P2P Network Traffic Classification

Posted on 12-Apr-2017

Transcript of P2P Network Traffic Classification

PEER TO PEER NETWORK TRAFFIC CLASSIFICATION

LEKSHMI M NAIR (AM.EN.P2CSE13011)

S4 M.TECH CSE

MAJOR PROJECT

GUIDED BY : Dr. G P SAJEEV

July 2, 2015

LEKSHMI M NAIR (AM.EN.P2CSE13011), S4 M.TECH CSE MAJOR PROJECT (GUIDED BY: Dr. G P SAJEEV), P2P TRAFFIC CLASSIFICATION, July 2, 2015, 1 / 53

OUTLINE

1. Introduction to P2P networking
2. P2P network traffic
3. Need for P2P traffic classification
4. Existing classification schemes
5. System design
6. Implementation details
7. Results
8. References

INTRODUCTION TO 'PEER TO PEER' (P2P) NETWORKING

P2P NETWORK SYSTEM

Peer-to-peer (P2P) is a decentralized communications model in which each party has the same capabilities and either party can initiate a communication session, unlike in the client/server model.

Figure: P2P Network


P2P NETWORK TRAFFIC

P2P traffic is the traffic created by various P2P applications such as BitTorrent, Skype, Napster, Gnutella, etc. P2P is generally used to transfer large amounts of data, so it can slow down an internet connection.

Figure: P2P Applications


NEED FOR P2P TRAFFIC CLASSIFICATION

- Network design and provisioning / Traffic Engineering.
- Optimizing and controlling network utilization to address QoS assignment and traffic shaping.
- Accounting / Content-based charging.
- Security monitoring.
- Network Forensics.

Figure: Traffic Classification


EXISTING CLASSIFICATION SCHEMES

Some of the existing P2P traffic classification techniques are:

- Port-based classification
- Signature-based classification
- Flow-based classification
- Statistics-based classification
- Hybrid method

A BRIEF COMPARISON OF EXISTING TECHNIQUES

Port-based
  Method: Classification based on port number.
  Merits: Simple and fast.
  De-merits: Inefficient due to random port allocation.
  Remarks: Accuracy is much lower.

Signature-based
  Method: Based on recognition of specific packet payloads.
  Merits: Reduces false positives and false negatives.
  De-merits: High computational complexity, since each packet needs to be analyzed.
  Remarks: Inefficient on encrypted payloads.

Flow-based
  Method: Based on behavioral patterns.
  Merits: Speed.
  De-merits: Cannot always classify traffic to its specific application.
  Remarks: Speeds up traffic classification, but cannot classify all traffic.

Statistics-based
  Method: By means of statistical features such as packet size, packet inter-arrival time, and flow duration.
  Merits: More uniqueness.
  De-merits: As the number of features increases, mapping becomes difficult.
  Remarks: Inefficient as the number of features increases.

Hybrid method
  Method: By combining any of the above methods.
  Merits: More accurate.
  De-merits: Only a 2-class classifier has been implemented to date.
  Remarks: Scope for UDP needs to be determined.

Table: Survey on P2P classification techniques.

PROJECT THEME

The performance of existing P2P traffic classification schemes is poor. Also, there is no classification scheme that separates P2P traffic into malicious P2P and non-malicious P2P.

PROBLEM DEFINITION

The problem of classifying P2P traffic into malicious and non-malicious has not been addressed so far.

DEFINITION TO MALICIOUS ACTIVITIES

1. Poisoning
2. Polluting
3. Insertion of viruses
4. Malware
5. Denial of Service
6. Spam
7. Password Stealing
8. Advertising

IDENTIFYING P2P TRAFFIC

P2P traffic has a bi-directional nature, e.g. BitTorrent seeders and leechers.

The notion of a "communication" (who is talking to whom?) is better suited to P2P than the notion of a single flow.

Both header and payload information are considered for traffic classification.

SYSTEM DESIGN

Figure: Network Traffic Classifier


MODULES

1. Filtering.
2. Communication Creation Module.
3. Automatic Signature Generation Module.
4. Aggregation Module.
5. Classification Module.

PACKET FILTERING MODULE


PACKET FILTERING ALGORITHM


COMMUNICATION CREATION ALGORITHM


COMMUNICATION CREATION MODULE

Figure: Communication Creation Module


Classification Criterion

Features            Malicious                     Non-Malicious
Volume              Low                           High
Inter-arrival time  Large                         Small
Traffic             Automated/Scripted commands   User-bursty traffic

Table: Malicious vs Non-Malicious Features
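The criterion table above and the Communication Creation Module are easier to follow with a concrete run. The Python below is an added example, not code from the original slides or the project: it groups packet records into "communications" (who is talking to whom, both directions merged, as the slides describe for P2P), computes the two features the table uses (volume and inter-arrival time), and applies the table as a rule. The packet records and the two thresholds are constructed for illustration and are assumptions of this example.

```python
"""Communication creation and feature extraction for the criterion table.

Added example, not code from the original slides. Packet records and the
thresholds in criterion_label() are constructed values, not project data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    ts: float   # capture time in seconds
    src: str    # source address
    dst: str    # destination address
    size: int   # payload bytes


def comm_key(src, dst):
    """Unordered endpoint pair: both directions of a conversation share one key."""
    return tuple(sorted((src, dst)))


def build_communications(packets):
    """Group packets by endpoint pair, each group kept in time order."""
    comms = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        comms[comm_key(p.src, p.dst)].append(p)
    return dict(comms)


def features(pkts):
    """Volume, mean inter-arrival time, and whether both directions were seen."""
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return {
        "packets": len(pkts),
        "volume": sum(p.size for p in pkts),
        "mean_iat": mean(gaps) if gaps else 0.0,
        "bidirectional": len({(p.src, p.dst) for p in pkts}) == 2,
    }


def criterion_label(f, volume_threshold=50_000, iat_threshold=1.0):
    """Apply the criterion table: low volume + large IAT -> malicious,
    high volume + small IAT -> non-malicious. Thresholds are assumed values."""
    low_volume = f["volume"] < volume_threshold
    large_iat = f["mean_iat"] > iat_threshold
    if low_volume and large_iat:
        return "malicious-P2P"
    if not low_volume and not large_iat:
        return "non-malicious P2P"
    return "undetermined"


# Constructed traffic: a small, periodic command-like exchange every 30 s ...
PACKETS = []
for k in range(6):
    PACKETS.append(Packet(k * 30.0, "10.0.0.5", "203.0.113.9", 96))
    PACKETS.append(Packet(k * 30.0 + 0.2, "203.0.113.9", "10.0.0.5", 120))
# ... and a bulk, bursty transfer with small reply packets in the other direction.
_t = 0.0
for i, gap in enumerate([0.01, 0.02, 0.01, 0.5, 0.02, 0.01, 0.8, 0.01, 0.03, 0.01]):
    _t += gap
    if i % 3:
        PACKETS.append(Packet(_t, "10.0.0.7", "198.51.100.4", 16384))
    else:
        PACKETS.append(Packet(_t, "198.51.100.4", "10.0.0.7", 64))


def classify_all(packets):
    """Map each communication key to (features, criterion label)."""
    result = {}
    for key, pkts in build_communications(packets).items():
        f = features(pkts)
        result[key] = (f, criterion_label(f))
    return result


if __name__ == "__main__":
    for key, (f, label) in classify_all(PACKETS).items():
        print(key, f, label)
```

The "undetermined" branch matters in practice: a communication with low volume but small inter-arrival time satisfies neither row of the table, and a rule that silently picked a side there would be guessing. In the project this is the point where the signature and C4.5 stages take over.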


AUTO-SIGN MODULE

Figure: Automatic Signature Generation Module


LCS (Example)


LASER ALGORITHM

The signature refinement process can be expressed simply as follows:

Candidate_Sign_1 = Sign(Flow_1, Flow_2)
Candidate_Sign_2 = Sign(Flow_3, Candidate_Sign_1)
...
Candidate_Sign_n = Sign(Flow_{n+1}, Candidate_Sign_{n-1})

If Candidate_Sign_n = Candidate_Sign_{n-1} for a certain number of consecutive iterations, then Candidate_Sign_n is the final signature.
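The refinement loop above, with Sign() realised as a longest common subsequence (LCS) over payload tokens, as an added example. This is not the project's code: the slides apply LCS to payloads but do not fix the token granularity, so the whitespace tokenization, the convergence count `stable_rounds`, and the similarity score used for unknown traces are assumptions of this example. The flows are constructed, not captured traffic.

```python
"""LASER-style signature refinement with LCS (added example, not project code).

Sign(a, b) is the longest common subsequence of the token sequences of a and
b; the candidate is refined against each further flow and accepted once it has
stopped changing for `stable_rounds` iterations. Flows are constructed.
"""


def lcs(a, b):
    """Return one longest common subsequence of the token sequences a and b."""
    n, m = len(a), len(b)
    # dp[i][j] = LCS length of a[:i] and b[:j]
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if a[i - 1] == b[j - 1]:
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    # Backtrack from the bottom-right corner to recover the subsequence.
    out, i, j = [], n, m
    while i > 0 and j > 0:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i -= 1
            j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def tokenize(payload):
    """Whitespace tokens of a text payload (an assumption of this example)."""
    return payload.split()


def laser_signature(flows, stable_rounds=2):
    """Candidate_Sign_1 = Sign(Flow_1, Flow_2); each later flow refines the
    candidate; stop early once it is unchanged for `stable_rounds` iterations."""
    if len(flows) < 2:
        raise ValueError("need at least two flows to form a candidate signature")
    candidate = lcs(tokenize(flows[0]), tokenize(flows[1]))
    unchanged = 0
    for flow in flows[2:]:
        refined = lcs(tokenize(flow), candidate)
        unchanged = unchanged + 1 if refined == candidate else 0
        candidate = refined
        if unchanged >= stable_rounds:
            break
    return candidate


def similarity(payload, signature):
    """Fraction of signature tokens found in order in the payload (0.0 .. 1.0)."""
    toks = tokenize(payload)
    if not toks or not signature:
        return 0.0
    return len(lcs(toks, signature)) / len(signature)


# Constructed tracker-style requests from one (fictional) application.
FLOWS = [
    "GET /announce?info_hash=abc HTTP/1.1 Host: tracker.example User-Agent: ExampleP2P/1.0",
    "GET /announce?info_hash=def HTTP/1.1 Host: tracker.example User-Agent: ExampleP2P/1.0",
    "GET /scrape?info_hash=ghi HTTP/1.1 Host: tracker2.example User-Agent: ExampleP2P/1.1",
    "GET /announce?info_hash=jkl HTTP/1.1 Host: tracker.example User-Agent: ExampleP2P/1.0",
]

if __name__ == "__main__":
    sig = laser_signature(FLOWS)
    print("signature:", sig)
    print("unknown trace score:", similarity("POST /login HTTP/1.1 Host: x", sig))
```

The run shows the caveat the comparison table hints at for signature methods: once a flow with a different host and version is folded in, the surviving subsequence is only generic HTTP tokens, and an unrelated POST request still scores 0.5 against it. A deployable signature needs enough application-specific tokens (the User-Agent values in the results tables are the typical anchor) that the similarity score separates the application from ordinary web traffic.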


FLOW SIMILARITY OF UNKNOWN PACKET TRACES

AGGREGATION MODULE

In the Communication Aggregation Module, we aggregate the results of the communication creation module and the auto-sign module.

Figure: Aggregation Module

CLASSIFICATION MODULE

In the Classification Module, we train the system using the generated dataset, so that for new incoming traces we can predict whether the traffic flow is malicious P2P or non-malicious P2P. The C4.5 decision tree algorithm is employed in the classification module.

SUMMARY (MAJOR PROJECT)

Figure: P2P Network Traffic Classifier

- A hybrid technique for P2P traffic classification.
- Combination of a signature-based and a statistical method, exploiting the communication behaviour of the P2P nodes.
- P2P traffic is classified into malicious and non-malicious P2P.

IMPLEMENTATION DETAILS

Figure: Implementation of P2P Network Traffic Classifier


IMPLEMENTATION DETAILS

Figure: P2P Network Traffic Classifier


RESULTS

The signatures of various protocols are extracted using the LASER algorithm. They are listed in the following table.

Application   Signature
Azureus       "POST/rpc/config", "HTTP/<version>", "User-Agent:Azureus<version>", "Host :"
GigaTribe     "GET", "&p=", "&cmd=OpenSession", "HTTP/1.1", "User-Agent:GigaTribe", "HTTP/1.1", "200 OK"
Zultrax       "ZEPP 19 29 port"-offset(0) 0x0d0a0d0a, "ZEPP OK number12,28,29my IPaddress:port"-offset(0) 0x0d0a0d0a
Storm         .mpg;size
Bitlord       "GET", "HTTP", "User-Agent:BitTorrent", "www.bitlord.com"
DC++          "GET", "HTTP", "User-Agent:DC++"
AntsP2P       "NOTIFY * HTTP" "USN: uuid:ANtsP2P"
KCeasy        "GET / HTTP/"offset(0) "cookie:Kceasy"

Table: Malicious vs Non-Malicious Signatures

RESULTS

The signatures of various protocols are extracted using the LASER algorithm. They are listed in the following table.

Application   Signature
Limewire      "GET" "User-Agent: LimeWire/" "Java/"
iMesh         "POST"offset(0) "function=login" "Host: login.imesh.com"
Mute          "client=MUTE&version="offset(12)
Soulseek      "GET "offset(0) "User-Agent: SoulSeek"
Skype         "GET "offset(0) "HTTP" "User-Agent: skype"
eDonkey2000   "GET / HTTP/"offset(0) "cookie:Kceasy"
eMule         0xe3 (offset 0)

Table: Malicious vs Non-Malicious Signatures
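The signature tables use two kinds of pattern: a byte string that must sit at a fixed offset (written `offset(0)` or `offset(12)` on the slides) and strings that may appear anywhere in the payload. The Python below is an added example of a matcher that applies a few of the listed signatures; it is not the project's code, the payloads are constructed, and the decision to report every matching application rather than the first one is this example's choice.

```python
"""Offset-aware payload signature matching (added example, not project code).

A Signature holds (offset, bytes) pairs that must match exactly at that offset
and byte strings that may appear anywhere. The signatures below are a subset
of those listed in the results tables; the payloads are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Signature:
    app: str
    anchored: list = field(default_factory=list)   # (offset, bytes) pairs
    anywhere: list = field(default_factory=list)   # bytes allowed at any position

    def matches(self, payload):
        for off, pat in self.anchored:
            # Slicing never raises, so a short payload simply fails the compare.
            if payload[off:off + len(pat)] != pat:
                return False
        return all(pat in payload for pat in self.anywhere)


SIGNATURES = [
    Signature("iMesh", anchored=[(0, b"POST")],
              anywhere=[b"function=login", b"Host: login.imesh.com"]),
    Signature("eMule", anchored=[(0, b"\xe3")]),
    Signature("DC++", anywhere=[b"GET", b"HTTP", b"User-Agent:DC++"]),
    Signature("KCeasy", anchored=[(0, b"GET / HTTP/")], anywhere=[b"cookie:Kceasy"]),
]


def classify_payload(payload):
    """All applications whose signature matches; more than one means ambiguity."""
    return [s.app for s in SIGNATURES if s.matches(payload)]


def classify_flow(payloads):
    """Label a flow by the first packet that hits a signature, else 'unknown'."""
    for p in payloads:
        hits = classify_payload(p)
        if hits:
            return hits[0] if len(hits) == 1 else "ambiguous:" + ",".join(hits)
    return "unknown"


# Constructed payloads, one per case.
IMESH_LOGIN = b"POST /login HTTP/1.1\r\nHost: login.imesh.com\r\n\r\nfunction=login&user=x"
EMULE_HELLO = b"\xe3\x01\x00\x00\x00\x10"
DCPP_GET = b"GET /files HTTP/1.1\r\nUser-Agent:DC++ 0.8\r\n\r\n"
PLAIN_WEB = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for p in (IMESH_LOGIN, EMULE_HELLO, DCPP_GET, PLAIN_WEB):
        print(p[:20], classify_payload(p))
    print(classify_flow([PLAIN_WEB, DCPP_GET]))
```

Two properties of the matcher are worth checking before trusting any such table. A one-byte anchored signature like the eMule `0xe3` at offset 0 will also fire on unrelated binary traffic whose first byte happens to be 0xe3, so it should be combined with the statistical features rather than used alone. And signatures built only from generic HTTP tokens overlap: a payload that starts with "GET / HTTP/" and carries both "User-Agent:DC++" and "cookie:Kceasy" matches two rows, which is why classify_payload returns a list instead of a single name.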

RESULTS

The evaluation parameters are estimated for three datasets. The results are given in the following table.

Dataset  Error Rate  CCR    FP     FN     DR
1        9.5         85.31  0.095  0.169  0.904
2        4.25        91.42  0.172  0.058  0.828
3        12.9        84.96  0.184  0.140  0.816

Table: P2P traffic classification rates

RESULTS

The error rate decreases as the number of records taken for training increases. A graphical representation substantiating this result is shown in the figure below.

Figure: Accuracy performance of the classifier for different datasets


PERFORMANCE EVALUATION

The validation of the model is done using three classification algorithms, namely Bayesian Network, Decision Tree and AdaBoost with REP trees. The results are given in the following table.

              Decision Tree       Bayes Net           AdaBoost
              TPR   FPR   CR      TPR   FPR   CR      TPR   FPR   CR
Storm         0.92  0.12  0.93    0.92  0.21  0.91    0.89  0.19  0.90
Waledac       0.93  0.17  0.95    0.96  0.22  0.93    0.90  0.15  0.91
BitTorrent    0.94  0.11  0.96    0.92  0.18  0.95    0.92  0.22  0.92
eDonkey2000   0.94  0.13  0.95    0.95  0.18  0.96    0.94  0.18  0.94

PUBLICATION

1. Lekshmi M Nair and G P Sajeev. "Internet Traffic Classification by Aggregating Correlated Decision Tree Classifier." Computational Intelligence, Modelling and Simulation (CIMSim), 2015 Seventh International Conference on, IEEE, Kuantan, Malaysia, 27-29 July 2015.
