Abstract
A user who wants to use a service forbidden by their site’s usage policy can masquerade their packets in order to evade detection. One masquerade technique sends prohibited traffic on TCP ports commonly used by permitted services, such as port 80. Users who hide their traffic in this way pose a special challenge, since filtering by port number risks interfering with legitimate services using the same port. We propose a set of tests for identifying masqueraded peer-to-peer file-sharing based on traffic summaries (flows). Our approach is based on the hypothesis that these applications have observable behavior that can be differentiated without relying on deep packet examination. We develop tests for these behaviors that, when combined, provide an accurate method for identifying these masqueraded services without relying on payload or port number. We test this approach by demonstrating that our integrated detection mechanism can identify BitTorrent with a 72% true positive rate and virtually no observed false positives in control services (FTP-Data, HTTP, SMTP).
This work was partially supported by NSF award CNS-0433540, and by KISA and MIC of Korea.
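The abstract states that the paper's tests use only flow summaries and never the port number or the payload, but it does not enumerate the tests themselves. The block below is an added illustration of what such a port- and payload-blind test looks like in practice; it is not the paper's method. The three heuristics (a host acting as both client and server on the same port, a large set of distinct peers, and a high share of connections that die at the handshake) and all thresholds are assumptions chosen here for illustration, and the flow records are constructed, not captured traffic.

```python
"""Port- and payload-blind behavioural tests over connection summaries.

Added example, not code from the ESORICS 2006 paper. The three tests and the
thresholds are illustrative assumptions; the sample flows are constructed and
use RFC 5737 documentation address ranges.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    """A bidirectional connection summary, the shape a collector produces after
    pairing the two unidirectional flow records. No payload is available, and
    `port` is only used to select traffic; its nominal meaning is never used."""
    client: str
    server: str
    port: int
    packets: int
    bytes: int


@dataclass
class Profile:
    out_peers: set = field(default_factory=set)   # hosts this host connected to
    in_peers: set = field(default_factory=set)    # hosts that connected to it
    out_total: int = 0
    out_failed: int = 0                           # outbound attempts with no data


def build_profiles(conns, port):
    """Aggregate per-host behaviour for every connection whose server port is `port`."""
    profiles = defaultdict(Profile)
    for c in conns:
        if c.port != port:
            continue
        p = profiles[c.client]
        p.out_peers.add(c.server)
        p.out_total += 1
        if c.packets <= 3:            # assumption: <=3 packets means the handshake never carried data
            p.out_failed += 1
        profiles[c.server].in_peers.add(c.client)
    return profiles


def dual_role(p):
    """A pure web client never accepts on its service port; a pure server never initiates."""
    return bool(p.out_peers) and bool(p.in_peers)


def fanout(p, min_peers=10):
    return len(p.out_peers | p.in_peers) >= min_peers


def failure_rate(p, min_frac=0.3):
    """Swarm peers come and go, so many outbound attempts reach nobody."""
    return p.out_total > 0 and p.out_failed / p.out_total >= min_frac


def suspected_p2p(conns, port, min_peers=10, min_fail=0.3):
    """Combine the tests: require the dual-role behaviour plus at least one of
    the other two, so a busy browser or a flaky network alone does not trigger."""
    flagged = set()
    for host, p in build_profiles(conns, port).items():
        if dual_role(p) and (fanout(p, min_peers) or failure_rate(p, min_fail)):
            flagged.add(host)
    return flagged


def constructed_sample():
    """Constructed flow records on TCP/80: one file-sharing-like host, one browser, one web server."""
    conns = []
    swarm_host = "10.0.0.5"
    for i in range(12):  # initiates to 12 peers; the first 5 never get past the handshake
        stub = i < 5
        conns.append(Conn(swarm_host, f"198.51.100.{i + 1}", 80,
                          2 if stub else 400, 120 if stub else 500_000))
    for i in range(8):   # and accepts uploads from 8 other peers on the same port
        conns.append(Conn(f"203.0.113.{i + 1}", swarm_host, 80, 350, 450_000))
    browser = "10.0.0.20"
    for i in range(6):   # ordinary web client: a handful of complete connections, never a server
        conns.append(Conn(browser, f"203.0.113.{100 + i}", 80, 40, 60_000))
    web_server = "10.0.0.80"
    for i in range(30):  # ordinary web server: many clients, never initiates
        conns.append(Conn(f"192.0.2.{i + 1}", web_server, 80, 30, 40_000))
    return conns


if __name__ == "__main__":
    print(sorted(suspected_p2p(constructed_sample(), 80)))
```

Only the swarm-like host is flagged: the web server has the fan-out but no outbound connections, and the browser has neither the dual role nor the failures. The dual-role test is also where a control such as an HTTP forward proxy, which legitimately both accepts and initiates on port 80, would trip, which is the reason for combining tests rather than relying on any single one.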
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Collins, M.P., Reiter, M.K. (2006). Finding Peer-to-Peer File-Sharing Using Coarse Network Behaviors. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_1
DOI: https://doi.org/10.1007/11863908_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7