MobileInsight Extracting and Analyzing Cellular Network Information - - PowerPoint PPT Presentation

mobileinsight
SMART_READER_LITE
LIVE PREVIEW

MobileInsight Extracting and Analyzing Cellular Network Information - - PowerPoint PPT Presentation

Aug 16, 2022 339 likes •764 views

MobileInsight Extracting and Analyzing Cellular Network Information on Smartphones Yuanjie Li 1 , Chunyi Peng 2 , Zengwen Yuan 1 , Jiayao Li 1 , Haotian Deng 2 , Tao Wang 3 1 University of California, Los Angeles 2 The Ohio State University 3

slide-1
SLIDE 1

MobileInsight

Extracting and Analyzing Cellular Network Information on Smartphones

Yuanjie Li1, Chunyi Peng2, Zengwen Yuan1, Jiayao Li1, Haotian Deng2, Tao Wang3

1University of California, Los Angeles 2The Ohio State University 3Peking University

slide-2
SLIDE 2

“Anytime, Anywhere” Cellular Network Service

2

slide-3
SLIDE 3

Critical Cellular Operations to Users/Apps

3

Physical Layer (PHY) Link Layer (MAC/RLC/PDCP) Radio Resource Control (RRC) Mobility Management (MM) Session Management (SM) Hardware Software

slide-4
SLIDE 4

But They are Closed…

4

Physical Layer (PHY) Link Layer (MAC/RLC/PDCP) Radio Resource Control (RRC) Mobility Management (MM) Session Management (SM) Hardware Software

?

?

? ? ?

slide-5
SLIDE 5

Can We Have Open Access to Runtime Cellular Network Operations?

5

? ? ?

Why my 4G phone switches to slow 2G? Why my phone drains battery quickly? 4 signal bars, but why no data service?

slide-6
SLIDE 6

It’s Not That Simple

Fine grained Full coverage

  • No approaches cover all necessary features

Analysis In-phone At scale

Android APIs

✘ ✔ ✘ ✘ ✔

Operator-side cellular analytics

✔ ✘ ✔ ✔ ✘

External Tools (e.g., QXDM)

✔ ✔ ✘ ✘ ✘

6

slide-7
SLIDE 7

Our Solution: MobileInsight

Fine grained Full coverage

  • A software tool for commodity phones
  • A community tool that can be built and shared together

Analysis In-phone At scale

Android APIs

✘ ✔ ✘ ✘ ✔

Operator-side cellular analytics

✔ ✘ ✔ ✔ ✘

External Tools (e.g., QXDM)

✔ ✔ ✘ ✘ ✘

7

MobileInsight

✔ ✔ ✔ ✔ ✔

slide-8
SLIDE 8

MobileInsight Overview

Hardware

8

01101

PHY MAC/RLC/PDCP RRC MM SM

Software

Monitor

slide-9
SLIDE 9

MobileInsight Overview

State 1 State 3 State 2 State 1 State 3 State 2 State 1 State 3 State 2

9

Hardware Software

Monitor Analyzers API

slide-10
SLIDE 10

In-device Runtime Monitor

How to expose runtime cellular messages to user space?

Analyzers Monitor API

10

slide-11
SLIDE 11

Analyzers Monitor API

11

Hardware Software Coarse-grained cellular info

Radio Interface Layer

Challenge: No Ordinary In-device Schemes

Android APIs

slide-12
SLIDE 12

Analyzers Monitor API

12

Hardware Software Coarse-grained cellular info Android APIs

Radio Interface Layer

Solution: Side-Channel Across SW-HW Boundary

via USB

Parsers /dev/diag

Raw cellular messages

Proxy

slide-13
SLIDE 13

Cellular Protocol Analytics

How to unveil runtime cellular protocol behaviors?

Analyzers Monitor API

13

slide-14
SLIDE 14
  • Operation logic inference
  • Network side
  • Non-standardized, operator-specific
  • State dynamics extraction
  • Device side
  • Regulated by cellular standards

Two Dimensions for Each Protocol

Analyzers Monitor API

Handoff decision logic

slide-15
SLIDE 15

Protocol Analytics: Tracking State Dynamics

  • Current protocol state, transition events and causes
  • RRC: Radio connectivity status and power-saving mode
  • MM: Device registration status
  • SM: Data session activity and QoS status

Analyzers Monitor API

15

slide-16
SLIDE 16

Protocol Analytics: Tracking State Dynamics

  • Observation: regulated by the cellular standards

Analyzers Monitor API

RRC conn. setup accept RRC conn. setup request Downlink data …… RRC conn. reconfiguration Parameters: T1=100ms, T

shortDRX=20ms

T2=2 T

shortDRX

  • Conn. setup

T1

  • Conn. release

T2 Data Data

  • Conn. setup

T1 Data T1

  • Reference state machine + runtime message

16

slide-17
SLIDE 17

Protocol Analytics: Inferring Operation Logic

  • Algorithm to determine protocol configurations and actions
  • Example: handoff decision logic

Analyzers Monitor API

BS 1’s handoff decision logic:

  • Switch to BS 2 (4G) if
  • Otherwise, switch to BS 3 (3G) if

and

RSS1(4G) < −110 dBm RSS3(3G) > −90 dBm RSS2(4G) > RSS1(4G) + 3 dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G)

17

slide-18
SLIDE 18

Inferring Operation Logic is Not Simple

  • Challenge #1: Non-standardized, carrier-specific operations
  • Challenge #2: Internal logic, not visible by end device

Analyzers Monitor API

BS 1’s handoff decision logic:

  • Switch to BS 2 (4G) if
  • Otherwise, switch to BS 3 (3G) if

and

RSS1(4G) < −110 dBm RSS3(3G) > −90 dBm RSS2(4G) > RSS1(4G) + 3 dBm

?

BS 3 (3G) BS 2 (4G) BS 1 (4G)

18

slide-19
SLIDE 19

Observation: Operation Logic is Not Arbitrary

  • Many network-side operations are stateful

Analyzers Monitor API

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

BS 1’s handoff decision logic:

  • Switch to BS 2 (4G) if
  • Otherwise, switch to BS 3 (3G) if

and

RSS1(4G) < −110 dBm RSS3(3G) > −90 dBm RSS2(4G) > RSS1(4G) + 3 dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G)

19

slide-20
SLIDE 20

Observation: Operation Logic is Not Arbitrary

  • Many network-side operations are stateful and interactive

Analyzers Monitor API

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G) Meas Control: Monitor 4G Meas Report: RSS2> RSS1+3 Handoff command: to BS2 BS 1 (4G)

20

Solution: Online state machine inference

slide-21
SLIDE 21

State Machine Inference: Partial Recovery

  • Runtime sample sequence 1

Analyzers Monitor API

Meas Control: Monitor 4G Meas Report: RSS2> RSS1+3 Handoff command: to BS2 BS 1 (4G)

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G)

21

slide-22
SLIDE 22

State Machine Inference: Partial Recovery

  • Runtime sample sequence 2

Analyzers Monitor API

Meas Control: Monitor 4G Meas Report: RSS1<-110 Meas Control: Monitor 3G&4G BS 1 (4G)

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

Meas Report: RSS2>-90 Handoff command: to BS3

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

Monitor 4G Handoff to 4G

RSS RSS RSS2 > RSS1 + 3dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G)

22

slide-23
SLIDE 23

State Machine Inference: Aggregation a

Analyzers Monitor API

Meas Control: Monitor 4G Meas Report: RSS1<-110 Meas Control: Monitor 3G&4G BS 1 (4G) Meas Report: RSS2>-90 Handoff command: to BS3

Monitor 3G&4G Monitor 4G Handoff to 4G Handoff to 3G

RSS1 < -110dBm RSS1 > -110dBm RSS1 < -110dBm RSS3 > -90dBm RSS2 > RSS1 + 3dBm

Monitor 4G Handoff to 4G

RSS RSS RSS2 > RSS1 + 3dBm

BS 3 (3G) BS 2 (4G) BS 1 (4G)

23

slide-24
SLIDE 24

MobileInsight APIs

Analyzers Monitor API

More tutorials: http://metro.cs.ucla.edu/mobile_insight/tutorials.html

src = OnlineMonitor() lte_rrc_analyzer = LteRrcAnalyzer() wcdma_rrc_analyzer = WcdmaRrcAnalyzer() lte_rrc_analyzer.set_source(src) wcdma_rrc_analyzer.set_source(src) src.run()

24

slide-25
SLIDE 25

Showcase Examples

How can MobileInsight stimulate new apps and research?

25

slide-26
SLIDE 26

Example 1: Fix Our Phone’s Network Failures

  • How: Track protocol state dynamics
  • Root cause: device-side misconfiguration
  • Fix: disable VoLTE when device is in 3G

Data service setup request QoS class = 1 (voice) …… Data service setup reject Cause: QoS unsupported Data service setup request QoS class = 1 (voice) Data service setup reject Cause: QoS unsupported

Session_Inactive Active_Pending Session_Active Inactive_Pending Session_Inactive Active_Pending Session_Active Inactive_Pending Session_Inactive Active_Pending Session_Active Inactive_Pending

26

Hardware Software

?

4 signal bars, but why no data service?

slide-27
SLIDE 27

Example 2: Boost Our Phone’s Data Speed

  • How: Analyze inferred handoff decision logic
  • Root cause: suboptimal FCFS strategy
  • Advice: disable 2G when 4G is available

Meas Control Monitor 2G & 4G Meas Report: 2G available Meas Report: 4G available (ignored by base station) Handoff command: to 2G

Monitor 2G & 4G Handoff to 4G Handoff to 2G

2G Meas Report 4G Meas Report

Monitor 2G & 4G Handoff to 4G Handoff to 2G

2G Meas Report 4G Meas Report

Monitor 2G & 4G Handoff to 4G Handoff to 2G

2G Meas Report 4G Meas Report

27

Hardware Software

?

2G Why switch to slow 2G despite good 4G coverage?

slide-28
SLIDE 28

Research Empowered by MobileInsight

  • Security loophole detection, failure resolution, handoff advisor, etc.
  • iCellular [NSDI’16]: Device-customized multi-carrier roaming
  • MMDiag [SIGMETRICS’16]: mobility misconfiguration detection

28

slide-29
SLIDE 29

Evaluation

Coverage, performance, accuracy and system overhead

29

slide-30
SLIDE 30

Wide Coverage of Phone Models

30

Mobile OS Chipset Feasibility Android Qualcomm ✔ MediaTek ✔ Intel XMM ✔ iOS All ✔ Mobile OS Chipset Feasibility Current Version (2.1.1) Android Qualcomm ✔ ✔ MediaTek ✔ ✘ Intel XMM ✔ ✘ iOS All ✔ ✘

  • Current version: rooted Android with Qualcomm chipset
  • MTK/Intel and iOS support: under development
slide-31
SLIDE 31

Wide Coverage of Cellular Protocols/Messages

  • 3G/4G signaling messages and 4G-L1/L2 messages
  • Characterization of cellular message patterns

Dataset size 245.24GB Total messages 72,389,300 Protocol Layers 4G-PHY (71.8%), 4G-MAC (9.0%), 4G-PDCP (8.3%), 3G/4G-RRC (10.0%), 3G/4G-MM/SM (0.6%), 3GPP2-EvDo/CDMA (0.3%)

31

slide-32
SLIDE 32

Real-time Processing of Cellular Messages

  • 99% messages’ parsing and analyzing within 0.8ms
  • Worst case observed: 33ms

20 40 60 80 100 2 4 6 8 10 CDF (%) Proc time (ms) 6P S5 Tribute

32

slide-33
SLIDE 33

Accurate Cellular Protocol Analytics

  • Tracking Protocol State Dynamics: identical as QXDM
  • Same cellular message sources
  • Inference of Handoff Operation Logic
  • 10-fold cross validation: 87.5%~95.3% prediction accuracy

Table 9: Accuracy for predicting upcoming handoffs.

AT&T T-Mobile Sprint Verizon #Samples 11,050 10,178 10,042 2,741 Accuracy 90.7% 91.8% 95.3% 87.5%

33

slide-34
SLIDE 34

Acceptable System Overhead

  • CPU utilization: 1%-7%
  • Memory: 30MB at maximum
  • Energy: 11-58mW extra power (on Samsung S5)

34

slide-35
SLIDE 35

New Version: v2.1.1

  • More cellular protocol support
  • Cellular data sharing
  • New APIs for mobile applications
  • In-phone cellular log browser

35

slide-36
SLIDE 36

Toward Open and Large-Scale Cellular Datasets

  • Initial dataset release
  • 30+ users, 8 US/Chinese network operators
  • 13-month collection (Jul 2015 – Sep 2016)
  • ~245GB 3G/4G cellular traces
  • Everyone can contribute to the dataset anywhere, anytime!
  • Online trace submission or background data sharing

36

More information: http://metro.cs.ucla.edu/mobile_insight/insightshare.html

slide-37
SLIDE 37

New Research Opportunities Made Possible

Mobile big data analytics Cellular protocol refinements Security threats detections Cross-layer app enhancements

37

slide-38
SLIDE 38

Conclusion

  • Open access to cellular operations benefits everyone
  • Mobile users, researchers, developers and even operators
  • MobileInsight: a first effort toward an open cellular world
  • More community efforts are needed for extension
  • A tool for the community and by the community

38

slide-39
SLIDE 39

Try MobileInsight and explore more! http://metro.cs.ucla.edu/mobile_insight

Yuanjie Li1, Chunyi Peng2, Zengwen Yuan1, Jiayao Li1, Haotian Deng2, Tao Wang3

1University of California, Los Angeles 2The Ohio State University 3Peking University

slide-40
SLIDE 40

40