (Gaussian kernel)  Maximizing Inner activity similarity  Minimizing Different activity similarity  MIMD Objective:

13/27

slide-14
SLIDE 14

Offline Analysis

MIMD feature selection:

  • Recursive feature addition
  • A high dimension feature

provide high CV accuracy but low MIMD score.

  • Dimension of optimal

feature set from MIMD measurement is 6.

  • Optimal feature set keeps a

high CV accuracy (0.55% lower than the highest value at dimension 25).

14/27

slide-15
SLIDE 15

Offline Analysis

Optimal feature set

Given a time window of 𝑶 packets observation: { 𝒖𝟐, 𝑸𝟐 , … , 𝒖𝑶, 𝑸𝑶 }

  • Percentile 25%: percentage of packets with length smaller than 25%

maximum packet length 𝑀𝑛𝑏𝑦: 𝑄25 =

1 𝑂 σ𝑗=1 𝑂

𝜀(𝑄𝑗. 𝑚 < 25% 𝑀𝑛𝑏𝑦).

  • Percentile 75%: percentage of packets with length greater than 75%

maximum packet length 𝑀𝑛𝑏𝑦: 𝑄

75 = 1 𝑂 σ𝑗=1 𝑂

𝜀(𝑄

𝑗. 𝑚 > 75% 𝑀𝑛𝑏𝑦).

  • Top frequent continuous subsequence 𝐔𝐃𝐓: the highest repeating

frequency of packet subsequence of length 3.

  • Packet length variance 𝐰𝐛𝐬: 𝑤𝑏𝑠 =

1 𝑂 (σ𝑗=1 𝑂

𝑄

𝑗. 𝑚2) − ( 1 𝑂 σ𝑗=1 𝑂

𝑄

𝑗. 𝑚) 2

  • Traffic density: number of packets per second: 𝑈𝐸 =

𝑂 𝑢𝑂−𝑢1

  • Traffic speed: average packet lengths per second: 𝑈𝐸 =

σ𝑗=1

𝑂

𝑄𝑗.𝑚 𝑢𝑂−𝑢1

15/27

slide-16
SLIDE 16

Traffic Flow Segmentation

Traffic flow segmentation algorithm (rCKC)

Recursive Connectivity Constrained KMeans Clustering

Challenges:

  • Time series segmentation problem-time continuity constraint
  • Optimal number of single activity segment is unknown (undecided K)

Objective: Group a sequence of time windows {𝑥𝑗}𝑗=1

𝑂 into single-activity segments

Recursive strategy:

  • 1. Check input segment IAS→split input

segment or output as single-activity segment for in-app usage activity classification.

  • 2. Initial 𝐿 segments by maximizing the

adjacent segment DAS.

  • 3. Iteratively optimize 𝐿 − 1 split point as

sub-segment boundaries.

  • 4. Each split sub-segment is fed into rCKC.

16/27

slide-17
SLIDE 17

Online Implementation

Iterative feature vector update

Challenges:

  • No enough cache space for large traffic flow from millions of users
  • Fast packet processing with small and stable cache storage

Objective: Construct time window feature vectors

  • nline without the storage of raw packets.

Iterative strategy:

  • 1. For each incoming Internet packet extract

packet information (𝑢, 𝑄. 𝑚, 𝑄. Pr), update two sets of temporary variables tem, tem’.

  • 2. tem variable is used for current time window

feature vector construction and tem’ for next time window.

  • 3. The packet is released after tem, tem’ update.

17/27

slide-18
SLIDE 18

Experiment

Experimental Data

Table 2, 3, 4 show the basic statistics of

  • ur collected single activity traffic data.

In addition, we collect two-activity traffic data with the time duration of each segment ranging from 5s to 120s.

18/27

slide-19
SLIDE 19

Experiment

Study of Traffic Flow Classifier

Proposed Classifier: Random Forest with VoIP-noVoIP traffic filtering. (HRF) Baselines: Random Forest; Support Vector Classifier; K-Nearest Neighbors Classifier; Gaussian Naïve Bayesian Classifier. Evaluation Metrics: Overall accuracy, Precision, Recall, F-Measure.

19/27

slide-20
SLIDE 20

Experiment

Study of Traffic Flow Analyzer

Proposed Analyzer: rCKC traffic flow segmentation + HRF segmented traffic classifier Baselines: AC + RF: Agglomerative Connectivity Constrained Clustering + RF CUMMA: Adjacent packet merging strategy + RF SW+RF: Sliding window based segmentation + RF. Evaluation Metrics: TDA: traffic duration accuracy. TVA: traffic volume accuracy.

20/27

slide-21
SLIDE 21

Experimental Result

Wechat Performance Comparison

21/27

slide-22
SLIDE 22

Experimental Result

Whatsapp Performance Comparison

22/27

slide-23
SLIDE 23

Experimental Result

Facebook Performance Comparison

23/27

slide-24
SLIDE 24

Experimental Result

Wechat Two-activity Test

24/27

slide-25
SLIDE 25

Experimental Result

Online test

25/27

slide-26
SLIDE 26

Conclusion

An online mobile app traffic analyzer for classifying encrypted mobile app Internet traffic into different types

  • f service usages.
  • MIMD Internet packet time series feature selection criteria.
  • rCKC Internet packet time series segmentation algorithm.
  • VoIP-noVoIP filtered RF classifier for segmented traffic.
  • Online iterative feature vector update strategy.
  • Real world mobile Internet traffic of most popular Apps:

Wechat, Whatsapp and Facebook

26/27