ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Inferring undesirable behavior from P2P traffic analysis
Full text PdfPdf (560 KB)
Source
Joint International Conference on Measurement and Modeling of Computer Systems archive
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems table of contents
Seattle, WA, USA
SESSION: Security table of contents
Pages 25-36  
Year of Publication: 2009
ISBN:978-1-60558-511-6
Authors
Ruben D. Torres  Purdue University, West Lafayette, IN, USA
Mohammad Y. Hajjat  Purdue University, West Lafayette, IN, USA
Sanjay G. Rao  Purdue University, West Lafayette, IN, USA
Marco Mellia  Politecnico di Torino, Torino, Italy
Maurizio M. Munafo  Politecnico di Torino, Torino, Italy
Sponsors
ACM: Association for Computing Machinery
SIGMETRICS: ACM Special Interest Group on Measurement and Evaluation
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 83,   Downloads (12 Months): 239,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1555349.1555353
What is a DOI?

ABSTRACT

While peer-to-peer (P2P) systems have emerged in popularity in recent years, their large-scale and complexity make them difficult to reason about. In this paper, we argue that systematic analysis of traffic characteristics of P2P systems can reveal a wealth of information about their behavior, and highlight potential undesirable activities that such systems may exhibit. As a first step to this end, we present an offline and semi-automated approach to detect undesirable behavior. Our analysis is applied on real traffic traces collected from a Point-of-Presence (PoP) of a national-wide ISP in which over 70% of the total traffic is due to eMule [19], a popular P2P file-sharing system. Flow-level measurements are aggregated into "samples" referring to the activity of each host during a time interval. We then employ a clustering technique to automatically and coarsely identify similar behavior across samples, and extensively use domain knowledge to interpret and analyze the resulting clusters. Our analysis shows several examples of undesirable behavior including evidence of DDoS attacks exploiting live P2P clients, significant amounts of unwanted traffic that may harm network performance, and instances where the performance of participating peers may be subverted due to maliciously deployed servers. Identification of such patterns can benefit network operators, P2P system developers, and actual end-users.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
eMule forum :: Fake Server List And Ip Numbers. http://forum.emule-project.net/index.php?showtopic=120066.
 
2
eMule forum: Repeated Kad Errors. http://forum.emule-project.net/index.php?showtopic=133799.
 
3
I-BlockList. http://www.IBlocklist.com.
 
4
Is the Skype outage really a big deal? http://news.cnet.com/8301-10784\_3-9761673-7.html.
 
5
Anirban Banerjee , Michalis Faloutsos , Laxmi Bhuyan, The P2P war: Someone is monitoring your activities, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.6, p.1272-1280, April, 2008  [doi>10.1016/j.comnet.2008.01.011]
 
6
Adunanza. http://www.adunanza.net/.
 
7
E. Athanasopoulos, K.G.Anagnostakis, and E. Markatos. Misusing Unstructured P2P Systems to Perform DoS Attacks: The Network That Never Forgets. In ACNS, 2006.
8
Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637210]
 
9
S. Bellovin. Security Aspects of Napster and Gnutella. Invited Talk at USENIX Annual Technical Conference, 2001.
10
Laurent Bernaille , Renata Teixeira , Kave Salamatian, Early application identification, Proceedings of the 2006 ACM CoNEXT conference, December 04-07, 2006, Lisboa, Portugal  [doi>10.1145/1368436.1368445]
 
11
R. Birke, M. Mellia, M. Petracca, and D. Rossi. Understanding VoIP from backbone measurements. In INFOCOM, 2007.
 
12
BitTorrent. http://www.bittorrent.org.
13
Kenjiro Cho , Kensuke Fukuda , Hiroshi Esaki , Akira Kato, The impact and implications of the growth in residential user-to-user traffic, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
 
14
CISCO. Cisco IOS NetFlow. http://www.cisco.com/web/go/netflow.
 
15
M. Collins and M. Reiter. Finding Peer-To-Peer File-sharing Using Coarse Network Behaviors. In ESORICS, 2006.
 
16
Fivos Constantinou , Panayiotis Mavrommatis, Identifying Known and Unknown Peer-to-Peer Traffic, Proceedings of the Fifth IEEE International Symposium on Network Computing and Applications, p.93-102, July 24-26, 2006  [doi>10.1109/NCA.2006.34]
 
17
DC. http://dcplusplus.sourceforge.net/.
 
18
K. Defrawy, M. Gjoka, and A. Markopoulou. "BotTorrent: Misusing BitTorrent to launch DDoS attacks". In SRUTI, 2007.
 
19
eMule. http://www.emule-project.net.
 
20
M. Ester, H.-P. Kriegel, J. Sander, and X. Xu. A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise. In KDD-96, 1996.
21
Marios Iliofotou , Prashanth Pappu , Michalis Faloutsos , Michael Mitzenmacher , Sumeet Singh , George Varghese, Network monitoring using traffic dispersion graphs (tdgs), Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA  [doi>10.1145/1298306.1298349]
 
22
IPP2P. http://www.ipp2p.org.
23
Thomas Karagiannis , Andre Broido , Michalis Faloutsos , Kc claffy, Transport layer identification of P2P traffic, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy  [doi>10.1145/1028788.1028804]
24
Thomas Karagiannis , Konstantina Papagiannaki , Michalis Faloutsos, BLINC: multilevel traffic classification in the dark, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
25
Balachander Krishnamurthy , Subhabrata Sen , Yin Zhang , Yan Chen, Sketch-based change detection: methods, evaluation, and applications, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA  [doi>10.1145/948205.948236]
26
Anukool Lakhina , Mark Crovella , Christophe Diot, Mining anomalies using traffic feature distributions, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
 
27
Petar Maymounkov , David Mazières, Kademlia: A Peer-to-Peer Information System Based on the XOR Metric, Revised Papers from the First International Workshop on Peer-to-Peer Systems, p.53-65, March 07-08, 2002
 
28
M. Mellia , R. Lo Cigno , F. Neri, Measuring IP and TCP behavior on edge nodes with Tstat, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.47 n.1, p.1-21, 14 January 2005  [doi>10.1016/j.comnet.2004.06.026]
29
Andrew W. Moore , Denis Zuev, Internet traffic classification using bayesian analysis techniques, Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 06-10, 2005, Banff, Alberta, Canada
 
30
N. Naoumov and K. Ross. Exploiting P2P systems for DDoS attacks. In International Workshop on Peer-to-Peer Information Management, 2006.
 
31
Phoenix Labs. PeerGuardian. http://phoenixlabs.org/pg2/.
 
32
Prolexic. http://www.prolexic.com/content/moduleId/tPjJLKRF/ article/aRQNVcBH.html.
 
33
J. Rosenberg , J. Weinberger , C. Huitema , R. Mahy, STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), RFC Editor, 2003
 
34
Pang-Ning Tan , Michael Steinbach , Vipin Kumar, Introduction to Data Mining, (First Edition), Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2005
 
35
Yin Zhang , Zihui Ge , Albert Greenberg , Matthew Roughan, Network anomography, Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement, p.30-30, October 19-21, 2005, Berkeley, CA
 
36
Mo Zhou , Yafei Dai , Xiaoming Li, A Measurement Study of the Structured Overlay Network in P2P File-Sharing Applications, Proceedings of the Eighth IEEE International Symposium on Multimedia, p.621-628, December 11-13, 2006  [doi>10.1109/ISM.2006.5]

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network monitoring

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.4 Distributed Systems
          Subjects: Distributed applications


General Terms:
Measurement, Performance, Security


Keywords:
P2P, measurement

Collaborative Colleagues:
Ruben D. Torres: colleagues
Mohammad Y. Hajjat: colleagues
Sanjay G. Rao: colleagues
Marco Mellia: colleagues
Maurizio M. Munafo: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player