What Is the Impact of P2P Traffic on Anomaly Detection?

  • Irfan Ul Haq
  • Sardar Ali
  • Hassan Khan
  • Syed Ali Khayam
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)

Abstract

Recent studies estimate that peer-to-peer (p2p) traffic comprises 40-70% of today’s Internet traffic [1]. Surprisingly, the impact of p2p traffic on anomaly detection has not been investigated. In this paper, we collect and use a labeled dataset containing diverse network anomalies (portscans, TCP floods and UDP floods at varying rates) and p2p traffic (encrypted and unencrypted traffic from the BitTorrent, Vuze, Flashget, μTorrent, Deluge, BitComet, Halite, eDonkey and Kademlia clients) to empirically quantify the impact of p2p traffic on anomaly detection. Four prominent anomaly detectors (TRW-CB [7], Rate Limiting [8], Maximum Entropy [10] and NETAD [11]) are evaluated on this dataset.

Our results reveal that: 1) p2p traffic causes up to a 30% decrease in detection rate and up to a 45% increase in false positive rate; 2) because their traffic behaviors partially overlap, p2p traffic inadvertently provides an effective evasion cover for high- and low-rate attacks; and 3) training an anomaly detector on p2p traffic, instead of improving accuracy, significantly degrades the detector's accuracy. Based on these results, we argue that only p2p traffic filtering can provide a pragmatic, yet short-term, solution to this problem. We incorporate two prominent p2p traffic classifiers (OpenDPI [23] and Karagiannis’ Payload Classifier (KPC) [24]) as pre-processors into the anomaly detectors and show that the existing non-proprietary p2p traffic classifiers are not accurate enough to mitigate the negative impact of p2p traffic on anomaly detection.

Given the premise that p2p traffic is here to stay, our work demonstrates the need to rethink the classical anomaly detection design philosophy, with a focus on performing anomaly detection in the presence of p2p traffic. We make our dataset publicly available for the evaluation of future anomaly detectors that are designed to operate with p2p traffic.
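As an added example (not code from the paper), a simplified Williamson-style Rate Limiting detector [8] run over constructed connection traces shows the two effects the abstract reports: a p2p client joining a swarm opens so many new destinations that it is flagged like a scanner (a false positive), and a p2p classifier used as a pre-processor only suppresses that alarm when its recall is near perfect. The working-set size, the queue threshold, the peer counts and the classifier recall values are assumptions of this example.

```python
from collections import deque

# One connection attempt: (second it was issued, destination host, labelled-p2p flag).
# The flag stands in for the ground-truth p2p labels of the paper's dataset.

def rate_limit_alarm(conns, working_set=5, threshold=100):
    """Simplified Williamson virus throttle (the Rate Limiting detector [8]).
    Destinations outside a small working set are queued and released one per
    second; the host is flagged when the delay queue exceeds `threshold`
    (working-set size and threshold are assumptions of this example)."""
    recent = deque(maxlen=working_set)   # recently contacted destinations
    delayed = deque()                    # new destinations held back
    clock = 0
    for t, dst, _ in sorted(conns):
        while clock < t:                 # each elapsed second releases one queued host
            if delayed:
                recent.append(delayed.popleft())
            clock += 1
        if dst in recent:
            continue                     # known destination passes unthrottled
        if dst not in delayed:
            delayed.append(dst)
        if len(delayed) > threshold:
            return True                  # queue build-up: host looks like a scanner
    return False

def web_browsing(seconds):
    # Constructed benign trace: a new site every 5 s, three fetches to each site.
    return [(t, f"site{t // 5}", False) for t in range(seconds) for _ in range(3)]

def p2p_swarm_join(seconds, peers_per_sec):
    # Constructed p2p trace: a BitTorrent-like client contacting many distinct
    # peers per second while joining a swarm.
    return [(t, f"peer{t}-{i}", True) for t in range(seconds) for i in range(peers_per_sec)]

def p2p_prefilter(conns, recall):
    """Model a p2p classifier placed in front of the detector: it removes a
    deterministic `recall` fraction of the flows that are truly p2p and lets
    the rest (its misses) through to the anomaly detector."""
    kept, seen = [], 0
    for c in conns:
        if c[2]:
            seen += 1
            if (seen % 100) < recall * 100:
                continue                 # correctly classified p2p flow: filtered out
        kept.append(c)
    return kept
```

With these inputs the unfiltered p2p host trips the detector within three seconds, a perfect pre-filter silences it, and a pre-filter with 70% recall still lets enough peer connections through to raise the alarm.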


References

  1.
  2. Maier, G., Feldmann, A., Paxson, V., Allman, M.: On Dominant Characteristics of Residential Broadband Internet Traffic. In: IMC (2009)
  3. Erman, J., Gerber, A., Hajiaghayi, M.T., Pei, D., Spatscheck, O.: Network-Aware Forward Caching. In: WWW (2009)
  4. Labovitz, C., McPherson, D., Iekel-Johnson, S.: 2009 Internet Observatory Report. In: NANOG 47 (2009)
  5. Li, Z., Goyal, A., Chen, Y., Kuzmanovic, A.: Measurement and Diagnosis of Address Misconfigured P2P Traffic. In: IEEE INFOCOM (2010)
  6. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: IEEE Symposium on Security and Privacy (2004)
  7. Schechter, S.E., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59–81. Springer, Heidelberg (2004)
  8. Williamson, M.M.: Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. In: ACSAC (2002)
  9. Twycross, J., Williamson, M.M.: Implementing and Testing a Virus Throttle. In: USENIX Security (2003)
  10. Gu, Y., McCallum, A., Towsley, D.: Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation. In: ACM IMC (2005)
  11. Mahoney, M.V.: Network Traffic Anomaly Detection Based on Packet Bytes. In: ACM Symposium on Applied Computing (2003)
  12. Next-Generation Intrusion Detection Expert System (NIDES), http://www.csl.sri.com/projects/nides/
  13. Weaver, N., Staniford, S., Paxson, V.: Very Fast Containment of Scanning Worms. In: USENIX Security (2004)
  14. Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-wide Traffic Anomalies. In: ACM SIGCOMM (2004)
  15. Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: ACM SIGCOMM (2005)
  16. Patcha, A., Park, J.: An Overview of Anomaly Detection Techniques: Existing Solutions and Latest Technological Trends. Elsevier Computer Networks (2007)
  17.
  18. LBNL/ICSI Enterprise Tracing Project, http://www.icir.org/enterprise-tracing/download.html
  19.
  20. Collins, M., Reiter, M.: Finding Peer-to-Peer File-Sharing Using Coarse Network Behaviors. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 1–17. Springer, Heidelberg (2006)
  21. Bartlett, G., Heidemann, J., Papadopoulos, C.: Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing. In: Proceedings of the 10th IEEE Global Internet Symposium (2007)
  22. Liu, Y., Guo, Y., Liang, C.: A Survey on Peer-to-Peer Video Streaming Systems. In: Peer-to-Peer Networking and Applications (2008)
  23. OpenDPI, the open source version of Ipoque’s DPI software, http://www.opendpi.org/
  24. Karagiannis, T., Broido, A., Brownlee, N., Claffy, K.C., Faloutsos, M.: Is P2P Dying or Just Hiding? In: IEEE Globecom (2004)
  25. Sun, X., Torres, R., Rao, S.: DDoS Attacks by Subverting Membership Management in P2P Systems. In: 3rd IEEE Workshop on Secure Network Protocols (2007)
  26. Athanasopoulos, E., Anagnostakis, K.G., Markatos, E.P.: Misusing Unstructured P2P Systems to Perform DoS Attacks: The Network That Never Forgets. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 130–145. Springer, Heidelberg (2006)
  27. Naoumov, N., Ross, K.: Exploiting P2P Systems for DDoS Attacks. In: INFOSCALE (2006)
  28.
  29. Chien, E.: Malicious Threats of Peer-to-Peer Networking. Whitepaper, Symantec Security Response (2008)
  30.
  31.
  32. Allot Service Protector, DDoS Protection, http://www.allot.com/Service_Protector.html#products
  33.
  34. Ipoque Press Release: P2P Raid in Germany Shows Little Effect, http://www.ipoque.com/news-and-events/news/pressemitteilung-ipoque-210606.html
  35. Ashfaq, A.B., Robert, M.J., Mumtaz, A., Ali, M.Q., Sajjad, A., Khayam, S.A.: A Comparative Analysis of Anomaly Detectors under Portscan Attacks. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 351–371. Springer, Heidelberg (2008)
  36. Javed, M., Ashfaq, A.B., Shafiq, M.Z., Khayam, S.A.: On the Inefficient Use of Entropy for Anomaly Detection. In: RAID (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Irfan Ul Haq (1)
  • Sardar Ali (1)
  • Hassan Khan (1)
  • Syed Ali Khayam (1)
  1. School of Electrical Engineering & Computer Science, National University of Sciences & Technology (NUST), Islamabad, Pakistan
