FLOWR: a self-learning system for classifying mobileapplication traffic

We aim to devise a method that can identify mobile apps related to each individual traffic flow in the wild. Mobile apps are becoming preferred means of Internet access for a growing user population. Such departure from browser based Internet poses a unique challenge to traffic management tools, still largely incapable of handling mobile apps. Consequently, enterprises and service providers become hindered by being unable to deploy effective mobile policies and security solutions. Traditionally, desktop applications and networking protocols were identified by signatures derived from transport-layer ports, ip addresses, or domain names [2, 5]. It is not suitable for mobile apps any more. The main reason is that most mobile apps communicate via generic HTTP/HTTPS traffic, thus being a priori indistinguishable from Internet browsing. State-of-the-art solutions attempted to develop signatures via user studies or app emulations [6, 4, 1]. Neither of the two approaches scales due to a number of key challenges: • Similarity. Besides using similar protocols (HTTP/HTTPS), mobiles apps communicate with largely similar IP-/domainlevel destinations, Content Delivery Networks (CDNs), and cloud services, which makes them difficult to distinguish. • Scalability. With hundreds of thousands of apps, the identification has to devise very efficient matching algorithms at line speeds. Moreover, the references for matching have to be obtained efficiently. One cannot assume running all