A Multi-perspective Analysis of Carrier-Grade NAT Deployment

As ISPs face IPv4 address scarcity they increasingly turn to network address translation (NAT) to accommodate the address needs of their customers. Recently, ISPs have moved beyond employing NATs only directly at individual customers and instead begun deploying Carrier-Grade NATs (CGNs) to apply address translation to many independent and disparate endpoints spanning physical locations, a phenomenon that so far has received little in the way of empirical assessment. In this work we present a broad and systematic study of the deployment and behavior of these middleboxes. We develop a methodology to detect the existence of hosts behind CGNs by extracting non-routable IP addresses from peer lists we obtain by crawling the BitTorrent DHT. We complement this approach with improvements to our Netalyzr troubleshooting service, enabling us to determine a range of indicators of CGN presence as well as detailed insights into key properties of CGNs. Combining the two data sources we illustrate the scope of CGN deployment on today's Internet, and report on characteristics of commonly deployed CGNs and their effect on end users

Do galaxies that leak ionizing photons have extreme outflows?

To reionize the early universe, high-energy photons must escape the galaxies that produce them. It has been suggested that stellar feedback drives galactic outflows out of star-forming regions, creating low density channels through which ionizing photons escape into the inter-galactic medium. We compare the galactic outflow properties of confirmed Lyman continuum (LyC) leaking galaxies to a control sample of nearby star-forming galaxies to explore whether the outflows from leakers are extreme as compared to the control sample. We use data from the Cosmic Origins Spectrograph on the Hubble Space Telescope to measure the equivalent widths and velocities of Si II and Si III absorption lines, tracing neutral and ionized galactic outflows. We find that the Si II and Si III equivalent widths of the LyC leakers reside on the low-end of the trend established by the control sample. The leakers' velocities are not statistically different than the control sample, but their absorption line profiles have a different asymmetry: their central velocities are closer to their maximum velocities. The outflow kinematics and equivalent widths are consistent with the scaling relations between outflow properties and host galaxy properties -- most notably metallicity -- defined by the control sample. Additionally, we use the Ly\alpha\ profiles to show that the Si II equivalent width scales with the Ly\alpha\ peak velocity separation. We determine that the low equivalent widths of the leakers are likely driven by low metallicities and low H I column densities, consistent with a density-bounded ionization region, although we cannot rule out significant variations in covering fraction. While we do not find that the LyC leakers have extreme outflow velocities, the low maximum-to-central velocity ratios demonstrate the importance of the acceleration and density profiles for LyC and Ly\alpha\ escape. [abridged]Comment: 17 pages, 8 Figures. Accepted for publication in Astronomy & Astrophysic

ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic

It is well known that apps running on mobile devices extensively track and leak users' personally identifiable information (PII); however, these users have little visibility into PII leaked through the network traffic generated by their devices, and have poor control over how, when and where that traffic is sent and handled by third parties. In this paper, we present the design, implementation, and evaluation of ReCon: a cross-platform system that reveals PII leaks and gives users control over them without requiring any special privileges or custom OSes. ReCon leverages machine learning to reveal potential PII leaks by inspecting network traffic, and provides a visualization tool to empower users with the ability to control these leaks via blocking or substitution of PII. We evaluate ReCon's effectiveness with measurements from controlled experiments using leaks from the 100 most popular iOS, Android, and Windows Phone apps, and via an IRB-approved user study with 92 participants. We show that ReCon is accurate, efficient, and identifies a wider range of PII than previous approaches.Comment: Please use MobiSys version when referencing this work: http://dl.acm.org/citation.cfm?id=2906392. 18 pages, recon.meddle.mob

A Multi-view Context-aware Approach to Android Malware Detection and Malicious Code Localization

Existing Android malware detection approaches use a variety of features such as security sensitive APIs, system calls, control-flow structures and information flows in conjunction with Machine Learning classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps' behaviours with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterise several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevent them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localisation. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps' dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid's unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localisation experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall