identifying personal information in internet traffic
play

Identifying Personal Information in Internet Traffic Yabing Liu Han - PowerPoint PPT Presentation

Jan 13, 2024 •270 likes •639 views

Identifying Personal Information in Internet Traffic Yabing Liu Han Hee Song Ignacio Bermudez Alan Mislove Mario Baldi Alok Tongaonkar Northeastern University Cisco Systems Symantec Corporation November 2, 2015,

  1. Identifying Personal Information in Internet Traffic Yabing Liu † Han Hee Song ‡ Ignacio Bermudez § Alan Mislove † Mario Baldi ‡ Alok Tongaonkar § † Northeastern University ‡ Cisco Systems § Symantec Corporation November 2, 2015, COSN’15

  2. Web-based services Most popular Internet-based services • Web sites, smartphone apps • Traditional PCs, tablets, and smartphones • Facebook (1.44 B) WhatApp (800 M) Users share significant data explicitly • Name, gender, email, locations… • Photos, videos, blogs, news, statuses… Applications collect user data implicitly • Monetizing personal information (third parties) Yabing Liu 2

  3. Web-based services Users don’t have control • Cannot keep content secret from provider • Little visibility into what apps do with PI Organizations concerned about their user privacy • Companies, universities, … • Alert users about potential leak + Goal: Important to understand PI transmitted • Develop system which can automatically detect it Yabing Liu 3

  4. Personal Information Definition of PI • Anything the web site or app can receive about the user Users today have many types of PI • Name, birthday, income, interests, user ID, … • Photos, videos, statuses, … Focus: certain types of text-based PI Yabing Liu 4

  5. Motivating Experiment Controlled Lab traffic in Aug. 2014 • Set up web/HTTPS-MITM proxy • Configured iPhone to use the proxy • Downloaded and ran top 35 free apps from the App Store • Examined network traces (only HTTP/HTTPS) Yabing Liu 5

  6. PI in App Traffic What is the fraction of HTTP VS. HTTPS flows? • 62% HTTP VS. 38% HTTPS What applications are collecting user PI? • All of them! • Examples: Email, Name, UserID, Location, Gender, … What fraction of flows have PI? • 3% Upshot: Lots of PI, but needle in a haystack Yabing Liu 6

  7. Goal Automatically detect when web sites or smartphone apps collect PI In-network ISP Internet User (monitors traffic, looks for PI) Explore in-network measurement and analysis • Large organizations who control the network • Not end-host-based approach (e.g., devices, browsers) • Only HTTP transactions (44% of ground truth PI from Lab traffic) Reasons • Significantly lower barriers to deployment • Higher coverage than end-host-based approach Yabing Liu 7

  8. Outline • Motivation • Dataset • Methodology • Evaluation Yabing Liu 8

  9. Dataset Real ISP operational traffic • 24 hour PCAP data [Aug. 2011, one European City] • 13K users without ground truth • To test methodologies at scale Dataset HTTP flows ISP traffic 40,775,119 Locate the flows with PI Yabing Liu 9

  10. Domain-Keys Deconstruct fields from HTTP traffic trace • Key — HTTP GET request, Referrer header, Cookie • Domain — Host header • <Domain, Key> (DK) - Value pairs Observed HTTP transaction GET /foo.html?user_firstname=Alice HTTP/1.1 Host: imagevenue.com Cookie: a=293&g=00s9229daa&age=39&id=27 ETag: 2039-2dc90ea2-12 Referer: http://www.facebook.com/?user_id=89 Accept-Encoding: deflate,gzip HTTP/1.1 200 OK Date: Mon, 23, May 2013 22:38:34 GMT Yabing Liu 10

  11. Domain-Keys Deconstruct fields from HTTP traffic trace • Key — HTTP GET request, Referrer header, Cookie • Domain — Host header • <Domain, Key> (DK) - Value pairs Derived domain-keys and values Observed HTTP transaction GET /foo.html?user_firstname=Alice HTTP/1.1 Domain Key Field Value Host: imagevenue.com imagevenue.com user_firstname GET Alice Cookie: a=293&g=00s9229daa&age=39&id=27 ETag: 2039-2dc90ea2-12 imagevenue.com a Cookie 293 Referer: http://www.facebook.com/?user_id=89 Cookie 00s9229da imagevenue.com g Accept-Encoding: deflate,gzip a imagevenue.com age Cookie 39 HTTP/1.1 200 OK imagevenue.com id Cookie 27 Date: Mon, 23, May 2013 22:38:34 GMT imagevenue.com user_id Referer 89 Yabing Liu 10

  12. Domain-Keys Deconstruct fields from HTTP traffic trace • Key — HTTP GET request, Referrer header, Cookie • Domain — Host header Tuples Domain-keys • <Domain, Key> (DK) - Value pairs 51,368,712 3,113,696 Derived domain-keys and values Observed HTTP transaction GET /foo.html?user_firstname=Alice HTTP/1.1 Domain Key Field Value Host: imagevenue.com imagevenue.com user_firstname GET Alice Cookie: a=293&g=00s9229daa&age=39&id=27 ETag: 2039-2dc90ea2-12 imagevenue.com a Cookie 293 Referer: http://www.facebook.com/?user_id=89 Cookie 00s9229da imagevenue.com g Accept-Encoding: deflate,gzip a imagevenue.com age Cookie 39 HTTP/1.1 200 OK imagevenue.com id Cookie 27 Date: Mon, 23, May 2013 22:38:34 GMT imagevenue.com user_id Referer 89 Yabing Liu 10

  13. Seeded Approach Look for domain-keys with many values that “look like” PI But many challenges in analyzing data 1 Do every domain-keys have enough number of values? 2 What kinds of value are PI we look for? 3 How to filter out keys with many mismatched values? 4 How to discover missing values? Yabing Liu 11

  14. Step1: Pre-processing Does every DK have enough number of values? 1 Yabing Liu 12

  15. Step1: Pre-processing Does every DK have enough number of values? 1 Out of 3.1M DKs, only the top 9% of DKs has at least 10 tuples. Yabing Liu 12

  16. Step1: Pre-processing Does every DK have enough number of values? 1 9% of heavy hitter DKs cover over 90% of values. Yabing Liu 12

  17. Step2: Seed rules What kinds of value are PI we look for? 2 • Regular expressions with constraints and dictionaries PI Type Seed Rules AgeRange /^[0-9]{1,3}-[0-9]{1,3}$/ (where the second number is larger than the first) City Dictionary of cities, such as {“boston”, “new york”, “chicago”, …} Email /^(\w|\-|\_|\.)+\@((\w|\-|\_)+\.)+[a-zA-Z]{2,}$/ /^[\+\-]{0,1}\d+\.\d{4}\d+$/ (where the value is within the range of the Geo country) /^[mf]$/ or /^(fe)?male$/ or the corresponding words for the male/female in Gender local language Name Dictionary of boy and girl names, such as {“alice”, “christian”, …} /^([+]code?((38[{8,9}|0])|(34[{7-9}|0])|(36[6|6|0])|(33[{3-9}|0])|(32[{3-9}| Phone 0])|(32[{8,9}]))([\d]{7})$/ Yabing Liu 13

  18. Step2: Seed rules What kinds of value are PI we look for? 2 • Regular expressions with constraints and dictionaries PI Type Seed Rules AgeRange /^[0-9]{1,3}-[0-9]{1,3}$/ (where the second number is larger than the first) City Dictionary of cities, such as {“boston”, “new york”, “chicago”, …} Email /^(\w|\-|\_|\.)+\@((\w|\-|\_)+\.)+[a-zA-Z]{2,}$/ /^[\+\-]{0,1}\d+\.\d{4}\d+$/ (where the value is within the range of the Geo country) /^[mf]$/ or /^(fe)?male$/ or the corresponding words for the male/female in Gender local language Name Dictionary of boy and girl names, such as {“alice”, “christian”, …} /^([+]code?((38[{8,9}|0])|(34[{7-9}|0])|(36[6|6|0])|(33[{3-9}|0])|(32[{3-9}| Phone 0])|(32[{8,9}]))([\d]{7})$/ Yabing Liu 13

  19. Step2: Seed rules What kinds of value are PI we look for? 2 • Regular expressions with constraints and dictionaries PI Type Seed Rules AgeRange /^[0-9]{1,3}-[0-9]{1,3}$/ (where the second number is larger than the first) City Dictionary of cities, such as {“boston”, “new york”, “chicago”, …} Email /^(\w|\-|\_|\.)+\@((\w|\-|\_)+\.)+[a-zA-Z]{2,}$/ /^[\+\-]{0,1}\d+\.\d{4}\d+$/ (where the value is within the range of the Geo country) /^[mf]$/ or /^(fe)?male$/ or the corresponding words for the male/female in Gender local language Name Dictionary of boy and girl names, such as {“alice”, “christian”, …} /^([+]code?((38[{8,9}|0])|(34[{7-9}|0])|(36[6|6|0])|(33[{3-9}|0])|(32[{3-9}| Phone 0])|(32[{8,9}]))([\d]{7})$/ Yabing Liu 13

  20. Step3: Filtering domain-keys How to filter out DKs with many mismatched values? 3 • For each DK, plot ratio of matched values Yabing Liu 14

  21. Step3: Filtering domain-keys How to filter out DKs with many mismatched values? 3 • For each DK, plot ratio of matched values Yabing Liu 14

  22. Step3: Filtering domain-keys How to filter out DKs with many mismatched values? 3 • For each DK, plot ratio of matched values 23% of Email candidate domain-keys have ratio =1 Yabing Liu 14

  23. Step3: Filtering domain-keys How to filter out DKs with many mismatched values? 3 • For each DK, plot ratio of matched values 40% of Email candidate domain-keys have ratio >=0.2 Pick knee points to select threshold Yabing Liu 14

  24. Step3: Filtering domain-keys How to filter out DKs with many mismatched values? 3 • For each DK, plot ratio of matched values 62% of Geo candidate domain-keys have ratio >=0.9 Pick knee points to select threshold Yabing Liu 14

  25. Step4: Expansion How to expand the missing values? 4 • Seed rules do not cover all possible cases User-Index Domain Key Value 1 google-analytics.com email johnDoe@gmail.com 2 google-analytics.com email janeDoe@hotmail.com 1 google-analytics.com email johnDoe 2 google-analytics.com email janeDoe 3 facebook.com gender female 4 facebook.com gender m 5 facebook.com gender f 6 facebook.com gender 1 7 facebook.com gender f-f 8 facebook.com gender f-m Take all values of DKs with enough matches Yabing Liu 15

Recommend

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying activity via payload Theory behind the idea Measuring NetFlow Measuring DNS traffic captures Implications and future work Motivation

580 views • 17 slides
Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance analysis Anomaly and intrusion detec=on Network engineering Traffic at different granulari=es IP-level packets Capture per-packet

539 views • 40 slides
5.2 MAS for managing the personal information space: ILTIS Lorenz (2001) ILTIS: Information

5.2 MAS for managing the personal information space: ILTIS Lorenz (2001) ILTIS: Information

5.2 MAS for managing the personal information space: ILTIS Lorenz (2001) ILTIS: Information Location and Tracking by Integrating Services Scenario: A human user creates for him- or herself a personal information space in the Internet and with

260 views • 23 slides
DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

QUEUING THEORY: EXPONENTIAL DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet, etc. Also: how can we describe how traffic is processed? What are some metrics? Rate at which people

945 views • 13 slides
Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

6/7/2011 Outline State of the Internet Internet Governance Forum the World Malta Internet Traffic Statistics Introduction Usage and trends Internet Governance Definition/s History and today Launch of Malta I

84 views • 6 slides
Three Layers of Internet Governance protection of personal data illegal and harmful

Three Layers of Internet Governance protection of personal data illegal and harmful

Internet Governance Revisited: Think Decentralization ! Dr. Marc Holitscher, University of Zurich Presentation given at the ITU-workshop on Internet Governance February 26th 2004 Three Layers of Internet Governance protection of personal

407 views • 5 slides
Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet? Active measurement vs. passive

771 views • 31 slides
Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet? q Active measurement vs. passive

654 views • 31 slides
COVID-19: Identifying &amp; Managing Stress Wednesday, May 20, 2020 1:00 2:00 pm Serving

COVID-19: Identifying &amp; Managing Stress Wednesday, May 20, 2020 1:00 2:00 pm Serving

COVID-19: Identifying &amp; Managing Stress Wednesday, May 20, 2020 1:00 2:00 pm Serving Commercial Fishermen and their Families About Todays Webinar Personal Information Information provided by participants during registration will

457 views • 8 slides
Identifying MMORPG Bots: Identifying MMORPG Bots: A Traffic Analysis Approach A Traffic Analysis

Identifying MMORPG Bots: Identifying MMORPG Bots: A Traffic Analysis Approach A Traffic Analysis

Identifying MMORPG Bots: Identifying MMORPG Bots: A Traffic Analysis Approach A Traffic Analysis Approach (MMORPG: Massively Multiplayer Online Role Playing Game) (MMORPG: Massively Multiplayer Online Role Playing Game) Kuan-Ta Chen National

593 views • 30 slides
MISSION Leadership OnDemand AGENDA Personal Values Overview Identifying your Personal

MISSION Leadership OnDemand AGENDA Personal Values Overview Identifying your Personal

PERSONAL VALUES AND MISSION Leadership OnDemand AGENDA Personal Values Overview Identifying your Personal Values Activity Creating a Mission Statement What are values? WHAT ARE VALUES? Personal Values: A

221 views • 11 slides
CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

NASDAQ CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic Exchange, Infrastructure and Major Players. by Teresa Wan Sales Director Singapore Office Francois Lemaigre Sales VP - EMEA 2 Europe

159 views • 11 slides
Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous 1 Two open questions about BitTorrent locality AS 2 AS 3 # connections Internet Internet AS 1 Reduces traffic AS 4 AS 5 How far can we

366 views • 14 slides
Identifying core skills required for the digital economy: Internet of Things Prof. Dr. Anna

Identifying core skills required for the digital economy: Internet of Things Prof. Dr. Anna

Identifying core skills required for the digital economy: Internet of Things Prof. Dr. Anna Frster Sustainable Communication Networks University of Bremen Germany ITU-CBS, Santo Domingo, June 19 th 2018 Core Questions What is the Internet

135 views • 12 slides
An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates integration of streaming audio Radio juke boxes A. Mena and J. Heidemann Broadcast radio USC/Information Sciences Institute Live

414 views • 7 slides
Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

19 Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019 https://ieeexplore.ieee.org/document/8737483 Motivations Reliable traffic modelling is important for network planning, deployment and management;

447 views • 29 slides
Personal information and data protection What is personal data? Any information about you that

Personal information and data protection What is personal data? Any information about you that

Personal information and data protection What is personal data? Any information about you that can identify you! This could be: your name, address, date of birth or telephone number; the type of job you do; the things you buy;

585 views • 24 slides
Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Traffic Measurement Analysis &amp; Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

716 views • 60 slides
The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max Planck Institute for Informatics Virtual 27-30 Oct 2020 RIPE81 Meeting COVID-19 and the Internet COVID-19 and the Internet 1 COVID-19 and

1.17k views • 55 slides
26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

26. Security 1 2 3 4 5 27. Stability 1 2 3 4 5 28. Neatness 1 2 3 4 5

Identifying Personal Core Values Consider the following questions. How could these questions help you in identifying you thoughts, feelings, values, beliefs, priorities? 1. What are my most redeeming qualities? 2. What are my weaknesses? 3. What

154 views • 3 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Internet for Executives Internet for Executives Information Superhighway Information

Internet for Executives Internet for Executives Information Superhighway Information

Internet for Executives Internet for Executives Information Superhighway Information Superhighway Information at your fingertips publish + access Information will be ubiquitous interactive high speed all digital

1.38k views • 98 slides
BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC FINGERPRINTING DAVID McGREW, PhD CISCO FELLOW mcgrew@cisco.com FLOCON 2020 PEOPLE David McGrew Blake Anderson Brandon Enright Adam Weller Lucas

561 views • 23 slides
Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013 Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack

429 views • 23 slides

More recommend