Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.


Outline
Introduction and Objectives
Flow Data
Identification Methods
◦ Class A-1 : Degree-Based P2P Detection
◦ Class A-2 : Known Port
◦ Class B-1 : Repeated Communication
◦ Class B-2 : P2P Port-Based Identification
◦ Class B-3 : Triggered P2P Detection
Results
Conclusion
Future Work

Introduction
Why detect P2P traffic?
◦ Helpful for network capacity planning, provisioning, traffic shaping/policing, etc.
How to detect P2P traffic?
◦ Port based
◦ Signature based
◦ Behavior based
◦ Machine learning based
◦ Host graph based

Objectives
No deep packet inspection
Simpler, but still effective
P2P flow graph based

Flow Data
SIP : source IP
DIP : destination IP
SP : source port
DP : destination port
PR : protocol (tcp or udp)
ST : flow start time
EID : event ID (info for signature matching)

Flow Data
Each flow has the components (SIP, SP, PR, DP, DIP, ST).
[figure: the same flow as a mathematical expression and as a pictorial view: host A sends a TCP SYN to host B at time ST]

Identification Methods
Class A methods detect flow 1 (an initial P2P flow).
Class B methods connect flow 1 to flow 2.
The P2P flow graph is built by these methods.

Class A-1 : Degree-based P2P Detection
[figure: host A's TCP and UDP flows with hosts X1 to X13 inside a time window T. In-degree hosts: X4, X5, X6, X8, X9. Out-degree hosts: X1, X2, X3, X7, X10, X11, X12, X13]

Class A-1 : Degree-based P2P detection
 Out-degree
 In-degree
 Detector
 P2P active time (ID is not considered)

Class A-2 : Known Port
 P2P active time
 Detector

Identification Methods
Done with Class A methods (detect flow 1).
Take a look at Class B methods (connect flow 1 to flow 2).
The P2P flow graph is built by these methods.

Class B-1 : Repeated Communication between Known P2P Peers
[figure: repeated TCP flows between host A and host X over time]

Class B-1 : Repeated Communication between Known P2P Peers
 Detector given an initial P2P flow
 Detector given a set of P2P flows
P2P peers =

Class B-2 : P2P Port Identification and Port-Based P2P Detection


Class B-2 : P2P Port Identification and Port-Based P2P Detection
[figure: the Class A-1 graph again: host A's TCP and UDP flows with hosts X1 to X13]

Class B-2 : P2P Port Identification and Port-Based P2P Detection
[figure: one IP with a P2P port, receiving incoming TCP or UDP flows and originating outgoing TCP or UDP flows on that port within a time window T]

Class B-2 : P2P Port Identification and Port-Based P2P Detection
 Detector given a P2P flow

Class B-3 : Triggered P2P Detection
[figure: a P2P flow from host A to host X, with further flows from A starting within 1 sec of it]
Nearby flows tend to be P2P flows.

Class B-3 : Triggered P2P Detection
 Detector given a P2P flow
P2P peers =

Summary
Class A : conservativeness ↑ as T ↓ and R ↑
T : time window offset
R : threshold for # of peers connected

Summary
Class A : initial detection
Class B : K-th iteration, repeated until convergence
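The two-stage scheme on the Class A and Class B slides (seed a few P2P flows, then propagate over the flow graph until the K-th iteration adds nothing) can be written out end to end. The block below is an added example, not the authors' code: it uses the flow fields from the "Flow Data" slide and the known P2P port list from the closing slide, but the exact detector definitions (the A-1 degree rule over a window T with threshold R, the B-2 port rule, the 1 sec B-3 trigger on the same source host, and the port white list approximated by the well-known range) are my assumptions, marked in the comments. The sample flows are constructed.

```python
"""Flow-graph P2P detection: Class A seeds, Class B propagation to convergence.
Added example; detector rules are assumed readings of the slides."""
from collections import defaultdict, namedtuple

# Flow record with the fields named on the "Flow Data" slide (EID omitted).
Flow = namedtuple("Flow", "sip sp pr dp dip st")

# Known P2P ports from the closing slide.
KNOWN_P2P_PORTS = (
    set(range(6881, 6890)) | {6969, 2710}                 # BitTorrent
    | set(range(6346, 6350))                              # Gnutella
    | {2323, 3306, 4242, 4500, 4501, 4677, 4678, 7778}
    | set(range(4661, 4675))                              # eDonkey
    | {1214, 1215, 1331}                                  # FastTrack
    | {19114, 8081}                                       # Freenet
    | {2234, 5534}                                        # Soulseek
)


def is_white_listed(port):
    # Assumption: the slide's port white list (numbers not preserved in the
    # transcript) is approximated by the well-known port range.
    return port < 1024


def class_a1_degree(flows, R, T):
    """Class A-1 (assumed reading): a flow is P2P if one of its endpoints has,
    within the T-second window ending at the flow's start time, both an
    out-degree and an in-degree of at least R distinct hosts."""
    out_events = defaultdict(list)   # host -> [(start time, destination host)]
    in_events = defaultdict(list)    # host -> [(start time, source host)]
    for f in flows:
        out_events[f.sip].append((f.st, f.dip))
        in_events[f.dip].append((f.st, f.sip))
    detected = set()
    for f in flows:
        for host in (f.sip, f.dip):
            outs = {h for t, h in out_events[host] if f.st - T <= t <= f.st}
            ins = {h for t, h in in_events[host] if f.st - T <= t <= f.st}
            if len(outs) >= R and len(ins) >= R:
                detected.add(f)
    return detected


def class_a2_known_port(flows):
    """Class A-2: flows whose destination port is a known P2P port."""
    return {f for f in flows if f.dp in KNOWN_P2P_PORTS}


def class_b_propagate(flows, seeds, trigger_window=1.0):
    """Class B: grow the seed set until an iteration adds no flow.
    Returns (detected flows, iterations including the final no-change pass).
    Assumed readings: B-1 any flow between two hosts already seen as P2P peers;
    B-2 any flow using a (host, port) pair a P2P flow used on that host's side,
    white-listed ports excluded; B-3 any flow whose source host started a P2P
    flow within trigger_window seconds of it (1 sec on the slide)."""
    p2p = set(seeds)
    iterations = 0
    while True:
        iterations += 1
        peers = {frozenset((f.sip, f.dip)) for f in p2p}
        ports = {(f.dip, f.dp) for f in p2p if not is_white_listed(f.dp)}
        ports |= {(f.sip, f.sp) for f in p2p if not is_white_listed(f.sp)}
        triggers = defaultdict(list)
        for f in p2p:
            triggers[f.sip].append(f.st)
        new = set()
        for f in flows:
            if f in p2p:
                continue
            if (frozenset((f.sip, f.dip)) in peers                       # B-1
                    or (f.dip, f.dp) in ports or (f.sip, f.sp) in ports  # B-2
                    or any(abs(f.st - t) <= trigger_window               # B-3
                           for t in triggers[f.sip])):
                new.add(f)
        if not new:
            return p2p, iterations
        p2p |= new


def detect(flows, R, T):
    """Full pipeline: Class A seeds, then Class B propagation."""
    seeds = class_a1_degree(flows, R, T) | class_a2_known_port(flows)
    return class_b_propagate(flows, seeds)


# Constructed sample: host A is a P2P peer; W->S and Y->Z are ordinary traffic.
FLOWS = [
    Flow("A", 50001, "tcp", 6881, "X1", 0.0),     # known BitTorrent port (A-2)
    Flow("A", 50002, "tcp", 41000, "X2", 1.0),    # 1 s after a P2P flow from A (B-3)
    Flow("A", 50003, "udp", 41001, "X3", 2.0),    # triggered once the flow above is P2P
    Flow("X4", 30000, "tcp", 6882, "A", 3.0),     # incoming peers on A's P2P port
    Flow("X5", 30001, "udp", 6882, "A", 4.0),
    Flow("X6", 30002, "tcp", 6882, "A", 5.0),     # A now has out-degree 3, in-degree 3 (A-1)
    Flow("A", 50004, "tcp", 41000, "X2", 30.0),   # repeated communication A<->X2 (B-1)
    Flow("X7", 30003, "tcp", 41000, "X2", 31.0),  # another peer using X2's P2P port (B-2)
    Flow("A", 50005, "tcp", 41002, "X8", 30.5),   # within 1 s of the A->X2 flow (B-3)
    Flow("W", 40000, "tcp", 80, "S", 30.7),       # web traffic, never reached
    Flow("Y", 40001, "tcp", 443, "Z", 100.0),     # unrelated, never reached
]

if __name__ == "__main__":
    p2p, rounds = detect(FLOWS, R=3, T=10.0)
    print(f"{len(p2p)} of {len(FLOWS)} flows marked P2P after {rounds} iterations")
    for f in FLOWS:
        print("P2P " if f in p2p else "    ", f)
```

On the sample, A-1 with R = 3 and T = 10 seeds only the sixth flow and A-2 seeds the four known-port flows, yet propagation reaches nine of the eleven flows in four passes; seeding from the single BitTorrent flow alone still reaches six, which is the slide's point that one flow in a connected component pulls in the rest. The B-3 trigger is also the rule to watch in practice: any non-P2P flow a peer host starts within the window is swept in, so a conservative window and a white list matter for precision.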

Results : Number of P2P flows Detected
[charts: fraction of flows and # of flows (x 10^7) for method combinations C1, C2, C3; method settings shown: KPF 480, 250; AC 15,100; GH ∞; TGH ∞]

Results : Vertex Degree
[figure: a single P2P flow F1 (found by GH 1) with adjacent flows F2 to F8, degree = 8]
type1 = any
type2 = UDP
type3 = TCP, DIP = internal IP
type4 = TCP, DIP = external IP

Results : Vertex Degree
[plot: CCDF of vertex degree for type1 to type4]
type1 = any
type2 = UDP
type3 = TCP, DIP = internal IP
type4 = TCP, DIP = external IP

Results : Vertex Degree
[figure: a single P2P flow between ports :4226 and :6881 and the flows adjacent to it]

Results : Large Connected Component
[figure: a single P2P flow found by GH 1 and a single P2P flow found by GH 2, each with the flows reachable from it]

Results : Large Connected Component
Type   Mean          Median
1      49,476,748    69,689,…
2      …,179,534     69,689,…
3      …,217,662     69,689,…
4      …,932,282     115,…
[plot: CCDF of # of flows reachable (x 10^7) for type1 to type4]
type1 = any
type2 = UDP
type3 = TCP, DIP = internal IP
type4 = TCP, DIP = external IP

Visualization of P2P Flow Graph
[figure: TA links form small connected components; GH links form the large connected component]

Conclusion
Even if Class A methods detect only a small number of P2P flows when their parameters are set conservatively, the recursive Class B methods identify almost all of the remaining P2P flows.
A large connected component (LCC) exists in the P2P flow graph, so identifying a single P2P flow in the LCC leads to detection of every flow in the LCC.

Future Work
Real-time identification
Complexity analysis

Thanks

Port white list
: well-known port
: NFS
: MMS
: Symantec AntiVirus
: msft-gc
: World of Warcraft
: Yahoo! Messenger
: AOL Instant Messenger
: NAT Port Mapping Protocol
: HTTP alternate

Known P2P port
BitTorrent : 6881~6889, 6969, 2710
Gnutella : 6346~6349
Edonkey : 2323, 3306, 4242, 4500, 4501, 4661~4674, 4677, 4678, 7778
FastTrack : 1214, 1215, 1331
Freenet : 19114, 8081
Soulseek : 2234, 5534