• Home

  • Documents

  • A platform for the analysis and visualization of network
3
HAL Id: hal-01242911 https://hal.inria.fr/hal-01242911 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés. A platform for the analysis and visualization of network flow data of android environments Abdelkader Lahmadi, Frederic Beck, Eric Finickel, Olivier Festor To cite this version: Abdelkader Lahmadi, Frederic Beck, Eric Finickel, Olivier Festor. A platform for the analysis and vi- sualization of network flow data of android environments. IFIP/IEEE International Symposium on In- tegrated Network Management (IM), May 2015, Ottawa, Canada. 2015, 10.1109/INM.2015.7140443. hal-01242911

A platform for the analysis and visualization of network

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: A platform for the analysis and visualization of network

HAL Id: hal-01242911https://hal.inria.fr/hal-01242911

Submitted on 14 Dec 2015

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.

A platform for the analysis and visualization of networkflow data of android environments

Abdelkader Lahmadi, Frederic Beck, Eric Finickel, Olivier Festor

To cite this version:Abdelkader Lahmadi, Frederic Beck, Eric Finickel, Olivier Festor. A platform for the analysis and vi-sualization of network flow data of android environments. IFIP/IEEE International Symposium on In-tegrated Network Management (IM), May 2015, Ottawa, Canada. 2015, �10.1109/INM.2015.7140443�.�hal-01242911�

https://hal.inria.fr/hal-01242911
https://hal.archives-ouvertes.fr
Page 2: A platform for the analysis and visualization of network

A Platform for the Analysis and Visualization ofNetwork Flow Data of Android Environments

Abdelkader LahmadiUniversity of Lorraine, LORIA

Vandoeuvre-les-Nancy, F-54506, FranceEmail: [email protected]

Frederic Beck and Eric Finickel and Olivier FestorINRIA Nancy Grand-Est

Villers-les-Nancy, F-54600, FranceEmail: {frederic.beck, eric.finickel, olivier.festor}@inria.fr

Abstract—In this demo, we present a monitoring platformdedicated to the collection, storage, analysis and visualization oflogs and network flow data of mobile applications. The platformrelies on a set of on-device probes to monitor network and systemactivities of these applications. The data are collected from theseprobes and parsed through generic and flexible collectors relyingon Flume agents that we have adapted and extended. We arestoring the collected data using a column oriented Hbase storageengine which is the Hadoop database. Finally, after being parsed,the data are made available within the Elasticsearch engine tosearch and visualize them using the Kibana tool.

I. INTRODUCTION

Android-based devices, including smartphones and tablets,are emerging and widely adopted by users because of theirinteresting capabilities. They evolved from simple telephonydevices into sophisticated, yet compact, PC connected toa wide spectrum of networks, including Internet via Wi-Fi, GPRS/EDGE or 3G network access. The network trafficgenerated by these devices is increasing, since they enableusers to access and browse web sites, send emails, play on-linegames and exchange information. It is projected that mobiletraffic will grow 10 times faster than fixed Internet traffic.The analysis of the network behavior of applications runningon a smartphone device requires the collection of informationabout data leaving the device, and where it is sent. Observingnetwork traffic activities is a popular approach to monitorand assess the security of deployed networked devices, andit is able to provide information about spectrum of trafficmix, attacks, applications, etc. However, the characteristics ofthe traffic generated by smartphones and their network-activeapplications remain wholly unexplored, where only few worksprovide first insights about this traffic, mainly from packetcapture datasets. One likely reason why individual smartphonetraffic has gone unstudied with fine-grain view, is that mobilededicated probes and monitoring platforms are missing, unlikewide-area Internet where several probes and platforms havebeen developed and deployed to monitor and record trafficthrough access links.

In this paper, we present a monitoring and measurementplatform that relies mainly on Big Data oriented componentsto collect, analyze and visualise network flow data generatedby Android running applications. The network flow data ofeach running application is measured on device using our flowbased monitoring probe, named Flowoid, which is dedicatedto Android environments. Flow data are recorded and exportedby Flowoid to be collected using a scalable architecture.

Then, they are stored in column oriented database, indexedand finally visualized and analyzed. This platform allowedus to explore and identify communications patterns of severalmobile applications.

The rest of the paper is organized as follows. In section II,we describe the architecture and internals of our monitoringplatform. Then, we provide insights about obtained resultsusing the described platform, mainly traffic patterns of Androidnetwork-active applications that we have studied, and that wewill be able to show in the demo. Finally, conclusion and futurework are described in III.

II. PLATFORM ARCHITECTURE AND DETAILS

Our platform relies on different components to measure,collect, store and visualize logs and network flow data ofAndroid applications: a set of probes and agents running onAndroid devices, a set of collectors, a storage engine, the indexengine and a visualization tool. Figure 1 depicts the overallarchitecture of the platform. In the following subsections, wewill detail each component.

Fig. 1. Architecture and details of the collection and analysis platform.

A. On device probes

We have developed mainly two on-device probes to collectdata about running applications. The first probe is Flowoid,which is a NetFlow exporter for Android devices. It is com-posed of a backend IP driver retrieving the packets using thepcap library, a NetFlow version 9 exporter creating and export-ing the flows, and a GUI, the Flowoid app itself. Our exporterassociates each observed network flow with geolocation data,

Page 3: A platform for the analysis and visualization of network

consisting of the GPS coordinates of the device, among others.This information is exported together with the traditional fieldsdefined in the NetFlow/IFPIX protocols: IP version, sourceand destination addresses, the number of exchanged bytes, thetype of protocol, the number of exchanged packets, the sourceand destination ports and the duration of the flow. In addition,each record contains several additional fields associated to thecontext to the flow: the identifier of the localization method, atimestamp, the integer part of the latitude, the decimal part ofthe latitude, the integer part of the longitude and the decimalpart of the longitude, the name of the mobile application thatinitiated the connection, the state of the device screen (On,Off, locked, unlocked), an identifier of the device, the type ofthe device connectivity (Wifi, EDGE, CDMA, HSPA, LTE, ...)and the state of the application (background, foreground) whenthe flow has started. The second probe is related to the log dataassociated to each running application. The data are collectedon device using the dumpsys and logcat tools provided bythe Android platform. Then, all data are exported periodicallyto collectors using the syslog protocol, where it is parsedand stored. We also associated to each log data additionalinformation related the geolocation of the device.

B. Data collection and storage

The data sent by the probes is collected using Flumebased collectors. Apache Flume1 is a distributed, reliable,and available system for efficiently collecting, aggregating andmoving large amounts of log data from many different sourcesto a centralized data store. Each unit of data is considered asan event that flows through a Flume agent. The event travelsfrom a source through a channel to a Sink. An event carriesa payload (byte array) that is accompanied by an optional setof headers. Flume has the capability to modify or drop eventsin-flight. This is done with the help of interceptors. We havedeveloped and integrated in Flume agents a set of sources,sinks and intercepters to handle the collected data. We havemainly two sources dedicated respectively to NetFlow andSyslog messages. We have also developed two interceptorsthat parse the different messages (NetFlow and Syslog) andtransform them into JSON documents. Each JSON documentis finally sent to a sink to be stored in a Hbase table. Thelisting 1 denotes an example of a NetFlow record exported byFlowoid and parsed using a Flume interceptor.

C. Data search and visualisation

The stored data is then indexed using the Elasticsearch2

engine which allows us to easily search inside log and flowdata. We have also deployed Kibana which is a web-basedvisualization and dashboard builder tool that interacts withElasticsearch to make search requests, aggregate data andvisualize them using several visualisation tools: piecharts,tables, bar charts and tile maps. Figure 2 depicts an exampleof three layers piechart obtained using Kibana. The piechartshows the most contacted servers (third outer layer), destina-tion ports (second inner layer) used by the Android versionof the Facebook application (first inner layer). We mainlyobserve that the Facebook application relies on the HTTPSservice (port 443) to contact its servers. However the recently

1http://flume.apache.org/2http://www.elasticsearch.org/

Snippet 1 An example of a NetFlow record exported byFlowoid and parsed by the Flume collector.

"IPVersion": "4","LongituteDecimal": "1767651","LongitudeInteger": "6","SrcAddr": "10.35.67.24","DeviceID": "362507473","DstAddr": "173.252.102.16","LatitudeDecimal": "7097251","SrcPort": "33294","LatitudeInteger": "48","Packets": "18","AppName": "com.facebook.katana","EndTime": "108799063","StartTime": "108457518","Bytes": "2540","DstPort": "443","Protocol": "6","TCPFlags": "16"

available lite version of Facebook is using the 8000 port. Allthe components of the application are using the TCP protocol.

Fig. 2. A piechart of the communication patterns of the Android version ofFacebook application.

III. CONCLUSION

In this paper, we presented the architecture and the differentcomponents of a monitoring platform dedicated to Androidenvironments. Relying on this platform, we are mainly col-lecting and analyzing logs and network flow data related toAndroid applications lifecycle activities. The used technologiesand the available tools within this platform will offer newperspectives to investigate new approaches and solutions forthe security monitoring of managed Android environments. Weare currently developing and extending our platform with moreanalysis and visualization modules to enhance its interactivity.

ACKNOWLEDGMENTS

This work was partly funded by Flamingo, a Network ofExcellence project (ICT-318488) supported by the EuropeanCommission under its Seventh Framework Program.


WSNGE: A Platform for Simulating Complex Wireless Sensor ... · WSNGE: A Platform for Simulating Complex Wireless Sensor Networks Supporting Rich Network Visualization and Online

WSNGE: A Platform for Simulating Complex Wireless Sensor ... · WSNGE: A Platform for Simulating Complex Wireless Sensor Networks Supporting Rich Network Visualization and Online

Documents
DVIN Data Visualization Interactive Network. CRD Network

DVIN Data Visualization Interactive Network. CRD Network

Documents
Social Network Analysis - Visualization

Social Network Analysis - Visualization

Technology
Network Visualization – FINAL PAPER

Network Visualization – FINAL PAPER

Documents
Network Visualization Software

Network Visualization Software

Documents
Network Visualization using Gephi

Network Visualization using Gephi

Documents
Social Network Analysis and Visualization

Social Network Analysis and Visualization

Data & Analytics
Benchmarking Visualization Platform. The Platform Brief description

Benchmarking Visualization Platform. The Platform Brief description

Documents
Visualization and Management Platform with Augmented ... · tion platform for wireless network environments using augmented reality technology, and eva-luate the effectiveness of

Visualization and Management Platform with Augmented ... · tion platform for wireless network environments using augmented reality technology, and eva-luate the effectiveness of

Documents
Two Papers on Network Visualization

Two Papers on Network Visualization

Documents
Road Network Visualization

Road Network Visualization

Documents
A2DataDive: African Health OER Network - Network Visualization

A2DataDive: African Health OER Network - Network Visualization

Education
A UNIFORM VISUALIZATION PLATFORM IN TRANSPORTATION …nashvillempotest.nashville.gov/docs/TRB_presentation_091312.pdf · a uniform visualization platform in transportation planning

A UNIFORM VISUALIZATION PLATFORM IN TRANSPORTATION …nashvillempotest.nashville.gov/docs/TRB_presentation_091312.pdf · a uniform visualization platform in transportation planning

Documents
Using Visualization Platform - OpenTextotadocs.opentext.com/documentation/ManualsIHUB3/using... · 2015. 1. 21. · 4 Using Visualization Platform About BIRT iHub Visualization Platform

Using Visualization Platform - OpenTextotadocs.opentext.com/documentation/ManualsIHUB3/using... · 2015. 1. 21. · 4 Using Visualization Platform About BIRT iHub Visualization Platform

Documents
Pick Your Visualization: Platform Views and Visuals

Pick Your Visualization: Platform Views and Visuals

Technology
PIVOT: platform for interactive analysis and visualization

PIVOT: platform for interactive analysis and visualization

Documents
Network Visualization Design using Prefuse Visualization

Network Visualization Design using Prefuse Visualization

Documents
Graph and Network Visualization

Graph and Network Visualization

Documents
Network visualization with Gephi

Network visualization with Gephi

Documents
Neural Network Visualization

Neural Network Visualization

Documents
Organizational Network Analysis & Data Visualization

Organizational Network Analysis & Data Visualization

Documents
GPRS optimisation and Network visualization

GPRS optimisation and Network visualization

Documents
Social Network Visualization 101

Social Network Visualization 101

Education
Visualization Tools for the Refinery Platform - Supporting reproducible research with provenance visualization

Visualization Tools for the Refinery Platform - Supporting reproducible research with provenance visualization

Science
Data Visualization for Social Network

Data Visualization for Social Network

Data & Analytics
Social Network Visualization

Social Network Visualization

Documents
Linkurious Enterprise: graph visualization platform neo4j

Linkurious Enterprise: graph visualization platform neo4j

Documents
Integration of Multi-disciplinary Visualization Platform

Integration of Multi-disciplinary Visualization Platform

Documents
Facebook Social Network Mapping Visualization

Facebook Social Network Mapping Visualization

Documents
Network Visualization: Nifty New Tools

Network Visualization: Nifty New Tools

Documents