Contact information
| Name | Andrea Jiménez-Berenguel |
| public_email_address | |
| displayName | Andrea Jiménez-Berenguel |
Contact
Publications
Jimenez-Berenguel, Andrea; Gil, César; García-Rubio, Carlos; Forné, Jordi; Campo, Celeste
DNS Query Forgery: A Client-Side Defense Against Mobile App Traffic Profiling Journal Article
In: IEEE Access, vol. 13, pp. 1-20, 2025, ISSN: 2169-3536.
@article{Andrea002,
title = {DNS Query Forgery: A Client-Side Defense Against Mobile App Traffic Profiling},
author = {Andrea Jimenez-Berenguel and César Gil and Carlos García-Rubio and Jordi Forné and Celeste Campo},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11250988
https://ieeexplore.ieee.org/document/11250988
},
doi = {https://doi.org/10.1109/ACCESS.2025.3633695},
issn = {2169-3536},
year = {2025},
date = {2025-11-17},
urldate = {2025-11-17},
journal = {IEEE Access},
volume = {13},
pages = {1-20},
abstract = {Mobile applications generate DNS queries that expose user behavioral patterns to network observers, creating privacy vulnerabilities even when communications are encrypted. Network eavesdroppers and DNS resolvers can analyze domain name sequences to profile users based on their app usage patterns. This paper proposes a client-side defense mechanism based on DNS query forgery to obfuscate user DNS-based profiles. Our method applies a query forgery technique that consists of injecting false DNS queries into genuine traffic streams. We mathematically model user profiles as probability distributions over interest categories and analyze the optimal proportion of false queries needed to achieve desired privacy levels. We evaluate three query forgery strategies: Uniform, TrackMeNot-based, and Optimized, finding that the Optimized strategy using KL divergence is the most effective. To validate our approach, we develop a novel methodology for generating synthetic user traces, creating a dataset of 1,000 users by mapping real app traffic data onto individual user profiles. Our analysis reveals that 50% privacy improvement is achievable with less than 20% traffic overhead, while 100% privacy protection requires approximately 40-60% additional traffic. We further propose a modular system architecture for practical implementation on mobile devices. This work offers a client-side privacy solution that operates without third-party trust requirements, empowering users to defend against traffic analysis without compromising application functionality.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Mobile applications generate DNS queries that expose user behavioral patterns to network observers, creating privacy vulnerabilities even when communications are encrypted. Network eavesdroppers and DNS resolvers can analyze domain name sequences to profile users based on their app usage patterns. This paper proposes a client-side defense mechanism based on DNS query forgery to obfuscate user DNS-based profiles. Our method applies a query forgery technique that consists of injecting false DNS queries into genuine traffic streams. We mathematically model user profiles as probability distributions over interest categories and analyze the optimal proportion of false queries needed to achieve desired privacy levels. We evaluate three query forgery strategies: Uniform, TrackMeNot-based, and Optimized, finding that the Optimized strategy using KL divergence is the most effective. To validate our approach, we develop a novel methodology for generating synthetic user traces, creating a dataset of 1,000 users by mapping real app traffic data onto individual user profiles. Our analysis reveals that 50% privacy improvement is achievable with less than 20% traffic overhead, while 100% privacy protection requires approximately 40-60% additional traffic. We further propose a modular system architecture for practical implementation on mobile devices. This work offers a client-side privacy solution that operates without third-party trust requirements, empowering users to defend against traffic analysis without compromising application functionality.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
@inproceedings{andrea001,
title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {506-507},
publisher = {Universidad de Sevilla},
abstract = {La privacidad del usuario sigue siendo vulnerable cuando se utilizan protocolos de comunicación cifrados, como HTTPS, cuando las consultas DNS se envían en texto claro a través del puerto UDP 53 (Do53). En este estudio, demostramos la posibilidad de caracterizar una aplicación móvil que utiliza un usuario basándonos en su tráfico Do53. Mediante el análisis de un conjunto de datos de tráfico, formado por 80 aplicaciones móviles Android, podemos identificar la aplicación que se está utilizando basándonos en sus consultas DNS con una precisión del 88,75 %. Aunque los sistemas operativos modernos, incluido Android desde la versión 9.0, admiten el tráfico DNS cifrado, esta función no está activada por defecto y depende del soporte del proveedor de DNS. Además, incluso cuando el tráfico DNS está cifrado, el proveedor de servicios DNS sigue teniendo acceso a nuestras consultas y podría extraer información de ellas.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
La privacidad del usuario sigue siendo vulnerable cuando se utilizan protocolos de comunicación cifrados, como HTTPS, cuando las consultas DNS se envían en texto claro a través del puerto UDP 53 (Do53). En este estudio, demostramos la posibilidad de caracterizar una aplicación móvil que utiliza un usuario basándonos en su tráfico Do53. Mediante el análisis de un conjunto de datos de tráfico, formado por 80 aplicaciones móviles Android, podemos identificar la aplicación que se está utilizando basándonos en sus consultas DNS con una precisión del 88,75 %. Aunque los sistemas operativos modernos, incluido Android desde la versión 9.0, admiten el tráfico DNS cifrado, esta función no está activada por defecto y depende del soporte del proveedor de DNS. Además, incluso cuando el tráfico DNS está cifrado, el proveedor de servicios DNS sigue teniendo acceso a nuestras consultas y podría extraer información de ellas.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Campo-Vázquez, Carlos García-Rubio Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: N 979-8-4007-0370-6.
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio Celeste Campo-Vázquez},
doi = {https://doi.org/10.1145/3616394.3618268},
isbn = {N 979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks.},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.