Mobile Computing
COMP5216
Week 06 Semester 2, 2020
Dr. Kanchana Thilakarathna, School of Computer Science
The University of Sydney
Page 1
Announcements
– Project proposal submissions are due now.
– After marking the project proposals, I’ll organize individual
feedback sessions.
– Official moving of students between tutorials is not going to happen.
– Due to the restriction of 30 students per class
– Timetable clashes
Special Consideration
– In case of illness or misadventure
– You can apply for special consideration
– The first thing you do should be
– Let the coordinator know (best by email and while still sick)
– Submit your assignment
– Follow proper bureaucratic procedures
– Have a professional practitioner sign the special USyd form
– Submit the application for special consideration online, upload scans
– Note you have only a quite short deadline for applying
– No special consideration for missing out a few days or being on holiday etc.
– Take responsibility for your time management
– University Policy:
http://sydney.edu.au/current_students/special_consideration/index.shtml
Assessment – Late submission policy
– Suppose you hand in work after the deadline:
– If you have not been granted special consideration or arrangements
– A penalty of 5% of the maximum marks will be taken per day (or part) late.
– After ten days, you will be awarded a mark of zero.
– e.g. If an assignment is worth 40% of the final mark and you are one
hour late submitting, then the maximum marks possible would be 38%.
– e.g. If an assignment is worth 40% of the final mark and you are 28 hours late submitting, then the maximum marks possible would be 36%.
– Warning: submission sites get very slow near deadlines
– Submit early; you can resubmit if there is time before the deadline
Academic Dishonesty & Plagiarism
– Academic Integrity
– Plagiarism: NO
– Outsourcing: NO
– See more details on the course website in the Assessment section
– “The University of Sydney is unequivocally opposed to, and intolerant of, plagiarism and academic dishonesty.
– Academic dishonesty means seeking to obtain or obtaining academic advantage for oneself or for others (including in the assessment or publication of work) by dishonest or unfair means.
– Plagiarism means presenting another person’s work as one’s own work by presenting, copying or reproducing it without appropriate acknowledgement of the source.” [from site below]
– Submitted work is compared against other work (from students, the internet, etc)
– Turnitin for textual tasks (through Canvas), other systems for code
– Penalties for academic dishonesty or plagiarism can be severe
– University Policy: http://sydney.edu.au/elearning/student/EI/index.shtml
Outline
– State of Mobile Security & Privacy
– What is Privacy?
– Mobile Security threat models
– Security of Mobile Operating Systems
– App sandboxing
– Permissions
– Releasing apps
– Best Mobile Security Practices
Security Challenge
– Exponential growth of smart devices and third-party apps.
– Leads to security & privacy threats:
• Theft of personal information.
• Increased risks of malware.
Security concerns of smart devices
Security threats are expected to grow further…
– Advanced sensing – 3D, IR cameras, HR, Brainwaves, etc.
What is Privacy ?
– “Personal Information”
– Any information that identifies you or could reasonably be used to identify you
• E.g. name, address, financial details, opinions, memberships, ethnic origin, health information, criminal record, etc.
– Not just demographics
• E.g. photos, IP address, Device IDs, MAC address, Contact list, Call history, Location, Installed apps, etc.
– Carefully treat and protect personal information collection, use, storage and sharing through your service
Source: https://www.oaic.gov.au
What is Privacy ?
– Failing to protect privacy could also result in a breach of the Privacy Act
– https://www.oaic.gov.au/privacy-law/privacy-act/
– EU General Data Protection Regulation (GDPR)
– https://www.eugdpr.org
– Mobile Privacy – A better practice guide for mobile app developers
– Developed in 2014 – Old, but still provides useful guidelines
– https://www.oaic.gov.au/resources/agencies-and-organisations/guides/guide-for-mobile-app-developers.pdf
Checklist
☐ Your privacy responsibilities
☐ Be open and transparent about your privacy practices
☐ Obtain meaningful consent despite the small screen challenge
☐ Timing of user notice and consent is critical
☐ Only collect personal information that your app needs to function
☐ Secure what you collect
Mobile Security Threat Models
– Physical Attacks
– Circumvent authentication to unlock the device.
– App Attacks
– Use a malicious app to hijack the access to other apps, etc.
– Code tampering
– System Attacks
– Use mobile platform (Apple, Android, etc.) vulnerabilities which impact all apps installed on the device.
– Server/Cloud Attacks
– Data breaches
– Common to all other web services
– Network Attacks
– Use packet sniffing or spoofing
– Man-In-the-Middle attacks
– Common to all other web services
Physical Attacks
– Current device unlocking methods: Passwords, PINs, Patterns, Biometrics
– Once unlocked, all apps are accessible
– What are the potential authentication attacks?
– Smudge attacks [Aviv et al. 2010]
– Entering patterns leaves smudges that can be detected with various lighting techniques
– Aviv, A. J., Gibson, K. L., Mossop, E., Blaze, M., & Smith, J. M. (2010). Smudge Attacks on Smartphone Touch Screens. WOOT, 10, 1-7.
– Fingerprint extraction
– Many demos on YouTube
Physical Attacks
– People choose common simple patterns
– Low entropy
– Faster brute-force attacks
– At most 1600 patterns with less than 5 strokes
– People often reuse passwords, PINs
– Security questions are often very standard, with predictable answers and limited possibilities
– Mother’s maiden name?
– depending on culture, try Smith, Chang, Kim, Schmidt, …
– First car?
– try Golf, Yaris, Corolla, …
– Social networks help collect additional information about a person
Physical Attacks
– Are our phones more secure than before with biometric authentication?
– Most (if not all) biometric authentication falls back to a PIN
– No more secure than the PIN
– Biometrics, if compromised, are lost for ever
– Cannot be changed
App Attacks – Mobile Malware
– Capable of performing System Attacks and/or App Attacks
Source: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2018.pdf
App Attacks – Mobile Malware
– Examples of threats on Google Play store in 2017
Source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/malware-forecast-2018.pdf?la=en
App Attacks – Mobile Malware
– Ransomware example: Fake app for popular Chinese game King of Glory
– Directs users to pay via WeChat, AliPay, QQ
App Attacks – Mobile Malware
– Types of Android Ransomware
– Lock Screen Ransomware
– Crypto
– Send SMS
– Steal sensitive information
– Disable anti-virus software
– Advertisement Hijacking
– Take a popular application & change the advertisement ID
– Publish in a different app market
– For fun: Change scores in games / Skip levels
System Attacks – OS vulnerabilities
– Android exploits and vulnerabilities
– Janus attack – 2017
– https://blog.trendmicro.com/trendlabs-security-intelligence/janus-android-app-signature-bypass-allows-attackers-modify-legitimate-apps/
• Modify the APK (add extra bytes) without changing the signature
• Exploited to update an already installed app without the knowledge of the developer
– Stagefright attack – 2015
– https://www.androidcentral.com/stagefright
• A video sent via MMS could be used to attack the libStageFright mechanism which processes video files
• Exploited to do remote code execution
System Attacks – OS vulnerabilities
– “Rooting” Android Devices
– Enables “Root” access to the system
– Allows replacing the existing OS with custom ROMs
– “Jailbreaking” iOS Devices
– Allows bypassing the app signatures
– Exploited to download & install apps, extensions, from outside the Apple App Store
– The popularity of jailbreaking and rooting is going down
– Vendors also keep making it more difficult to hijack the OS
Security of Mobile Operating Systems
Operating systems have got you covered (mostly) …
iOS
– Closed-source operating system based on Unix (Darwin)
– Apps are developed in Swift
– Native development in Objective-C
– App Sandbox
– User permission structure
– Vendor (Apple) signed app release
Android
– Open-source operating system based on Linux (by Google)
– Public review, no obscurity
– Native development in Java
– App Sandbox
– User permission structure
– Developer (self) signed app release
Android OS Architecture
Source: Android developer documentation
Applications: Users interact with the device via the apps. Can be either first party or third party.
Android Framework: Provides basic functions such as communication between apps, managing voice calls or managing app life cycles.
Native Libraries: C/C++ libraries that contain instructions to the device on handling different types of data. E.g. WebKit, SSL, SQLite, and OpenGL.
Android Runtime: Dalvik Virtual Machine and Core Libraries.
Hardware Abstraction Layer (HAL): Converts the Java API calls to system calls that are understood by the Linux kernel.
Linux Kernel: A kernel built on top of the Linux kernel. Additional modifications done by Google to make it suitable for smartphones (e.g. power management). Handles all conventional operating system functions such as process management and memory management.
1. Android App Sandbox
– Similar to the user-based protection model in Linux
1. Each app runs with its own UID in its own Dalvik Virtual Machine
2. Apps are not allowed to talk to each other
3. Limited access to the OS (Kernel)
– Apps must explicitly share resources and actions by declaring the required permissions for additional capabilities not provided by the basic sandbox
2. User Permission Structure
– App must get permission to do anything that
– Uses data or resources that the app did not create
– Uses network, hardware, features that do not belong to it
– Affects the behaviour of the device
– Affects the behaviour of other apps
– If it isn’t yours, get permission!
2. User Permission Structure
– Normal permissions do not directly risk the user’s privacy
– Example: Set the time zone
– Android automatically grants normal permissions.
– Dangerous permissions give access to user’s private data
– Example: Read the user’s contacts
– Android asks the user to explicitly grant dangerous permissions
2. User Permission Structure
– Before Marshmallow (API 23)
– Grant permission before installing
– After Marshmallow (API 23)
– App must get runtime permission
2. User Permission Structure
– Before API 23 → Uninstall the app!
– After API 23
– Can revoke each permission at any time: Settings > Apps > Permissions
– Use the Android Support Library to develop a backward-compatible permission structure
3. Android app signing process
– The code we write is built into an Android Application Package (APK)
– Developer (self) signed app release
– Managing your own key
– Google Play App Signing
Security Best Practices
Best Practices for Privacy Aware Apps
– Do not ask “personal information” if not necessary
– Privacy by Design
– Building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles
– Make privacy your competitive advantage
– Draft a privacy policy (data management procedure) if you access sensitive information
– Beware of what you log. The Android log can be read by other apps with the READ_LOGS permission
Security Best Practices – Physical Attacks
– PIN or a pattern for individual apps (second layer of defence)
– E.g. Perfect AppLock https://play.google.com/store/apps/details?id=com.morrison.applocklite&hl=en
– Use Multi-Factor Authentication
– Smartwatch, glasses, clothes, etc.
Security Best Practices – Physical Attacks
– Two-factor authentication with SMS messages and OTC (one-time-code)
– Is this secure? What are the vulnerabilities?
– SMS interception/hijacking: As a result of the less secure signalling protocols used in mobile networks
• In 2017, attackers successfully intercepted the SMS authentication used by some German banks by creating a fake mobile network and sending messages to the O2-Telefonica mobile network
– SIM-swap
– Mobile number port-out
– Interception by malware and trojans
• Check Point Ltd. discovered a trojan named “EuroGrabber” which carried out similar attacks in Eastern Europe and swiped approximately $47 million from over 30,000 customers
Security Best Practices – Physical Attacks
– Advanced SMS-based two-factor authentication with KeyMaps
– Merging with the ZKPP (Zero-Knowledge Password Proof)
– E.g. https://www.tokenone.com
Security Best Practices – Physical Attacks
– Behavioural authentication for two-factor authentication
– Nearly impossible to perfectly mimic behaviours, e.g. replay attacks.
– BreathPrint
– Breathing acoustics for user authentication
– MusicID for smart headsets
– Brainwave patterns for user authentication
– Follow NIST Digital Identity Guidelines
– https://pages.nist.gov/800-63-3/sp800-63-3.html
Security Best Practices – Permissions
– Only use permission that is necessary for the functionality of the app
– Beware of the permission requested by libraries
– Users don’t see the library; users see your app.
– Review libraries and pick the one with minimum permission
– Explain the reason for requesting a particular permission to the user
– Indicate when you access sensitive information to the user
Security Best Practices – Permissions
– Ask permission at the right time
– E.g. Photo app (Camera Permission)
• At the launch – Access to Camera
• When the user wants to share – Access to Contacts
– Ask the right (minimum) permission
– E.g. Reducing the volume of audio playback when receiving a call
– READ_PHONE_STATE permission allows you to detect receiving a call
• It also allows you to read Phone Hardware IDs, SIM, Incoming phone number, etc. → Over permission?
– Instead, use AudioFocus
• Doesn’t need any permission
• https://developer.android.com/guide/topics/media-apps/volume-and-earphones
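As an added example (not code from the slides) of the AudioFocus alternative: a player that ducks or pauses when the system hands audio focus to a call, so no READ_PHONE_STATE is needed. It uses the pre-API-26 requestAudioFocus overload (still available) and assumes the hosting Activity or Service supplies the Context and MediaPlayer.

```java
// Added example: react to calls through audio focus, not READ_PHONE_STATE.
// Assumes the hosting component owns `player` and calls play()/stop().
import android.content.Context;
import android.media.AudioManager;
import android.media.MediaPlayer;

public class DuckingPlayer implements AudioManager.OnAudioFocusChangeListener {
    private static final float FULL_VOLUME = 1.0f;
    private static final float DUCKED_VOLUME = 0.2f;

    private final AudioManager audioManager;
    private final MediaPlayer player;
    private boolean pausedByFocusLoss = false;

    public DuckingPlayer(Context context, MediaPlayer player) {
        this.audioManager = (AudioManager) context.getSystemService(Context.AUDIO_SERVICE);
        this.player = player;
    }

    /** Start playback only if the system grants us audio focus. */
    public boolean play() {
        // AUDIOFOCUS_GAIN: focus for an unknown duration (music playback).
        int result = audioManager.requestAudioFocus(
                this, AudioManager.STREAM_MUSIC, AudioManager.AUDIOFOCUS_GAIN);
        if (result != AudioManager.AUDIOFOCUS_REQUEST_GRANTED) {
            return false;
        }
        player.setVolume(FULL_VOLUME, FULL_VOLUME);
        player.start();
        return true;
    }

    public void stop() {
        player.pause();
        audioManager.abandonAudioFocus(this);
    }

    /** Called by the system on the main thread whenever focus changes. */
    @Override
    public void onAudioFocusChange(int focusChange) {
        switch (focusChange) {
            case AudioManager.AUDIOFOCUS_LOSS_TRANSIENT_CAN_DUCK:
                // Notification sound or similar: lower the volume, keep playing.
                player.setVolume(DUCKED_VOLUME, DUCKED_VOLUME);
                break;
            case AudioManager.AUDIOFOCUS_LOSS_TRANSIENT:
                // Incoming call: pause and remember to resume afterwards.
                if (player.isPlaying()) {
                    player.pause();
                    pausedByFocusLoss = true;
                }
                break;
            case AudioManager.AUDIOFOCUS_GAIN:
                // Call ended: restore volume and resume if we paused ourselves.
                player.setVolume(FULL_VOLUME, FULL_VOLUME);
                if (pausedByFocusLoss) {
                    player.start();
                    pausedByFocusLoss = false;
                }
                break;
            case AudioManager.AUDIOFOCUS_LOSS:
                // Another app took focus for good: stop and release our request.
                stop();
                break;
        }
    }
}
```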
Security Best Practices – Permissions
– Can you avoid using permission ?
– Use another app to perform the task you wanted… How?
– Example: Taking a Photo
– With CAMERA Permission
• Allows your app to access the Camera directly
• You have to design the UI for taking a photo
• Only prompts the permission request once
– With Intent type MediaStore.ACTION_IMAGE_CAPTURE
• You do not have to design the UI for taking a photo
• User can pick their favourite app to take a photo
• Your app will not have direct access to the Camera
• Selection prompt appears every time the user invokes this action
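An added example (not the slides' code) that combines the two permission lessons above: the photo is taken through the user's camera app via ACTION_IMAGE_CAPTURE, so the app holds no CAMERA permission, and READ_CONTACTS is requested only when the user taps share, with a rationale on a second attempt. It assumes an AppCompatActivity with buttons wired to onTakePhotoClicked()/onShareClicked() and the AndroidX support library for backward-compatible permission calls.

```java
// Added example: no CAMERA permission, contacts asked for at share time only.
// Assumes the AndroidX appcompat/core libraries are on the classpath.
import android.Manifest;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.graphics.Bitmap;
import android.provider.MediaStore;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class PhotoActivity extends AppCompatActivity {
    private static final int REQUEST_IMAGE_CAPTURE = 1;
    private static final int REQUEST_READ_CONTACTS = 2;
    private Bitmap lastPhoto;

    /** Step 1: delegate the capture to whichever camera app the user picks. */
    public void onTakePhotoClicked() {
        Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        // resolveActivity() avoids a crash on a device with no camera app.
        if (intent.resolveActivity(getPackageManager()) != null) {
            startActivityForResult(intent, REQUEST_IMAGE_CAPTURE);
        } else {
            Toast.makeText(this, "No camera app available", Toast.LENGTH_SHORT).show();
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQUEST_IMAGE_CAPTURE && resultCode == RESULT_OK && data != null) {
            // The camera app hands back a thumbnail; this app never opened the camera.
            lastPhoto = (Bitmap) data.getExtras().get("data");
        }
    }

    /** Step 2: contacts are needed only now, so ask only now. */
    public void onShareClicked() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            shareWithContact();
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS)) {
            // The user declined once already: explain what the permission is for.
            Toast.makeText(this, "Contacts are used only to pick a recipient",
                    Toast.LENGTH_LONG).show();
        }
        // On API < 23 the support library reports the install-time decision
        // straight away through onRequestPermissionsResult().
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.READ_CONTACTS}, REQUEST_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_READ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            shareWithContact();
        } else {
            // Degrade gracefully instead of nagging: offer the generic share sheet.
            shareWithoutContacts();
        }
    }

    private void shareWithContact() {
        // App-specific: open a recipient picker, then send lastPhoto to the choice.
    }

    private void shareWithoutContacts() {
        Intent send = new Intent(Intent.ACTION_SEND).setType("image/*");
        // App-specific: attach lastPhoto via a content URI before starting the chooser.
        startActivity(Intent.createChooser(send, "Share photo"));
    }
}
```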
Security Best Practices – IDs
– Don’t store user names and passwords on the device
– Use user name and password for the initial authentication
– Use a hash or non-reversible form of data if you plan to transmit sensitive data
• E.g. use a hash of the email for the primary key, not the email address.
– A hash function H is used to produce a hash h of fixed length given a message m: h = H(m)
– One-way function: computationally infeasible to find an input m that corresponds to an output h, whereas computing h from m is easy
– Weak collision resistance: given an input m and an output h, it is infeasible to find a different input m’ such that H(m) = H(m’)
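An added example (not the slides' code) of the hash-as-key advice: a fixed-length SHA-256 key derived from the normalised email, beside a keyed (HMAC) variant, which goes one step beyond the slide: SHA-256 is one-way, but the set of plausible emails is small enough that a leaked table can be matched by hashing guesses, and a server-held secret removes that shortcut. Plain JVM, no Android dependency; the secret and sample emails are constructed.

```java
// Added example: pseudonymous record keys from an email address.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class UserKeys {
    private UserKeys() {}

    /** Canonicalise first so "Bob@Example.com " and "bob@example.com" share one key. */
    static String normalise(String email) {
        return email.trim().toLowerCase(Locale.ROOT);
    }

    /** h = H(m): a fixed-length, one-way digest of the email (what the slide suggests). */
    public static String plainHashKey(String email) throws GeneralSecurityException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        return toHex(sha256.digest(normalise(email).getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Keyed variant: without the secret nobody can recompute H and match a
     * guessed email against a leaked table. Keep the secret server-side only.
     */
    public static String keyedHashKey(String email, byte[] serverSecret)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        return toHex(mac.doFinal(normalise(email).getBytes(StandardCharsets.UTF_8)));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed secret for the demo; generate 32 random bytes in production.
        byte[] secret = "replace-with-random-server-secret".getBytes(StandardCharsets.UTF_8);
        String a = plainHashKey("Alice@Example.com");
        String b = plainHashKey(" alice@example.com");
        System.out.println("same key for both spellings: " + a.equals(b));
        System.out.println("key length in hex digits:    " + a.length());
        System.out.println("plain key: " + a);
        System.out.println("keyed key: " + keyedHashKey("alice@example.com", secret));
    }
}
```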
Security Best Practices – IDs
– Use short-lived, service-specific authorization tokens
• Use the com.google.android.gms.iid InstanceID API.
– For a unique identifier to track users across apps
• Use randomUUID()
• Why? A GUID (Globally Unique Identifier) is required; don’t use the IMEI or phone number
• Creates a large unique number
– For Advertising and Analytics
– Use the Advertising Identifier available from the AdvertisingIdClient.Info class via the getId() method
– https://developers.google.com/android/reference/com/google/android/gms/ads/identifier/AdvertisingIdClient
Security Best Practices – Storage
– Three methods to save files
– Internal Storage
– External Storage
– Content Providers
Internal Storage
– Only accessible to the app, good enough for most of the apps
– For more sensitive data, you can encrypt files
• Do not make keys accessible to the app
• Encrypt with KeyStore – https://developer.android.com/reference/java/security/KeyStore
– If you want to share data with another app…
• Use a Content Provider
• Avoid the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes
External Storage
– Don’t store sensitive information on the external storage
– External storage can be readable and writable by every app
– External storage can be removed by the user
– Perform input validation before receiving data from the external storage
– https://developer.android.com/training/articles/security-tips#InputValidation
Security Best Practices – Web content access
– Use WebView carefully due to common exploits with HTML and JavaScript
– E.g. Cross-Site Scripting
– If your app does not use JavaScript, do not call setJavaScriptEnabled()
– Use addJavascriptInterface() carefully as it allows JavaScript to perform like another app
• Only for web sites that you can trust
– If sensitive data was exchanged, use clearCache()
Security Best Practices – Networking
– Minimize networking activities
– Authenticated, encrypted socket-level communication via the SSLSocket class
– Avoid writing new protocols
– Never write new cryptographic algorithms
– Do not use SMS for sensitive information exchange
– SMS are not encrypted
– Not strongly authenticated
– Can be read by any application with READ_SMS permission
– Use HTTPS over HTTP wherever, whenever possible
– When is it not possible to use HTTPS?
Security Best Practices – Why HTTPS (HTTP over TLS) ?
– If somebody can capture the network traffic generated by the previous app, they will be able to see what words you are looking for.
– Who potentially can capture the traffic generated by the smartphone?
– Solution: End to End Encryption → HTTPS
Security Best Practices – Encryption
Public key signature
– Alice sends a message P to Bob
1. Alice encrypts it with her private key KA- and sends it off to Bob
2. She can use Bob’s public key KB+ to keep the message secret and sends KB+(P, KA- (P)), combining P and the version she signed
3. Bob decrypts the signed version of the message with Alice’s public key. If the message is the same as the non-signed one, then it has been sent by Alice.
Does this provide enough integrity?
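The exchange above as an added example (not the slides' code), run on a plain JVM: Alice signs P with KA-, then seals (P, KA-(P)) for Bob. RSA can encrypt only a short block, so the pair is encrypted with a fresh AES-GCM key that is itself wrapped with KB+, the usual hybrid form of the slide's KB+(P, KA-(P)). The main() also shows what the signature buys: a third party (constructed here as Mallory) can seal a message for Bob but cannot produce KA-(P), so Bob rejects it.

```java
// Added example: sign-then-encrypt, KB+(P, KA-(P)), in hybrid form.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SignedMessage {
    static final String SIG = "SHA256withRSA";
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AEAD = "AES/GCM/NoPadding";

    /** Alice: sign P with KA-, then seal (P, sig) for Bob. Output: wrappedKey|iv|ct. */
    static byte[] sendToBob(byte[] p, PrivateKey kaMinus, PublicKey kbPlus)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG);
        s.initSign(kaMinus);
        s.update(p);
        byte[] sig = s.sign();                                   // KA-(P)
        byte[] body = ByteBuffer.allocate(4 + p.length + sig.length)
                .putInt(p.length).put(p).put(sig).array();       // (P, KA-(P))
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey k = kg.generateKey();                          // fresh per message
        Cipher aead = Cipher.getInstance(AEAD);
        aead.init(Cipher.ENCRYPT_MODE, k);
        byte[] iv = aead.getIV();
        byte[] ct = aead.doFinal(body);
        Cipher wrap = Cipher.getInstance(WRAP);
        wrap.init(Cipher.ENCRYPT_MODE, kbPlus);
        byte[] wrappedKey = wrap.doFinal(k.getEncoded());        // KB+(k)
        return ByteBuffer.allocate(4 + wrappedKey.length + 4 + iv.length + ct.length)
                .putInt(wrappedKey.length).put(wrappedKey)
                .putInt(iv.length).put(iv).put(ct).array();
    }

    /** Bob: unwrap with KB-, decrypt, then check KA-(P) against P using KA+. */
    static byte[] receiveFromAlice(byte[] blob, PrivateKey kbMinus, PublicKey kaPlus)
            throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] wrappedKey = new byte[in.getInt()]; in.get(wrappedKey);
        byte[] iv = new byte[in.getInt()]; in.get(iv);
        byte[] ct = new byte[in.remaining()]; in.get(ct);
        Cipher wrap = Cipher.getInstance(WRAP);
        wrap.init(Cipher.DECRYPT_MODE, kbMinus);
        SecretKey k = new SecretKeySpec(wrap.doFinal(wrappedKey), "AES");
        Cipher aead = Cipher.getInstance(AEAD);
        aead.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, iv));
        ByteBuffer body = ByteBuffer.wrap(aead.doFinal(ct));    // GCM rejects a tampered ct
        byte[] p = new byte[body.getInt()]; body.get(p);
        byte[] sig = new byte[body.remaining()]; body.get(sig);
        Signature v = Signature.getInstance(SIG);
        v.initVerify(kaPlus);
        v.update(p);
        if (!v.verify(sig)) throw new SignatureException("not signed by Alice");
        return p;                                                // authenticated P
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair alice = g.generateKeyPair();
        KeyPair bob = g.generateKeyPair();
        KeyPair mallory = g.generateKeyPair();                   // constructed third party
        byte[] p = "transfer 10 AUD to Bob".getBytes(StandardCharsets.UTF_8); // constructed P
        byte[] blob = sendToBob(p, alice.getPrivate(), bob.getPublic());
        byte[] got = receiveFromAlice(blob, bob.getPrivate(), alice.getPublic());
        System.out.println("Bob read: " + new String(got, StandardCharsets.UTF_8));
        // Mallory can seal a message for Bob too, but cannot produce KA-(P).
        byte[] forged = sendToBob(p, mallory.getPrivate(), bob.getPublic());
        try {
            receiveFromAlice(forged, bob.getPrivate(), alice.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```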
Security Best Practices – Encryption
Issues with public key signatures
– Alice’s signature is valid only as long as Alice’s private key remains a secret
– If Alice wants to bail out, Alice could claim that her private key was stolen
– Alice can change her private key
– A central authority may be required to keep track of keys
Security Best Practices – Validation of Certificates
– A certificate is a simple text file containing some information such as Company Name, the domain name, and a public key.
– Anybody can create such a file and set up a server pretending to be somebody else.
– The answer is Certificate Authorities.
– Android comes with the set of CAs it trusts. Once you receive a certificate from a server, if it says it is issued by a trusted CA in the phone’s list, Android can verify the certificate.
– Example CAs are Comodo, Symantec, DigiCert, and Entrust.
Security Best Practices – Trusted CA in Android
– Settings → Additional Settings → Security & Privacy → Trusted credentials
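An added example (not the slides' code) tying the SSLSocket advice to the trusted-CA list: the default SSLSocketFactory validates the server's chain against the platform trust store, so a self-signed or unknown-CA certificate fails the handshake, but the chain check alone does not tie the certificate to the host name; the SSLParameters call adds that (Java 7+, Android API 24+). The host name is a placeholder argument.

```java
// Added example: TLS socket with CA validation and host-name verification.
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class TrustedSocket {
    private TrustedSocket() {}

    /**
     * Opens a TLS socket to host:port. The default factory uses the system
     * trust store (on Android: Settings > Security > Trusted credentials), so
     * an untrusted chain makes startHandshake() throw SSLHandshakeException.
     */
    public static SSLSocket open(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this line a valid certificate for ANY domain issued by a
        // trusted CA would be accepted for this host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    /** Returns the issuer of the leaf certificate the server presented. */
    public static String issuerOf(SSLSocket socket) throws IOException {
        SSLSession session = socket.getSession();
        Certificate[] chain = session.getPeerCertificates();   // leaf first
        X509Certificate leaf = (X509Certificate) chain[0];
        return leaf.getIssuerX500Principal().getName();
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com";   // placeholder host
        try (SSLSocket s = open(host, 443)) {
            System.out.println("protocol: " + s.getSession().getProtocol());
            System.out.println("issuer:   " + issuerOf(s));
        }
    }
}
```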
Security Best Practices – Releasing the App
– You can use Android Studio to sign your app
– Sign up as a developer (Need to pay a subscription fee).
– https://play.google.com/apps/publish/signup/
– Go to the developer dashboard.
– https://play.google.com/apps/publish/
– Google App Security Improvement Program
– https://developer.android.com/google/play/asi
– A good way to identify malicious third-party libraries
– Launch Checklist
– https://developer.android.com/distribute/best-practices/launch/launch-checklist
– Week 11 Tutorial
Summer Research Projects/Honours Projects
CS2020/23 Unravelling the Nascent Privacy Risks of 3D Spatial Mixed Reality Data
Supervisor: Kanchana Thilakarathna
Eligibility: The ability and desire to experiment with real devices, e.g. Oculus and HoloLens; and knowledge in applied machine learning.
Project Description:
Augmented, virtual, and/or mixed reality technology (AR/VR/MR) is increasingly becoming popular. From face filters to virtual pets or monsters that seemingly inhabit the physical-world, various MR applications are now widely accessible to most users.
MR platforms require spatial understanding of objects or surfaces, including their structural and photo-metric (e.g. colour and texture) attributes. Aside from objects being detected, spatial information also reveals the location of the user with high specificity, e.g. in which part of the house the user is, or even detect user poses, movement, or changes in their environment which poses additional and, potentially, latent risks to user privacy. In light of that, this project focuses on holistic experimental validation of the existence of privacy risks associated with MR devices, e.g. Oculus, and measures to quantify and detect the extent of the threats. This is a collaborative project with Facebook Reality Labs.
Requirement to be on campus: No
Related Reading:
– [1] J. A. de Guzman, K. Thilakarathna, and A. Seneviratne. “A First Look into Privacy Leakage in 3D Mixed Reality Data.” European Symposium on Research in Computer Security (ESORICS), pp. 149-169, 2019.
– [2] J. A. de Guzman, K. Thilakarathna, and A. Seneviratne. SafeMR: Privacy-aware visual information protection for mobile mixed reality. In 2019 IEEE 41st Conference on Local Computer Networks (LCN). IEEE, 2019.
– [3] J. A. De Guzman, K. Thilakarathna, and A. Seneviratne. Security and privacy approaches in mixed reality: A literature survey. ACM Comput. Surv., 52(6):110:1–110:37, Oct. 2019.
– [4] J. A. de Guzman, K. Thilakarathna, and A. Seneviratne. Conservative plane releasing for spatial privacy protection in mixed reality. arXiv preprint arXiv:2004.08029, 2020.
– Please contact me if you are interested.
Privacy and Security of XR
– Multi-layer 3D point cloud mapping of surroundings
– We were the first to reveal spatial privacy risks of MR devices.
– Reveal and quantify privacy risks associated with mobile AR/MR devices, especially through 3D point clouds.
– Development of privacy preserving transformation of spatial data.
Spatial generalizations
– We are one of the 5 research groups in the world working with Facebook Reality Labs in developing privacy-aware MR solutions.
– https://research.fb.com/blog/2020/09/announcing-the-winners-of-the-explorations-of-trust-in-ar-vr-and-smart-devices-request-for-proposals/
Summer Research Projects/Honours Projects
CS2020/33 Efficient Streaming of 360 Degree Videos by Deep Video Content Analysis
Supervisor: Kanchana Thilakarathna
Eligibility: Knowledge on applied machine learning and computer networking basics are desirable. Mobile programming (iOS or Android) experience will be an added advantage.
Project Description:
360° videos are a popular application of virtual reality. However, streaming 360-videos requires high bandwidth consumption. Tile-based streaming, which partitions a video frame into tiles and sends selected tiles based on user field-of-view (FoV) can fail if user FoVs are not available in real-time. This project aims to predict future user FoVs by analysing content features and using these predictions for efficient tile partitioning.
Firstly, you will investigate different psychological factors that affect visual attention such as the contextual relationships between objects. Existing research shows that humans tend to be attracted to faces and text. However, there is plenty of untapped psychological research such as semantic guidance which you will put into practice. You will then focus on developing a novel content-based tile-distribution that allocates different quality levels for tiles leveraging methods such as DNNs. Finally, you will evaluate these approaches by developing an end-to-end 360-video streaming platform.
Requirement to be on campus: No
Related Reading:
– [1] Constantin, Mihai Gabriel, et al. “Computational understanding of visual interestingness beyond semantics: literature survey and analysis of covariates.” ACM Computing Surveys (CSUR) 52.2 (2019): 25.
– [2] Qian, Feng, et al. “Flare: Practical viewport-adaptive 360-degree video streaming for mobile devices.” Proceedings of the 24th Annual International Conference on Mobile Computing and Networking. ACM, 2018.
– [3] He, Jian, et al. “Rubiks: Practical 360-degree streaming for smartphones.” Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2018.
– Please contact me if you are interested.
Networking Challenge of XR
– 80 times more bandwidth than conventional video
– Ultra small latency to avoid cyber-sickness
– Large scale measurement and quantification of the quality of service offered by current mobile networks
– Development of field of view aware video encoding mechanism
– Development of tile-based video streaming framework
Summer Research Projects/Honours Projects
CS2020/24 Real-time Encrypted Network Traffic Profiling with Deep Learning
Supervisor: Kanchana Thilakarathna
Eligibility: Knowledge on applied machine learning and computer networking basics are desirable.
Project Description:
Providers of large, enterprise-class networks find it hard to track hosts, servers and other vulnerable assets in their networks. Network profiling systems provide valuable insights to the assets on a network and their purpose. A network profile enables providers to better consider how configuration changes will impact networks, and security administrators to identify suspicious activity. However, effective network profiling under real world conditions is increasingly challenging. The primary focus of this research is to develop means to address issues in traffic profiling imposed by real-time constraints such as high-speed networking and ubiquitous encryption. The project aims to develop a network profiling method based on deep learning operating at high real-time speed. This project is a collaboration with Data61-CSIRO.
Requirement to be on campus: No
Related Reading:
– [1] Li, Y., Huang, Y., Xu, R., Seneviratne, S., Thilakarathna, K., Cheng, A., … & Jourjon, G. (2018, November). Deep Content: Unveiling Video Streaming Content from Encrypted WiFi Traffic. In 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA) (pp. 1-8). IEEE.
– [2] Zhang, Xiaokuan, Jihun Hamm, Michael K. Reiter, and Yinqian Zhang. “Statistical Privacy for Streaming Traffic.” In NDSS. 2019.
– Please contact me if you are interested.
Side-channel information leaks
– Deep Bypass: Clear & Dark Real-time Traffic Profiling with Deep Learning
[Figure panels: Season 1 – E1, Encrypted tunnel, CNN Architecture, Real-time Sampling]
What’s Next ?
– Start working on your project
– Tutorial 6 – Mobile Augmented Reality
– Next week – Best practices for Mobile Energy and Cloud Computing
– See you all next week !