research-article

Per-user policy enforcement on mobile apps through network functions virtualization

Authors:

Alok Tongaonkar,

Antonio NucciAuthors Info & Claims

MobiArch '14: Proceedings of the 9th ACM workshop on Mobility in the evolving internet architecture

Pages 37 - 42

https://doi.org/10.1145/2645892.2645896

Published: 11 September 2014 Publication History

Abstract

Due to the increasing popularity of smartphones and tablets, mobile apps are becoming the preferred portals for users to access various network services in both residential and enterprise environments. Predominantly using generic HTTP or HTTPS protocols, traffic from different mobile apps is largely indistinguishable. This loss of visibility into mobile app traffic brings new challenges to network management and traffic analysis. It has became very hard to implement network policies based on the differentiation between traffic from compliant and non-compliant mobile apps. This paper presents a system that not only provides network administrators the much desired capability of enforcing policies on mobile app traffic, but also does that at a fine per-user granularity. The proposed system takes a Network Functions Virtualization (NFV) approach and virtualizes an edge router into multiple virtual data planes. Specifically, each data plane serves solely to one particular user and consists of user-specific virtualized network functions. The independence of the virtual data planes facilitates enforcing network policies at the per-user level. To enable policy enforcement on mobile apps, our system includes a sophisticated mobile app identification module to recognize traffic from different apps using preloaded traffic signatures. By exploiting TLS proxying, our system can even enforce policies on those mobile apps adopting traffic encryption. We have implemented a prototype of the proposed system as a wireless access point (AP) using a commodity small form factor PC. Our preliminary experimental evaluations show that the system can scale to modest number of users without much impacting user experience in using the network.

References

[1]

hostapd and wpa_supplicant. http://hostap.epitest.fi/.

[2]

I. Cerrato, M. Pramotton, and F. Risso. Moving applications from the host to the network: Experiences, challenges, and findings. In IEEE Workshop on Mobile Cloud Networking (MCN), 2013.

[3]

A. Cortesi. mitmproxy - a man-in-the-middle proxy. http://mitmproxy.org/.

[4]

S. Dai, A. Tongaonkar, X. Wang, A. Nucci, and D. Song. NetworkProfiler: Towards Automatic Fingerprinting of Android Apps. In Proceedings of IEEE INFOCOM, 2013.

[5]

N. Egi and et al. A platform for high performance and flexible virtual routers on commodity hardware. ACM SIGCOMM Computer Communication Review, 2010.

Digital Library

[6]

A. D. Keromytis and J. L. Wright. Transparent network security policy enforcement. In Proceedings of USENIX ATC, 2000.

Digital Library

[7]

K. W. Miller, J. Voas, and G. F. Hurlburt. BYOD: security and privacy considerations. It Professional, 14(5):0053--55, 2012.

Digital Library

[8]

O. Morandi, F. Risso, P. Rolando, S. Valenti, and P. Veglia. Creating portable and efficient packet processing applications. Design Automation for Embedded Systems, 15(1):51--85, 2011.

Digital Library

[9]

B. Morrow. BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12):5--8, 2012.

[10]

M. R. Nascimento, C. E. Rothenberg, M. R. Salvador, C. N. Corrêa, S. C. de Lucena, and M. F. Magalhães. Virtual routers as a service: the routeflow approach leveraging software-defined networks. In Proceedings of the 6th International Conference on Future Internet Technologies, pages 34--37. ACM, 2011.

Digital Library

[11]

F. Risso and I. Cerrato. Customizing data-plane processing in edge routers. In Software Defined Networking (EWSDN), 2012 European Workshop on, pages 114--120. IEEE, 2012.

Digital Library

[12]

R. Sailer, T. Jaeger, X. Zhang, and L. Van Doorn. Attestation-based policy enforcement for remote access. In Proceedings of the 11th ACM conference on Computer and communications security. ACM, 2004.

Digital Library

[13]

Symantec. Internet security threat report 2014. http://www.symantec.com/security_response/publications/threatreport.jsp.

[14]

A. Tongaonkar, S. Dai, A. Nucci, and D. Song. Understanding mobile app usage patterns using in-app advertisements. In Passive and Active Measurement. Springer, 2013.

Digital Library

[15]

Q. Xu, T. Andrews, Y. Liao, S. Miskovic, Z. M. Mao, M. Baldi, and A. Nucci. FLOWR: A Self-Learning System for Classifying Mobile Application Traffic. In Proceedings of ACM SIGMETRICS, 2014.

Digital Library

Cited By

Tang HCui YWu JYang XYang Z(2019)Trigger relationship aware mobile traffic classificationProceedings of the International Symposium on Quality of Service10.1145/3326285.3329050(1-10)Online publication date: 24-Jun-2019
https://dl.acm.org/doi/10.1145/3326285.3329050
Schnepf NBadonnel RLahmadi AMerz S(2017)Automated verification of security chains in software-defined networks with synaptic2017 IEEE Conference on Network Softwarization (NetSoft)10.1109/NETSOFT.2017.8004195(1-9)Online publication date: Jul-2017
https://doi.org/10.1109/NETSOFT.2017.8004195
Tongaonkar A(2016)A Look at the Mobile App Identification LandscapeIEEE Internet Computing10.1109/MIC.2016.7720:4(9-15)Online publication date: Jul-2016
https://doi.org/10.1109/MIC.2016.77
Show More Cited By

Index Terms

Per-user policy enforcement on mobile apps through network functions virtualization
1. Networks
  1. Network protocols
2. Security and privacy
  1. Network security

Recommendations

Cross-application data provenance and policy enforcement

We present a new technique that can trace data provenance and enforce data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to implement this technique on arbitrary binaries. Users can ...
Policy enforcement in traditional non-SDN networks
Abstract
Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement is however complex and tedious with unreliable manual re-...
A posteriori compliance control
SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

While preventative policy enforcement mechanisms can provide theoretical guarantees that policy is correctly enforced, they have limitations in practice. They are inflexible when unanticipated circumstances arise, and most are either inflexible with ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MobiArch '14: Proceedings of the 9th ACM workshop on Mobility in the evolving internet architecture

September 2014

76 pages

ISBN:9781450330749

DOI:10.1145/2645892

Program Chairs:
Rui L. Aguiar
Universidade Aveiro, Int. de Telecomunicações, Portugal
,
Katherine Guo
Bell Labs Research, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 September 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

MobiCom'14

Sponsor:

SIGMOBILE

MobiCom'14: The 20th Annual International Conference on Mobile Computing and Networking

September 11, 2014

Hawaii, Maui, USA

Acceptance Rates

MobiArch '14 Paper Acceptance Rate 11 of 17 submissions, 65%;

Overall Acceptance Rate 47 of 92 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
271
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)0

Reflects downloads up to 27 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Tang HCui YWu JYang XYang Z(2019)Trigger relationship aware mobile traffic classificationProceedings of the International Symposium on Quality of Service10.1145/3326285.3329050(1-10)Online publication date: 24-Jun-2019
https://dl.acm.org/doi/10.1145/3326285.3329050
Schnepf NBadonnel RLahmadi AMerz S(2017)Automated verification of security chains in software-defined networks with synaptic2017 IEEE Conference on Network Softwarization (NetSoft)10.1109/NETSOFT.2017.8004195(1-9)Online publication date: Jul-2017
https://doi.org/10.1109/NETSOFT.2017.8004195
Tongaonkar A(2016)A Look at the Mobile App Identification LandscapeIEEE Internet Computing10.1109/MIC.2016.7720:4(9-15)Online publication date: Jul-2016
https://doi.org/10.1109/MIC.2016.77
Alsmadi IZarour M(2016)Empirical Evidences in Software-Defined Network Security: A Systematic Literature ReviewInformation Fusion for Cyber-Security Analytics10.1007/978-3-319-44257-0_11(253-295)Online publication date: 22-Oct-2016
https://doi.org/10.1007/978-3-319-44257-0_11
Lombardi FDi Pietro R(2016)Trusted, Heterogeneous, and Autonomic Mobile CloudSecure System Design and Trustable Computing10.1007/978-3-319-14971-4_14(439-455)Online publication date: 2016
https://doi.org/10.1007/978-3-319-14971-4_14
Liu YSong HBermudez IMislove ABaldi MTongaonkar ASharma AAgrawal RGrossglauser M(2015)Identifying Personal Information in Internet TrafficProceedings of the 2015 ACM on Conference on Online Social Networks10.1145/2817946.2817947(59-70)Online publication date: 2-Nov-2015
https://dl.acm.org/doi/10.1145/2817946.2817947
Yao HRanjan GTongaonkar ALiao YMao ZFdida SPau GKasera SZheng H(2015)SAMPLESProceedings of the 21st Annual International Conference on Mobile Computing and Networking10.1145/2789168.2790097(439-451)Online publication date: 7-Sep-2015
https://dl.acm.org/doi/10.1145/2789168.2790097
Wei XValler NMadhyastha HNeamtiu IFaloutsos M(2015)A behavior-aware profiling of handheld devices2015 IEEE Conference on Computer Communications (INFOCOM)10.1109/INFOCOM.2015.7218455(846-854)Online publication date: Apr-2015
https://doi.org/10.1109/INFOCOM.2015.7218455
Hurel GBadonnel RLahmadi AFestor O(2015)Behavioral and dynamic security functions chaining for Android devicesProceedings of the 2015 11th International Conference on Network and Service Management (CNSM)10.1109/CNSM.2015.7367339(57-63)Online publication date: 9-Nov-2015
https://dl.acm.org/doi/10.1109/CNSM.2015.7367339

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten