Comprehensive Quantitative Analysis on Privacy Leak Behavior

<div><p>Privacy information is prone to be leaked by illegal software providers with various motivations. Privacy leak behavior has thus become an important research issue of cyber security. However, existing approaches can only qualitatively analyze privacy leak behavior of software applications. No quantitative approach, to the best of our knowledge, has been developed in the open literature. To fill this gap, in this paper we propose for the first time four quantitative metrics, namely, <i>possibility</i>, <i>severity</i>, <i>crypticity</i>, and <i>manipulability</i>, for privacy leak behavior analysis based on Privacy Petri Net (PPN). In order to compare the privacy leak behavior among different software, we further propose a comprehensive metric, namely, <i>overall leak degree</i>, based on these four metrics. Finally, we validate the effectiveness of the proposed approach using real-world software applications. The experimental results demonstrate that our approach can quantitatively analyze the privacy leak behaviors of various software types and reveal their characteristics from different aspects.</p></div

The PPN presenting the privacy leak behavior of A1.

<p>The PPN presenting the privacy leak behavior of A1.</p

Details Of The Module Presented InFig. 3(A).

<p>Details Of The Module Presented In<a href="http://www.plosone.org/article/info:doi/10.1371/journal.pone.0073410#pone-0073410-g003" target="_blank">Fig. 3(A)</a>.</p

Position icons.

<p>Position icons.</p

The call sequence fragment of A1.

<p>The call sequence fragment of A1.</p

Typical module for privacy data accessing.

<p>(a) Module <i>m_nfda</i> : PPN module for ordinary file data access; (b)Module <i>m_ada</i> : PPN module for application data access; (c) Module <i>m_sda</i> : PPN module for system data access; (d) Module <i>m_dda</i> : PPN module for dynamic data access.</p

Typical module for privacy data transmission. (a)Module <i>m_socket</i> : PPN module for socket connection; (b)Module <i>m_http</i> : PPN module for HTTP connection; (c) Module <i>m_ftp</i> : PPN module for FTP connection.

<p>Typical module for privacy data transmission. (a)Module <i>m_socket</i> : PPN module for socket connection; (b)Module <i>m_http</i> : PPN module for HTTP connection; (c) Module <i>m_ftp</i> : PPN module for FTP connection.</p

Interrelationship among the four metrics.

<p>Interrelationship among the four metrics.</p

The four metrics and the overall degree of the seven categories of software applications.

<p>The four metrics and the overall degree of the seven categories of software applications.</p

Quantitative values of A1 among browsers.

<p>Quantitative values of A1 among browsers.</p