Abstract
In this paper we present PeerRush, a novel system for the identification of unwanted P2P traffic. Unlike most previous work, PeerRush goes beyond P2P traffic detection: it can accurately categorize the detected P2P traffic and attribute it to specific P2P applications, including malicious applications such as P2P botnets. PeerRush achieves these results without the need for deep packet inspection, and can accurately identify applications even when their P2P traffic is encrypted.
We implemented a prototype version of PeerRush and performed an extensive evaluation of the system over a variety of P2P traffic datasets. Our results show that we can detect all the considered types of P2P traffic with up to 99.5% true positives and 0.1% false positives. Furthermore, PeerRush can attribute the P2P traffic to a specific P2P application with a misclassification rate of 0.68% or less.
© 2013 Springer-Verlag Berlin Heidelberg
Rahbarinia, B., Perdisci, R., Lanzi, A., Li, K. (2013). PeerRush: Mining for Unwanted P2P Traffic. In: Rieck, K., Stewin, P., Seifert, JP. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol 7967. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39235-1_4
DOI: https://doi.org/10.1007/978-3-642-39235-1_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39234-4
Online ISBN: 978-3-642-39235-1