What Is the Impact of P2P Traffic on Anomaly Detection?
- Irfan Ul HaqAffiliated withSchool of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST)
- , Sardar AliAffiliated withSchool of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST)
- , Hassan KhanAffiliated withSchool of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST)
- , Syed Ali KhayamAffiliated withSchool of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST)
Recent studies estimate that peer-to-peer (p2p) traffic comprises 40-70% of today’s Internet traffic . Surprisingly, the impact of p2p traffic on anomaly detection has not been investigated. In this paper, we collect and use a labeled dataset containing diverse network anomalies (portscans, TCP floods, UDP floods, at varying rates) and p2p traffic (encrypted and unencrypted with BitTorrent, Vuze, Flashget, μTorrent, Deluge, BitComet, Halite, eDonkey and Kademlia clients) to empirically quantify the impact of p2p traffic on anomaly detection. Four prominent anomaly detectors (TRW-CB , Rate Limiting , Maximum Entropy  and NETAD ) are evaluated on this dataset.
Our results reveal that: 1) p2p traffic results in up to 30% decrease in detection rate and up to 45% increase in false positive rate; 2) due to a partial overlap of traffic behaviors, p2p traffic inadvertently provides an effective evasion cover for high- and low-rate attacks; and 3) training an anomaly detector on p2p traffic, instead of improving accuracy, introduces a significant accuracy degradation for the anomaly detector. Based on these results, we argue that only p2p traffic filtering can provide a pragmatic, yet short-term, solution to this problem. We incorporate two prominent p2p traffic classifiers (OpenDPI  and Karagiannis’ Payload Classifier(KPC)) as pre-processors into the anomaly detectors and show that the existing non-proprietary p2p traffic classifiers do not have sufficient accuracies to mitigate the negative impacts of p2p traffic on anomaly detection.
Given the premise that p2p traffic is here to stay, our work demonstrates the need to rethink the classical anomaly detection design philosophy with a focus on performing anomaly detection in the presence of p2p traffic. We make our dataset publicly available for evaluation of future anomaly detectors that are designed to operate with p2p traffic.
- What Is the Impact of P2P Traffic on Anomaly Detection?
- Book Title
- Recent Advances in Intrusion Detection
- Book Subtitle
- 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010. Proceedings
- pp 1-17
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Industry Sectors
- eBook Packages
- Editor Affiliations
- 16. Computer Sciences Department, University of Wisconsin
- 17. International Computer Science Institute
- Author Affiliations
- 18. School of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST), Islamabad, 44000, Pakistan
To view the rest of this content please follow the download PDF link above.