Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.


1 Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering

2 Outline
Introduction and Objectives
Flow Data
Identification Methods
◦ Class A-1 : Degree-Based P2P Detection
◦ Class A-2 : Known Port
◦ Class B-1 : Repeated Communication
◦ Class B-2 : P2P Port-Based Identification
◦ Class B-3 : Triggered P2P Detection
Results
Conclusion
Future Work

3 Introduction
Why detection of P2P Traffic?
◦ Helpful for network capacity planning, provisioning, traffic shaping/policing, etc.
How to detect P2P Traffic?
◦ Port based
◦ Signature based
◦ Behavior based
◦ Machine learning based
◦ Host graph based

4 Objectives
◦ No deep packet inspection
◦ Simpler, but still effective
◦ P2P flow graph based

5 Flow Data
◦ SIP : source IP
◦ DIP : destination IP
◦ SP : source port
◦ DP : destination port
◦ PR : protocol (tcp or udp)
◦ ST : flow start time
◦ EID : event ID (info for signature matching)

6 Flow Data
Each flow has components (SIP, SP, PR, DP, DIP, ST). (figure: pictorial view of host A sending a SYN to host B at time ST, and the same flow written as a mathematical expression, e.g. SP 60355, PR TCP, DP 6881)

7 Identification Methods
◦ Class A methods detect flow 1 (an initial P2P flow)
◦ Class B methods connect flow 1 to flow 2
◦ The P2P flow graph is built by these methods

8 Class A-1 : Degree-based P2P Detection
(figure: flows of host A within a time window from t to T; out-degree hosts X1, X2, X3, X7, X10, X11, X12, X13 (8 peers), in-degree hosts X4, X5, X6, X8, X9 (5 peers); the flows include TCP flows to ports 2710 and 6969 and many UDP and TCP flows sharing the source port 55038)

9 Class A-1 : Degree-based P2P detection
◦ Out-degree
◦ In-degree
◦ Detector
◦ P2P active time (ID is not considered)

10 Class A-2 : Known Port
◦ P2P active Time
◦ Detector

11 Identification Methods
◦ Done with Class A methods (detect flow 1)
◦ Take a look at Class B methods (connect flow 1 to flow 2)
◦ P2P flow graph by methods

12 Class B-1 : Repeated Communication between Known P2P Peers
(figure: host A and host X exchange several flows over time, e.g. TCP 63234 → 52334)

13 Class B-1 : Repeated Communication between Known P2P Peers
◦ Detector given an initial P2P flow
◦ Detector given a set of P2P flows
◦ P2P peers =

14 Class B-2 : P2P Port Identification and Port-Based P2P Detection

15 (figure: host A's flow graph from slide 8, repeated)

16 Class B-2 : P2P Port Identification and Port-Based P2P Detection
(figure: host A's flow graph from slide 8; the flows sharing port 55038 on host A are highlighted)

17 Class B-2 : P2P Port Identification and Port-Based P2P Detection
(figure: at one IP, incoming and outgoing TCP or UDP flows within a time window T use the same port, which is identified as the P2P port)

18 Class B-2 : P2P Port Identification and Port-Based P2P Detection
◦ Detector given a P2P flow

19 Class B-3 : Triggered P2P Detection
(figure: flows from host A to X starting within 1 sec of a P2P flow) Nearby flows tend to be P2P flows.

20 Class B-3 : Triggered P2P Detection
◦ Detector given a P2P flow
◦ P2P peers =

21 Summary
Class A :
◦ T : time window offset
◦ R : threshold for # of peers connected
◦ Conservativeness ↑ as T ↓ and R ↑ (figure: window of length T holding R peers)

22 Summary
Class A :
Class B : K th iteration : until convergence
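The Class A seeding and Class B recursion summarised on slides 7 to 22, worked through in code as an added example (this is not the authors' implementation): Class A-2 seeds from the known P2P ports of slide 34, Class A-1 seeds from out-degree within a window T with threshold R, and the three Class B detectors are then iterated until no new flow is labelled. The flow tuple follows slide 5 (EID omitted), the white list follows slide 33, the sample flows are constructed (host 10.0.0.5 and the 1.1.1.1-style peers are invented; 72.20.34.145:6881 is reused from slide 26), and the rule that a flow touching a white-listed port is never labelled P2P is an assumption, as is the exact form of each detector.

```python
from collections import namedtuple

# Flow components as on slide 5 (EID omitted); namedtuples are hashable, so flows can live in sets.
Flow = namedtuple("Flow", "sip sp pr dp dip st")

# Port white list (slide 33) and a subset of the known P2P ports (slide 34).
WHITE_PORTS = {1025, 1755, 2967, 3268, 3724, 5050, 5190, 5351, 8080}
KNOWN_P2P_PORTS = (set(range(6881, 6890)) | {6969, 2710}   # BitTorrent
                   | set(range(6346, 6350))                # Gnutella
                   | {1214, 1215, 1331}                    # FastTrack
                   | {19114, 8081} | {2234, 5534})         # Freenet, Soulseek

def is_white(port):
    return port < 1024 or port in WHITE_PORTS

def eligible(f):
    # Assumption: a flow using a white-listed port on either side is never labelled P2P.
    return not (is_white(f.sp) or is_white(f.dp))

def class_a2_known_port(flows):
    """Class A-2: a flow on a known P2P port is an initial P2P flow."""
    return {f for f in flows if eligible(f) and (f.sp in KNOWN_P2P_PORTS or f.dp in KNOWN_P2P_PORTS)}

def class_a1_degree(flows, T, R):
    """Class A-1: if a host contacts >= R distinct peers within a window of length T,
    the outgoing flows in that window are P2P (out-degree only, as slide 9 says ID is not considered)."""
    seeds, by_src = set(), {}
    for f in flows:
        if eligible(f):
            by_src.setdefault(f.sip, []).append(f)
    for outs in by_src.values():
        outs.sort(key=lambda f: f.st)
        for i, start in enumerate(outs):
            window = [g for g in outs[i:] if g.st <= start.st + T]
            if len({g.dip for g in window}) >= R:
                seeds.update(window)
    return seeds

def class_b1_repeated(flows, p2p):
    """Class B-1: any other flow between two known P2P peers is P2P."""
    pairs = {frozenset((f.sip, f.dip)) for f in p2p}
    return {f for f in flows if eligible(f) and frozenset((f.sip, f.dip)) in pairs}

def class_b2_port(flows, p2p):
    """Class B-2: an (IP, port) endpoint of a P2P flow that is used both for incoming and
    outgoing flows (slide 17) is a P2P port; every flow touching it is P2P."""
    src_ends = {(f.sip, f.sp) for f in flows}
    dst_ends = {(f.dip, f.dp) for f in flows}
    p2p_ports = {end for f in p2p for end in ((f.sip, f.sp), (f.dip, f.dp))
                 if end in src_ends and end in dst_ends}
    return {f for f in flows if eligible(f)
            and ((f.sip, f.sp) in p2p_ports or (f.dip, f.dp) in p2p_ports)}

def class_b3_triggered(flows, p2p, delta=1.0):
    """Class B-3: a flow from the same source host starting within delta seconds of a P2P flow is P2P."""
    return {f for f in flows if eligible(f)
            and any(f.sip == g.sip and abs(f.st - g.st) <= delta for g in p2p)}

def detect_p2p(flows, T=10.0, R=3, delta=1.0):
    """Seed with Class A, then apply the Class B detectors until convergence (slide 22).
    Returns the set of P2P flows and the number of Class B passes, including the final unchanged one."""
    p2p = class_a2_known_port(flows) | class_a1_degree(flows, T, R)
    passes = 0
    while True:
        passes += 1
        new = (p2p | class_b1_repeated(flows, p2p) | class_b2_port(flows, p2p)
               | class_b3_triggered(flows, p2p, delta))
        if new == p2p:
            return p2p, passes
        p2p = new

# Constructed sample flows for one internal host A (not real traffic).
A = "10.0.0.5"
SAMPLE_FLOWS = [
    Flow(A, 60355, "TCP", 6881, "72.20.34.145", 0.0),   # 0: known BitTorrent port -> A-2 seed
    Flow(A, 55038, "UDP", 26675, "1.1.1.1", 0.5),        # 1: part of A's high out-degree window -> A-1 seed
    Flow("2.2.2.2", 18636, "UDP", 55038, A, 5.0),        # 2: incoming to A:55038 -> B-2
    Flow(A, 55038, "UDP", 21566, "3.3.3.3", 9.0),        # 3: third distinct peer within T=10 -> A-1 seed
    Flow("72.20.34.145", 52334, "TCP", 63234, A, 20.0),  # 4: repeated communication with a known peer -> B-1
    Flow(A, 40000, "TCP", 443, "8.8.8.8", 30.0),         # 5: white-listed port, never P2P
    Flow(A, 40001, "TCP", 80, "9.9.9.9", 31.0),          # 6: white-listed port, never P2P
    Flow("4.4.4.4", 33561, "TCP", 55038, A, 12.0),       # 7: uses A's P2P port -> B-2
    Flow(A, 55038, "UDP", 33765, "5.5.5.5", 40.0),       # 8: uses A's P2P port -> B-2
    Flow(A, 41000, "TCP", 6000, "5.5.5.5", 40.3),        # 9: reached only in the second pass (B-1 / B-3)
]

if __name__ == "__main__":
    found, passes = detect_p2p(SAMPLE_FLOWS)
    print(f"{len(found)} of {len(SAMPLE_FLOWS)} flows labelled P2P after {passes} passes")
    for i, f in enumerate(SAMPLE_FLOWS):
        print(i, "P2P" if f in found else "   ", f)
```

On the sample, Class A alone labels only three flows, the first Class B pass adds five more through the shared port and the repeated peer, and the second pass picks up the last flow that became reachable only after the previous pass; the third pass changes nothing, which is the convergence condition of slide 22. Flows 5 and 6 stay unlabelled even though they start within a second of each other, because the trigger only propagates from flows already labelled P2P.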

23 Results : Number of P2P flows Detected
(figures: fraction of flows and # of flows (x 10^7) per combination C1, C2, C3; legend: KPF 480, 250; AC 15,100; GH ∞; TGH ∞)

24 Results : Vertex Degree
(figure: a single P2P flow F1 connected by GH 1 to flows F2 to F8, Degree = 8)
◦ type1 = any
◦ type2 = UDP
◦ type3 = TCP, DIP = internal IP
◦ type4 = TCP, DIP = external IP

25 Results : Vertex Degree
(figure: CCDF of vertex degree; x-axis Degree from 10^0 to 10^6, y-axis CCDF from 10^-3 to 10^0; one curve per type)
◦ type1 = any
◦ type2 = UDP
◦ type3 = TCP, DIP = internal IP
◦ type4 = TCP, DIP = external IP

26 Results : Vertex Degree
(figure: single P2P flow between 131.118.39.53:4226 and 72.20.34.145:6881)

27 Results : Large Connected Component
(figure: a single P2P flow and the flows reached from it by GH 1 and by GH 2)

28 Results : Large Connected Component
# of flows reachable from a single P2P flow:
◦ Type 1 : mean 49,476,748, median 69,689,804
◦ Type 2 : mean 68,179,534, median 69,689,804
◦ Type 3 : mean 63,217,662, median 69,689,804
◦ Type 4 : mean 16,932,282, median 115,692
(figure: CCDF of # of flows reachable, x-axis up to 7 x 10^7, with an inset up to 12 x 10^5)
◦ type1 = any
◦ type2 = UDP
◦ type3 = TCP, DIP = internal IP
◦ type4 = TCP, DIP = external IP

29 Visualization of P2P Flow Graph
◦ TA link : small connected components
◦ GH link : large connected component

30 Conclusion
◦ Even if the Class A methods detect only a small number of P2P flows when their parameters are set conservatively, the recursive Class B methods identify almost all of the remaining P2P flows.
◦ A large connected component (LCC) exists in the P2P flow graph, so identifying a single P2P flow in the LCC leads to the detection of every flow in the LCC.

31 Future Work
◦ Real-time Identification
◦ Complexity Analysis

32 Thanks

33 Port white list
◦ < 1024 : well-known port
◦ 1025 : NFS
◦ 1755 : MMS
◦ 2967 : Symantec AntiVirus
◦ 3268 : msft-gc
◦ 3724 : World of Warcraft
◦ 5050 : Yahoo! Messenger
◦ 5190 : AOL Instant Messenger
◦ 5351 : NAT Port Mapping Protocol
◦ 8080 : HTTP alternate

34 Known P2P port
◦ BitTorrent : 6881~6889, 6969, 2710
◦ Gnutella : 6346~6349
◦ Edonkey : 2323, 3306, 4242, 4500, 4501, 4661~4674, 4677, 4678, 7778
◦ FastTrack : 1214, 1215, 1331
◦ Freenet : 19114, 8081
◦ Soulseek : 2234, 5534


